Uncaught SecurityError: Blocked a frame with origin ... from accessing a frame with origin

javascript security iframe same-origin-policy

70,016

I've finally found a solution.

The top of my iframe had a domain.location set to domain.com and my iframe a domain.location set to support.domain.com.

Event though I still think that both belong to the same domain, browsers don't like it it seems so.

Re-setting the domain.location did the work.

To answer the ones asking about how to re-set location.domain, here is the snippet of code my team used to use. This is quite old (2y ago), not really optimized and we do not use it anymore, but I guess it's worth sharing. Basically, what we were doing is load the iframe with passing it top domain in the URL parameters.

var topDomain = (function handleDomain(parameters) {
        if (typeof parameters === "undefined") {
            return;
        }
        parameters = parameters.split("&");
        var parameter  = [],
            domain;
        for (var i = 0; i<parameters.length; ++i) {
            parameter.push(parameters[i]);
        }
        for (var j = 0; j<parameter.length; ++j) {
            if (parameter[j].indexOf("domain") > -1) {
                domain = parameter[j];
                break;
            }
        }
        if (typeof domain !== "undefined") {
            domain = domain.split("=");
            return domain[1];
        }
        return; 
    })(window.location.search),
    domain = document.domain;

if (domain.indexOf(topDomain) > -1 && domain !== topDomain) {
    document.domain = topDomain;
}

70,016

Author by

Stranded Kid

If there is no solution, there is no problem

Updated on July 20, 2020

Comments

Stranded Kid almost 4 years
I've made a component for an SAP solution (whatever) that is embedded into a report through an iframe. After I deployed the report on an SAP plateform (BO), I got this error (on Chrome, but does not work on IE or FF either):
```
Uncaught SecurityError: Blocked a frame with origin "http://support.domain.com" from accessing a frame with origin "http://support.domain.com". The frame requesting access set "document.domain" to "domain.com", but the frame being accessed did not. Both must set "document.domain" to the same value to allow access.
```
The iframe is embedded into my component so it's suppose to run on the same domain with same port than report.

I found this post on SO and this one, but it does not really helped me to understand what I need to do.

Is there a way to get rid of this, or at least work around this ? Thanks :).

EDIT:

Host Page URL : http://support.domain.com/BOE/OpenDocument/opendoc/openDocument.jsp?sIDType=CUID&iDocID=AbmffWLjCAlFsLj14TjuDWg

URL of the file calling a property on the iframe (and generating the error) : http://support.domain.com/BOE/OpenDocument/1411281523/zenwebclient/zen/mimes/sdk_include/com.domain.ds.extension/res/cmp/js/component.js

URL of the frame : http://support.domain.com/BOE/OpenDocument/1411281523/zenwebclient/zen/mimes/sdk_include/com.domain.ds.extension/res/cmp/js/map/js/map.html

The iframe embed itself some script tag, I can see everything loading fine in the Network tag of the console.

Maybe it can help.

EDIT 2 :

I just realized SAP report is itself embedded into an iframe. That means my iframe is within an iframe, that might be the issue. Still, when lauching the report from Eclipse, everything is working.
Trip almost 7 years

How do you reset the domain.location?