
We have a page loaded with http that loads an iframe with https. The two pages are on the same domain, except for the protocol.

(I know having an https iframe is a bad practice. I can't help that.)

When JavaScript in the iframe tries to call a JavaScript function in the parent, it fails with this:

Unsafe JavaScript attempt to access frame with URL http://www.foo.com/homepage/ from frame with URL https://www.foo.com/homepage/en/loginModal.html. Domains, protocols and ports must match.

Is there any way this can be modified to work? Is it possible that using the "Access-Control-Allow-Origin" header will do this?

If we change the jsp for the main page so that it sets a response header like:

Access-Control-Allow-Origin: https://www.foo.com

Will that work?

David M. Karr
  • I believe it will. Wouldn't it be easier to just test it instead of writing the question? – iMoses Nov 06 '12 at 18:20
  • This post may give you some guidance - http://stackoverflow.com/questions/6346176/youtube-embed-unsafe-javascript-attempt-to-access-frame – Zack Macomber Nov 06 '12 at 18:25
  • Duplicate addressing the question of CORS and iframes: [Can Cross-Origin Resource Sharing headers authorize X-Domain IFRAME access?](http://stackoverflow.com/questions/6460200/can-cross-origin-resource-sharing-headers-authorize-x-domain-iframe-access) (Answer: it seems that CORS cannot affect iframe permissions in either direction; use `postMessage` for cross-origin communication.) – apsillers Nov 06 '12 at 18:36
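
The `postMessage` approach named in the last comment, sketched as an added example that is not part of the original thread: the parent page validates each message from the iframe before acting on it, and the iframe names its target origin explicitly. The two origins come from the error message in the question; the action names, function names and message shape are assumptions.

```javascript
// Added example. Origins are from the error message in the question;
// action names, function names and message shape are assumptions.
const PARENT_ORIGIN = 'http://www.foo.com';  // page embedding the iframe
const FRAME_ORIGIN = 'https://www.foo.com';  // login modal in the iframe
const ALLOWED_ACTIONS = new Set(['loginComplete', 'closeModal']);

// Parent side: decide whether a MessageEvent may trigger a handler.
function validateFrameMessage(event, frameWindow) {
  // Exact match on the serialized origin: scheme, host and port.
  if (event.origin !== FRAME_ORIGIN) return { ok: false, reason: 'origin' };
  // Only the iframe this page created, not another window on that origin.
  if (event.source !== frameWindow) return { ok: false, reason: 'source' };
  const data = event.data;
  if (data === null || typeof data !== 'object' ||
      typeof data.action !== 'string') {
    return { ok: false, reason: 'shape' };
  }
  // Allow-list: the iframe names an action, it never supplies code.
  if (!ALLOWED_ACTIONS.has(data.action)) return { ok: false, reason: 'action' };
  return { ok: true, action: data.action };
}

// Parent side wiring: win is window, iframeEl the <iframe> element.
function installParentListener(win, iframeEl, handlers) {
  win.addEventListener('message', (event) => {
    const verdict = validateFrameMessage(event, iframeEl.contentWindow);
    if (!verdict.ok) return;  // drop silently; log verdict.reason if needed
    const handler = handlers[verdict.action];
    if (typeof handler === 'function') handler(event.data.payload);
  });
}

// Iframe side: name the target origin explicitly, never '*'.
// The parent is plain HTTP, so keep credentials and tokens out of payload.
function notifyParent(win, action, payload) {
  win.parent.postMessage({ action, payload }, PARENT_ORIGIN);
}
```

In the parent page this would be wired up with `installParentListener(window, iframeElement, handlers)`, and the iframe would call `notifyParent(window, 'loginComplete', data)` instead of reaching into `window.parent` directly.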

0 Answers