I have a website that I am loading an iframe in. The iframe is on a different subdomain than the website itself. Let's say the website is on portal.domain.com and the iframe is on iframe.domain.com. I need to make requests to iframe.domain.com from portal.domain.com, and I was hoping to use this iframe to make those requests.
I created the iframe like this:

// On portal.domain.com
document.domain = "domain.com";
// No src is set, so the frame starts out as an about:blank document created by this page
var iframe = document.body.appendChild(document.createElement('iframe'));
iframe.contentWindow.onIframeLoad = function() {
  iframe.contentWindow.makeRequest();
};
// Write a document into the frame whose <body onload> loads content.js from iframe.domain.com
// (the script URL needs a scheme, otherwise it resolves relative to the frame's own document)
var doc = iframe.contentWindow.document;
doc.open().write('<body onload="' +
  'var s = document.createElement(\'script\');' +
  's.onload = onIframeLoad;' +
  'document.getElementsByTagName(\'head\')[0].appendChild(s).src=\'' + "https://iframe.domain.com/content.js" + '\'">');
doc.close();
The script loaded in the iframe looks like this:

// iframe.domain.com/content.js
document.domain = "domain.com";
function makeRequest() {
  // AJAX call here (XMLHttpRequest to iframe.domain.com)
}
The AJAX call is made, but the origin gets set to portal.domain.com. This causes the cookies not to be sent and the browser to block the response due to its CORS policy. Why is this happening?
Well,
You cannot. Doing that is actually cross-domain execution, which is a huge security risk. So most modern browsers will track your originating entry point to your script and see that it was loaded from a different domain.
If you want to do it:
Load JavaScript from iFrame domain
Define an object (let's say window.iframeparams)
Populate it
Call “send” on the JavaScript code, loaded from iframe domain
It is actually the same procedure as Google Analytics or any other tracking software.
Edit :
Again, browsers will track the origin of the call. So your method of creating a dynamic iFrame will not work (or maybe on IE6).
This is restricted in most browsers because of the "Same-Origin" policy. You can read more about it here: https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy
There are ways to work around this limitation, using technologies such as JSONP or HTML5 messaging.
You may want to look at similar questions and their answers here:
Edit: There is also a lengthy list of ways to circumvent the same-origin policy here: Ways to circumvent the same-origin policy
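Both answers point at the supported route: load a real document from iframe.domain.com and talk to it with HTML5 messaging (postMessage). The example below is added here and is not code from the question or from either answer. It assumes a hypothetical bridge page /bridge.html served by iframe.domain.com and a hypothetical /api/whoami endpoint on that host. The frame is loaded via its src rather than written with document.write, because a document written into an about:blank frame keeps the writer's origin (here portal.domain.com) no matter what document.domain is set to, which is exactly why the request in the question went out with that origin and without iframe.domain.com's cookies. Inside the bridge page the request is same-origin, so the iframe.domain.com cookies are sent and no CORS check applies; what must be checked instead is the origin of every message on both sides, and the iframe must only ever fetch paths under its own origin.

```javascript
// Added example (not from the question or either answer): a postMessage bridge between
// portal.domain.com (parent page) and iframe.domain.com (frame that performs credentialed,
// same-origin requests on the parent's behalf).  Hypothetical: /bridge.html and /api/whoami.

const PORTAL_ORIGIN = "https://portal.domain.com";
const IFRAME_ORIGIN = "https://iframe.domain.com";
const BRIDGE_PATH = "/bridge.html";  // hypothetical page hosted on iframe.domain.com

// Portal side: describe a request.  Only a path is sent; the frame decides the host.
function createBridgeRequest(id, path, method = "GET") {
  return { type: "bridge-request", id: String(id), path, method };
}

// Frame side: resolve a path against the frame's own origin and refuse anything that
// escapes it (absolute URLs, protocol-relative "//evil.com", backslash variants).
function resolveBridgeUrl(path) {
  if (typeof path !== "string" || !path.startsWith("/")) return null;
  let url;
  try { url = new URL(path, IFRAME_ORIGIN); } catch (e) { return null; }
  return url.origin === IFRAME_ORIGIN ? url.href : null;
}

// Frame side: validate a MessageEvent-like object { origin, data, source }.
// Returns a sanitized request, or null if the message must be ignored.
function parseBridgeRequest(event, expectedOrigin) {
  if (!event || event.origin !== expectedOrigin) return null;  // exact match, never "*"
  const d = event.data;
  if (!d || d.type !== "bridge-request" || typeof d.id !== "string") return null;
  const method = String(d.method || "GET").toUpperCase();
  if (method !== "GET" && method !== "POST") return null;      // small method allowlist
  const url = resolveBridgeUrl(d.path);
  if (url === null) return null;
  return { id: d.id, url, method };
}

// Frame side: shape of the reply posted back to the portal.
function buildBridgeResponse(id, status, body) {
  return { type: "bridge-response", id, status, body };
}

// Portal side: validate a reply before using it (origin check plus a known request id).
function parseBridgeResponse(event, expectedOrigin, pendingIds) {
  if (!event || event.origin !== expectedOrigin) return null;
  const d = event.data;
  if (!d || d.type !== "bridge-response" || !pendingIds.has(d.id)) return null;
  return { id: d.id, status: Number(d.status), body: String(d.body) };
}

// Browser wiring; skipped when there is no DOM so the module also loads under Node.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  if (window.location.origin === IFRAME_ORIGIN) {
    // Runs inside /bridge.html on iframe.domain.com: same-origin fetch, cookies included.
    window.addEventListener("message", async (event) => {
      const req = parseBridgeRequest(event, PORTAL_ORIGIN);
      if (!req) return;
      const resp = await fetch(req.url, { method: req.method, credentials: "same-origin" });
      const reply = buildBridgeResponse(req.id, resp.status, await resp.text());
      event.source.postMessage(reply, PORTAL_ORIGIN);  // explicit targetOrigin, not "*"
    });
  } else if (window.location.origin === PORTAL_ORIGIN) {
    // Runs on portal.domain.com: embed the real cross-origin document, then message it.
    const pending = new Set();
    const iframe = document.createElement("iframe");
    iframe.src = IFRAME_ORIGIN + BRIDGE_PATH;
    window.addEventListener("message", (event) => {
      const reply = parseBridgeResponse(event, IFRAME_ORIGIN, pending);
      if (!reply) return;
      pending.delete(reply.id);
      console.log("bridge reply", reply.id, reply.status, reply.body);
    });
    iframe.onload = () => {
      const req = createBridgeRequest("1", "/api/whoami");  // hypothetical endpoint
      pending.add(req.id);
      iframe.contentWindow.postMessage(req, IFRAME_ORIGIN);
    };
    document.body.appendChild(iframe);
  }
}
```

The two halves run from the same file depending on which origin loaded it. Note the trust boundary this creates: any page that can satisfy the portal-origin check can drive iframe.domain.com with the user's cookies, so the path and method allowlist in the bridge is what limits the damage if the portal itself is ever compromised (for example by an XSS on portal.domain.com).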