I'm trying to access to the URL of the parent window from an iFrame but I got an error on my server:
Unsafe JavaScript attempt to access frame with URL
http://www.domain.com/folder/ from frame with URL
http://www.domain.com/folder/file.html. The frame being accessed set
'document.domain' to 'domain.com', but the frame requesting access did
not. Both must set 'document.domain' to the same value to allow
access.
I'm in the same domain so I don't understand why I get this error.
For your information everything works good in localhost.
Thanks for your help.
OK I found the solution.
I put this code and that works:
document.domain = 'domain.com';
Related
Here is my code
tl2010handle = window.open("/path/main.html", 'tl2010', 'statusbar=no,toolbar=no,scrollbars=no,locationbar=no,setResizable=no,width=840,height=600');
setTimeout(function() {console.log(tl2010handle.window.location.href)}, 2000);
If I load my page as https://ec2b.foo.com/console/login2020.jsp
I get DOMException: Blocked a frame with origin "https://ec2b.foo.com" from accessing a cross-origin frame.
If I add an entry 143.67.75.100 ec2b to /etc/hosts, and then load my page as https://ec2b/console/login2020.jsp it works and my console logs the href.
The mystery is that I am opening the window with a URL that does not specify an origin, so I don't understand how Chrome can complain that my request is cross-origin.
The code only exists on one server so there is no possibility that ec2b and ec2b.foo.com are different. Also confirmed with dig.
I've tried this in both Chrome and Firefox with the same result, albeit that in the case of Firefox, the tl2010handle variable is unset in the first case, and set in the second case.
The mystery is that I am opening the window with a URL that does not
specify an origin
You have a misconception about the Origin request header. The Origin is sent by the browser under these circumstances... in case of JavaScripts, the origin is inherited from the page that executes the script. The error message that you are getting indicates that your origin is set to: “https://ec2b.foo.com”
The code only exists on one server so there is no possibility that
ec2b and ec2b.foo.com are different.
Note that same-origin does not mean same-ip. It means the protocol:host:port tuple should be exactly the same, which means foo.com, ec2b.foo.com and www.foo.com are all different origins (even though they all point to the same IP).
The error message indicates that your JavaScript's origin is set to:
“https://ec2b.foo.com”... now in your JavaScript file, you open a new browser window, by running the following:
window.open("/path/main.html", ....); // <-- open a new browser window
You have not mentioned what is the URL that you see in this new window (I suspect it's "https://ec2b/path/main.html")... but it is certainly not “https://ec2b.foo.com”, that's why when you try to access the location.href of this new window, you are getting blocked because it's a Cross-Origin request.
According to MDN: Window.Open() returns a Window object, representing the newly created window:
The returned reference can be used to access properties and methods of
the new window as long as it complies with Same-origin policy security
requirements.
You can also try running the following script to find out the origin of your JavaScript file:
tl2010handle = window.open("/path/main.html", 'tl2010', 'statusbar=no,toolbar=no,scrollbars=no,locationbar=no,setResizable=no,width=840,height=600');
console.log(tl2010handle.origin); // <-- origin of your script file
/*
* if you compare: tl2010handle.origin with the url display in tl2010handle window
* it should clarify why you are having a cross-origin request.
*/
I'm getting this error :
Uncaught SecurityError: Blocked a frame with origin "https://lss-servicedesk.techteam.com"
from accessing a frame with origin "http://mydomain.com".
The frame requesting access has a protocol of "https", the frame being accessed has a protocol of "http".
Protocols must match.
<FORM ACTION=https://lss-servicedesk.techteam.com/CAisd/pdmweb.exe METHOD=POST onsubmit="return checkform(this);">
Is there any way to get around this problem ? thanks in advance...
You're getting 2 errors here. The first one is a cross-domain problem, and you won't be able to fix that. It is impossible for your site to access the loaded iframe's site at all. Otherwise, the browser would be really insecure, allowing one site to very easily get the user's settings on another site by just loading an iframe. So, you can't change anything within the iframe. The only thing you can do to the iframe's contents is iframeElement.src = '//otherurl.com'; - changing the source url of the iframe.
