DOCSLIB.ORG

Securing Frame Communication in Browsers

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Securing Frame Communication in Browsers Securing Frame Communication in Browsers Adam Barth Collin Jackson John C. Mitchell Stanford University Stanford University Stanford University [email protected] [email protected] [email protected] Abstract isolate frames. In more complex mashups, the integra- tor does intend to communicate with the gadgets and re- Many web sites embed third-party content in frames, re- quires secure inter-frame communication. lying on the browser’s security policy to protect them In this paper, we study the contemporary web ver- from malicious content. Frames, however, are often in- sion of a recurring problem in computer systems: isolat- sufficient isolation primitives because most browsers let ing untrusted, or partially trusted, software components framed content manipulate other frames through naviga- while providing secure inter-component communication. tion. We evaluate existing frame navigation policies and Whenever a site integrates third-party content, such as advocate a stricter policy, which we deploy in the open- an advertisement, a map, or a photo album, the site runs source browsers. In addition to preventing undesirable the risk of incorporating malicious content. Without iso- interactions, the browser’s strict isolation policy also hin- lation, malicious content can compromise the confiden- ders communication between cooperating frames. We tiality and integrity of the user’s session with the inte- analyze two techniques for inter-frame communication. grator. While the browser’s well-known “same-origin The first method, fragment identifier messaging, pro- policy” [34] restricts script running in one frame from vides confidentiality without authentication, which we manipulating content in another frame, the browser uses repair using concepts from a well-known network pro- a different policy to determine whether one frame is al- tocol. The second method, postMessage, provides lowed to navigate (change the location of) another frame. authentication, but we discover an attack that breaches Although restricting navigation is essential to providing confidentiality. We modify the postMessage API to isolation, navigation also enables one form of inter-frame provide confidentiality and see our modifications stan- communication used in mashup frameworks from lead- dardized and adopted in browser implementations. ing companies. Furthermore, we show that an attacker can use frame navigation to attack another inter-frame 1 Introduction communication mechanism, postMessage. Web sites contain content from sources of varying trust- Isolation. We examine the browser frame as an iso- worthiness. For example, many web sites contain third- lation primitive. Because frames can contain untrusted party advertising supplied by advertisement networks or content, the browser’s security policy restricts frame in- their sub-syndicates [6]. Other common aggregations teractions. Many browsers, however, insufficiently re- of third-party content include Flickr albums [12], Face- strict the ability of one frame to navigate another frame book badges [9], and personalized home pages offered to a new location. These overly permissive frame nav- by the three major web portals [15, 40, 28]. More ad- igation policies lead to a variety of attacks, which we vanced uses of third-party components include Yelp’s demonstrate against the Google AdSense login page and use of Google Maps [14] to display restaurant locations the iGoogle gadget aggregator. To prevent these attacks, and the Windows Live Contacts gadget [27]. A web we propose tightening the browser’s frame navigation site combining content from multiple sources is called a policy while maintaining compatibility with existing web mashup, with the party combining the content called the content. We have collaborated with browser vendors to integrator and integrated content called a gadget. In sim- deploy this policy in Firefox 3 and Safari 3.1. As the ple mashups, the integrator does not intend to communi- policy is already implemented in Internet Explorer 7, the cate with the gadgets and requires only that the browser policy is now deployed in the three most-used browsers. Confidentiality Authentication Network Analogue Fragment identifier channel X Public Key Encryption postMessage channel X Public Key Signatures postMessage (our proposal) X X SSL/TLS Table 1: Security properties of frame communication channels Communication. With strong isolation, frames are Organization. The remainder of the paper is organized limited in their interactions, raising the issue of how iso- as follows. Section 2 details the threat model for these at- lated frames can cooperate as part of a mashup. We tacks. Section 3 surveys existing frame navigation poli- analyze two techniques for inter-frame communication: cies and converges browsers on a secure policy. Sec- fragment identifier messaging and postMessage. The tion 4 analyzes two frame communication mechanisms, results of our analysis are summarized in Table 1. demonstrates