Embedding Youtube video using iframe gives "Unsafe JavaScript attempt ... "

Question

I'm trying to embed a YouTube video with this code:

<iframe width="425" height="319" frameborder="0" wmode="Opaque"allowfullscreen=""
      src="http://www.youtube.com/embed/8vJwFvFi4ZY?wmode=transparent">
</iframe>

and although it is working fine, but it gives this error in the console:

Chrome version 22.0.1229.94:

Unsafe JavaScript attempt to access frame with URL http://example.com/
from frame with URL http://www.youtube.com/embed/8vJwFvFi4ZY?wmode=transparent.
Domains, protocols and ports must match.

Firefox version 17.0:

Error: Permission denied to access property 'toString'

I searched around but I found that it is probably a YouTube issue and they should solve it,

The question is: how can I get rid of this error? (by any means, even by suppressing it.)

This is a bit of a guess so I'm not going to post it as an answer but I suspect that a script in the youtube content is trying to look at the parameters of the iframe to get parameters like wmode and allowfullscreen. Your browser sees it, correctly, as a cross site scripting attempt which is not allowed for security reasons. If you embed all the parameters required by youtube in the URL query string instead then you might prevent it from doing this. — Noel Walters, Nov 29 '12 at 12:56
Also couldn't help but notice that you have wmode=opaque in the iframe and wmode=transparent in the URL. — Noel Walters, Nov 29 '12 at 13:00
I read many opinions of why this is happening, and many say that it is because the loaded Youtube APIs inside the iframe tries to access a parent element which against security standards, and it is already reported as a bug, but what I'm more concerned in here, is how to stop this error from appearing in the console, and not just waiting Youtube developers to solve it. And concerning the wmode, I didn't noticed it :) , thanks — AbdelHady, Nov 29 '12 at 13:32
My suggested (guessed at) solution is in the last line of my comment - embed all the parameters required by youtube in the URL query string - it has to be worth a try. — Noel Walters, Nov 29 '12 at 13:36
Yes I just tried it too... But I found this answer which might help you http://stackoverflow.com/a/13429941/53030. I never noticed this error before - now it's really bugging me to know that this error is coming up in the console! — Noel Walters, Nov 29 '12 at 14:52
I didn't tried the "IFrame Player API" yet but I read form others who tried it with no difference, but I tried the &origin and it didn't work either :( — AbdelHady, Nov 29 '12 at 17:52

score 12 · Accepted Answer · edited Jul 27 '20 at 21:15

You can’t stop it, at least not in any way I know (and I have tried a lot). There is a script in the iframe destination that tries to access your document, probably looking for global functions it can call to enable the API.

Another thing is that the error persists even when using their own iframe API: http://jsbin.com/izabed/1/edit

There is no harm in this, your video will work fine. But it looks kind of bold if you run it in a console. They should probably include this as a parameter, and at first I thought that this was the idea of the origin parameter, but it doesn’t make any difference.

It’s also worth noting that their own demo displays the same error (and others). Also, if you use the embed tag instead of iframe, it wont display any errors.

So you could do something like this to prevent the error in most desktop browsers:

if(haveflash) {
    // use <embed>
} else {
    // use iframe
}

Update

Most browsers no longer support flash, nor does Adobe. Unfortunately, this means that using <embed> is no longer a viable option.

Thanks David, I know it is not a direct answer to the question but after searching a lot for alternatives I get many findings and you summed them up in your answer giving the most fit solution so far — AbdelHady, Dec 02 '12 at 11:20
+1 for the line "You can’t stop it".This is absolutely direct answer instead of writing about Cross domain security etc — Soundar Rathinasamy, Mar 29 '13 at 12:57

score 2 · Answer 2 · answered Nov 29 '12 at 14:23

2

Moving the discussion from comments to this answer. In-short, the problem is that cross domain JS object access is not allowed, which in your case, a script at youtube.com is trying to do to the parent page.

If you only want to show the youtube video, you can use <embed> tag instead.

answered Nov 29 '12 at 14:23

user1803112

83
1
5

thanks for this, I know it will work, but the problem with changing to in my case is: 1- the code I'm working on is coupled with other areas and needs more time to refactor (which I don't have now) , 2- and the most important thing that we still need to use the Iframe API to support non-flash browsers – AbdelHady Dec 02 '12 at 11:14

score 2 · Answer 3 · answered Jan 20 '15 at 08:00

2

Just add ?html5=1 to prevent this error. (Swich to HTML5 player)

answered Jan 20 '15 at 08:00

Kārlis Millers

664
2
11
29

score 0 · Answer 4 · answered Nov 29 '12 at 12:03

0

What browser is it ? When I try to append an iframe using JavaScript in Firefox in this page, the error/warning does not appear.

answered Nov 29 '12 at 12:03

user1803112

83
1
5

1

chrome & firefox, and it is not a general iframe problem, it has something to do with the Youtube page loaded within the iframe, try the Youtube iframe & it will give you the error – AbdelHady Nov 29 '12 at 12:08
The src of the iframe I appended is the same as in your example. Moreover, iframes are allowed to be of different domains. Can you try this piece of code : `var iframe = document.createElement('iframe'); iframe.setAttribute('src' , 'http://www.youtube.com/embed/8vJwFvFi4ZY?wmode=transparent'); document.body.appendChild(iframe);` and see if the error still comes ? – user1803112 Nov 29 '12 at 12:27
yes, it still comes out in the console of both firefox & chrome, even when putting the code in an empty html page containing only this code or only the question's iframe – AbdelHady Nov 29 '12 at 12:36
by the way, I havn't written the firefox's error before because it wasn't clear enough like the chrome's error, the firefox one is: "Error: Permission denied to access property 'toString'" – AbdelHady Nov 29 '12 at 12:44
Actually what is happening is that one of the scripts from that youtube page is trying to access the parent's javascript objets, and that is not allowed between parent-iframe of different domains. Only same domain iframe can access parent's JS objects. Your video will work, since that is only flash, but other scripts in that youtube page are trying to access parent's JS objects which is giving error. – user1803112 Nov 29 '12 at 13:02
thanks for you declarations, but I'm more concerned now in how to stop this error from appearing in the console, even by swallowing it, I have tried to catched it but couldn't ? – AbdelHady Nov 29 '12 at 13:34
1

Why are you trying to do it via iframe, and not an tag ? – user1803112 Nov 29 '12 at 13:57

score 0 · Answer 5 · answered Sep 28 '16 at 02:44

0

Why use Javascript when you can only use CSS? It works every.single.time. You can even incorporate any video in a responsive slider.

OR just visit: http://embedresponsively.com/

<style>
.embed-container 
{ 
position: relative; 
padding-bottom: 56.25%; 
height: 0; 
overflow: hidden; 
max-width: 100%; 
} 

.embed-container iframe, .embed-container object, .embed-container embed 
{ 
position: absolute; 
top: 0; 
left: 0; 
width: 100%; 
height: 100%; 
}
</style>

<div class='embed-container'>

<iframe src='https://www.youtube.com/watch?v=tntOCGkgt98' frameborder='0' allowfullscreen>
</iframe>
</div>

answered Sep 28 '16 at 02:44

Bic Mitchun

478
2
9
21

Thx for the tip, but how it is even related to the question!! :) – AbdelHady Sep 28 '16 at 15:20
I didn't use a javascript for loading the video in the first place, I just used the iframe, just like you, but the error shows up from the code loaded inside the iframe, not mine – AbdelHady Oct 06 '16 at 16:15

Embedding Youtube video using iframe gives "Unsafe JavaScript attempt ... "

5 Answers5

Update