Allow site to dynamically load an iframe from a subdomain

Question

When some javascript trys to load an iframe when a popup is fired, it gives the error

Blocked a frame with origin "https://www3.example.com" from accessing a frame with origin "https://www.example.com". Protocols, domains, and ports must match.

I understand that is because of the security feature Same Origin Policy.

Can I allow this subdomain for dynamicly loaded by for eg setting .htacess headers? How? I've tried:

Header set Access-Control-Allow-Origin "*"
Content-Security-Policy: frame-ancestors 'self' https://www3.example.com;

Which have not solved it.

Update:

I'm not trying to "access" the iframe, just create it. I'm not sure if the suggested duplicate is the same thing.

score 0 · Answer 1 · answered Nov 23 '22 at 13:31

0

This is due to the same origin policy, not content security policy. As the origin (scheme, host and port) differs, javascript is not able to access it. You must host both pages on the same subdomain for this to work.

answered Nov 23 '22 at 13:31

Halvor Sakshaug

2,583
1
6
9

Sorry yes i tagged it with an idea how to fix it not the problem. good point – Will Nov 23 '22 at 13:42
So it's just impossible? I cant use CSP to set it to allowed for a specific domain? – Will Nov 23 '22 at 13:42
Frame and framer need to be on the same origin. CSP doesn't change anything. – Halvor Sakshaug Nov 24 '22 at 11:14

Allow site to dynamically load an iframe from a subdomain

1 Answers1