
TinyMCE breaks Javascript Insert from Lookup Popup Window


For anyone looking into using TinyMCE in a VF page: it breaks the Salesforce functionality for lookup fields to paste a selected value from the lookup popup window.

More specifically, this is the function that runs when you click the magnifying glass next to a lookup inputField: it launches a popup from which you can search and select a record. If the TinyMCE script is loaded I get this error logged in Firebug:

Permission denied to get property Window.lookupPick

function onclick(event) {
  top.window.opener.lookupPick2("thePage:theForm", "thePage:theForm:mainBlock:theSection:j_id46_lkid", "thePage:theForm:mainBlock:theSection:j_id46", "0037000000c2L04", "John Doe", "cas4", "Acme products", "cas4_lkid", "0017000000Sxxxx", false);

I wonder if this isn't related to the single origin security policy. Do you have any frames or scripts loading from somewhere other than the Salesforce server?

Yea I do actually. Is there documentation somewhere on that policy? I haven't noticed anything written about it anywhere and I've had a lot of funky behavior from scripts that I'm running from an external server.


It's a browser thing, not salesforce specific.

"Simply stated, the SOP states that JavaScript code running on a web page may not interact with any resource not originating from the same web site.  The reason this security policy exists is to prevent malicious web coders from creating pages that steal web users' information or compromise their privacy.  While very necessary, this policy also has the side effect of making web developers' lives difficult."

It could be that you have some JavaScript loading from an external server that is doing something behind the scenes like creating hidden iframes and attempting cross-frame scripting.  Wouldn't surprise me if TinyMCE is doing this since it's pretty advanced.

Edit: Looking at the error message again, "top.window.opener..." indicates cross-frame/window activity. Can you host your TinyMCE files in Salesforce? Perhaps as documents?


Message Edited by jeremy_ross on 10-22-2008 03:05 PM

Hosting TinyMCE in Salesforce is the right direction; using Documents is not the right solution, though. This is the very thing we created Static Resources for - a very powerful feature that allows you to basically host your own web root(s) in Salesforce metadata by allowing you to use a ZIP or JAR as if it were a virtual file system. This means you can upload the TinyMCE library intact and it will maintain its own integrity.

See this recent post for an example of using another 3rd party library to see what I mean.
One important thing to note is that statement is often misinterpreted - the same origin policy does not mean that external scripts loaded from a different domain do not have access to the location they have been pulled into. If you add <script src="some external site"> into a page the script you pulled in will have full access to where it is running but it will not be able to call back to its source server.

Libraries like Ext.js, for example, work perfectly fine when referenced from an external server (including Ext's own demo servers), but it is usually better, just from a versioning and robustness perspective, to host your own copy just like you would typically do in a non-PaaS deployment.

Message Edited by dchasman on 10-23-2008 08:02 AM
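
The origin comparison discussed in this thread, as an added example that is not part of any post above: it reports which origin component (scheme, host or port) makes a popup's access to `window.opener` fail, and shows that an included script runs with the including page's origin. The function names and all `example.com` / `example.net` URLs are constructed for illustration.

```javascript
// Added example, not from the thread. All URLs are constructed placeholders.

// An origin is scheme + host + port; default ports are filled in explicitly.
function originParts(url) {
  const u = new URL(url);
  const defaultPort = { "http:": "80", "https:": "443" }[u.protocol] || "";
  return { scheme: u.protocol, host: u.hostname, port: u.port || defaultPort };
}

// Returns the origin components that differ between two documents.
// An empty list means same origin: the popup may then read properties such as
// window.opener.lookupPick2. Any difference yields a "Permission denied" error.
function originMismatch(popupUrl, openerUrl) {
  const a = originParts(popupUrl);
  const b = originParts(openerUrl);
  return ["scheme", "host", "port"].filter((k) => a[k] !== b[k]);
}

function canScriptOpener(popupUrl, openerUrl) {
  return originMismatch(popupUrl, openerUrl).length === 0;
}

// A <script src="..."> executes with the origin of the page that included it,
// regardless of which server the file was downloaded from.
function executionOrigin(pageUrl, scriptSrc) {
  new URL(scriptSrc, pageUrl); // throws on a malformed src
  return new URL(pageUrl).origin;
}

// Constructed cases: [popup document, opener document]
const cases = [
  ["https://app.example.com/lookup", "https://app.example.com/page"],
  ["https://app.example.com/lookup", "https://pages.example.com/page"],
  ["http://app.example.com/lookup", "https://app.example.com/page"],
  ["https://app.example.com:8443/lookup", "https://app.example.com/page"],
];

function report() {
  return cases.map(([popupUrl, openerUrl]) => {
    const diff = originMismatch(popupUrl, openerUrl);
    return diff.length ? `blocked (${diff.join(", ")} differ)` : "allowed";
  });
}

console.log(report());
```

When debugging a "Permission denied" error like the one in the first post, compare `location.href` of the popup and of the opener with `originMismatch` to see which component differs.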