0

I have been reading for hours now about the Same Origin Exception and I just can't figure out why it's happening to my document. The set up is very simple, I have a regular html 5 document (in my desktop, everything is locally. There is no local WebServer, I literally open the html document with a browser, that's it), inside of it I load an iframe from a .json file that is on the same directory as the html5 document.

<!DOCTYPE html> 
<meta charset="UTF-8">
<html>
  <head>
    <title>TagCanvas example</title>
    <!--[if lt IE 9]><script type="text/javascript" src="excanvas.js"></script><![endif]-->
    <link rel="stylesheet" type="text/css" href="tagcanvas.css">
    <script src="tagcanvas.min.js" type="text/javascript"></script> 
    <script type="text/javascript">
      window.onload = function() {
        try {
          TagCanvas.Start('myCanvas','tags',{
            textColour: '#ff0000',
            outlineColour: '#ff00ff',
            reverse: true,
            depth: 0.8,
            maxSpeed: 0.05
          });
        } catch(e) {
          // something went wrong, hide the canvas container
          document.getElementById('myCanvasContainer').style.display = 'none';
        }
      };
    </script>

  </head>
  <body>
    <h1>TagCanvas example page</h1>
    <div class="myCanvasContainer">
      <canvas width="300" height="300" id="myCanvas">
        <p>Anything in here will be replaced on browsers that support the canvas element</p>
      </canvas>
    </div>
    <iframe id="texto" sandbox="allow-same-origin allow-scripts allow-popups allow-forms" src="./nube.json" onload="loadJsonData()"> </iframe>  
    <script src="./cloud.js" type="text/javascript"></script>
  </body>
</html>

The cloud.js holds the loadJsonData() funciton as follows:

var loadJson = function() {

    var iframe_content = frames.texto.contentDocument.body.innerHTML
    console.log(iframe_content);

}

When this javscript executes I get the following message from console:

Uncaught SecurityError: Failed to read the 'contentDocument' property from 'HTMLIFrameElement': Blocked a frame with origin "null" from accessing a frame with origin "null". Protocols, domains, and ports must match.

This stackoverflow question asks the same thing, but the comments do not dissipate my ignorance. The upvoted comment states that it's because of "Same Origin Policy", but my files are both on the same domain. Or is "file://" treated different ? Any enlightment would be much appreciated.

Directory setup

Everything hangs from directory TagCanvas.

I know the code is right because I've uploaded it to a GoDaddy server I have, there the code executes great. It's locally that it breaks and gives that nasty exception. All I want is to understand why.

I´ve also tried opening the html page after executing chrome with:

path to your chrome installation\chrome.exe --allow-file-access-from-files

but nothing.

Community
  • 1
  • 1
Chayemor
  • 3,577
  • 4
  • 31
  • 54
  • Just to be clear, `nube.json` and `cloud.js` are in the same directory as the HTML file? I see they are referenced as such with `./`, but I just want to make sure that your example matches your actual setup. – lxg Sep 15 '14 at 22:48
  • Why is your origin reading as "null" and not a domain. – Leeish Sep 15 '14 at 22:52
  • @lxg Yes, they all hang from the same directory, same parent, same level. – Chayemor Sep 15 '14 at 22:54
  • @Leeish I don't know why. I've typed console.log(domain.name) and it just spouts "". I suppose it's because I'm accessing the html page locally (it's not provided by a local web server, I'm simply opening the html page with a browser). – Chayemor Sep 15 '14 at 22:55
  • Hm, the `file:` protocol is special indeed, but according to https://developer.mozilla.org/en-US/docs/Same-origin_policy_for_file:_URIs your setup should be fine. Btw, why don't you just set up a local webserver like Apache or nginx? – lxg Sep 15 '14 at 22:56
  • I'm willing to bet it's freaking out because it's local. I don't work locally so it's hard to tell. – Leeish Sep 15 '14 at 22:58
  • I was told it had to be done like that (college practice -- apparently the teacher did it like that), and I'm really trying, but it's not working and I just don't understand why. @Leeish I bet it's because of the local thing (without local webserver) too. But I can't defend my position with that, I need details and understanding as to why XD – Chayemor Sep 15 '14 at 22:58
  • As the browser runs with the rights of the user it can read all the files the user can read. Assuming a malicious site triggers download of html file and somehow tricks out open it, the script in that downloaded file would be able to read all file in commonly known places. In addition Modern browser support CORS. So it should be clear why those protections where added. Personally I think that it should be even stricter. – t.niese Sep 16 '14 at 09:48
  • May be related: http://stackoverflow.com/questions/4270999/google-chrome-allow-file-access-from-files-disabled-for-chrome-beta-8 – m93a Sep 19 '14 at 12:56

0 Answers0