1

I am working on a website, let say the website name is "https://website" (which is built on wordpress) in which I am getting the following error on console:

Uncaught DOMException: Blocked a frame with origin "https://website" from accessing a cross-origin frame.

    at contents (https://website/wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-core,jquery-migrate,jquery-ui-core,jquery-ui-widget,jquery-ui-mouse,jquery-ui-sortable,utils,underscore,wp-util,backbone,&load%5B%5D=moxiejs,plupload&ver=4.9.8:2:26921)

    at Function.map (https://website/wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-core,jquery-migrate,jquery-ui-core,jquery-ui-widget,jquery-ui-mouse,jquery-ui-sortable,utils,underscore,wp-util,backbone,&load%5B%5D=moxiejs,plupload&ver=4.9.8:2:3613)

    at a.fn.init.n.fn.(anonymous function) [as contents] (https://website/wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-core,jquery-migrate,jquery-ui-core,jquery-ui-widget,jquery-ui-mouse,jquery-ui-sortable,utils,underscore,wp-util,backbone,&load%5B%5D=moxiejs,plupload&ver=4.9.8:2:27001)

    at b (https://website/wp-admin/load-scripts.php?c=1&load%5B%5D=postbox,thickbox,hoverIntent,common,admin-bar,wp-a11y,updates,plugin-install,svg-painter,heartbeat,wp-auth-check,shortcode,wp-ba&load%5B%5D=ckbone,media-models,wp-plupload,wp-mediaelement,wp-api-request,media-views,media-editor,media-audiovideo,mce-view,imgareaselect,&load%5B%5D=image-edit&ver=4.9.8:347:103)

    at HTMLBodyElement.<anonymous> (https://website/wp-admin/load-scripts.php?c=1&load%5B%5D=postbox,thickbox,hoverIntent,common,admin-bar,wp-a11y,updates,plugin-install,svg-painter,heartbeat,wp-auth-check,shortcode,wp-ba&load%5B%5D=ckbone,media-models,wp-plupload,wp-mediaelement,wp-api-request,media-views,media-editor,media-audiovideo,mce-view,imgareaselect,&load%5B%5D=image-edit&ver=4.9.8:347:1306)

    at HTMLBodyElement.dispatch (https://website/wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-core,jquery-migrate,jquery-ui-core,jquery-ui-widget,jquery-ui-mouse,jquery-ui-sortable,utils,underscore,wp-util,backbone,&load%5B%5D=moxiejs,plupload&ver=4.9.8:3:12444)

    at HTMLBodyElement.r.handle (https://website/wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-core,jquery-migrate,jquery-ui-core,jquery-ui-widget,jquery-ui-mouse,jquery-ui-sortable,utils,underscore,wp-util,backbone,&load%5B%5D=moxiejs,plupload&ver=4.9.8:3:9173)

    at Object.trigger (https://website/wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-core,jquery-migrate,jquery-ui-core,jquery-ui-widget,jquery-ui-mouse,jquery-ui-sortable,utils,underscore,wp-util,backbone,&load%5B%5D=moxiejs,plupload&ver=4.9.8:3:11573)

    at Object.a.event.trigger (https://website/wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-core,jquery-migrate,jquery-ui-core,jquery-ui-widget,jquery-ui-mouse,jquery-ui-sortable,utils,underscore,wp-util,backbone,&load%5B%5D=moxiejs,plupload&ver=4.9.8:9:8275)

    at HTMLDivElement.<anonymous> (https://website/wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-core,jquery-migrate,jquery-ui-core,jquery-ui-widget,jquery-ui-mouse,jquery-ui-sortable,utils,underscore,wp-util,backbone,&load%5B%5D=moxiejs,plupload&ver=4.9.8:3:18991)

The above error is generated by clicking View Details section of wordpress plugins (as shown below):

enter image description here

This error seems to exist in every single wordpress plugins but it works when I open in a new tab but it doesn't work when I open in the same window.


Problem Statement:

I am wondering which file I need to modify in wordpress in order to solve this error. This error seems to exist in every wordpress plugins. As mentioned, it works in a new tab but fails to work in the same page.

I have a feeling I have to make some changes in the following file by seeing the error above (load-scripts.php, as the error is generated in that file) but not sure what line I need to add in order to make it work.

