问题描述:
浏览器报错
I am loading an <iframe> in my HTML page and trying to access the elements within it using Javascript, but when I try to execute my code, I get the following error: SecurityError: Blocked a frame with origin "http://www.<domain>.com" from accessing a cross-origin frame. I am using this code for testing, but in vain:
$(document).ready(function() {
var iframeWindow = document.getElementById("my-iframe-id").contentWindow; iframeWindow.addEventListener("load", function() {
var doc = iframe.contentDocument || iframe.contentWindow.document;
var target = doc.getElementById("my-target-id"); target.innerHTML = "Found it!";
});
});

问题原因:

Same-origin security policy

You can't access an <iframe> with Javascript, it would be a huge security flaw if you could do it. For the same-origin policy browsers block scripts trying to access a frame with a different origin.

Origin is considered different if at least one of the following parts of the address isn't maintained:

<protocol>://<hostname>:<port>/path/to/page.html 
Protocolhostname and port must be the same of your domain, if you want to access a frame.

Examples

Here's what would happen trying to access the following URLs from

 http://www.example.com/home/index.html

URL                                             RESULT
http://www.example.com/home/other.html -> Success
http://www.example.com/dir/inner/another.php -> Success
http://www.example.com:80 -> Success (default port for HTTP)
http://www.example.com:2251 -> Failure: different port
http://data.example.com/dir/other.html -> Failure: different hostname
https://www.example.com/home/index.html.html -> Failure: different protocol
ftp://www.example.com:21 -> Failure: different protocol & port
https://google.com/search?q=james+bond -> Failure: different hostname & protocol

Workaround

Even though same-origin policy blocks scripts from accessing the content of sites with a different origin, if you own both the pages, you can work around this problem using window.postMessageand its relative message event to send messages between the two pages, like this:

  • In your main page:

var frame = document.getElementById('your-frame-id'); 

frame.contentWindow.postMessage(/*any variable or object here*/, '*');

In your <iframe> (contained in the main page):

window.addEventListener('message', function(event) { 

    // IMPORTANT: Check the origin of the data!
if (~event.origin.indexOf('http://yoursite.com')) {
// The data has been sent from your site // The data sent with postMessage is stored in event.data
console.log(event.data);
} else {
// The data hasn't been sent from your site!
// Be careful! Do not use it.
return;
}
});

This method can be applied in both directions, creating a listener in the main page too, and receiving responses from the frame. The same logic can also be implemented in pop-ups and basically any new window generated by the main page (e.g. using window.open()) as well, without any difference.

Disabling same-origin policy in your browser

There already are some good answers about this topic (I just found them googling), so, for the browsers where this is possible, I'll link the relative answer. However, please remember thatdisabling the same-origin policy (or the CORS) will only affect your browser. Also, running a browser with same-origin security settings disabled grants any website access to cross-origin resources, so it's very unsafe and should be done for development purposes only.

the best current way of interacting between frames/iframes is using window.postMessagesupported by all browsers

转:http://stackoverflow.com/questions/25098021/securityerror-blocked-a-frame-with-origin-from-accessing-a-cross-origin-frame

SecurityError: Blocked a frame with origin from accessing a cross-origin frame的更多相关文章

  1. iframe跨端口报错 Blocked a frame with origin from accessing a cross-origin frame

    前言    在不同的端口号,甚至是不同的ip进行iframe嵌套的时候,在父页面调用子页面的方法的时候,报错 SecurityError: Blocked a frame with origin fr ...

  2. iframe跨源报错:"Blocked a frame with origin from accessing a cross-origin frame"

    一.报错信息: “Blocked a frame with origin from accessing a cross-origin frame” 二.在stackoverflow上找到原因 Same ...

  3. Ajax本地跨域问题 Cross origin requests are only supported for HTTP

    问题:打开本地html文件时,报错如下 Cross origin requests are only supported for protocol schemes: http, data,chrome ...

  4. Blocking Cross Origin API request for /api/contents Creating Notebook Failed An error occurred while creating a new notebook.

    anacoda安装的jupyter,使用nginx进行了转发,远程访问可以进去,但是创建文件和创建目录都会报错 浏览器页面报错: 第一次使用jupyter创建python时错误:Creating No ...

