• Register
0 votes
2.3k views

Problem :

Uncaught domexception: blocked a frame with origin from accessing a cross-origin frame:I am trying to load the <iframe> in my HTML page and want to access the elements within it using the Javascript, however when I want to execute my code, I face the below error:

SecurityError: Blocked a frame with origin "http://www.<domain>.com" from accessing a cross-origin frame.

Can anyone help me to find the solution so that I can try to access the elements in the iframe?

I am using following code for testing but it is not working:

$(document).ready(function() {
var my iframeWindow = document.getElementById("my-iframe-id").contentWindow;
my iframeWindow.addEventListener("load", function() {
var mydoc = iframe.contentDocument || iframe.contentWindow.document;
var mytarget = mydoc.getElementById("my-target-id");
mytarget.innerHTML = "Found it!";
    });
});
6 5 3
7,540 points

Please log in or register to answer this question.

2 Answers

0 votes

Solution :

The same-origin policy:

Because of same-origin policy you can not access the <iframe> with the different origin using JavaScript, it will be the huge security flaw if anybody could do it. For the same-origin policy browsers do block scripts which are trying to access the iframe with a different origin.

The origin can be considered as different if at least one of the below parts of the address is not maintained:

<protocol>://<hostname>:<port>/path/to/page.html 

If you want to access a frame then your Protocolhostname and port must be the same for your domain,

Even if the same-origin policy is blocking your scripts from accessing the content of your sites with a different origin but if you own both the pages then you can work around this problem using window.postMessage and it is relative message event to send the messages between your two pages,

9 7 4
38,600 points
0 votes

Solution:

Same-origin policy

You can't access an <iframe> with different origin employing JavaScript, it would be a huge security flaw in case you could do it. For the same-origin policy browsers block scripts attempting to access a frame with a different origin.

Origin is considered different in case at least one of the following parts of the address isn't maintained:

<protocol>://<hostname>:<port>/...

Protocol, hostname and port should be the similar of your domain, in case you want to access a frame.

Examples

Here's what would occur attempting to access the following URLs from

http://www.example.com/home/index.html

URL                                             RESULT 
http://www.example.com/home/other.html       -> Success 
http://www.example.com/dir/inner/another.php -> Success 
http://www.example.com:80                    -> Success (default port for HTTP) 
http://www.example.com:2251                  -> Failure: different port 
http://data.example.com/dir/other.html       -> Failure: different hostname 
https://www.example.com/home/index.html:80   -> Failure: different protocol
ftp://www.example.com:21                     -> Failure: different protocol & port 
https://google.com/search?q=james+bond       -> Failure: different protocol, port & hostname 

Workaround

Even though same-origin policy blocks scripts from accessing the content of sites with a different origin, in case you own both the pages, you can perform around this problem employing window.postMessage and its relative message event to send messages between the two pages, like this:

In your main page:

let frame = document.getElementById('your-frame-id');
frame.contentWindow.postMessage(/*any variable or object here*/, 'http://your-second-site.com');

The second argument to postMessage() can be '*' to indicate no preference regarding the origin of the destination. A target origin must always be provided when possible, to fudge disclosing the data you send to any other site.

In your <iframe> (contained in the main page):

window.addEventListener('message', event => {
    // IMPORTANT: check the origin of the data! 
    if (event.origin.startsWith('http://your-first-site.com')) { 
        // The data was sent from your site.
        // Data sent with postMessage is stored in event.data:
        console.log(event.data); 
    } else {
        // The data was NOT sent from your site! 
        // Be careful! Do not use it. This else branch is
        // here just for clarity, you usually shouldn't need it.
        return; 
    } 
}); 

This method can be employed in both directions, making a listener in the main page too, and taking responses from the frame. The similar logic can also be executed in pop-ups and originally any new window produced by the main page (for examle employing window.open()) as well, without any difference.

Disabling same-origin policy in your browser

There meanwhile are some good answers regarding this topic. Hence, for the browsers where this is possible, I'll link the comparative answer. But, please remember that disabling the same-origin policy will just affect your browser. Further, running a browser with same-origin security settings disabled grants any website access to cross-origin resources, hence it's very unsafe and must NEVER be done in case you do not know accurately what you are doing (for example development purposes).

In your main page:

var frame = document.getElementById('your-frame-id'); 

frame.contentWindow.postMessage(/*any variable or object here*/, '*'); 

In your <iframe> (contained in the main page):

window.addEventListener('message', function(event) { 

    // IMPORTANT: Check the origin of the data! 
    if (~event.origin.indexOf('http://yoursite.com')) { 
        // The data has been sent from your site 

        // The data sent with postMessage is stored in event.data 
        console.log(event.data); 
    } else { 
        // The data hasn't been sent from your site! 
        // Be careful! Do not use it. 
        return; 
    } 
}); 

 

10 6 4
31,120 points

Related questions

0 votes
1 answer 8 views
8 views
Problem: I face this error: Uncaught domexception: blocked a frame with origin from accessing a cross-origin frame .
asked Mar 13 Wafa Abu Yousef 6.1k points
0 votes
1 answer 29 views
29 views
Problem: uncaught domexception: blocked a frame with origin "null" from accessing a cross-origin frame.
asked Feb 23 Muneeb Saadii 127k points
1 vote
1 answer 33 views
33 views
Problem: I'm new to Javascript and am learning the basics via a textbook that focuses on its applications in IE 7+ and Firefox 2+. However, I am using Chrome and am getting the following error when running the program given in the book: "blocked a frame of origin ' ... tell me what is causing the error and how I can fix it? blocked a frame with origin "null" from accessing a cross-origin frame.
asked Feb 23 Sofia Castro 4.2k points
0 votes
1 answer 106 views
106 views
Problem : I am getting following error cross-origin request blocked: the same origin policy disallows reading the remote resource at
asked Nov 15, 2019 peterlaw 6.9k points
0 votes
1 answer 2 views
2 views
Problem: I am using angular in my front-end and this is the piece of code where i call my loclhost , todo variable should have the value, but I get error: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access.
asked Apr 2 ummesalma 24.5k points
0 votes
1 answer 4 views
4 views
Problem: Please help me to fix cross-origin request blocked.
asked Apr 1 zayed1 30.9k points
0 votes
1 answer 10 views
10 views
Problem : Any help, I am facing following error: Uncaught (in promise) domexception: failed to load because no supported source was found.
asked Mar 13 Wafa Abu Yousef 6.1k points
0 votes
1 answer 2.3K views
2.3K views
Problem : I am facing following error message: DOMException: Failed to load because no supported source was found in video.play(); line. I have started getting this issue only after adding following code: video.setAttribute('crossorigin', 'anonymous'); I am trying to develop an app in the mobile so ... 0); setTimeout(loop, 1000 / 30); // drawing at 30fps } })(); }, 0); </script> </body> </html>
asked Nov 27, 2019 alecxe 7.5k points
0 votes
0 answers 4 views
4 views
Problem: Can anyone help me with this problem, " Cross origin requests are only supported for http chrome disable " ?
asked 1 day ago salim1 34.8k points