cross domain script

A "permission denied" error, or "Blocked a frame with origin xxx from accessing a cross-origin frame", is common when you have an iframe and your JavaScript tries to reach into a page from another origin.

Factor 1: set Domain

You’re developing an Ajax-based application. You have an application server at example.com which serves up all your JavaScript, HTML and CSS, and a data server at xml.example.com which delivers all the XML data to the application via a hidden IFRAME.

You know that cross-domain security will prevent any JavaScript from accessing the data in the IFRAME. So you configure the data server to set the security domain of the IFRAME to “example.com”, the common suffix between the two domains, with a small piece of JavaScript:

<script type="text/javascript">
  document.domain="example.com";
</script>

Having done this, you test your application and get a “permission denied” error. What happened?

Depending on your browser, it may not be enough to set the security domain of the IFRAME alone. You must set all of the frames and windows to the same domain, too. This is true even if the domain name you’re trying to set already matches the domain of the server that’s currently serving the page. For example, if you have two frames with pages served from example.com and you use JavaScript to set the security domain of only one frame to “example.com”, the two frames will be unable to communicate.

Older browsers might let you get away with this.

Factor 2: X-Frame-Options

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

There are three possible values for X-Frame-Options:

DENY
The page cannot be displayed in a frame, regardless of the site attempting to do so.
SAMEORIGIN
The page can only be displayed in a frame on the same origin as the page itself.
ALLOW-FROM uri
The page can only be displayed in a frame on the specified origin.

In other words, if you specify DENY, attempts to load the page in a frame will fail not only from other sites but also from the same site. On the other hand, if you specify SAMEORIGIN, you can still use the page in a frame as long as the site including it in a frame is the same as the one serving the page.

Configuring Apache

To configure Apache to send the X-Frame-Options header for all pages, add this to your site’s configuration:

# "set" replaces any existing value; "append" would merge values with a comma
# (e.g. "DENY, SAMEORIGIN"), which browsers treat as invalid and ignore.
Header always set X-Frame-Options SAMEORIGIN

Access-Control-Allow-Origin

One thing to notice is that if Access-Control-Allow-Origin is set to *, the same-origin policy no longer blocks reads of that response: a script on any origin can fetch it and read the body (for requests sent without credentials).

An example is https://mathiasbynens.be/demo/ip, to which you can send an XMLHttpRequest from any page, because the server responds with Access-Control-Allow-Origin: *.

var getJSON = function(url, successHandler, errorHandler) {
  var xhr = typeof XMLHttpRequest != 'undefined'
    ? new XMLHttpRequest()
    : new ActiveXObject('Microsoft.XMLHTTP');
  xhr.open('get', url, true);
  xhr.onreadystatechange = function() {
    var status;
    var data;
    // https://xhr.spec.whatwg.org/#dom-xmlhttprequest-readystate
    if (xhr.readyState == 4) { // `DONE`
      status = xhr.status;
      if (status == 200) {
        data = JSON.parse(xhr.responseText);
        successHandler && successHandler(data);
      } else {
        errorHandler && errorHandler(status);
      }
    }
  };
  xhr.send();
};

getJSON('https://mathiasbynens.be/demo/ip', function(data) {
  alert('Your public IP address is: ' + data.ip);
}, function(status) {
  alert('Something went wrong.');
});
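The three rules above (document.domain on both sides, X-Frame-Options, and Access-Control-Allow-Origin) as an added example that is not part of the original post: a small model of what the browser decides in each case, so the pitfalls can be checked without a browser. The function names and the frame objects with origin/domain fields are this example's own, not a browser API.

```javascript
// Factor 1: document.domain. Two documents can script each other only if BOTH
// have set document.domain to the same value, that value is a suffix of each
// document's own host, and the schemes match. Setting it on one side only
// denies access even when the two documents were same-origin to begin with.
function isDomainSuffix(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}
function canScriptViaDocumentDomain(a, b) {
  // a, b: { origin: 'https://xml.example.com', domain: 'example.com' | null }
  if (a.domain === null && b.domain === null) return a.origin === b.origin;
  if (a.domain === null || b.domain === null) return false;  // only one side set it
  if (a.domain !== b.domain) return false;
  const ua = new URL(a.origin), ub = new URL(b.origin);
  return ua.protocol === ub.protocol &&
    isDomainSuffix(ua.hostname, a.domain) && isDomainSuffix(ub.hostname, b.domain);
}

// Factor 2: X-Frame-Options. Returns whether framerOrigin may embed the page.
// A comma-joined header with conflicting values (the "Header append" pitfall)
// is invalid, and browsers ignore an invalid header entirely.
function framingAllowed(xfoHeader, pageOrigin, framerOrigin) {
  if (xfoHeader === null) return true;               // no header: anyone may frame
  const values = [...new Set(xfoHeader.split(',').map(v => v.trim()))];
  if (values.length !== 1) return true;              // conflicting values: ignored
  const [directive, target] = values[0].split(/\s+/);
  switch (directive.toUpperCase()) {
    case 'DENY': return false;
    case 'SAMEORIGIN': return pageOrigin === framerOrigin;
    case 'ALLOW-FROM': return target !== undefined && new URL(target).origin === framerOrigin;
    default: return true;                            // unrecognised value: ignored
  }
}

// Factor 3: CORS. Returns whether a script on requestOrigin may read the response.
// With credentials, '*' is rejected and Access-Control-Allow-Credentials: true is required.
function corsReadAllowed(acao, requestOrigin, withCredentials = false, acac = null) {
  if (acao === null) return false;                       // no header: same-origin policy applies
  if (withCredentials && acac !== 'true') return false;  // credentialed reads also need ACAC
  if (acao === '*') return !withCredentials;             // wildcard never valid with credentials
  return acao === requestOrigin;
}
```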