To fix the second problem, you can do the following: Instead of using http:// or https:// in the url you're defining in your scripts or forms, you can just use //. That will automatically 'fill in' the same protocol as the one you're using now. So, if you're on http:// at the moment, it'll load the iframe in http:// too, and vice versa.
I had the same issue with two different domains going to my webserver. Both of them had DNS settings set to redirect domain.com (without www) to http://www.domain.com. The one domain had issues similar to yours but it turned out that it was due to a DNS error where we had set FRAME to yes. After settings FRAME to no, it solved both issues (frame error and http/https error). It is a little thing but it caused the exact same error so just wanted to mention it as another possibility for anybody else who should stumble across this thread.
I have a page that has an iframe which loads html template from amazon aws s3 bucket. In the iframe, I want to take the link of the parent window, then add some parameters.
E.g: My parent window has the link http://xx.xx.x.xxx:8088 . I want to take this url, apprend "#abc/edf" and redirect to that page. But I cannot because my iFrame has url https://bucketName.s3.amazonaws.com
The error I get is
Uncaught SecurityError: Blocked a frame with origin "https://bucketName.s3.amazonaws.com" from accessing a frame with origin "http://xx.xx.x.xxx:8088". The frame requesting access has a protocol of "https", the frame being accessed has a protocol of "http". Protocols must match.
The javascript I used to redirect to another page from within an iFrame
function navigateTo(e){
var destination = e.data.destination;
var url = window.parent.location.host;
window.parent.location.href = url+destination;
}
$("#button").click({destination: "/#abc/edf"}, navigateTo);
html
<div id="button">Redirect to another page</div>
I cannot use absolute path for a reason. The parent window link will change somehow. I think the best solution is to take the parent url and append the parameters that I want. How can I make this happen without getting the security error?
Short answer is "you can't."
Browser security model precludes cross-domain and cross-protocol scripting from the client side. Your embedded iframe under the https protocol is not allowed to access (not even read) its parent's non-https context.
To do what you want, both contexts must agree on both domain of origin and protocol in order to interact on the client side.
Despite of the fact that I have seen many articles (including in stackoverflow) demonstrating up how to bypass javascript's same origin policy assigning document.domain property, its not working. I also read in W3C specs that document.domain property is read-only and not all browsers accept setting it and I think that is the cause I can't get that working!
I have a page (domain d1.y.com.br) and I need to invoke a button in an embedded iframe's page (domain d2.x.com.br). I'm setting the parent document.domain attribute to subdomain 'x.com.br' but I'm still receiving the 'access denied' error message in firebug console.
I have also read about JSONP but its not the case here. I really need to interact with iframe's DOM and not only get data from there (using proxy service).
Does really exist any way to bypass same origin policy to interact with the iframe's DOM ???
The proper way to send data between iframes (especially across domains) is using postMessage(). https://developer.mozilla.org/en-US/docs/Web/API/window.postMessage
That effectively "bypasses" the problem by having the recipient of the message verify that the caller has the correct domain - based on whatever rules it wants.
I have a javascript script that is being run from within an iframe that is trying to access the parent but I'm getting the following error:
Unsafe JavaScript attempt to access frame with URL mysite.com from frame with URL myothersite.com?. Domains, protocols and ports must match.
The iframe html is on a different domain but I didn't think that would matter. This is the code that is generating the JS error:
var parent_site = parent.document;
Is there a way around this?
If the parent domain is a trailing part of the iframe domain (i.e., iframe is child.parent.com and parent is parent.com) you can set the domain of the iframe document with document.domain = "parent.com" and avoid the problem.
If the domains of the parent and the iframe are unrelated there is no way to work around it.
Do some research on CORS (Cross-origin resource sharing): http://www.w3.org/TR/cors/
You essentially need to add this to your .htaccess of the parent domain:
Header set Access-Control-Allow-Origin *
Header set Access-Control-Allow-Headers x-requested-with
Ideally you'd replace the * with the domain(s) for which you want to allow access.