cross domain script

A “permission denied” or “Blocked a frame with origin xxx from accessing a cross-origin frame” error is common when a page contains an iframe and its JavaScript reaches into content from another origin.

Factor 1: set Domain

You’re developing an Ajax-based application. You have an application server at which serves up all your JavaScript, HTML and CSS, and a data server at which delivers all the XML data to the application via a hidden IFRAME.

You know that cross-domain security will prevent any JavaScript from accessing the data in the IFRAME, so you configure the data server to set the security domain of the IFRAME to “” — the common suffix between the two domains — with a small piece of JavaScript:

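<script type="text/javascript">document.domain = "COMMON_SUFFIX"; /* placeholder: the actual value is missing from this page */</script>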

Having done this, you test your application and get a “permission denied” error. What happened?

Depending on your browser, it may not be enough to set the security domain of the IFRAME alone. You must set all of the frames and windows to the same domain, too. This is true even if the domain name you’re trying to set already matches the domain of the server that’s currently serving the page. For example, if you have two frames with pages served from and you use JavaScript to set the security domain of one frame to “”, the frames will be unable to communicate.

Older browsers might let you get away with this.

Factor 2: X-Frame-Options

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

There are three possible values for X-Frame-Options:

DENY: The page cannot be displayed in a frame, regardless of the site attempting to do so.
SAMEORIGIN: The page can only be displayed in a frame on the same origin as the page itself.
ALLOW-FROM uri: The page can only be displayed in a frame on the specified origin.

In other words, if you specify DENY, not only will attempts to load the page in a frame fail when loaded from other sites, attempts to do so will fail when loaded from the same site. On the other hand, if you specify SAMEORIGIN, you can still use the page in a frame as long as the site including it in a frame is the same as the one serving the page.

Configuring Apache

To configure Apache to send the X-Frame-Options header for all pages, add this to your site’s configuration:

Header always append X-Frame-Options SAMEORIGIN
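
As an added example (not code from the original post), the sketch below models how a current browser decides whether to render a framed response from its X-Frame-Options values, including a header that appears twice or carries ALLOW-FROM. It follows the check in the HTML Standard in simplified form; the function names and the example.test hosts are assumptions.

```javascript
// Simplified model: CSP frame-ancestors, which takes precedence over
// X-Frame-Options when present, is not modelled here.

// Split one or more X-Frame-Options header values into a set of lowercase tokens.
function parseXfo(headerValues) {
  const tokens = new Set();
  for (const raw of headerValues) {
    for (const part of raw.split(',')) {
      const token = part.trim().toLowerCase();
      if (token) tokens.add(token);
    }
  }
  return tokens;
}

// pageUrl: URL of the framed response. ancestorUrls: URLs of every frame
// above it, up to the top-level window. Returns { allowed, reason }.
function checkFraming(headerValues, pageUrl, ancestorUrls) {
  const tokens = parseXfo(headerValues);
  const known = ['deny', 'sameorigin', 'allowall'];
  if (tokens.size === 0) return { allowed: true, reason: 'no header' };
  if (tokens.size > 1) {
    // Several distinct values: block if any is a known one, otherwise ignore.
    return known.some((k) => tokens.has(k))
      ? { allowed: false, reason: 'conflicting values' }
      : { allowed: true, reason: 'invalid header ignored' };
  }
  const [token] = tokens;
  if (token === 'deny') return { allowed: false, reason: 'DENY' };
  if (token === 'sameorigin') {
    const origin = new URL(pageUrl).origin;
    const same = ancestorUrls.every((u) => new URL(u).origin === origin);
    return same
      ? { allowed: true, reason: 'all ancestors same-origin' }
      : { allowed: false, reason: 'cross-origin ancestor' };
  }
  // ALLOW-FROM and unknown tokens are not enforced by current browsers.
  return { allowed: true, reason: 'value not enforced' };
}

// Constructed sample: a data page framed by an application page on another host.
const samplePage = 'https://data.example.test/feed';
const sampleTop = ['https://app.example.test/'];
console.log(checkFraming(['SAMEORIGIN'], samplePage, sampleTop));
console.log(checkFraming(['ALLOW-FROM https://app.example.test'], samplePage, sampleTop));
```

A header that ends up as "DENY, SAMEORIGIN" after being set in two places blocks framing everywhere, while a lone ALLOW-FROM value leaves the page frameable by any site.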


One thing to notice: if a server sends Access-Control-Allow-Origin set to *, the browser lets scripts from any origin read that response, so the same-origin policy does not block the request.

An example is, where you can send an XHR to because the server responds with Access-Control-Allow-Origin: *.

var getJSON = function(url, successHandler, errorHandler) {
  // Use the native XMLHttpRequest where available; fall back to ActiveX on old IE.
  var xhr = typeof XMLHttpRequest != 'undefined'
    ? new XMLHttpRequest()
    : new ActiveXObject('Microsoft.XMLHTTP');
  xhr.open('get', url, true);
  xhr.onreadystatechange = function() {
    var status;
    var data;
    if (xhr.readyState == 4) { // `DONE`
      status = xhr.status;
      if (status == 200) {
        data = JSON.parse(xhr.responseText);
        successHandler && successHandler(data);
      } else {
        errorHandler && errorHandler(status);
      }
    }
  };
  xhr.send();
};

// The request URL is missing from this page; it must point at a server
// that sends Access-Control-Allow-Origin: *.
getJSON('', function(data) {
  alert('Your public IP address is: ' + data.ip);
}, function(status) {
  alert('Something went wrong.');
});



