4

I've made a component for an SAP solution (whatever) that is embedded into a report through an iframe. After I deployed the report on an SAP platform (BO), I got this error (on Chrome, but it does not work on IE or FF either):

```
Uncaught SecurityError: Blocked a frame with origin "http://support.domain.com" from accessing a frame with origin "http://support.domain.com". The frame requesting access set "document.domain" to "domain.com", but the frame being accessed did not. Both must set "document.domain" to the same value to allow access.
```

The iframe is embedded into my component, so it's supposed to run on the same domain and the same port as the report.

I found this post on SO and this one, but they did not really help me understand what I need to do.

Is there a way to get rid of this, or at least work around this? Thanks :).

EDIT:

Host Page URL : http://support.domain.com/BOE/OpenDocument/opendoc/openDocument.jsp?sIDType=CUID&iDocID=AbmffWLjCAlFsLj14TjuDWg

URL of the file calling a property on the iframe (and generating the error) : http://support.domain.com/BOE/OpenDocument/1411281523/zenwebclient/zen/mimes/sdk_include/com.domain.ds.extension/res/cmp/js/component.js

URL of the frame : http://support.domain.com/BOE/OpenDocument/1411281523/zenwebclient/zen/mimes/sdk_include/com.domain.ds.extension/res/cmp/js/map/js/map.html

The iframe itself embeds some script tags; I can see everything loading fine in the Network tab of the console.

Maybe it can help.

EDIT 2 :

I just realized the SAP report is itself embedded into an iframe. That means my iframe is within an iframe, and that might be the issue. Still, when launching the report from Eclipse, everything is working.

Stranded Kid
  • use `sandbox="allow-same-origin"` on your iframe, if on the same domain. – Mouser Feb 02 '15 at 18:59
  • The domain and the port and the method (`http` vs. `https`) have to be **exactly** the same. – Pointy Feb 02 '15 at 19:01
  • Ok I'll try sandbox property. I've added URL in my post. – Stranded Kid Feb 02 '15 at 19:05
  • and the host page url? – Luizgrs Feb 02 '15 at 19:13
  • I've just tried sandbox="allow-same-origin", it does not work. The same error still triggers – Stranded Kid Feb 03 '15 at 11:55
  • possible duplicate of [SecurityError: Blocked a frame with origin from accessing a cross-origin frame](http://stackoverflow.com/questions/25098021/securityerror-blocked-a-frame-with-origin-from-accessing-a-cross-origin-frame) – Marco Bonelli Aug 18 '15 at 18:08
  • @Marco Bonelli I indeed first checked your post before posting mine, but the problem is not the same because my iframe is "technically" on the same domain as my top page. Maybe my title is not explicit enough. – Stranded Kid Sep 11 '15 at 08:55
  • @SecularKid man, I read your answer and I can assure you that these are **different** domains, for the rule I specified in my linked answer. If you have subdomain.domain.com and domain.com they are indeed different domains because the hostname, as you can see, is different. – Marco Bonelli Sep 11 '15 at 10:08
  • @MarcoBonelli Ok I get it, I've been misled on the term "subdomain", like explained here https://razyr.zendesk.com/hc/en-us/articles/202651353--Subdomains-vs-Host-Names- . I thought that the domain was like toto.com, and in bob.toto.com, bob was the subdomain of toto (which it is technically), and so belongs to the same domain as toto.com – Stranded Kid Sep 11 '15 at 10:26
  • Still, browsers allowed me to rewrite support.domain.com to domain.com on my iframe side without moaning. So I'm kinda lost. – Stranded Kid Sep 11 '15 at 10:29

1 Answer

7

I've finally found a solution.

The top of my iframe had a domain.location set to domain.com and my iframe a domain.location set to support.domain.com.

Even though I still think that both belong to the same domain, browsers don't like it, it seems.

Re-setting the domain.location did the work.

To answer the ones asking about how to re-set location.domain, here is the snippet of code my team used to use. This is quite old (2y ago), not really optimized and we do not use it anymore, but I guess it's worth sharing. Basically, what we were doing is loading the iframe while passing it the top domain in the URL parameters.

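```javascript
// Read the "domain" parameter that the parent page passes in the iframe URL.
var topDomain = (function handleDomain(search) {
        if (typeof search === "undefined") {
            return;
        }
        // Drop the leading "?" so the first key is compared correctly.
        var parameters = search.replace(/^\?/, "").split("&"),
            pair;
        for (var i = 0; i < parameters.length; ++i) {
            pair = parameters[i].split("=");
            // Match the key exactly, so e.g. "subdomain=..." is not picked up.
            if (pair[0] === "domain") {
                return pair[1];
            }
        }
        return;
    })(window.location.search),
    domain = document.domain;

// Only relax document.domain to a parent domain of the current host
// (e.g. "support.domain.com" -> "domain.com"). An empty or unrelated
// value is skipped here instead of making the setter throw.
if (topDomain && domain !== topDomain &&
        domain.slice(-(topDomain.length + 1)) === "." + topDomain) {
    document.domain = topDomain;
}
```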
Stranded Kid
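The error in the question follows directly from the browser's "same origin-domain" rule. The sketch below is an added example, not code from the original post or from SAP: it models that rule in plain JavaScript (runnable in Node), with hypothetical helper names `makeOrigin`, `setDocumentDomain` and `sameOriginDomain` and constructed URLs shaped like the ones in the question.

```javascript
// Model of the browser's "same origin-domain" check (HTML Standard).
// An origin is (scheme, host, port, domain); domain stays null until a
// script in that document assigns document.domain.
function makeOrigin(url) {
  const u = new URL(url);
  return { scheme: u.protocol, host: u.hostname, port: u.port, domain: null };
}

// What assigning document.domain does: the value must be the current host or
// a parent of it (the real check also rejects public suffixes such as "com").
function setDocumentDomain(origin, value) {
  const current = origin.domain || origin.host;
  if (value !== current && !current.endsWith("." + value)) {
    throw new Error("SecurityError: " + value + " is not a suffix of " + current);
  }
  return { ...origin, domain: value };
}

function sameOriginDomain(a, b) {
  if (a.domain !== null && b.domain !== null) {
    // Both opted in: the port is ignored, scheme and domain must match.
    return a.scheme === b.scheme && a.domain === b.domain;
  }
  if (a.domain === null && b.domain === null) {
    // Neither opted in: ordinary same-origin comparison.
    return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
  }
  return false; // only one side set document.domain: always blocked
}

// Constructed URLs shaped like the host page and the iframe in the question.
const host = makeOrigin("http://support.domain.com/BOE/OpenDocument/opendoc/openDocument.jsp");
const frame = makeOrigin("http://support.domain.com/BOE/OpenDocument/map.html");

const untouched = sameOriginDomain(host, frame);      // neither frame relaxed
const hostRelaxed = setDocumentDomain(host, "domain.com");
const blocked = sameOriginDomain(hostRelaxed, frame); // the reported error
const fixed = sameOriginDomain(hostRelaxed, setDocumentDomain(frame, "domain.com"));

console.log({ untouched, blocked, fixed });
```

Current browsers deprecate the `document.domain` setter, so for new code `window.postMessage` with an explicit target origin is the supported way for such frames to talk to each other.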