I am getting an error when my app is being embedded in an iframe that reads
Permission denied for https://myapp.com to call method Location.toString on http://otherhost.com
I am not getting a stack trace, line number, or file where this is occurring in any of the browsers. How could I figure out where this problem is coming from?
This error is happening because of the same-origin policy. You can't run any JavaScript from a non-extension source inside of a cross-domain iframe. That is, an iframe that is from a different domain than the main page's.
I determined that this error was coming from some JS tracking code that was including some Flash to do its tracking inside the iframe. I turned off the Flash portion and this error disappeared.
I'm trying to create an iframe overlay for a PDF document. The document is in the same domain in the folder 'static'. I can render it in an iframe, but I am not able to get the HTML structure inside; when I try to access it, the cross-origin problem fires.
Uncaught (in promise) DOMException: Permission denied to access
property "document" on cross-origin object
The selected area is a div I am trying to get
Line 28 is where the error fires
I found this bug/issue in Bugzilla (Bugzilla error 911444). At this moment I'm trying to make this solution only for Firefox, because the other browsers render the PDF in an iframe differently.
On all the sites where I read about problems with cross-origin, everything is about accessing a document that is outside my domain, but in this case it is the same domain.
Is this some bug or some misunderstanding of mine?
As you don't have a code example here, I'm guessing you're loading the PDF directly into the iframe. When you do this, the content of the iframe is not an HTML page, so it cannot be accessed via JavaScript.
The solution is going to be to create a small HTML page that uses pdf.js to render the PDF. You will then be able to access the iframe.
Question first:
Is it possible to get iframe contents when it's displaying a browser error document (page not found, connection lost, certificate problem...)?
Problem explained:
I've built a simple form with an iframe inside. This iframe has a simple file upload form that works great in every test I have done. BUT the form is meant to be used inside a company's network and some users are reporting random problems when sending the iframe upload form from inside the network. I suspect that they are experiencing lost connections because of internal network malfunctions and the iframe goes blank after sending (because the size is too small to display the error document and scrollbars are disabled).
As I'm not able to reproduce the errors, I need to debug the process with JavaScript, logging what is loaded inside the iframe after an error occurs to a user.
Actually I use jQuery to retrieve iframe's content:
$("#iframeid").contents().find("body").html();
Works great when retrieving a regular html document but not when trying to retrieve a browser error document. In this case I get the error:
Permission denied to access property "document"
Why is this happening? Because of same origin policy? Is there any way to override this?
Why is this happening? Because of same origin policy?
Yes.
Is there any way to override this?
No.
The browser does not allow you to read the contents of an internal document, like a 404 page. You will want to configure your webserver or fastcgi to return a soft 404 page which would allow you to view the contents of the iframe.
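For the "Permission denied" questions above, the following added example (not code from any of the posts) compares two URLs on the scheme, host and port that the same-origin policy checks, and probes a frame so that a blocked read is logged instead of thrown. The function names and the stand-in frame objects are assumptions made for illustration; in a browser, `probeFrame` would be passed the real `<iframe>` element.

```javascript
// Added example. Default ports let "https://a" and "https://a:443" compare equal.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Reduce a URL to the (scheme, host, port) tuple the same-origin policy compares.
function originTuple(url) {
  const u = new URL(url);
  return { scheme: u.protocol, host: u.hostname, port: u.port || DEFAULT_PORTS[u.protocol] || '' };
}

// List which tuple components differ; an empty list means same origin.
function originMismatch(a, b) {
  const x = originTuple(a), y = originTuple(b);
  return ['scheme', 'host', 'port'].filter((k) => x[k] !== y[k]);
}

// Try to read a frame's body without letting the SecurityError escape,
// so the result can be logged from a load handler.
function probeFrame(frame) {
  try {
    const doc = frame.contentWindow.document; // throws when the document is cross-origin
    if (!doc || !doc.body) return { readable: false, reason: 'no HTML body' };
    return { readable: true, html: doc.body.innerHTML };
  } catch (err) {
    return { readable: false, reason: err.name + ': ' + err.message };
  }
}

// Constructed stand-ins for iframe elements (hypothetical test data, not real DOM objects).
const readableFrame = { contentWindow: { document: { body: { innerHTML: '<p>upload ok</p>' } } } };
const blockedFrame = {
  contentWindow: {
    get document() {
      const e = new Error('Permission denied to access property "document"');
      e.name = 'SecurityError';
      throw e;
    },
  },
};

console.log(originMismatch('https://myapp.com/', 'http://otherhost.com/'));
console.log(probeFrame(readableFrame));
console.log(probeFrame(blockedFrame));
```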
While developing a website today I noticed something odd on the console. This is the second time I see this error message. I googled the website sasads.com and came up without any info. Website apparently is XML in nature and seems to be very suspicious.
The console error code is Blocked a frame with origin "http://video.sasads.com" from accessing a frame with origin "http://". Protocols, domains, and ports must match.
The website is PHP/jQuery and utilizes the latest jQuery distribution. I searched for sasads.com in the JS folders but could not locate such a string. The jQuery that was blocked stated it was running in 1.7, so it must be loading it offsite somewhere.
Browser used is Chrome, server running latest PHP and MySQL environment. I wasn't able to recreate the error; I guess there is some kind of trigger or timer that is hidden.
Question: should I be worried that one of the potential scripts has some sort of trojan or malware attached to it?
Based on my experimenting, I believe this is caused by the "Edit This Cookie" extension.
Also: The reviews for the extension have similar complaints about ads.
I just very unexpectedly had my Chrome browser switch from my eBay window to a new full-page advertisement; in researching more about what happened, I found this Stack Overflow question through my Google search regarding the website that it jumped to. I'm leaving the following information for others who may be searching for issues with "sasads.com", "adverstitial.com", "openadserve", or "adlegend.com" -- they all seem to be culprits in the hijacking of my web browser (and should be banned, blocked, blacklisted, and otherwise removed from the 'Interwebs').
In response to the Original Poster's error, I believe that the browser you were using tried to do the same exact jump to an "adverstitial.com" page. This page then has a script that loads content from "sasads.com", and you were seeing an error in how it loads.
I was able to capture the JavaScript from the site, and yes - it has a timer on it after which it tries to go back to the site you were originally on. Thus, you wouldn't have been able to see it. I have much more information about this and captured the JavaScript that was run. I haven't figured out where it was triggered yet. I only have one Chrome extension (Session Manager). I hope this helps someone.
I had this exact same error in Chrome. In my case, it started after installing the PageRank Status extension.
I have a script done by myself that uses jQuery Ajax functions to log some data from a web page when I access it. It takes some info and sends it to my local Apache host to save in a text file.
It worked for months, but I am now getting an error related to this Same-Origin Policy (I know how it works and its purpose), and the browser is now ending the script execution, showing this message:
The page at https://www.website.com/ displayed insecure content from
http://127.0.0.1:8081/whatever.php
Followed by this:
Refused to connect to connect 'http://127.0.0.1:8081/whatever.php?arguments=1' because it
violates the following Content Security Policy directive: "connect-src
https://www.website.com/* https://*.website.com/
https://*.website.net xhr: error: SECURITY_ERR: DOM Exception 18
That last domain is colored in red in the error message. A curious detail is that in the JavaScript code on Tampermonkey I have the #includes of those domains but not the red-marked domain. I've added it and tested, but it didn't work.
Every discussion I've found on Google tells how to disable this policy, but only in the case that you're developing an extension, which is not my case.
This code will just run on my machine; I don't have the intention to distribute it in any way, so any solution will be appreciated, even if the solution is to change browser configuration directly.
If this is useful, I'm using Windows 7.
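The refusal quoted in the question above can be reproduced offline. This added example (not code from the post or from Tampermonkey) checks a request URL against the `connect-src` list copied from that error message. It is a simplified matcher that compares scheme, host and port only; paths, keywords such as 'self' and the browser's scheme-upgrade rules are left out, and all function names are assumptions made for illustration.

```javascript
// Added example: simplified CSP host-source matching (scheme, host and port only).
const DEFAULT_PORT = { http: '80', https: '443' };

// Split one source expression such as "https://*.website.com/" into its parts.
function parseSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(expr);
  if (!m) return null; // scheme-only sources (e.g. "https:") are out of scope here
  return { scheme: m[1] ? m[1].toLowerCase() : null, host: m[2].toLowerCase(), port: m[3] || null };
}

// "*.website.com" matches subdomains only, not the bare "website.com".
function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

// True when a single source expression covers the request URL.
function sourceAllows(expr, url) {
  const src = parseSource(expr);
  if (!src) return false;
  const u = new URL(url);
  const scheme = u.protocol.slice(0, -1);
  const port = u.port || DEFAULT_PORT[scheme] || '';
  if (src.scheme && src.scheme !== scheme) return false;
  if (!hostMatches(src.host, u.hostname.toLowerCase())) return false;
  const wantPort = src.port || DEFAULT_PORT[src.scheme || scheme] || '';
  return src.port === '*' || wantPort === port;
}

// Find the governing directive (connect-src, else default-src) and the first source that allows the URL.
function connectSrcVerdict(policy, url) {
  const dirs = policy.split(';').map((d) => d.trim().split(/\s+/));
  const directive = dirs.find((d) => d[0].toLowerCase() === 'connect-src')
    || dirs.find((d) => d[0].toLowerCase() === 'default-src');
  if (!directive) return { allowed: true, by: 'no governing directive' };
  const hit = directive.slice(1).find((expr) => sourceAllows(expr, url));
  return { allowed: Boolean(hit), by: hit || null };
}

// Policy text copied from the error message quoted in the question.
const POLICY = 'connect-src https://www.website.com/* https://*.website.com/ https://*.website.net';
console.log(connectSrcVerdict(POLICY, 'http://127.0.0.1:8081/whatever.php?arguments=1'));
console.log(connectSrcVerdict(POLICY, 'https://api.website.com/log'));
```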
Tampermonkey Beta fixed its GM_xmlHttpRequest to be independent from the page's CSP.
Unfortunately it cannot fix jQuery AJAX requests because it doesn't have a clue what sites are going to be contacted.
If the page you're contacting is Facebook, then the CSP is sent only to Chrome 21-23, but not Chrome 24. So you can use Tampermonkey's #user-agent tag to simulate Chrome 24.
On your local server, in the whatever.php you're sending the data to, set up CORS (i.e. send the header Access-Control-Allow-Origin: *).
You do not need anything from above. All you have to do in your ajax call is to add
script.php?callback=?&your_parametars_here
and in the PHP file you just have to add this when retrieving data:
echo $_GET['callback'] . '(' . $your_data_here . ');';
That's all!
Is there any way to suppress an error that happens on a page when we have an iframe where we are loading third-party websites over which we don't have any control?
The only way to suppress the error is if the code runs on your domain and you can catch it with window.onerror. If it is on theirs [in iframe/frame], there is nothing you can do.
Tell them to fix it or do not include their page.
You cannot modify the code or behavior of a site from a different domain that's in an iframe or a frame. The browser prevents any cross domain modifications. See the "same origin policy" at MDN for details.
It would take a browser plug-in to do what you are describing. If you want to display third party sites in an iframe/frame, you get whatever behavior they produce.