From: Woody on 29 Apr 2010 10:12

Adrian C <email(a)here.invalid> wrote:

> On 29/04/2010 08:17, Woody wrote:
> > D.M. Procida <real-not-anti-spam-address(a)apple-juice.co.uk> wrote:
> >
> >> What's needed is a single "Add this person to your address book" button,
> >> that does exactly what it says.
> >
> > And that has some very robust defenses against it being possible, as it
> > is effectively a cross site scripting attack, or more a cross zone
> > scripting attack. You can't do it with javascript
> >
>
> Is this something that is doable if the javascript is running on a page
> served (or accessed as a file based web) locally? Is this an application
> intended to be hosted on an intranet?
>
> For ye could put the remote web service access in an iFrame, and add
> javascript in that outside domain to do a HTML5 postmessage to ya local
> javascript code, which would then do the address book insertion.

Even then you are crossing a zone, so it wouldn't work. Too open to
exploitation.

--
Woody

From: Adrian C on 29 Apr 2010 13:20

On 29/04/2010 15:12, Woody wrote:
> Adrian C <email(a)here.invalid> wrote:
>
>> On 29/04/2010 08:17, Woody wrote:
>>> And that has some very robust defenses against it being possible, as it
>>> is effectively a cross site scripting attack, or more a cross zone
>>> scripting attack. You can't do it with javascript
>>>
>>
>> Is this something that is doable if the javascript is running on a page
>> served (or accessed as a file based web) locally? Is this an application
>> intended to be hosted on an intranet?
>>
>> For ye could put the remote web service access in an iFrame, and add
>> javascript in that outside domain to do a HTML5 postmessage to ya local
>> javascript code, which would then do the address book insertion.
>
> Even then you are crossing a zone, so it wouldn't work. Too open to
> exploitation.
>

The technology I've mentioned does work across zones. That is the
intention.

http://dev.w3.org/html5/postmsg/
http://ejohn.org/blog/cross-window-messaging/

Works fine in current versions of Firefox, Chrome / Safari & Internet
Explorer - I use it myself.

Question is, does Ian want to locate part of his solution on an intranet?

--
Adrian C

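
Added example, not part of any post in this thread: a sketch of the receiving side of the iframe-to-local-page postMessage exchange discussed above, showing the origin, source and payload checks that keep such a handler from acting on messages from arbitrary pages. The origins, the message shape and the function names are assumptions made for illustration.

```javascript
// Sender side (the page inside the iframe) should name its recipient explicitly:
//   parent.postMessage(payload, "https://intranet.example");  // never "*"
const TRUSTED_ORIGIN = "https://directory.example"; // assumed remote origin
const ALLOWED_FIELDS = ["name", "email", "phone"];  // assumed message schema

// Parse the payload and copy only allow-listed string fields.
// Returns a clean contact object, or null if anything looks wrong.
function validateContact(data) {
  if (typeof data !== "string" || data.length > 2048) return null;
  let msg;
  try { msg = JSON.parse(data); } catch (e) { return null; }
  if (msg === null || typeof msg !== "object" || msg.type !== "add-contact") return null;
  const c = msg.contact;
  if (c === null || typeof c !== "object" || Array.isArray(c)) return null;
  const clean = {};
  for (const key of ALLOWED_FIELDS) {
    if (c[key] === undefined) continue;
    if (typeof c[key] !== "string" || c[key].length > 200) return null;
    clean[key] = c[key];
  }
  return clean.name ? clean : null; // a contact needs at least a name
}

// Build a "message" handler bound to one specific frame window.
function makeReceiver(expectedSource, onContact) {
  return function onMessage(event) {
    if (event.origin !== TRUSTED_ORIGIN) return "rejected: origin";
    if (event.source !== expectedSource) return "rejected: source";
    const contact = validateContact(event.data);
    if (!contact) return "rejected: payload";
    onContact(contact);
    return "accepted";
  };
}

// Browser wiring: window.addEventListener("message", makeReceiver(frame.contentWindow, save));
// Constructed objects stand in for MessageEvent so the sketch also runs under Node.
const frameWindow = {}; // stands in for iframe.contentWindow
const saved = [];
const receive = makeReceiver(frameWindow, (c) => saved.push(c));
const good = JSON.stringify({
  type: "add-contact",
  contact: { name: "A. Person", email: "a@example.org" }, // constructed sample
});
console.log(receive({ origin: TRUSTED_ORIGIN, source: frameWindow, data: good }));
console.log(receive({ origin: "https://other.example", source: frameWindow, data: good }));
```
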
From: Bruce Horrocks on 29 Apr 2010 14:11

On 29/04/2010 08:06, D.M. Procida wrote:
> Bruce Horrocks <07.013(a)scorecrow.com> wrote:
>
>>> The idea is that when you visit a particular page on a site you will see
>>> a record for a person. There will be a button saying "Add this person to
>>> your [Mac OS X or iPhone] address book". Click the button and something
>>> wonderful happens, after which there is a new contact record in your Mac
>>> or iPhone Address Book. As usual, it is the wonderful
>>> something that is eluding me :-)
>>
>> What if you just link to a vCard file for that person? Clicking on it
>> causes it to be downloaded and Address Book is the default app for
>> opening vCards.
>
> That's still a two-stage process - download it, then find it and open
> it.
>
> What's needed is a single "Add this person to your address book" button,
> that does exactly what it says.

If I knew how to bypass the security features built into Safari that
easily then I would save it for the next "pwn this Mac and win a prize"
competition.

--
Bruce Horrocks
Surrey
England
(bruce at scorecrow dot com)