I am currently attempting to wrap a web application (ConnectWise) for inclusion within my company's central intranet site. It's a fairly simple process for the most part; create a containing page, with an iframe, point the iframe at the ConnectWise url. This part works for almost all of the functionality.
The problem comes during certain select features of the app (in this case, part of the process of creating a timesheet entry), which simply fail to work. Chrome gives the following console output.
Uncaught SecurityError: Failed to read the 'frame' property from 'Window': Blocked a frame with origin "https://app.example.com" from accessing a frame with origin "https://host.example.com". Protocols, domains, and ports must match.
I am aware this is caused by the security options for cross-site and same-origin policies. Given the following points, is there a way to overcome this?
- I have full control over
https://host.example.com
- I can change html, javascript, and file contents
- I can change IIS settings and headers
- I have partial control over
https://app.example.com
- I can not change html, javascript, and file contents
- I can change IIS settings and headers.
I have tried setting the Access-Control-Allow-Origin
on each server, which so far is the only method I've come across that does not involve being able to change the file contents for the app server. This does not appear to work when given the settings (and combinations of settings) of
*
orhttps://app.example.com
while onhttps://host.example.com
*
orhttps://host.example.com
while onhttps://app.example.com
Edit:
The solution to this "duplicate" question is not applicable here. I do not have access to change file contents (including javascript) of the iframed page (app.example.com
). Additionally, the script requiring the permission to run is the page within the iframe, not the page hosting the iframe.