attacks, and proposes defenses. Section 5 describes related work. Section 6 concludes. • Fragment identifier messaging uses characteristics of frame navigation to send messages between 2 Threat Model frames. As it was not designed for communica- tion, the channel has less-than-desirable security In this paper, we are concerned with securing in-browser properties: messages are confidential but senders interactions from malicious attackers. We assume an are not authenticated. To understand these prop- honest user employs a standard web browser to view con- erties, we draw an analogy between this commu- tent from an honest web site. A malicious “web attacker” nication channel and a network channel in which attempts to disrupt this interaction or steal sensitive infor- senders encrypt their messages to their recipi- mation. Typically, a web attacker places malicious con- ent’s public key. For concreteness, we examine tent (e.g., JavaScript) in the user’s browser and modifies Microsoft.Live.Channels the library [27], the state of the browser, interfering with the honest ses- which uses fragment identifier messaging to let sion. To study the browser’s security policy, which deter- the Windows Live Contacts gadget communicate mines the privileges of the attacker’s content, we define with its integrator. The protocol used by Win- the web attacker threat model below. dows Live is analogous to the Needham-Schroeder public-key protocol [29]. We discover an attack web attacker on this protocol, related to Lowe’s anomaly in the Web Attacker. A is a malicious princi- Needham-Schroeder protocol [23], in which a mali- pal who owns one or more machines on the network. In cious gadget can impersonate the integrator to the order to study the security of browsers when rendering Contacts gadget. We suggested a solution based malicious content, we assume that the browser gets and on Lowe’s improvement to the Needham-Schroeder renders content from the attacker’s web site. protocol [23], and Microsoft implemented and de- • Network Abilities. The web attacker has no spe- ployed our suggestion within days. cial network abilities. In particular, the web attacker can send and receive network messages only from • postMessage is a new browser API designed for machines under his or her control, possibly acting inter-frame communication [19]. postMessage as a client or server in network protocols of the at- is implemented in Opera, Internet Explorer 8, Fire- tacker’s choice. Typically, the web attacker uses at fox 3, and Safari. Although postMessage has least one machine as an HTTP server, which we been deployed since 2005, we demonstrate an attack refer to for simplicity as attacker.com. The on the channel’s confidentiality using frame navi- web attacker can obtain SSL certificates for do- gation. In light of this attack, the postMessage mains he or she owns; certificate authorities such channel provides authentication but lacks confiden- as instantssl.com provide such certificates for tiality, analogous to a channel in which senders free. The web attacker’s network abilities are decid- cryptographically sign their messages. To se- edly weaker than the usual network attacker consid- cure the channel, we propose a change to the ered in studies of network security because the web postMessage API. We implemented our change attacker can neither eavesdrop on messages sent to in patches for Safari and Firefox. Our proposal has other recipients nor forge messages from other net- been adopted by the HTML 5 working group, Inter- work locations. For example, a web attacker cannot net Explorer 8, Firefox 3, and Safari. act as a “man-in-the-middle.” • Interaction with Client. We assume the honest Out-of-Scope Threats. Although phishing [11, 7] can user views attacker.com in at least one browser be described informally as a “web attack,” the web window, thereby rendering the attacker’s content. attacker defined above does not attempt to fool the We make this assumption because we believe that user by choosing a confusing domain name (such as an honest user’s interaction with an honest site bankofthevvest.com) or using other social engi- should be secure even if the user separately vis- neering. In particular, we do not assume that a user its a malicious site in a different browser window. treats attacker.com as if it were a site other than We assume the web attacker is constrained by the attacker.com. The attacks presented in this paper browser’s security policy and does not employ a are “pixel-perfect” in the sense that the browser provides browser exploit to circumvent the policy. The web the user no indication whatsoever that an attack is under- attacker’s host privileges are decidedly weaker than way. The attacks do not display deceptive images over an attacker who can execute a arbitrary code on the the browser security indicators nor do they spoof the lo- user’s machine with the user’s privileges. For exam- cation bar and or the lock icon. In this paper, we do not ple, a web attacker cannot install or run a system- consider cross-site scripting attacks, in which an attacker wide key logger or botnet client.
