
I'm trying to make my own "website checker" for specific needs and I'm having a problem accessing the iFrame.

Uncaught SecurityError: Failed to read the 'contentDocument' property from 'HTMLIFrameElement': Blocked a frame with origin "http:// checker.xcore.co.il" from accessing a frame with origin "http:// xcore.co.il". The frame requesting access set "document.domain" to "checker.xcore.co.il", but the frame being accessed did not. Both must set "document.domain" to the same value to allow access.

I must do this using iFrame because I need to access the classes' CSS. Click on this link, load the website and then click "fontSizeErrors" on the right and then you can see the error in the console log.

How can I pass this please? I couldn't find anything helpful on Google.

Thanks!

Hristo
Nate
  • It's called the HTML same-origin policy. https://en.wikipedia.org/wiki/Same_origin_policy. Even http://a.example.com cannot access data from http://b.example.com due to security reasons. – cforcloud Oct 12 '14 at 20:18
  • you can't bypass it unless you have access to both domains and can set `document.domain` to match in both – charlietfl Oct 12 '14 at 20:18
  • run your script on the actual page via Tampermonkey or Greasemonkey instead of your own page with an iframe. – dandavis Oct 12 '14 at 20:38
  • How do people make website checkers such as http://wave.webaim.org/ ? There must be a way I can pull each class's CSS – Nate Oct 14 '14 at 14:13

1 Answer


That's a normal security measure used by all the browsers. You can't access elements or frames that have a different origin, that would be a huge security flaw. Hence, the browser blocks all the scripts that try to do that kind of stuff. To perform any action inside a frame its content must have the same origin.

For further information take a look at this answer of mine.

Marco Bonelli
  • How do people make website checkers such as http://wave.webaim.org/ ? There must be a way I can pull each class's CSS – Nate Oct 14 '14 at 14:12
  • @user3298188 I guess they just make some XMLHttpRequests and inspect the content, but I don't know the logic behind it, sorry – Marco Bonelli Oct 14 '14 at 14:52
  • once you have a language which is capable of parsing a URL page as a string, you can do any magic you want ;) – Srneczek Feb 04 '16 at 21:20
  • How can this possibly be a security flaw?? The DOM I load in my browser, I should be able to handle it whichever way I want... – Dalibor May 04 '17 at 12:23
  • @Dalibor no, you shouldn't. If this was possible then *anyone* could modify and inject scripts inside frames of different sites, doing whatever they want. This would be a **huge security flaw**. To make a silly example, just think about a malicious site loading a hidden iframe containing the web page of your bank: you are already logged in because you use it often, and the malicious site would be able to access all of your data. This would be very, very dangerous. – Marco Bonelli May 04 '17 at 12:45
  • You're right. The moment I posted my response, I thought of that phishing example. Makes sense, thanks. However, that issue makes my life complicated in implementing remote iframes in a Cordova/Ionic app... – Dalibor May 05 '17 at 07:27
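
The decision described in the error message and in the `document.domain` comment, modelled as a small function. This is an added example, not code from the question or the answer; `frame` and `canAccess` are hypothetical names, and the public-suffix restriction browsers apply to `document.domain` values is assumed away.

```javascript
// Added illustration; frame() and canAccess() are hypothetical helpers.
// Simplification: the public-suffix check on document.domain is not modelled.
const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// Describe a frame. `domain` is the value its script assigned to
// document.domain, or null if it never assigned one.
function frame(url, domain = null) {
  const u = new URL(url);
  // A page may only relax to its own host or a parent domain of it.
  if (domain !== null && u.hostname !== domain && !u.hostname.endsWith("." + domain)) {
    throw new Error(`${u.hostname} cannot set document.domain to ${domain}`);
  }
  const port = u.port || DEFAULT_PORT[u.protocol] || "";
  return { scheme: u.protocol, host: u.hostname, port, domain };
}

// Returns { allowed, reason } for `accessor` reading `target`.contentDocument.
function canAccess(accessor, target) {
  const a = accessor, t = target;
  if (a.domain !== null && t.domain !== null) {
    // Both opted in: scheme and document.domain must match; port is ignored.
    const ok = a.scheme === t.scheme && a.domain === t.domain;
    return { allowed: ok, reason: ok ? "matching document.domain" : "document.domain values differ" };
  }
  if (a.domain === null && t.domain === null) {
    // Neither opted in: plain same-origin comparison (scheme, host, port).
    const ok = a.scheme === t.scheme && a.host === t.host && a.port === t.port;
    return { allowed: ok, reason: ok ? "same origin" : "different origin" };
  }
  // Exactly one side opted in: always blocked, as in the question's error.
  return { allowed: false, reason: "only one frame set document.domain" };
}

// The question's situation, then the both-sides opt-in from the comments.
const asked = canAccess(
  frame("http://checker.xcore.co.il/", "checker.xcore.co.il"),
  frame("http://xcore.co.il/"));
const relaxed = canAccess(
  frame("http://checker.xcore.co.il/", "xcore.co.il"),
  frame("http://xcore.co.il/", "xcore.co.il"));
console.log(asked, relaxed);
```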