0

I am trying to bypass the same-origin policy of a domain to click on the contents of a cross domain frame.

The code didn't work because the same origin policy is enforced.

So, I decided to use document.domain to set the subdomain and the parent page to the same address.

Then I tried setting the document.domain but I keep getting a security error.

I used the document.domain syntax, but when I run the code I get a security error.

    document.domain;
    // returns www.example.com
    document.domain = "example.com";

I keep getting "Security Error: The operation is insecure".

  • You can’t set it to a domain that isn’t a suffix of your current one, if that’s what you’re trying to do. Also, generally, what are you trying to do? – Ry- Aug 12 '19 at 17:10
  • Sounds like a [XY problem](https://meta.stackexchange.com/questions/66377/what-is-the-xy-problem) – Alon Eitan Aug 12 '19 at 17:23
  • @Ry- I am trying to bypass the same-origin policy to click on the contents of an iframe. – Ivaka Zakuri Aug 12 '19 at 17:47
  • @tiguchi, it is not a duplicate. – Ivaka Zakuri Aug 12 '19 at 17:48
  • @AlonEitan, it has been edited. – Ivaka Zakuri Aug 12 '19 at 17:49
  • 1
    You can't bypass the same-origin policy. – Barmar Aug 12 '19 at 18:25
  • @Barmar, I meant how to escape the same-origin policy. – Ivaka Zakuri Aug 12 '19 at 18:32
  • 1
    You can't escape the same-origin policy, that would be a huge security problem. – Barmar Aug 12 '19 at 18:38
  • E.g. if you have an iframe where the user logs into a web site, it would allow the containing page to get the user's password. – Barmar Aug 12 '19 at 18:39
  • I understand, but there are ways to escape it, like I read. document.domain is one of them, postMessage() is also there. – Ivaka Zakuri Aug 12 '19 at 18:47
  • There are tools to communicate across origins, when both sides use those tools (i.e. cooperate). Do you control the inside of the iframe as well? – Ry- Aug 12 '19 at 18:51
  • @Ry- The inside of the frame is restricted due to cross-origin issues... so I need to handle the same-origin policy safely, then trigger a click on the elements I want to click. – Ivaka Zakuri Aug 12 '19 at 19:01
  • Does the inside of the frame belong to you, though? If it doesn’t, obviously you can’t trigger clicks on some unrelated website. – Ry- Aug 12 '19 at 19:32
  • @Ry- The domain wants me to click on the elements of the frame manually, but I want to use code to do the clicking. Both the domain and the frame do not belong to me. – Ivaka Zakuri Aug 13 '19 at 14:58
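
The suffix rule mentioned in the comments above, as an added example that is not part of the original question or comments: a simplified JavaScript model of the check a browser applies when a page assigns `document.domain`. The helper name `checkDocumentDomain`, its `sandboxed` option and the three-entry public-suffix sample are assumptions made for illustration; real browsers consult the full Public Suffix List.

```javascript
// Constructed sample; real browsers use the full Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk"]);
const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// Hypothetical helper: reports whether assigning `candidate` to document.domain
// on a page served from `currentHost` would be accepted, and why.
function checkDocumentDomain(currentHost, candidate, { sandboxed = false } = {}) {
  const host = currentHost.toLowerCase();
  const value = String(candidate).toLowerCase();
  const deny = (reason) => ({ allowed: false, reason });

  // Sandboxed frames may not change document.domain at all.
  if (sandboxed) return deny("document is sandboxed");
  if (value === "") return deny("empty value");
  // Re-assigning the current host is always accepted.
  if (value === host) return { allowed: true, reason: "same as current host" };
  if (IPV4.test(host)) return deny("IP address hosts have no parent domain");
  // The value must match on a label boundary, not just as a string tail.
  if (!host.endsWith("." + value)) return deny("not a suffix of the current host");
  // A bare public suffix such as "com" would merge unrelated sites.
  if (PUBLIC_SUFFIXES.has(value)) return deny("public suffix, not a registrable domain");
  return { allowed: true, reason: "registrable parent domain of current host" };
}

// Constructed inputs: [current host, value assigned, options]
const samples = [
  ["www.example.com", "example.com", {}],
  ["www.example.com", "ample.com", {}],
  ["www.example.com", "com", {}],
  ["www.example.com", "other.org", {}],
  ["www.example.com", "example.com", { sandboxed: true }],
];
for (const [host, value, opts] of samples) {
  const r = checkDocumentDomain(host, value, opts);
  console.log(`${host} -> ${value}: ${r.allowed ? "accepted" : "SecurityError"} (${r.reason})`);
}
```

Passing this check only relaxes the origin comparison when the framed page assigns the same value as well, so it has no effect on a frame whose content the embedding page does not control.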

1 Answer

0

I didn't have a choice other than to switch my browser to Google Chrome, and I disabled the same-origin policy through answers from "Disable same origin policy in Chrome", and voilà.