https://website/wp-admin/load-scripts.php

john
  • 9,493
  • 34
  • 111
  • 210
  • It sounds like the entire Wordpress site is loaded within an iframe. Please take a look at the pages source code and check if it is. The link is there for trying to load inside the iframe which could explain why it works when you open in a new window. – OrderAndChaos Nov 27 '18 at 20:04
  • @Sarcoma Where I need to look for the page source code ? or Which file I need to check for the page source code ? – john Dec 02 '18 at 03:01
  • Just view source in the browser and see where the iframe is. It should tell you what it is requesting in its `src` attribute, that might tell you why it's requesting resources outside of your domain. It looks like @Blackbam knows why the iframe exists. If you can see a domain in the iframe src it might give you a clue as to what's going wrong. – OrderAndChaos Dec 02 '18 at 10:18
  • @Sarcoma I am sending you the [link](https://test.caubo.ca/) of the website on which I am working on and which is causing this bug. When I globally search iframe here, I can see `iframe is commented` from `line#106 to line#108` and iframe is used in css as well. Let me know if I am doing anything wrong. – john Dec 02 '18 at 16:18
  • @Sarcoma and Iframe is also used in css at `line#341` – john Dec 02 '18 at 16:20
  • @Sarcoma Are you around ? – john Dec 02 '18 at 16:40
  • When you say `https://website` what is the actual domain that is blocked? is it identical to the link you sent or is there a difference? I'd expect them to be different to throw that error if you see what I mean. – OrderAndChaos Dec 02 '18 at 17:14
  • Its same. I didn't mention in the question. – john Dec 02 '18 at 17:18
  • Is it asking for password ? Let me know. – john Dec 02 '18 at 17:21
  • Here is the [website](https://test.caubo.ca/) which I am working on but I don't think so its public. – john Dec 02 '18 at 17:35
  • @Sarcoma Are you around ? – john Dec 02 '18 at 17:45
  • Yes, it is asking for a password. – OrderAndChaos Dec 02 '18 at 20:43
  • You have indicated they are the same, but the error suggests that they are not. Even if the subdomain is different it will throw this error I believe. I was thinking as you are on a `https://test.website.com` that it could be looking for `https://website.com` or something. – OrderAndChaos Dec 02 '18 at 20:47
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/184593/discussion-between-john-and-sarcoma). – john Dec 02 '18 at 21:58

1 Answers1

3

Something bad has happend to your WordPress admin interface.

The first thing to notice is that the error you have described is a well known problem as you may have already noticed: SecurityError: Blocked a frame with origin from accessing a cross-origin frame

Look at the first answer there:

You can't access an with different origin using JavaScript, it would be a huge security flaw if you could do it. For the same-origin policy browsers block scripts trying to access a frame with a different origin.

Protocol, hostname and port must be the same of your domain, if you want to access a frame.

The second thing to notice is what the "View details" button in the WordPress admin interface does: It opens a ThickBox containing and iframe which is showing remote contents quite often within an IFrame. How this works is ecactly described here: https://codex.wordpress.org/Javascript_Reference/ThickBox

load-scripts.php is an important WordPress core file loaded in the admin which is used to load JavaScript files without having to embed each of them. Those JavaScript files are usually added to your WordPress admin with the admin_enqueue_scripts() function (https://codex.wordpress.org/Plugin_API/Action_Reference/admin_enqueue_scripts).

As your problem is quite uncommon and the "View details" button for Plugins works almost everytime there are only two possibilities:

1. The "View Details" IFrame is usually loaded from the same location where your WordPress is - therefore you might have a problem such that the browser wants to load it from a different host

This happens if you have some misconfiguration within your WordPress installation and Thickbox tries to get an IFrame from a host which the Browser thinks is another host. Configure WordPress correctly.

2. You have a badly programmed plugin or theme which is injecting a script causing this problem

Solution: Deactivate your theme and all your plugins one-by-one and see if the error still exists. This way you can find out the modification which causes the problem and maybe do a bug request to the plugin developers then.

It is almost 100% sure that a single plugin, theme or misconfiguration is causing this problem.

Blackbam
  • 12,200
  • 19
  • 71
  • 117
  • I will comment on your answer shortly. – john Nov 28 '18 at 15:10
  • Have you found it? – Blackbam Nov 30 '18 at 14:38
  • I will let you know by today. – john Nov 30 '18 at 18:35
  • Sorry for the delay. I deactivated plugin `one-by-one` and then I clicked on the `view details` button for the deactivated plugin and the plugin which is not deactivated (for both of them). I found the bug still exists. Now, going to check themes. – john Dec 02 '18 at 01:36
  • There is two possibilities it could also be a problem with misconfiguration e.g. port in the URL. – Blackbam Dec 02 '18 at 16:19
  • How can we check that ? Which file I need to check in order to fix that ? – john Dec 02 '18 at 16:21
  • Can you check my comment in Sarcoma answer ? Maybe that can help. – john Dec 02 '18 at 16:34
  • Can you recommend some another solution in order to fix this problem ? This is the [link](http://test.caubo.ca/) of the website which I am working on. ( I didn't deactivate the theme because I was afraid that it might break the website ) – john Dec 02 '18 at 17:10
  • As, I am using Custom theme so not sure if it breaks anything or not. – john Dec 02 '18 at 17:12
  • 2
    just deactivate and check with a default theme – Blackbam Dec 02 '18 at 20:49
  • I agree with @Blackbam. You can put your site in maintenance mode while testing or using a default theme. And also, yes, the issue could be caused by a code in the currently active theme on your site. If the issue persists after trying a default theme, backup your site (database and files) and try reinstalling WordPress. – Sally CJ Dec 04 '18 at 04:30