Cors domain problem with and .htaccess, why?</a></h1> </div> <div class="grid fw-wrap pb8 mb16 bb bc-black-075"> <div class="grid--cell ws-nowrap mr16 mb8" title="2016-01-12 19:07:53Z"> <span class="fc-light mr2">Asked</span> <time itemprop="dateCreated" datetime="2019-05-22T23:12:59.530" class="fromnow">May 22 '19 at 23:12</time> </div> <div class="grid--cell ws-nowrap mr16 mb8"> <span class="fc-light mr2">Active</span> <time class="fromnow" title="2019-12-16T03:09:14.490" datetime="2019-12-16T03:09:14.490">Dec 16 '19 at 03:09</a> </div> <div class="grid--cell ws-nowrap mb8" title="Viewed 1,512 times"> <span class="fc-light mr2">Viewed</span> 1,512 times </div> </div> <div id="mainbar" role="main" aria-label="questions and answers"> <div id="question" class="question" data-questionid="56266115" data-ownerid="11541973" data-score="-1"> <div class="post-layout"> <div class="votecell post-layout--left"> <div class="js-voting-container grid jc-center fd-column ai-stretch gs4 fc-black-200" data-post-id="56266115"> <button class="js-vote-up-btn grid--cell s-btn s-btn__unset c-pointer"><svg aria-hidden="true" class="m0 svg-icon iconArrowUpLg" width="36" height="36" viewBox="0 0 36 36"><path d="M2 26h32L18 10 2 26z"></path></svg></button> <div class="js-vote-count grid--cell fc-black-500 fs-title grid fd-column ai-center" itemprop="upvoteCount" data-value="-1">-1</div> <button class="js-bookmark-btn s-btn s-btn__unset c-pointer py4"> <svg aria-hidden="true" class="svg-icon iconBookmark" width="18" height="18" viewBox="0 0 18 18"><path d="M6 1a2 2 0 00-2 2v14l5-4 5 4V3a2 2 0 00-2-2H6zm3.9 3.83h2.9l-2.35 1.7.9 2.77L9 7.59l-2.35 1.7.9-2.76-2.35-1.7h2.9L9 2.06l.9 2.77z"></path></svg> <div class="js-bookmark-count mt4" data-value=""></div> </button> </div> </div> <div class="postcell post-layout--right"> <div class="s-prose js-post-body" itemprop="text"><p>My problem is my iframe blocks my Javascript access, when I try to access to the content inside the <code>&lt;iframe&gt;</code> of my subdomain(test.example.com:xx), xx is the line number of my code, look below the error.</p> <p>Error:</p> <blockquote> <p>Uncaught DOMException: Blocked a frame with origin "<a class="external-link" href="https://example.com" rel="nofollow noreferrer">https://example.com</a>" from accessing a cross-origin frame. at window.onload (<a class="external-link" href="https://example.com" rel="nofollow noreferrer">https://example.com</a>)</p> </blockquote> <p>Here the code of <a class="external-link" href="https://example.com/index.html" rel="nofollow noreferrer">https://example.com/index.html</a>:</p> <pre class="s-code-block"><code>&lt;!DOCTYPE html&gt; &lt;html&gt; &lt;body&gt; &lt;iframe id="frames" src="https://test.example.com"&gt; &lt;/iframe&gt; &lt;script&gt; var x = document.getElementById("frames"); console.log(x); window.onload = function() { console.log(window.frames[0].document.body.innerHTML); } &lt;/script&gt; &lt;/body&gt; &lt;/html&gt; </code></pre> <p>Here the code of my <a class="external-link" href="https://test.example.com/index.html" rel="nofollow noreferrer">https://test.example.com/index.html</a>:</p> <pre class="s-code-block"><code>&lt;!DOCTYPE html&gt; &lt;html&gt; &lt;body&gt; &lt;p&gt;This is my test subdomain...&lt;p&gt; &lt;/body&gt; &lt;/html&gt; </code></pre> <p>And here the code of my .htaccess file, of both domains, my <a class="external-link" href="https://example.com" rel="nofollow noreferrer">https://example.com</a> and <a class="external-link" href="https://test.example.com" rel="nofollow noreferrer">https://test.example.com</a>:</p> <pre class="s-code-block"><code>RewriteEngine On RewriteCond %{HTTPS} off RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] Header always set x-frame-options "ALLOWALL" Header always set Access-Control-Allow-Origin: "*" Header always set Access-Control-Allow-Credentials: "true" Header always set Access-Control-Allow-Methods: "POST, GET, OPTIONS" Header always set Access-Control-Allow-Headers: "Content-Type" Header always set Origin: "*" </code></pre> <p>What went wrong and how can I fix it?</p> <p><strong>Note</strong>: I'm using Chrome, Firefox and Safari, to test my sites, The error is produced in this line: </p> <pre class="s-code-block"><code>console.log(window.frames[0].document.body.innerHTML); </code></pre></div> <div class="mt24 mb12"> <div class="post-taglist grid gs4 gsy fd-column"> <div class="grid ps-relative"> <a href="../../questions/tagged/javascript" class="post-tag js-gps-track" title="show questions tagged 'javascript'" rel="tag">javascript</a> <a href="../../questions/tagged/html" class="post-tag js-gps-track" title="show questions tagged 'html'" rel="tag">html</a> <a href="../../questions/tagged/apache" class="post-tag js-gps-track" title="show questions tagged 'apache'" rel="tag">apache</a> <a href="../../questions/tagged/.htaccess" class="post-tag js-gps-track" title="show questions tagged '.htaccess'" rel="tag">.htaccess</a> </div> </div> </div> <div class="mb0"> <div class="mt16 grid gs8 gsy fw-wrap jc-end ai-start pt4 mb16"> <div class="grid--cell mr16 fl1 w96"></div> <div class="post-signature grid--cell"> <div class="s-user-card s-user-card"> <time class="s-user-card--time" datetime="edited Dec 16 '19 at 03:09">edited Dec 16 '19 at 03:09</time> <a href="../../users/441757/sideshowbarker" class="s-avatar s-avatar__32 s-user-card--avatar"> <img class="s-avatar--image" src="../../users/profiles/441757.webp" data-jdenticon-width="32" data-jdenticon-height="32" data-jdenticon-value="sideshowbarker" onerror="onImageLoadingError(this);" /> </a> <div class="s-user-card--info"> <a href="../../users/441757/sideshowbarker" class="s-user-card--link">sideshowbarker</a> <ul class="s-user-card--awards"> <li class="s-user-card--rep" title="reputation score">62,215</li> <li class="s-award-bling s-award-bling__gold" title="21 gold badges">21</li> <li class="s-award-bling s-award-bling__silver" title="143 silver badges">143</li> <li class="s-award-bling s-award-bling__bronze" title="153 bronze badges">153</li> </ul> </div> </div> </div> <div class="post-signature owner grid--cell"> <div class="s-user-card s-user-card"> <time class="s-user-card--time" datetime="asked May 22 '19 at 23:12">asked May 22 '19 at 23:12</time> <a href="../../users/11541973/kimo41" class="s-avatar s-avatar__32 s-user-card--avatar"> <img class="s-avatar--image" src="../../users/profiles/11541973.webp" data-jdenticon-width="32" data-jdenticon-height="32" data-jdenticon-value="Kimo41" onerror="onImageLoadingError(this);" /> </a> <div class="s-user-card--info"> <a href="../../users/11541973/kimo41" class="s-user-card--link">Kimo41</a> <ul class="s-user-card--awards"> <li class="s-user-card--rep" title="reputation score">9</li> <li class="s-award-bling s-award-bling__bronze" title="4 bronze badges">4</li> </ul> </div> </div> </div> </div> </div> </div> <div class="post-layout--right js-post-comments-component"> <div id="comments-56266115" class="comments js-comments-container bt bc-black-075 mt12 " data-post-id="56266115" data-min-length="15"> <ul class="comments-list js-comments-list" data-remaining-comments-count="0" data-canpost="false" data-cansee="true" data-comments-unavailable="false" data-addlink-disabled="true"> <li id="comment-99148485" class="comment js-comment " data-comment-id="99148485" data-comment-owner-id="1507691" data-comment-score="1"> <div class="js-comment-actions comment-actions"> <div class="comment-score js-comment-edit-hide"> <span title="number of 'useful comment' votes received" class="warm">1</span> </div> </div> <div class="comment-text js-comment-text-and-form"> <a name="comment99148485_56266115"></a> <div class="comment-body js-comment-edit-hide"> <span class="comment-copy">You cannot access`iFrame` data (html) cross origin .. This is expected and **intentional** -- Otherwise what's to stop you from posting an `iFrame` of a bank login and collecting the user info?</span> –&nbsp;<a href="../../users/1507691/zak" title="5,117 reputation" class="comment-user ">Zak</a> <span class="comment-date" dir="ltr"><a class="comment-link" href="../../questions/56266115/cors-domain-problem-with-iframe-and-htaccess-why#comment99148485_56266115"><span title="2019-05-22T23:17:16.983 License: CC BY-SA 4.0" class="relativetime-clean">May 22 '19 at 23:17</span></a></span> </div> </div> </li> <li id="comment-99148536" class="comment js-comment " data-comment-id="99148536" data-comment-owner-id="11541973" data-comment-score="0"> <div class="js-comment-actions comment-actions"> <div class="comment-score js-comment-edit-hide"> </div> </div> <div class="comment-text js-comment-text-and-form"> <a name="comment99148536_56266115"></a> <div class="comment-body js-comment-edit-hide"> <span class="comment-copy">Zak, How i will allow my clients access to my subdomain using <iframe>? – Kimo41 May 22 '19 at 23:21

Answer 1

Kimo41, i already read your comments, and i'm accord with you, the cors policy have to be decision of the owner of the website and domain, not of the web browsers, I think i have a good solution for you, you can try JS WORKERS, for allow cors in your domains if you are using Cloudflare as DNS.

Response headers:

addEventListener('fetch', event => {
  event.respondWith(handleRequest(event.request))
})

async function handleRequest(request) {
  let response = await fetch(request)

  // Make the headers mutable by re-constructing the Response.
  response = new Response(response.body, response)
  response.headers.set('x-my-header', 'custom value')

  return response
}

Request Headers:

addEventListener('fetch', event => {
  event.respondWith(handleRequest(event.request))
})

async function handleRequest(request) {
  // Make the headers mutable by re-constructing the Request.
  request = new Request(request)
  request.headers.set('x-my-header', 'custom value')

  return await fetch(request)
}