Load more

Recommended publications
  • Webgl™ Optimizations for Mobile
    WebGL™ Optimizations for Mobile Lorenzo Dal Col Senior Software Engineer, ARM 1 Agenda 1. Introduction to WebGL™ on mobile . Rendering Pipeline . Locate the bottleneck 2. Performance analysis and debugging tools for WebGL . Generic optimization tips 3. PlayCanvas experience . WebGL Inspector 4. Use case: PlayCanvas Swooop . ARM® DS-5 Streamline . ARM Mali™ Graphics Debugger 5. Q & A 2 Bring the Power of OpenGL® ES to Mobile Browsers What is WebGL™? Why WebGL? . A cross-platform, royalty free web . It brings plug-in free 3D to the web, standard implemented right into the browser. Low-level 3D graphics API . Major browser vendors are members of . Based on OpenGL® ES 2.0 the WebGL Working Group: . A shader based API using GLSL . Apple (Safari® browser) . Mozilla (Firefox® browser) (OpenGL Shading Language) . Google (Chrome™ browser) . Opera (Opera™ browser) . Some concessions made to JavaScript™ (memory management) 3 Introduction to WebGL™ . How does it fit in a web browser? . You use JavaScript™ to control it. Your JavaScript is embedded in HTML5 and uses its Canvas element to draw on. What do you need to start creating graphics? . Obtain WebGLrenderingContext object for a given HTMLCanvasElement. It creates a drawing buffer into which the API calls are rendered. For example: var canvas = document.getElementById('canvas1'); var gl = canvas.getContext('webgl'); canvas.width = newWidth; canvas.height = newHeight; gl.viewport(0, 0, canvas.width, canvas.height); 4 WebGL™ Stack What is happening when a WebGL page is loaded . User enters URL . HTTP stack requests the HTML page Browser . Additional requests will be necessary to get Space User JavaScript™ code and other resources WebKit JavaScript Engine .
    [Show full text]
  • Chapter 10 Document Object Model and Dynamic HTML
    Chapter 10 Document Object Model and Dynamic HTML The term Dynamic HTML, often abbreviated as DHTML, refers to the technique of making Web pages dynamic by client-side scripting to manipulate the document content and presen- tation. Web pages can be made more lively, dynamic, or interactive by DHTML techniques. With DHTML you can prescribe actions triggered by browser events to make the page more lively and responsive. Such actions may alter the content and appearance of any parts of the page. The changes are fast and e±cient because they are made by the browser without having to network with any servers. Typically the client-side scripting is written in Javascript which is being standardized. Chapter 9 already introduced Javascript and basic techniques for making Web pages dynamic. Contrary to what the name may suggest, DHTML is not a markup language or a software tool. It is a technique to make dynamic Web pages via client-side programming. In the past, DHTML relies on browser/vendor speci¯c features to work. Making such pages work for all browsers requires much e®ort, testing, and unnecessarily long programs. Standardization e®orts at W3C and elsewhere are making it possible to write standard- based DHTML that work for all compliant browsers. Standard-based DHTML involves three aspects: 447 448 CHAPTER 10. DOCUMENT OBJECT MODEL AND DYNAMIC HTML Figure 10.1: DOM Compliant Browser Browser Javascript DOM API XHTML Document 1. Javascript|for cross-browser scripting (Chapter 9) 2. Cascading Style Sheets (CSS)|for style and presentation control (Chapter 6) 3. Document Object Model (DOM)|for a uniform programming interface to access and manipulate the Web page as a document When these three aspects are combined, you get the ability to program changes in Web pages in reaction to user or browser generated events, and therefore to make HTML pages more dynamic.
