15

The issue is about Chrome throwing Cross Domain Error on using file url

I am embedding an SVG document into HTML using the object tag, with the data attribute in the form of a relative path. Upon the onload event I want to get the SVGDocument using getSVGDocument().

I am accessing the HTML file using a file URL. When getSVGDocument is called, Chrome gives a Cross Domain Error. Chrome actually does embed the SVG, but getSVGDocument does not return the DOM for the SVG.

The Chrome Error is "Unsafe JavaScript attempt to access frame with URL file:///C:/MyFiles/website/Dir1/a.svg from frame with URL file:///C:/MyFiles/website/Dir1/index.html Domains, protocols and ports must match."

As you may see, the base path is the same for both the HTML and the embedded SVG document, so why does Chrome throw this error?

Raks
  • Documents loaded from file URLs have special security restrictions to stop malicious scripts you happen to have saved to your desktop doing bad things. Try running a local web server or uploading the files to a 'proper' web server and see if you still get the error. – robertc May 19 '11 at 16:32
  • Web server is what I wanted to avoid. – Raks May 20 '11 at 04:38
  • @robertc can you clarify what security concern there is with loading svg from relative file urls (relative images, css, js all seem to work ok)? I am hitting only this error: Unsafe attempt to load URL file:///Users/ericbloch/repos/set/shapes.svg#oval from frame with URL file:///Users/ericbloch/repos/set/index.html. Domains, protocols and ports must match. – Eric Bloch Jul 18 '15 at 20:16
  • @EricBloch You'll have to ask the Chrome developers, usually it's to do with `iframe` – robertc Jul 18 '15 at 21:04
  • I asked here in a bug: https://code.google.com/p/chromium/issues/detail?id=512542 (nothing to do with iframe so far). – Eric Bloch Jul 21 '15 at 22:39

1 Answer

16

You are hitting the cross domain/file security limitations of Chrome.

You can disable this by following the instructions in "Disable same origin policy in Chrome" and the details in "How can access and the origin policy in chrome as I'm not using a server" on how to start Chrome with these turned off.

A word of warning, though: they are called "security limitations" for a reason so do not go applying this when browsing 3rd party sites. This is extremely dangerous to turn off whilst browsing the web normally. For example, with this turned off I can now make requests on your behalf to sites like gmail.com, facebook.com and yourbank.com, and your cookies will be set allowing me to masquerade as yourself.

If you still really need this, you need to run chrome with the --disable-web-security flag:

```
chrome --disable-web-security # unix/linux only
```

If you need cross OS instructions on how to apply the flag, see http://www.chromium.org/developers/how-tos/run-chromium-with-flags.

Nathan Kleyn
  • Two SO links in your post are extremely helpful and cover all possibilities related to altering chrome's security settings for development purposes. +1 – RBT May 31 '17 at 01:10
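
The local web server suggested in the comments under the question, as an added example that is not part of the original posts: a Node.js static server bound to 127.0.0.1, so that index.html and a.svg load from one http origin and Chrome can stay at its default security settings. The port 8000, the MIME table and the names `resolveSafe` and `createServer` are assumptions made for this example.

```javascript
// Added example, not from the original posts. Names and port are assumptions.
const http = require('http');
const fs = require('fs');
const path = require('path');

// Assumed minimal MIME table; SVG is served as image/svg+xml.
const TYPES = {
  '.html': 'text/html; charset=utf-8',
  '.svg': 'image/svg+xml',
  '.js': 'text/javascript',
  '.css': 'text/css',
};

// Map a request URL to a file under root; null if it is malformed or
// would (lexically) resolve outside root.
function resolveSafe(root, requestUrl) {
  let pathname;
  try {
    pathname = decodeURIComponent(new URL(requestUrl, 'http://127.0.0.1').pathname);
  } catch {
    return null; // bad percent-encoding or unparsable URL
  }
  if (pathname.includes('\0')) return null;
  if (pathname.endsWith('/')) pathname += 'index.html';
  const base = path.resolve(root);
  const target = path.resolve(base, '.' + pathname);
  return target.startsWith(base + path.sep) ? target : null;
}

function createServer(root) {
  return http.createServer((req, res) => {
    const file = req.method === 'GET' ? resolveSafe(root, req.url) : null;
    if (!file) { res.writeHead(403); return res.end(); }
    fs.readFile(file, (err, data) => {
      if (err) { res.writeHead(404); return res.end(); }
      const type = TYPES[path.extname(file).toLowerCase()] || 'application/octet-stream';
      res.writeHead(200, { 'Content-Type': type, 'X-Content-Type-Options': 'nosniff' });
      res.end(data);
    });
  });
}

// Usage: node serve.js <directory>, then open http://127.0.0.1:8000/Dir1/index.html
// Loopback only: the files are not exposed to other machines on the network.
if (process.argv[2]) createServer(process.argv[2]).listen(8000, '127.0.0.1');
```

The containment check is lexical only, so a symlink inside the served directory can still point outside it.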