40

When a script tries to access a frame from a different origin, Chrome blocks it and throws an exception:

"Uncaught SecurityError: Blocked a frame with origin 'provider domain' from accessing a frame with origin 'mydomain'. Protocols, domains, and ports must match".

I got this error after some update in Google Chrome. Any suggestions?

John
MANI
  • [Same Origin Policy](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Same_origin_policy_for_JavaScript) – epascarello Nov 07 '13 at 13:45
  • If it's a SSO content you tried to access, a modal dialog or a popup window is probably the way to go. – adam Nov 07 '13 at 13:49

2 Answers

24

Direct JavaScript calls between frames and/or windows are only allowed if they conform to the same-origin policy. If your window and iframe share a common parent domain you can set `document.domain` to "domain lower" on one or both such that they can communicate. Otherwise you'll need to look into something like the `postMessage()` API.

broofa
  • This answer is not correct. I have two frames, which both are on my harddisk (which definitely is the same origin) and one frame cannot even get the URL of the other frame. This happens only in Chrome. No problem in Firefox or IE. – Elmue Aug 19 '18 at 16:17
  • @Elmue "file:" URIs are special when it comes to same-origin policies, due in part to the fact that they generally don't have a domain component and local-file access is fraught with security risks. BTW, SAF and FF appear to only allow file: pages to communicate if `opener` page is in the same directory or "above" it. Regardless, Chrome generally leads when it comes to browser security behavior, so don't be surprised if FF and SAF follow suit at some point. – broofa Aug 20 '18 at 20:13
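The rule behind the error in the question, and the `postMessage()` alternative broofa points to, as an added example (this is not code from the question or either answer). It implements the "protocols, domains, and ports must match" comparison explicitly, treats `file:` URLs as an opaque origin that matches nothing (the case Elmue hit), and wraps `postMessage()` on both sides so the sender names its target origin and the receiver rejects anything not sent from the expected origin. It runs under Node.js; all origins, frame names and messages are constructed sample values, and `frameWindow` stands in for a real `iframe.contentWindow`.

```javascript
// Added example: same-origin comparison and origin-checked postMessage().
// All URLs and messages below are constructed sample values.

// Default ports, so "https://a.example" equals "https://a.example:443".
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Return "<scheme>//<host>:<port>" for http(s) URLs, or null for anything
// else: unparsable strings, the literal "null" origin of sandboxed frames,
// and file: URLs, whose origin is opaque and never matches another frame.
function originOf(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (err) {
    return null;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  // URL.port is "" when the port is the scheme default.
  const port = url.port || DEFAULT_PORTS[url.protocol];
  return `${url.protocol}//${url.hostname}:${port}`;
}

// Two frames may script each other directly only if this returns true.
function isSameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa !== null && ob !== null && oa === ob;
}

// Sender side: pass the exact target origin instead of "*", so the browser
// drops the message if the frame has since navigated to another origin.
function sendToFrame(frameWindow, targetOrigin, message) {
  if (originOf(targetOrigin) === null) {
    throw new Error(`refusing to post to non-http(s) origin ${targetOrigin}`);
  }
  frameWindow.postMessage(message, targetOrigin);
}

// Receiver side: build a "message" event handler that accepts only events
// whose browser-supplied event.origin matches trustedOrigin, then validates
// the payload shape before handing it to onMessage. Returns a result object
// rather than silently ignoring, so the decision can be logged or asserted.
function makeMessageHandler(trustedOrigin, onMessage) {
  const expected = originOf(trustedOrigin);
  return function handleMessage(event) {
    if (originOf(event.origin) !== expected) {
      return { accepted: false, reason: `unexpected origin ${event.origin}` };
    }
    const data = event.data;
    if (typeof data !== "object" || data === null || typeof data.type !== "string") {
      return { accepted: false, reason: "malformed message" };
    }
    return { accepted: true, result: onMessage(data) };
  };
}

// Stand-alone demo with a fake frame window (constructed); in a browser
// frameWindow would be document.getElementById("sso").contentWindow and
// handleMessage would be registered with window.addEventListener("message", ...).
function demo() {
  const sent = [];
  const fakeFrame = { postMessage: (msg, target) => sent.push({ msg, target }) };
  sendToFrame(fakeFrame, "https://provider.example.com", { type: "login-request" });

  const handleMessage = makeMessageHandler(
    "https://provider.example.com",
    (data) => `handled ${data.type}`
  );
  return {
    sent,
    fromProvider: handleMessage({ origin: "https://provider.example.com", data: { type: "token" } }),
    fromOther: handleMessage({ origin: "https://attacker.example.net", data: { type: "token" } }),
    fromSandbox: handleMessage({ origin: "null", data: { type: "token" } }),
  };
}

module.exports = { originOf, isSameOrigin, sendToFrame, makeMessageHandler, demo };
```

Note that `event.origin` is filled in by the browser, not by the sending page, which is what makes the receiver-side check trustworthy; checking `event.data` for a field like `origin` would not be.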
5

This is a security update. If an attacker can modify some file on the web server (the JS one, for example), he can make every loaded page download another script (for example, to keylog your password or steal your session ID and send it to his own server).

To avoid this, the browser checks the same-origin policy.

Your problem is that the browser is trying to load something with your script (with an Ajax request) that is on another domain (or subdomain). To avoid it (if it is on your own website) you can:

Binary Brain
  • Then why doesn't a browser throw this error when I call, for instance, the `paypal.checkout.setup` or `facebook.login` functions? This is exactly a cross-origin request, from my URL to the PayPal URL! Why no error? – Green Sep 05 '16 at 16:47
  • Because I think the javascript you load to have those functions is on their website. For example, you will have a ` – Binary Brain Sep 07 '16 at 00:22