    [Show full text]
  • Webgl: the Standard, the Practice and the Opportunity Web3d Conference August 2012
    WebGL: The Standard, the Practice and the Opportunity Web3D Conference August 2012 © Copyright Khronos Group 2012 | Page 1 Agenda and Speakers • 3D on the Web and the Khronos Ecosystem - Neil Trevett, NVIDIA and Khronos Group President • Hands On With WebGL - Ken Russell, Google and WebGL Working Group Chair © Copyright Khronos Group 2012 | Page 2 Khronos Connects Software to Silicon • Khronos APIs define processor acceleration capabilities - Graphics, video, audio, compute, vision and sensor processing APIs developed today define the functionality of platforms and devices tomorrow © Copyright Khronos Group 2012 | Page 3 APIs BY the Industry FOR the Industry • Khronos standards have strong industry momentum - 100s of man years invested by industry leading experts - Shipping on billions of devices and multiple operating systems • Khronos is OPEN for any company to join and participate - Standards are truly open – one company, one vote - Solid legal and Intellectual Property framework for industry cooperation - Khronos membership fees to cover expenses • Khronos APIs define core device acceleration functionality - Low-level “Foundation” functionality needed on every platform - Rigorous conformance tests for cross-vendor consistency • They are FREE - Members agree to not request royalties Silicon Software © Copyright Khronos Group 2012 | Page 4 Apple Over 100 members – any company worldwide is welcome to join Board of Promoters © Copyright Khronos Group 2012 | Page 5 API Standards Evolution WEB INTEROP, VISION MOBILE AND SENSORS DESKTOP OpenVL New API technology first evolves on high- Mobile is the new platform for Apps embrace mobility’s end platforms apps innovation. Mobile unique strengths and need Diverse platforms – mobile, TV, APIs unlock hardware and complex, interoperating APIs embedded – mean HTML5 will conserve battery life with rich sensory inputs become increasingly important e.g.
    [Show full text]
  • Khronos Open API Standards for Mobile Graphics, Compute And
    Open API Standards for Mobile Graphics, Compute and Vision Processing GTC, March 2014 Neil Trevett Vice President Mobile Ecosystem, NVIDIA President Khronos © Copyright Khronos Group 2014 - Page 1 Khronos Connects Software to Silicon Open Consortium creating ROYALTY-FREE, OPEN STANDARD APIs for hardware acceleration Defining the roadmap for low-level silicon interfaces needed on every platform Graphics, compute, rich media, vision, sensor and camera processing Rigorous specifications AND conformance tests for cross- vendor portability Acceleration APIs BY the Industry FOR the Industry Well over a BILLION people use Khronos APIs Every Day… © Copyright Khronos Group 2014 - Page 2 Khronos Standards 3D Asset Handling - 3D authoring asset interchange - 3D asset transmission format with compression Visual Computing - 3D Graphics - Heterogeneous Parallel Computing Over 100 companies defining royalty-free APIs to connect software to silicon Camera Control API Acceleration in HTML5 - 3D in browser – no Plug-in - Heterogeneous computing for JavaScript Sensor Processing - Vision Acceleration - Camera Control - Sensor Fusion © Copyright Khronos Group 2014 - Page 3 The OpenGL Family OpenGL 4.4 is the industry’s most advanced 3D API Cross platform – Windows, Linux, Mac, Android Foundation for productivity apps Target for AAA engines and games The most pervasively available 3D API – 1.6 Billion devices and counting Almost every mobile and embedded device – inc. Android, iOS Bringing proven desktop functionality to mobile JavaScript binding to OpenGL
    [Show full text]
  • 01 Creation of HTML Pages with Frames, Links, Tables and Other Tags Date
    www.vidyarthiplus.com Ex. No. : 01 Creation of HTML pages with frames, links, tables and other tags Date : AIM: To create a simple webpage using HTML that includes all tags. ALGORITHM: 1. Write a HTML program in the notepad with the tags such as A. FRAMES With frames, you can display more than one HTML document in the same browser window. Each HTML document is called a frame, and each frame is independent of the others. The Frameset Tag The <frameset> tag defines how to divide the window into frames. The Frame Tag The <frame> tag defines what HTML document to put into each frame. Example: <frameset cols="25%, 75 %"> <frame src="frame_a.htm"> <frame src="frame_b.htm"> </frameset> Tags and their Description: <frameset> Defines a set of frames <frame> Defines a sub window (a frame) www.vidyarthiplus.com www.vidyarthiplus.com B. LINKS A hyperlink is a reference (an address) to a resource on the web. Example: <a href="http://www.w3schools.com/">Visit W3Schools!</a> The href Attribute The href attribute defines the link "address". The target Attribute The target attribute defines where the linked document will be opened. Tag and its Description: <a> Defines an anchor C. TABLES Tables are defined with the <table> tag. A table is divided into rows (with the <tr> tag), and each row is divided into data cells (with the <td> tag). The letters td stands for "table data," which is the content of a data cell. Example: <table border="1"> <tr> <td>Row 1, cell 1</td> <td>Row 1, cell 2</td> </tr> </table> Tags and their Description: <Table> Defines a table <th> Defines a table header <tr> Defines a table row <td> Defines a table cell 2.
