This question already has answers here:
SecurityError: Blocked a frame with origin from accessing a cross-origin frame
(9 answers)
Closed 7 years ago.
I'm trying to fire a click event When web page loaded inside an iframe, but it doesn't seem to be working.
$(function(){
$('#iframe').load(function(){
var iframe = $('#iframe').contents();
iframe.find("#btnSubmit").click(function(){
alert("test");
});
});
});
When i am trying to using this code i am getting the error.
Uncaught SecurityError: Failed to read the 'contentDocument' property from 'HTMLIFrameElement': Blocked a frame with origin "null" from accessing a frame with origin "https://pptform.state.gov". The frame requesting access has a protocol of "file", the frame being accessed has a protocol of "https". Protocols must match.
Please tell me how to resolve this issue. Thanks in advance
You cannot do that if the domains of the iframe and your parent site do not match, which they don't seem to in this case. Allowing it would be a big security risk.
If both sites are under your control, you can communicate across the iframe border using postMessage or using some URL hash hacks. However, if they are not under your control, there isn't much you can do about it.
Related
This question already has answers here:
SecurityError: Blocked a frame with origin from accessing a cross-origin frame
(9 answers)
Closed 1 year ago.
My website provides functionality for embedding a video from my website via an iframe (similar to Youtube or any other video portals).
However, is there a way to exactly detect, which website included mine as an iframe.
Tried within my iframe embed, trying to detect parent's URL
if (window !== window.top) {
console.log(window.top.location.href);
console.log(window.parent.location.href);
}
but ended up with an error
Uncaught DOMException: Blocked a frame with origin "https://myurl.com" from accessing a cross-origin frame.
at console.log (<anonymous>)
at https://www.myurl.com/embed/1544401:20:21
Is there a workaround?
UPD. Solved by using document.referrer
You can't access an <iframe> with different origin using JavaScript, it would be a huge security flaw if you could do it. For the same-origin policy browsers block scripts trying to access a frame with a different origin.
you can work around this problem using window.postMessage and its relative message event to send messages between the two pages, like this:
//in your main page
const frame = document.getElementById('your-frame-id');
frame.contentWindow.postMessage(/*any variable or object here*/, 'http://your-second-site.com');
//In your <iframe> (contained in the main page):
window.addEventListener('message', event => {
// IMPORTANT: check the origin of the data!
if (event.origin.startsWith('http://your-first-site.com')) {
// The data was sent from your site.
// Data sent with postMessage is stored in event.data:
console.log(event.data);
} else {
// The data was NOT sent from your site!
// Be careful! Do not use it. This else branch is
// here just for clarity, you usually shouldn't need it.
return;
}
});
This method can be applied in both directions, creating a listener in the main page too, and receiving responses from the frame. The same logic can also be implemented in pop-ups and basically any new window generated by the main page (e.g. using window.open()) as well, without any difference.
or just disable the same origin policy in your browser
This question already has answers here:
SecurityError: Blocked a frame with origin from accessing a cross-origin frame
(9 answers)
Closed 1 year ago.
How can you read and change the x / y coordinates of a PDF in an iframe, my iframe looks like this: <iframe id="pdf-interface" class="pdf-interface" src=path></iframe> where path is the local path to the PDF file.
All attempts I've tried until now failed with the error message: Uncaught DOMException: Blocked a frame with origin "http://127.0.0.1:8080" from accessing a cross-origin frame.
Is there any way to fix this or an alternative way of doing this?
You can't access cross-origin iframes directly.
Read more about it on Quentin's answer https://stackoverflow.com/a/66139466/7942242
And Willy Wonka's answer might interest you as well https://stackoverflow.com/a/39685594/7942242 which has a reference about how to bypass Same Origin Policy.
This question already has answers here:
Cross domain iframe issue
(5 answers)
Closed 5 years ago.
My webpage(wp1) has an iframe. The source of the iframe is another webpage(wp2). I have some javascript functions on wp1 which try to manipulate the contents of wp2. However , the browser gives " Blocked a frame with origin "null" from accessing a cross-origin frame." How can i get around this?
According to the MDN page about postMessage, if your parent and child domains differ only by a subdomain (e.g example.com and subdomain.example.com), you can set document.domain to the same value on both pages and it should be enough to get it to work.
Accepted value for document.domain is that of the superdomain (example.com = ok, subdomain.example.com = nope), according to Same Origin Policy.
I'm trying to add some pages from my site www.drewgl.com to stumbleupon. It is very dependent on javascript. When I view my site through stumbleupon the javascript gets blocked. Specifically, I see the error:
Uncaught SecurityError: Blocked a frame with origin
"http://www.drewgl.com" from accessing a frame with origin
"http://www.stumbleupon.com". Protocols, domains, and ports must match
I'm using rails 4 deployed to heroku. I have my X-frame options set to allow all. I read through the answers here:
SecurityError: Blocked a frame with origin from accessing a cross-origin frame
and it seems as if the only way to get around this issue is to use window.postmessage to send messages between the two pages. To do this, however, you must own both pages.
Of course, this condition cannot be met with Stumbleupon, so how can I get around the issue?
Edit: I just downloaded the stumbleupon toolbar for chrome. After doing this, I no longer get the above error message. Either way I'd still like to fix this problem for stumblers that don't have the toolbar.
Rails app not loading on StumbleUpon? Add this to your ApplicationController
before_action :allow_iframe_requests
private
def allow_iframe_requests
response.headers.delete('X-Frame-Options')
end
https://github.com/rails/rails/issues/6311
Figured it out. If anyone's curious, you're not allowed to access the current path from within an iframe. This chunk of code was causing the issue:
// if (top.location.pathname === '/users/sign_in')
// {
// $('#login').modal('show');
// }
This question already has answers here:
Ways to circumvent the same-origin policy
(8 answers)
Closed 8 years ago.
DEMO
I am trying to summarise a text by posting data on to a website which provide that feature
i have used two approaches but both failed miserably
At first i tried to load it in an iframe and tried to access contents inside it but it shows some browser restriction error
Uncaught SecurityError: Failed to read the 'contentDocument' property from 'HTMLIFrameElement': Blocked a frame with origin "http://fiddle.jshell.net" from accessing a frame with origin "http://autosummarizer.com". Protocols, domains, and ports must match.
Then i tried to send a post request to the domain that to failed here is the website which i am trying to post data to but receive following error
XMLHttpRequest cannot load http://autosummarizer.com/. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://fiddle.jshell.net' is therefore not allowed access.
Jquery
var v='Banking Jobs, recruitment in Thiruvananthapuram, Kerala | Indeed ...Jobs 1 - 10 of 60 ... 60 Banking Jobs available in Thiruvananthapuram, Kerala on Indeed.com. ... Testhouse India Private Limited - Thiruvananthapuram, Kerala ... www.indeed.co.in';
alert($('iframe').contents().find("h2").html());
$.post( "http://autosummarizer.com",{ text: v,submit:"Summarize" },{dataType : "jsonp" } ,function( data ) {
alert( data );
});
The website you're trying to add to your iframe element must enable CORS.
That Auto Summarizer apparently has an API, I suggest you get in touch with them to get access to their API and use this service properly.