DOM with cross-site frames

Someone is linking to a site I maintain but their site uses a frameset  
when linking to external sites so that their own branding and site  
navigation remain a the top of other peoples's sites.

Their frameset contains just two frames, the top one with their  
branding/navigation page from the same domain, and the bottom one that  
contains the external site.

Is it possible to use the DOM to allow my own Javascript to rewrite the  
contents of their frame or is this out of the question due to XSS  
protection? Is there any way to achieve this or am I limited to changing  

On Thu, 03 Aug 2006 21:25:34 +0200, Eik <spam@hotmail.com> wrote:

> Someone is linking to a site I maintain but their site uses a frameset  
> when linking to external sites so that their own branding and site  
> navigation remain a the top of other peoples's sites.
>
> Their frameset contains just two frames, the top one with their  
> branding/navigation page from the same domain, and the bottom one that  
> contains the external site.
>
> Is it possible to use the DOM to allow my own Javascript to rewrite the  
> contents of their frame or is this out of the question due to XSS  
> protection? Is there any way to achieve this or am I limited to changing  
> location.href to get rid of the frameset entirely?


It is possible to detect whether or not our page is inside a frameset. If  
it is, we can show, for instance, a line on our page that indicates it's  
trapped, with a link that opens your page in a new window. We aren't  
allowed to change the top frame's location (for cross-domain protection).

However, it might be better just to inform the author of that site, that  
Microsoft's Internet Explorer 7 will block any cross-domain usage of  
frames by default. That will break their site, which will lead to them  
losing customers.

-- 
Yours,
ΩJr