9

I have an iframe on my page P1, which is hosted on server S1. At runtime, I do iframe.src= to load page P2, hosted on server S2, inside the iframe.

I know about CORS and on server S2 for page P2, I've already set Access-Control-Allow-Origin: * and I can confirm the same on response header when I check it in browser.

Now the page P2 and all its assets load just fine, but the moment I try to access P2's DOM from P1 using window.frames["iframe"].document, it throws a permission error.

Even though I'm setting Access-Control-Allow-Origin: * on server S2, why am I still unable to access P2's DOM? Is this the way Access-Control-Allow-Origin: * is supposed to work?

Request-Response

6
  • What happens with pre-flight request? See developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS
    – symcbean
    Commented Mar 22, 2013 at 13:55
  • 1
    Yeah would be great to see the request/response header sources. Commented Mar 22, 2013 at 14:00
  • Well, I'm not using XMLHttpRequest and I'm not sure if I can use it with "iframe.src". But I can confirm that the response header for P2 contains "Access-Control-Allow-Origin: *" coming from S2.
    – coreSOLO
    Commented Mar 22, 2013 at 14:03
  • 3
    I don’t think CORS can disable the SOP when it comes to window access.
    – CBroe
    Commented Mar 22, 2013 at 14:06
  • 1
    With CORS setup, couldn't you just download the contents of P2 server side and then write it to P1?
    – Bafsky
    Commented Mar 31, 2013 at 17:01

1 Answer

1

You can use PostMessages to set up communication between documents, even if they are from different domains.

You can send data through PostMessage. It's limited, but this is better than nothing.

Take a look at http://easyxdm.net/wp/; it has a good API to work with. A long time ago I made cross-domain http <-> https ajax requests with that lib.

3
  • Thanks, but unfortunately I need richer control than "PostMessages". I'm seeking full DOM manipulation and I thought "Access-Control-Allow-Origin: *" should provide me that.
    – coreSOLO
    Commented Mar 27, 2013 at 9:15
  • @coreSOLO if you can change the iframed page's code then you can make RPC calls through EasyXDM and make any DOM manipulations you need. It won't be easy, but you definitely can.
    – ant_Ti
    Commented Mar 27, 2013 at 9:26
  • @coreSOLO with EasyXDM I was able to harvest content from all script tags in the iframe and send it to the main page
    – ant_Ti
    Commented Mar 27, 2013 at 9:29
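
The postMessage approach from the answer above, as an added example that is not part of the original thread: P2 exposes a small allowlist of operations on its own DOM and checks `event.origin` before running any of them, and P1 names the target origin when sending. The origins `https://s1.example` and `https://s2.example`, the command names and the element ids are assumptions, and it requires that P2's code can be changed.

```javascript
// Added example; origins, command names and element ids are constructed placeholders.
const TRUSTED_PARENT = "https://s1.example"; // assumed origin of P1 (server S1)
const FRAME_ORIGIN = "https://s2.example";   // assumed origin of P2 (server S2)

// Operations P2 agrees to run on its own DOM on behalf of P1.
const COMMANDS = {
  setText: (doc, { id, text }) => {
    const el = doc.getElementById(String(id));
    if (!el) return { ok: false, error: "no such element" };
    el.textContent = String(text); // textContent, so the payload is never parsed as HTML
    return { ok: true };
  },
  getText: (doc, { id }) => {
    const el = doc.getElementById(String(id));
    return el ? { ok: true, text: el.textContent }
              : { ok: false, error: "no such element" };
  },
};

// Runs inside P2: validate the sender, then dispatch to an allowlisted command.
function handleParentMessage(event, doc) {
  if (event.origin !== TRUSTED_PARENT) return null; // ignore any other sender
  const msg = event.data;
  if (!msg || typeof msg !== "object") return null;
  // hasOwnProperty keeps inherited names such as "constructor" out of the lookup.
  const known = Object.prototype.hasOwnProperty.call(COMMANDS, msg.cmd);
  const reply = known
    ? COMMANDS[msg.cmd](doc, msg.args || {})
    : { ok: false, error: "unknown command" };
  return { requestId: msg.requestId, ...reply };
}

// Runs inside P1: always pass P2's exact origin as targetOrigin, never "*".
function sendCommand(frameWindow, requestId, cmd, args) {
  frameWindow.postMessage({ requestId, cmd, args }, FRAME_ORIGIN);
}

// Wiring for P2 in a browser; skipped when the file is loaded elsewhere.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  window.addEventListener("message", (event) => {
    const reply = handleParentMessage(event, document);
    if (reply) event.source.postMessage(reply, event.origin);
  });
}
```

P1 would call `sendCommand(iframe.contentWindow, 1, "setText", { id: "title", text: "hello" })` and read replies in its own `message` listener, checking there that `event.origin` equals P2's origin.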
