Commit
* Make x-domain safe frame example work out of the box

* Nest in <script> tags

* Use garden-variety JS

* Dynamically parse host domain

* Use https for ad server

* Replace doc.write in x-domain safe frame code, so IE works

  IE was throwing `SEC7111: HTTPS security is compromised by (null)`

  Other approaches to writing the HTML out would be to use innerHTML, but see
  https://stackoverflow.com/questions/1197575/can-scripts-be-inserted-with-innerhtml

  One of the suggestions there led to
  http://krasimirtsonev.com/blog/article/Convert-HTML-string-to-DOM-element
  but that assumes the HTML is all under a single element (doesn't work with
  <p>..</p><p>..</p>) and also moves DOM elements around, which might cause
  <script> tags to not find nearby elements properly.

  So settled on creating a new iframe, and leaving it rather than moving its
  contents up into the current frame.

* Verify event "message" type, and event origin, as recommended by
  https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage#Security_concerns

* Ensure an incorrect ad can never be accidentally or maliciously rendered

* IE includes :443 in .host even though it shouldn't, so use hostname instead
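Added example, not code from this commit: one way a `message` listener can apply the three checks the commit message lists (event type, sender origin compared by hostname rather than `.host`, and ad identity) before anything is rendered. The ad server URL, the JSON payload shape (`adId`, `ad`) and all function names are assumptions made for illustration.

```javascript
// Hypothetical names and a constructed placeholder URL; not taken from the commit.
const AD_SERVER_URL = "https://ads.example.com/serve";

// Compare scheme, hostname and effective port instead of raw .host strings:
// a browser that reports "ads.example.com:443" must still match, while
// "http://" or a look-alike hostname must not.
function sameHttpsHost(origin, expectedUrl) {
  let got, want;
  try {
    got = new URL(origin);
    want = new URL(expectedUrl);
  } catch (e) {
    return false; // opaque "null" origins and malformed values do not parse
  }
  const port = (u) => u.port || "443"; // empty port means the https default
  return got.protocol === "https:" && want.protocol === "https:" &&
         got.hostname === want.hostname && port(got) === port(want);
}

// Returns a listener suitable for window.addEventListener("message", ...).
// It calls render(adMarkup) only when every check passes and reports the
// decision as a boolean so it can be logged or tested.
function makeAdMessageHandler(expectedUrl, expectedAdId, render) {
  return function onMessage(event) {
    if (!event || event.type !== "message") return false;       // event type
    if (!sameHttpsHost(event.origin, expectedUrl)) return false; // sender
    let msg = null;
    try {
      if (typeof event.data === "string") msg = JSON.parse(event.data);
    } catch (e) {
      return false; // not the JSON envelope this example assumes
    }
    if (!msg || typeof msg !== "object") return false;
    // Ad identity: only the creative requested for this slot is accepted.
    if (msg.adId !== expectedAdId || typeof msg.ad !== "string") return false;
    render(msg.ad);
    return true;
  };
}
```
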