    [Show full text]
  • 23-Introduction-To-CSS.Pdf
    Introduction to CSS Jerry Cain CS 106AX November 13, 2019 Introducing CSS • Recall that there are three technologies that are typically employed when implementing interactive web pages. – HTML: which dictates the structure and content of a web page – JavaScript: which implements animations and user interactivity and otherwise control the behavior of the elements – CSS: short for Cascading Style Sheets, controls layout, formatting, and presentation • Any nontrivial web application will require a large amount of HTML, CSS, and JavaScript. – As web applications grow in complexity, it’s important to decouple the HTML, CSS, and JavaScript as much as possible that that changes to an HTML document never break a CSS rule or compromise the execution of JavaScript event handler. – Web applications that successfully separate content, presentation, and interactivity are easier to modify and maintain. CSS Declarations • Web designers control the presentation of a page using one or more CSS declarations, each of which is structured like this: property-name: property-value; • The property name is one of several CSS keywords (567 according to https://www.w3.org) that identify some detail related to presentation. • The set of possible property values depends on the name. – background-color can take on any legal JavaScript or CSS color, e.g. green, rgb(85, 172, 238), or #E98725. – text-align governs the horizontal alignment of text and can be set to left, right, center, or justify. – display controls how an element is displayed and can be bound to inline,
    [Show full text]
  • Document Object Model †DOM‡ Level 1 Specification
    Document Object Model (DOM) Level 1 Specification REC-DOM-Level-1-19981001 Document Object Model (DOM) Level 1 Specification Version 1.0 W3C Recommendation 1 October, 1998 This version http://www.w3.org/TR/1998/REC-DOM-Level-1-19981001 http://www.w3.org/TR/1998/REC-DOM-Level-1-19981001/DOM.ps http://www.w3.org/TR/1998/REC-DOM-Level-1-19981001/DOM.pdf http://www.w3.org/TR/1998/REC-DOM-Level-1-19981001/DOM.tgz http://www.w3.org/TR/1998/REC-DOM-Level-1-19981001/DOM.zip http://www.w3.org/TR/1998/REC-DOM-Level-1-19981001/DOM.txt Latest version http://www.w3.org/TR/REC-DOM-Level-1 Previous versions http://www.w3.org/TR/1998/PR-DOM-Level-1-19980818 http://www.w3.org/TR/1998/WD-DOM-19980720 http://www.w3.org/TR/1998/WD-DOM-19980416 http://www.w3.org/TR/WD-DOM-19980318 http://www.w3.org/TR/WD-DOM-971209 http://www.w3.org/TR/WD-DOM-971009 WG Chair Lauren Wood, SoftQuad, Inc. Editors Vidur Apparao, Netscape Steve Byrne, Sun Mike Champion, ArborText Scott Isaacs, Microsoft Ian Jacobs, W3C Arnaud Le Hors, W3C Gavin Nicol, Inso EPS Jonathan Robie, Texcel Research Robert Sutor, IBM Chris Wilson, Microsoft Lauren Wood, SoftQuad, Inc. Principal Contributors Vidur Apparao, Netscape Steve Byrne, Sun (until November 1997) Mike Champion, ArborText, Inc. 1 Status of this document Scott Isaacs, Microsoft (until January, 1998) Arnaud Le Hors, W3C Gavin Nicol, Inso EPS Jonathan Robie, Texcel Research Peter Sharpe, SoftQuad, Inc. Bill Smith, Sun (after November 1997) Jared Sorensen, Novell Robert Sutor, IBM Ray Whitmer, iMall Chris Wilson, Microsoft (after January, 1998) Status of this document This document has been reviewed by W3C Members and other interested parties and has been endorsed by the Director as a W3C Recommendation.
