I am creating a JavaScript console extension for theia-ide for use by students who are on computers where devtools are blocked.

The IDE interface is at my-project.ide.example.com, while the iframe preview is at preview.my-project.ide.example.com. In order to get this console working, I need access to the window object on the iframe. I know postMessage() is preferable for cross-origin iframe communication, but that is not an option for me as I would have to serialize every imaginable type of JavaScript object and re-construct it on the other end.

Is there any way to loosen the cross-origin restriction to allow access from the opener window at the "parent" domain?

Ben Davis
  • To be clear, both documents are on the same domain but different sub-domains? – Kaiido Nov 05 '20 at 01:03
  • Yes, they are on the same domain, but the child iframe is a sub-domain of the parent. – Ben Davis Nov 05 '20 at 01:19
  • That the answer there is deprecated doesn't make your question less a duplicate of the other **question**. If there was another solution, then it should be posted there, to avoid people having to go through 346 different posts to find the up to date answer. (+ I don't think it's been removed from any browser yet) – Kaiido Nov 05 '20 at 01:22
  • @Kaiido Alternative solutions usually involve `postMessage()`, but my use case is unique in that `postMessage()` is not an option, hence why I think my question should not be marked duplicate. – Ben Davis Nov 05 '20 at 01:37
  • Did you try the `document.domain` solution? They use it in the [top 1 domain](https://www.naver.com/) in South Korea, I believe they also use it in facebook, so I guess they did check it works (just tried and it does in FF at least). While there was a lot of discussion asking it to be removed, even just for https, they never really could because it's used everywhere. – Kaiido Nov 05 '20 at 01:43
  • I haven't tried it due to an [issue I'm having](https://stackoverflow.com/questions/64689972/how-can-i-allow-document-domain-on-a-sandboxed-iframe) with the iframe being sandboxed. If I can figure that out, that's probably what I will go with for now. Having said that, I don't think it's unreasonable to not want to use a deprecated feature. – Ben Davis Nov 05 '20 at 01:46
  • Well when you don't want to use the official way... – Kaiido Nov 05 '20 at 01:49
  • Thinking a bit more about your situation, since you are able to disable the dev-tools, I guess you can install extensions on your students' browsers? If so, I think you can have access directly to the browser console output, even across domains (though I'm not an extensions expert myself). – Kaiido Nov 05 '20 at 04:55
  • Dev tools are disabled by school administrators, and they also do not allow extensions. They're fairly locked down, unfortunately. – Ben Davis Nov 05 '20 at 05:38
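
For comparison with the direct `window` access discussed above, here is an added example (not part of the original question or comments, and not Theia code) of a console relay over `postMessage()` that sends descriptions of values instead of reconstructing them, with the IDE side checking sender and origin. The `https` scheme and every function and field name are assumptions.

```javascript
// Added example; every identifier here is an assumption, not Theia or page code.
const IDE_ORIGIN = "https://my-project.ide.example.com";             // https assumed
const PREVIEW_ORIGIN = "https://preview.my-project.ide.example.com"; // https assumed

// Preview side: describe a value as plain data. Structured clone rejects
// functions and symbols and drops prototypes, so those are tagged by name.
function describe(value, seen = new Set(), depth = 0) {
  const t = typeof value;
  if (value === null || t === "string" || t === "boolean" || t === "number")
    return { t: "prim", v: value };
  if (t === "undefined") return { t };
  if (t === "bigint" || t === "symbol") return { t, v: value.toString() };
  if (t === "function") return { t, v: value.name || "(anonymous)" };
  if (seen.has(value)) return { t: "circular" };   // ancestor on the current path
  if (depth >= 4) return { t: "truncated" };       // bound the message size
  if (value instanceof Error) return { t: "error", v: `${value.name}: ${value.message}` };
  seen.add(value);
  const v = Array.isArray(value) ? [] : {};
  for (const k of Object.keys(value)) v[k] = describe(value[k], seen, depth + 1);
  seen.delete(value);
  const kind = Array.isArray(value) ? "array" : "object";
  return { t: kind, ctor: value.constructor?.name ?? "Object", v };
}

// Preview side: wrap console methods and forward descriptions to the IDE only.
function installRelay(parentWindow, consoleObj) {
  for (const level of ["log", "warn", "error"]) {
    const original = consoleObj[level].bind(consoleObj);
    consoleObj[level] = (...args) => {
      original(...args);
      const msg = { kind: "console", level, args: args.map((a) => describe(a)) };
      parentWindow.postMessage(msg, IDE_ORIGIN);   // explicit target, never "*"
    };
  }
}

// IDE side: accept only the known frame, the exact origin, and the expected shape.
function handleMessage(event, frameWindow, sink) {
  if (event.source !== frameWindow || event.origin !== PREVIEW_ORIGIN) return false;
  const d = event.data;
  if (!d || d.kind !== "console" || !Array.isArray(d.args)) return false;
  if (!["log", "warn", "error"].includes(d.level)) return false;
  sink(d.level, d.args);
  return true;
}
```

In a sandboxed iframe without `allow-same-origin`, `event.origin` is the string `"null"`, so this handler rejects the message; in that setup the `event.source` comparison is the only usable sender check.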

0 Answers