hshantanu

Reputation: 454

Iframe sandboxing with 'allow-same-origin' flag error

Can someone please provide me with more information on this error and how the 'allow-same-origin' flag works? I am getting the following error in Chrome for iframe sandboxing:

Uncaught SecurityError: Failed to read the 'contentDocument' property from 'HTMLIFrameElement': Sandbox access violation: Blocked a frame at "http://192.168.0.169" from accessing a frame at "http://192.168.0.169". The frame being accessed is sandboxed and lacks the "allow-same-origin" flag.

I am a little confused as to why I would need the 'allow-same-origin' flag when a frame from 192.168.0.169 is accessing another frame from the same IP address. Thank you very much.

Upvotes: 16

Views: 42324

Answers (2)

Jeremy

Reputation: 1568

Old question, but worth an answer for those that follow (like me!). Don't --disable-web-security as suggested in the comment above.

The “Same Origin” policy states that:

  • if we have a reference to another window, e.g. a popup created by window.open or a window inside <iframe>, and that window comes from the same origin, then we have full access to that window.
  • otherwise, if it comes from another origin, then we can’t access the content of that window: variables, document, anything. The only exception is location: we can change it (thus redirecting the user). But we cannot read location (so we can’t see where the user is now, no information leak).

Like MoLow said, you probably have a sandbox attribute on your iframe; the default is not to allow communication even between frames of the same origin (in your case http://192.168.0.169).

Rather than allow-cross-origin, which opens up the app to attack, you should be using postMessage, as shown here: https://web.dev/sandboxed-iframes/#safely-sandboxing-eval, to communicate with the parent of the iframe. Something like this for eval (just a postMessage and an event listener):

<!-- frame.html: loaded in a sandboxed iframe without allow-same-origin, so it
     has an opaque origin and cannot reach the parent directly; postMessage is
     the only channel between the two -->
<!DOCTYPE html>
<html>
    <head>
    <title>Evalbox's Frame</title>
    <script>
        window.addEventListener('message', function (e) {
            // e.source is the window that sent the request (the parent page)
            var mainWindow = e.source;
            var result = '';
            try {
                result = eval(e.data);
            } catch (err) {   // named 'err' so it does not shadow the message event 'e'
                result = 'eval() threw an exception.';
            }
            // Reply only to the origin the request came from. The original used an
            // undeclared 'event' here; the handler's own parameter 'e' is the event.
            mainWindow.postMessage(result, e.origin);
        });
    </script>
    </head>
</html>

Upvotes: 1

MoLow

Reputation: 3084

You probably have a sandbox attribute in your iframe:

The sandbox attribute enables an extra set of restrictions for the content in the iframe, and it is a whitelist of enabled permissions,

so you could either remove the attribute or edit it to fit the permissions you need.

Optional permissions can be found here: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe

and some more info here: http://www.html5rocks.com/en/tutorials/security/sandboxed-iframes/

Upvotes: 10
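The two answers above describe three rules: the sandbox attribute is an allowlist of tokens (MoLow), a sandboxed frame without allow-same-origin is treated as a different origin even when its URL matches the parent's (the error in the question), and a parent should talk to such a frame over postMessage with a checked origin (Jeremy). The following is an added example, not code from the question, either answer, or the web.dev article they link. Node has no HTMLIFrameElement or window.postMessage, so the frame objects and message events are constructed plain objects that stand in for the browser ones; the functions model the browser's behaviour rather than call it. It also covers one case the answers do not spell out: a sandboxed child reports its origin as the string "null", so a parent can only verify such a reply by checking the sending window (e.source) against the iframe's own contentWindow.

```javascript
// Added example (not from the question or either answer). Frames and message
// events below are constructed stand-ins for browser objects; the rules are
// the HTML sandboxing rules the answers describe.

// Parse the sandbox attribute into the set of granted tokens.
// null/undefined means "no sandbox attribute"; "" means fully sandboxed.
function parseSandbox(attr) {
  if (attr === null || attr === undefined) return null;
  return new Set(attr.trim().toLowerCase().split(/\s+/).filter(Boolean));
}

// Effective origin of a frame as the same-origin check sees it.
function effectiveOrigin(frame) {
  const flags = parseSandbox(frame.sandbox);
  if (flags !== null && !flags.has('allow-same-origin')) {
    // Opaque origin: unique to this frame, equal to nothing, serialises as "null".
    return { opaque: true, id: frame.name };
  }
  return { opaque: false, value: new URL(frame.url).origin };
}

// Return null when `accessor` may read `target`'s document, otherwise a
// diagnosis in the spirit of the Chrome message quoted in the question.
function checkFrameAccess(accessor, target) {
  const a = effectiveOrigin(accessor);
  const t = effectiveOrigin(target);
  if (!a.opaque && !t.opaque && a.value === t.value) return null;
  const sandboxed = t.opaque ? target : (a.opaque ? accessor : null);
  if (sandboxed !== null) {
    return 'Blocked: frame "' + sandboxed.name +
      '" is sandboxed and lacks the "allow-same-origin" flag';
  }
  return 'Blocked: cross-origin access from ' + a.value + ' to ' + t.value;
}

// The combination MDN warns about: a same-origin document granted both
// allow-scripts and allow-same-origin can remove its own sandbox attribute,
// so the sandbox no longer restricts anything worth restricting.
function sandboxIsEscapable(frame, parent) {
  const flags = parseSandbox(frame.sandbox);
  if (flags === null) return false;
  return flags.has('allow-scripts') && flags.has('allow-same-origin') &&
    new URL(frame.url).origin === new URL(parent.url).origin;
}

// Parent-side receiver for the postMessage pattern. `expectedSource` is the
// child's window object (iframe.contentWindow in a browser) and
// `allowedOrigins` the origins we accept. A sandboxed child reports origin
// "null", so for it the reliable check is source identity; the caller opts
// in by listing 'null' explicitly. Returns true when a message is accepted.
function makeParentHandler(expectedSource, allowedOrigins, onResult) {
  const allowed = new Set(allowedOrigins);
  return function onMessage(e) {
    if (e.source !== expectedSource) return false;   // some other window
    if (!allowed.has(e.origin)) return false;        // unexpected origin
    onResult(String(e.data));                        // treat the reply as text
    return true;
  };
}

// Constructed scenario matching the question: parent and children on one host.
const HOST = 'http://192.168.0.169';
const parentFrame = { name: 'top', url: HOST + '/index.html', sandbox: null };
const sandboxedFrame = { name: 'evalbox', url: HOST + '/frame.html', sandbox: 'allow-scripts' };
const relaxedFrame = { name: 'relaxed', url: HOST + '/frame.html', sandbox: 'allow-scripts allow-same-origin' };

function demo() {
  const results = [];
  results.push(checkFrameAccess(parentFrame, sandboxedFrame)); // blocked, as in the question
  results.push(checkFrameAccess(parentFrame, relaxedFrame));   // null: access allowed
  results.push(sandboxIsEscapable(relaxedFrame, parentFrame)); // true: sandbox is moot
  const childWindow = {};  // stands in for iframe.contentWindow
  const received = [];
  const handler = makeParentHandler(childWindow, ['null'], (d) => received.push(d));
  handler({ source: childWindow, origin: 'null', data: 4 });       // accepted
  handler({ source: {}, origin: 'null', data: 'spoofed' });        // rejected: wrong window
  results.push(received);
  return results;
}

console.log(demo());
```

In a real page the parent would register the handler with `window.addEventListener('message', handler)` and pass `iframe.contentWindow` as `expectedSource`; the point of `sandboxIsEscapable` is that granting allow-same-origin to fix the error in the question, while also keeping allow-scripts, removes the protection the sandbox was added for whenever the framed document is same-origin.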