    [Show full text]
  • HTML 4.0 Specification
    HTML 4.0 Specification REC-html40-19980424 HTML 4.0 Specification W3C Recommendation, revised on 24-Apr-1998 This version: http://www.w3.org/TR/1998/REC-html40-19980424 Latest version: http://www.w3.org/TR/REC-html40 Previous version: http://www.w3.org/TR/REC-html40-971218 Editors: Dave Raggett <[email protected]> Arnaud Le Hors <[email protected]> Ian Jacobs <[email protected]> Abstract This specification defines the HyperText Markup Language (HTML), version 4.0, the publishing language of the World Wide Web. In addition to the text, multimedia, and hyperlink features of the previous versions of HTML, HTML 4.0 supports more multimedia options, scripting languages, style sheets, better printing facilities, and documents that are more accessible to users with disabilities. HTML 4.0 also takes great strides towards the internationalization of documents, with the goal of making the Web truly World Wide. HTML 4.0 is an SGML application conforming to International Standard ISO 8879 -- Standard Generalized Markup Language [ISO8879] [p.327] . Status of this document This document has been reviewed by W3C Members and other interested parties and has been endorsed by the Director as a W3C Recommendation. It is a stable document and may be used as reference material or cited as a normative reference from another document. W3C’s role in making the Recommendation is to draw attention to the specification and to promote its widespread deployment. This enhances the functionality and interoperability of the Web. W3C recommends that user agents and authors (and in particular, authoring tools) produce HTML 4.0 documents rather than HTML 3.2 documents (see [HTML32] [p.329] ).
    [Show full text]
  • Document Object Model †DOM‡ Level 2 HTML Specification
    Document Object Model (DOM) Level 2 HTML Specification Document Object Model (DOM) Level 2 HTML Specification Version 1.0 W3C Candidate Recommendation 07 October 2002 This version: http://www.w3.org/TR/2002/CR-DOM-Level-2-HTML-20021007 Latest version: http://www.w3.org/TR/DOM-Level-2-HTML Previous version: http://www.w3.org/TR/2002/CR-DOM-Level-2-HTML-20020605 Editors: Johnny Stenback, Netscape Philippe Le Hégaret, W3C Arnaud Le Hors, W3C and IBM (until November 2000) This document is also available in these non-normative formats: XML fileplain text, PostScript file, PDF file, single HTML file, and ZIP file. Copyright ©2002 W3C ® (MIT, INRIA, Keio), All Rights Reserved. W3C liability, trademark, document use and software licensing rules apply. Abstract This specification defines the Document Object Model Level 2 HTML, a platform- and language-neutral interface that allows programs and scripts to dynamically access and update the content and structure of [HTML 4.01] and [XHTML 1.0] documents. The Document Object Model Level 2 HTML builds on the Document Object Model Level 2 Core [DOM Level 2 Core] and is not backward compatible with DOM Level 1 HTML [DOM Level 1]. Status of this document This section describes the status of this document at the time of its publication. Other documents may supersede this document. The latest status of this document series is maintained at the W3C. 1 Table of contents This is the 07 October 2002 W3C Candidate Recommendation of "DOM Level 2 HTML". This version updates the 5 June 2002 version based on the feedback from the implementers and the results of the DOM Level 2 HTML Test Suite.
