Blocked a frame with origin from accessing a cross-origin frame on subdomains

Question

I have 2 vhosts setup with different subdomains; x.domain.com and y.domain.com. I'm rendering iframes from x in y. So issues rendering and displaying the iframe but getting cannot access the iframe contents. I have no headers set at the moment and tried to solve it with csp but couldn't get around the error.

x.domain.com/frame.html:

<html>
  <body>
  </body>

  <script>
    function myFunc() {
      console.log('called');
    }
  </script>
</html>

y.domain.com:

let iframe = (iframe_element.contentWindow || iframe_element.contentDocument);
if (iframe.document) iframe = iframe.document;
iframe.myFunc();

postMessage is not option as I can't modify iframe contents.

https://stackoverflow.com/questions/3076414/ways-to-circumvent-the-same-origin-policy — Teemu, Dec 02 '22 at 11:17
The idea of the strictened COEP (dropped `document.domain`) is to provide "inter-human contact" between the domains, that is you can either control the other domain, or you contact the owner and ask for support for your domain. Otherwise you simply can't access cross-domain embedded content in a browser. — Teemu, Dec 02 '22 at 11:56

Blocked a frame with origin from accessing a cross-origin frame on subdomains

0 Answers0