stackoom
  简体   繁体   中英

AJAX request from iframe, why is the origin the parent's URL?

 原文  2016-02-22 07:59:32       javascript/ html/ ajax/ iframe/ cors

Question

I have a website that I am loading an iframe in. The iframe is on a different subdomain than the website itself. Let's say the website is on portal.domain.com and the iframe is on iframe.domain.com . I need to make requests to iframe.domain.com from portal.domain.com and I was hoping to use this iframe to make those requests.

I created the iframe like this: 

// On portal.domain.com
document.domain = "domain.com";
var iframe = document.body.appendChild(document.createElement('iframe'));
iframe.contentWindow.onIframeLoad = function() {
    iframe.contentWindow.makeRequest();
}

var doc = iframe.contentWindow.document;
doc.open().write('<body onload="' + 
        'var s = document.createElement(\'script\');' + 
        's.onload = onIframeLoad;' +
        'document.getElementsByTagName(\'head\')[0].appendChild(s).src=\'' + "iframe.domain.com/content.js" + '\'">');
doc.close();

The script loaded in the iframe looks like this: 

// iframe.domain.com/content.js
document.domain = "domain.com"

function makeRequest() {
  // AJAX call here
}

The AJAX call is made, but the origin gets set to portal.domain.com . This causes the cookies not to be sent and for the browser to block the response due to its CORS policy. Why is this happening?

2 answers

solution1
 1 ACCPTED  2016-02-22 08:06:21

Well,

You can not. Doing that is actually cross-domain execution, which is a huge security risk. So most of modern browsers will track you originating entry point to you script and see that it was loaded from different domain.

If you want to do it :

  1. Load JavaScript from iFrame domain

  2. Define an object (lets' say window.iframeparams)

  3. Populate it

  4. Call “send” on the JavaScript code, loaded from iframe domain

It is actually the same proceeding as google analytics or any other tracking software

Edit :

Again, browsers will track origin of call . So, your method by creating dynamic iFrame will not work (Or may be on ie6)

solution2
 0  2016-02-22 08:03:11

This is restricted in most browser because of the "Same-Origin" policy. You can read more about this, here: https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy .

There are ways to work around this limitation, using technologies such as JSONP or html5 messaging.

You may want to look at similar questions and their answers, here:

Edit: There is also a lengthy list of ways to circumvent the same-origin policy, here: Ways to circumvent the same-origin policy

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Changing parent window's URL from IFrame Why can an iframe change the parent window's URL from a different domain? access parent/original URL from a proxy in iframe from another domain (same origin policy) changing iframe url changes parent window url Blocked a frame with origin Get url from iframe when origin is not the same Redirecting Parent URL from an iFrame Access parent URL from iframe Change Parent url from iframe Sending an authorization token from parent window to iframe origin so that iframe origin could make the call Communicating cross-origin from parent to child iframe
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM