zoukankan      html  css  js  c++  java
  • SecurityError: Blocked a frame with origin from accessing a cross-origin frame

    问题描述:
    浏览器报错
    I am loading an <iframe> in my HTML page and trying to access the elements within it using Javascript, but when I try to execute my code, I get the following error:

    SecurityError: Blocked a frame with origin "http://www.<domain>.com" from accessing a cross-origin frame.

    I am using this code for testing, but in vain:
    $(document).ready(function() {
        var iframeWindow = document.getElementById("my-iframe-id").contentWindow;
    
        iframeWindow.addEventListener("load", function() {
            var doc = iframe.contentDocument || iframe.contentWindow.document;
            var target = doc.getElementById("my-target-id");
    
            target.innerHTML = "Found it!";
        });
    });

    问题原因:

    Same-origin security policy

    You can't access an <iframe> with Javascript, it would be a huge security flaw if you could do it. For the same-origin policy browsers block scripts trying to access a frame with a different origin.

    Origin is considered different if at least one of the following parts of the address isn't maintained:

    <protocol>://<hostname>:<port>/path/to/page.html 
    Protocolhostname and port must be the same of your domain, if you want to access a frame.

    Examples

    Here's what would happen trying to access the following URLs from 

     http://www.example.com/home/index.html

    URL                                             RESULT 
    http://www.example.com/home/other.html       -> Success 
    http://www.example.com/dir/inner/another.php -> Success 
    http://www.example.com:80                    -> Success (default port for HTTP) 
    http://www.example.com:2251                  -> Failure: different port 
    http://data.example.com/dir/other.html       -> Failure: different hostname 
    https://www.example.com/home/index.html.html -> Failure: different protocol 
    ftp://www.example.com:21                     -> Failure: different protocol & port 
    https://google.com/search?q=james+bond       -> Failure: different hostname & protocol 

    Workaround

    Even though same-origin policy blocks scripts from accessing the content of sites with a different origin, if you own both the pages, you can work around this problem using window.postMessageand its relative message event to send messages between the two pages, like this:

    • In your main page:

        

    var frame = document.getElementById('your-frame-id'); 
    
    frame.contentWindow.postMessage(/*any variable or object here*/, '*');

    In your <iframe> (contained in the main page):

    window.addEventListener('message', function(event) { 
    
        // IMPORTANT: Check the origin of the data! 
        if (~event.origin.indexOf('http://yoursite.com')) { 
            // The data has been sent from your site 
    
            // The data sent with postMessage is stored in event.data 
            console.log(event.data); 
        } else { 
            // The data hasn't been sent from your site! 
            // Be careful! Do not use it. 
            return; 
        } 
    }); 

    This method can be applied in both directions, creating a listener in the main page too, and receiving responses from the frame. The same logic can also be implemented in pop-ups and basically any new window generated by the main page (e.g. using window.open()) as well, without any difference.

    Disabling same-origin policy in your browser

    There already are some good answers about this topic (I just found them googling), so, for the browsers where this is possible, I'll link the relative answer. However, please remember thatdisabling the same-origin policy (or the CORS) will only affect your browser. Also, running a browser with same-origin security settings disabled grants any website access to cross-origin resources, so it's very unsafe and should be done for development purposes only.

    the best current way of interacting between frames/iframes is using window.postMessagesupported by all browsers

    转:http://stackoverflow.com/questions/25098021/securityerror-blocked-a-frame-with-origin-from-accessing-a-cross-origin-frame

  • 相关阅读:
    经典傻逼题
    谈谈Spring的IoC之注解扫描
    吴裕雄 python 神经网络——TensorFlow 花瓣分类与迁移学习(1)
    吴裕雄 python 神经网络——TensorFlow 实现LeNet-5模型处理MNIST手写数据集
    吴裕雄 python 神经网络——TensorFlow 花瓣识别2
    吴裕雄 python 神经网络——TensorFlow训练神经网络:花瓣识别
    吴裕雄 python 神经网络——TensorFlow训练神经网络:卷积层、池化层样例
    吴裕雄 python 神经网络——TensorFlow训练神经网络:MNIST最佳实践
    吴裕雄 python 神经网络——TensorFlow训练神经网络:不使用滑动平均
    吴裕雄 python 神经网络——TensorFlow训练神经网络:不使用隐藏层
  • 原文地址:https://www.cnblogs.com/wangfuyou/p/6276871.html
Copyright © 2011-2022 走看看