1

I have a website that I am loading an iframe in. The iframe is on a different subdomain than the website itself. Let's say the website is on portal.domain.com and the iframe is on iframe.domain.com. I need to make requests to iframe.domain.com from portal.domain.com and I was hoping to use this iframe to make those requests.

I created the iframe like this:

// On portal.domain.com
document.domain = "domain.com";
var iframe = document.body.appendChild(document.createElement('iframe'));
iframe.contentWindow.onIframeLoad = function() {
    iframe.contentWindow.makeRequest();
}

var doc = iframe.contentWindow.document;
doc.open().write('<body onload="' + 
        'var s = document.createElement(\'script\');' + 
        's.onload = onIframeLoad;' +
        'document.getElementsByTagName(\'head\')[0].appendChild(s).src=\'' + "iframe.domain.com/content.js" + '\'">');
doc.close();

The script loaded in the iframe looks like this:

// iframe.domain.com/content.js
document.domain = "domain.com"

function makeRequest() {
  // AJAX call here
}

The AJAX call is made, but the origin gets set to portal.domain.com. This causes the cookies not to be sent and for the browser to block the response due to its CORS policy. Why is this happening?

Max
  • 15,157
  • 17
  • 82
  • 127
  • Why aren't you using JSONP? – GuyT Feb 22 '16 at 08:10
  • 1
    @GuyT — Why would anyone use JSONP in 2016? We have CORS now. – Quentin Feb 22 '16 at 08:13
  • @Quentin I agree.. The OP has first to give the exact reason why this is necessary before we can give any good advice. – GuyT Feb 22 '16 at 08:18
  • I'm not using JSONP because private data is involved. I'm not using CORS because it creates a weird dependency structure. E.g. `portal.domain.com` depends on `iframe.domain.com`, but, if I use CORS, `iframe.domain.com` must also know `portal.domain.com` exists. Additionally, the CORS implementation for CXF (which is what I'm using) isn't great. – Max Feb 22 '16 at 08:33

2 Answers2

2

Well,

You can not. Doing that is actually cross-domain execution, which is a huge security risk. So most of modern browsers will track you originating entry point to you script and see that it was loaded from different domain.

If you want to do it :

  1. Load JavaScript from iFrame domain

  2. Define an object (lets’ say window.iframeparams)

  3. Populate it

  4. Call “send” on the JavaScript code, loaded from iframe domain

It is actually the same proceeding as google analytics or any other tracking software

Edit :

Again, browsers will track origin of call. So, your method by creating dynamic iFrame will not work (Or may be on ie6)

Jurion
  • 1,230
  • 11
  • 18
  • Oh I see my error. I need to set the iframe `src` field to something belonging to `iframe.domain.com`. Thanks! – Max Feb 22 '16 at 08:10
  • Exact ! It should be on the same domain as a call. But still not sure it will work with dynamic iFrame creation – Jurion Feb 22 '16 at 08:11
  • Just tested it. This does work with a programmatically created iframe. You can also use `iframe.onload` to trigger a function when the iframe finishes loading (instead of the weird hack I used in the post). – Max Feb 22 '16 at 09:58
  • Can u please present a working code for this problem. – Nishant Dec 13 '17 at 08:53
0

This is restricted in most browser because of the "Same-Origin" policy. You can read more about this, here: https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy.

There are ways to work around this limitation, using technologies such as JSONP or html5 messaging.

You may want to look at similar questions and their answers, here:

Edit: There is also a lengthy list of ways to circumvent the same-origin policy, here: Ways to circumvent the same-origin policy

Community
  • 1
  • 1
Daniel Andre
  • 303
  • 1
  • 7
  • That page is not found. The reason I'm using an iframe is because it is supposed to circumvent same-origin-policy. This doesn't explain why the origin is not the domain of the iframe. – Max Feb 22 '16 at 08:04
  • Sorry, I made a typo in the url – Daniel Andre Feb 22 '16 at 08:09