    [Show full text]
  • How to Setup Petpoint's Adoptable Search I-Frame
    HOW TO SETUP PETPOINT’S ADOPTABLE SEARCH I-FRAME PetPoint | v.20101227 INTRODUCTION PetPoint’s Adoptable Search I-frame provides live adoptable pet data to your website, giving the world information about pets that are available in your shelter or rescue. Because it’s real-time, your website will be instantly updated when changes are made in PetPoint, such as when a pet is adopted. This document describes in detail the steps for adding PetPoint’s Adoptable Search I-frame to your website, including customization options. It additionally describes how to setup and update records in PetPoint so they are displayed in the I-frame. You will need to be able to edit the actual HTML code of pages on your website – either via your website provider’s Administrative utilities (ex. Convio’s PageBuilder) or by editing the files locally in a software application such as Dreamweaver and posting them to your site. Adding the Adoptable Search I-frame should only take a matter of minutes to complete – the process is very similar to adding a ShelterCare Bowl of Food Plus Program Banner Ad to your organization’s website. Should you have any questions on deploying PetPoint’s Adoptable Search I-frame after reviewing this document, please contact us at 866-630-7387 x400 or [email protected]. How to Setup PetPoint’s Adoptable Search I-frame v. 20101227 Page 2 of 15 TESTING YOUR CSS AND GENERATING YOUR SOURCE CODE You can now easily generate the Adoptable Search code using the Test page found here: http://www.petango.com/webservices/testAdoptableSearch.htm This page is also a good way to experiment with parameters and test your CSS files.
    [Show full text]
  • XHTML Frames
    IT350 Web and Internet Programming Fall 2006 SlideSet #5: Frames & SSI (from Chapter 5 & 26 of the text) Adapted from 2004 Prentice Hall, Inc. All rights reserved. Frames Example Adapted from 2004 Prentice Hall, Inc. All rights reserved. 1 Benefits of Frames Adapted from 2004 Prentice Hall, Inc. All rights reserved. Problems with Frames Result: XHTML 1.1 does not support frames Adapted from 2004 Prentice Hall, Inc. All rights reserved. 2 Making Pages with Frames • Two kinds of pages 1. “Frameset” page: A page with a <frameset> (usually the index.html page) DTD: must use “XHTML 1.0 Frameset” 2. “Content” page DTD: must use “XHTML 1.0 Transitional” Adapted from 2004 Prentice Hall, Inc. All rights reserved. “Frameset” page <?xml version = "1.0"?> index.html <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd"> <html xmlns = "http://www.w3.org/1999/xhtml"> <head> <title>Internet and WWW How to Program - Main</title> </head> <!-- the <frameset> tag sets the frame dimensions --> <frameset cols = "110,*"> <!-- frame elements specify which pages --> <!-- are loaded into a given frame --> <frame name = "leftframe" src = "nav.html" /> <frame name = "main" src = "main.html" /> <noframes> <body> <p>This page uses frames, but your br /owser does not support them.</p> <p>Please, <a href = "nav.html">follow this link to br /owse our site without frames</a>.</p> </body> </noframes> </frameset> </html> 3 Content page 1 <?xml version = "1.0"?> 2 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" nav.html 3 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> (1 of 2) 4 5 <!-- Fig.
    [Show full text]
  • UNIT II Frames
    UNIT II Frames : Introduction Frames divide a single browser window into multiple, independent regions, each of which can display a different HTML document. You begin by created FRAMESET document, which sets up the "layout" by establishing the number of frames, their position and other characteristics. This frameset document is structural only and does not contain any of the content that will appear on the final web page. It does however, specify a URL reference for each frame, which will be the HTML document, or "normal" web page that will be displayed within it. Hyperlinks in one frame can update the contents of another frame through the use of the TARGET attribute. Frames are controversial, however. Like many other web elements, such as background graphics, animations, and font colors, they can be poorly handled and often irritating, so give it some careful thought before you use them. Advantages of Frames 1. They allow parts of the screen to remain static while other parts scroll. This can be useful for navigation menus or logos that you don't want to scroll off the screen. 2. They can be handy when you want the user to be able to view a number of images chosen from a long list. 2. You can introduce material from different servers on the same page, simply by assigning the appropriate URL's. Disadvantages of Frames 1. Navigating through a framed site can be challenging for many users, as the forward and back buttons do not work as expected. 2. Bookmarking a framed site is difficult, as only the top level document is noted.
    [Show full text]