  5. git push origin与git push -u origin master的区别

    $ git push origin 上面命令表示,将当前分支推送到origin主机的对应分支. 如果当前分支只有一个追踪分支,那么主机名都可以省略. $ git push 如果当前分支与多个主机存在追 ...

  6. jquery读取本地文件,Windows上报错。XMLHttpRequest cannot load xxx. Cross origin requests are only supported for protocol schemes: http, data, chrome, chrome-extension, https, chrome-extension-resource.k.cors.a.c

    问题: 测试报告,使用本地的json.txt文件,结果文件读取失败,报错如下: XMLHttpRequest cannot load xxx. Cross origin requests are on ...

  7. CORS (Cross Origin Resources Share) 跨域

    CORS 跨域 1 什么是跨域问题 基于安全考虑,浏览器会限制使用脚本发起任何跨域请求. 所谓的跨域请求,就是与当前页面的 http/ip/port 不一样的请求. 但在实际运用中,跨域获取数据的需求 ...

  8. nodejs报错 XMLHttpRequest cannot load localhost:3000/test_date/. Cross origin requests are only supported for protocol schemes: http, data, chrome, chrome-extension, https.

    z在请求本地的时候  如果ajax的URL 前面没有http的话 就会报错 jq.js:2 XMLHttpRequest cannot load localhost:3000/test_date/. ...

  9. Cross origin requests are only supported for protocol schemes: http, data, chrome,chrome-extension的问题

    Cross origin requests are only supported for protocol schemes: http, data, chrome,chrome-extension的问 ...

随机推荐

  1. Android开发环境——调试器 DDMS相关内容汇总

       Android开发环境将分为SDK相关内容.Eclipse ADT相关内容.模拟器AVD相关内容.调试器DDMS相关内容.日志LogCat相关内容.连接驱动ADB相关内容.内存泄露检测工具MAT ...

  2. ubuntu安装包查找及安装

    官方包源: http://packages.ubuntu.com/ ubuntu下当前安装的包保存在在:/var/cache/apt/archives ubuntu下当前安装的运用: /usr/sha ...

  3. Spring 3.0 AOP 之 AOP 术语 (一)

    关于AOP.之前我已写过一个系列的随笔: <自己实现简单的AOP>,它的关注点在于实现.实现语言是C#,实现方式为 自定义实现 RealProxy 抽象类.重写Invoke方法,以便进行方 ...

  4. Apache2.2和Apache2.4中httpd.conf配置文件 权限的异同

    Windows环境从Apache2.2改成Apache2.4后httpd.conf中的设置异同. 1.权限设定方式变更 2.2使用Order Deny / Allow的方式,2.4改用Require ...

  5. 进阶之路(基础篇) - 001 亮一个led灯

    /********************************* 代码功能:点亮一个led灯 使用函数: pinMode(引脚号,模式); digitalWrite(引脚号,电平状态); //默认 ...

  6. 解析form表单数据

    //解析form表单数据 function parseFormData(params) { var args = new Object(); for(var key in params){ if(!p ...

  7. 【C语言】为什么指明数组的列数?

    首先,我们拿二维数组为例.二维数组称为矩阵.二维数组在概念上是二维的,但实际的硬件存储器却是连续编址的,也就是说存储器单元是按一维线性排列的.如果将二维数组作为参数传递给函数,那么在函数的参数声明中必 ...

  8. sql中union 和 union all的区别

    最近发现一个视图出奇的慢,在生产环境还好,由于服务器配置较高,没有察觉出来.但是做了一次修改后在开发版 和测试版就直接查询不出结果了.就连select count(1) from 都运行2个小时没有结 ...

  9. 【转载并整理】JAVA解析或生成xml的四种方法

    参考文章 1:http://blog.csdn.net/clemontine/article/details/53011362 2:http://www.jb51.net/article/98456. ...

  10. C#基础第八天-作业-设计类-面向对象方式实现两个帐户之间转账

    要求1:完成以下两种账户类型的编码.银行的客户分为两大类:储蓄账户(SavingAccount)和信用账户(CreditAccount),两种的账户类型的区别在于:储蓄账户不允许透支,而信用账户可以透 ...