I'm trying to load an iframe in the URL example.com/somefile.html from a subdomain sub.example.com/dir/frame.html.

In order to avoid an SOP violation, I'm setting the document.domain attribute to example.com in JavaScript code, in both frame.html & somefile.html.

This works in IE and Firefox but I still encounter the following error in Chrome: "Refused to display "frame-url" in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'."

When debugging and checking the document.domain value of both files, I get the expected "example.com".

Can anyone enlighten me?

ido se
  • Related: http://stackoverflow.com/questions/3076414/ways-to-circumvent-the-same-origin-policy – Teemu Jul 11 '16 at 09:12

1 Answer

document.domain hacks simply have no effect on X-Frame-Options rules. If you want to allow the page to be displayed in a frame then you need to change the X-Frame-Options rules.

Use ALLOW-FROM instead of SAMEORIGIN. The spec has guidance in case you want to allow multiple subdomains access.

Quentin
  • I know your suggestion is the "correct" one, but I have read in https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options that ALLOW-FROM isn't supported in Chrome browser. – ido se Jul 11 '16 at 10:47
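To make the answer's point concrete, here is an added example (not code from the question, the answer or any browser) that simulates the X-Frame-Options check a browser performs per RFC 7034: it compares the framed resource's origin (scheme, host, port) with the top-level document's origin, and document.domain is not an input. The `browser_supports_allow_from` flag is an assumption used to model Chrome, which never implemented ALLOW-FROM and logs the header as unrecognised and ignores it.

```python
from urllib.parse import urlsplit

# Added example: a model of the browser-side X-Frame-Options decision.
# document.domain is deliberately absent; it plays no part in this check,
# which is why the asker's setting of it in both pages changes nothing.

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) origin tuple for a URL, or None if unparseable."""
    parts = urlsplit(url.strip())
    if not parts.scheme or not parts.hostname:
        return None
    port = parts.port or DEFAULT_PORTS.get(parts.scheme.lower())
    return (parts.scheme.lower(), parts.hostname.lower(), port)


def framing_allowed(xfo_header, frame_url, top_url, browser_supports_allow_from=True):
    """Decide whether a response served with X-Frame-Options may be rendered in a frame.

    xfo_header: the header value on the framed resource (None if absent).
    frame_url:  URL loaded inside the <iframe> (e.g. sub.example.com/dir/frame.html).
    top_url:    URL of the embedding top-level document (e.g. example.com/somefile.html).
    browser_supports_allow_from: False models Chrome, which treats ALLOW-FROM as an
    unrecognised directive and ignores the header entirely (assumed model, see lead-in).
    """
    if xfo_header is None:
        return True
    directive, _, argument = xfo_header.strip().partition(" ")
    directive = directive.upper()
    if directive == "DENY":
        return False
    if directive == "SAMEORIGIN":
        # Origins differ between example.com and sub.example.com, whatever
        # document.domain was set to in script: framing is refused.
        return origin(frame_url) == origin(top_url)
    if directive == "ALLOW-FROM":
        if not browser_supports_allow_from:
            return True  # header ignored as unrecognised, so no restriction applies
        allowed = origin(argument)
        return allowed is not None and allowed == origin(top_url)
    return True  # unknown directives are ignored by browsers
```

Running the asker's scenario through `framing_allowed("SAMEORIGIN", "https://sub.example.com/dir/frame.html", "https://example.com/somefile.html")` returns False, matching the Chrome error; the same pair with `ALLOW-FROM https://example.com` returns True.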