“Access is denied” error on accessing iframe document object

StackOverflow https://stackoverflow.com/questions/151362

  •  02-07-2019
  •  | 
  •  

Question

For posting AJAX forms in a form with many parameters, I am using a solution of creating an iframe, posting the form to it by POST, and then accessing the iframe's content. specifically, I am accessing the content like this:

$("some_iframe_id").get(0).contentWindow.document

I tested it and it worked.

On some of the pages, I started getting an "Access is denied" error. As far as I know, this shouldn't happen if the iframe is served from the same domain.

I'm pretty sure it was working before. Anybody have a clue?

If I'm not being clear enough: I'm posting to the same domain. So this is not a cross-domain request. I am testing on IE only.

P.S. I can't use simple ajax POST queries (don't ask...)

Was it helpful?

Solution

Solved it by myself!

The problem was, that even though the correct response was being sent (verified with Fiddler), it was being sent with an HTTP 500 error code (instead of 200).

So it turns out, that if a response is sent with an error code, IE replaces the content of the iframe with an error message loaded from the disk (res://ieframe.dll/http_500.htm), and that causes the cross-domain access denied error.

OTHER TIPS

Beware of security limitations associated to iFrames, like Cross domain restriction (aka CORS). Below are 3 common errors related to CORS :

  1. Load an iFrame with a different domain. (Ex: opening "www.foo.com" while top frame is "www.ooof.com")

  2. Load an iFrame with a different port: iFrame's URL port differs from the one of the top frame.

  3. Different protocols : loading iFrame resource via HTTPS while parent Frame uses HTTP.

My issue was the X-Frame-Options HTTP header. My Apache configuration has it set to:

Header always append X-Frame-Options DENY

Removing it allowed it to work. Specifically in my case I was using iframe transport for jQuery with the jQuery file upload plugin to upload files in IE 9 and IE 10.

I know this question is super-old, but I wanted to mention that the above answer worked for me: setting the document.domain to be the same on each of the pages-- the parent page and the iframe page. However in my search, I did find this interesting article:

http://softwareas.com/cross-domain-communication-with-iframes

Note if you have a iframe with src='javascript:void(0)' then javascript like frame.document.location =... will fail with Access Denied error in IE. Was using a javascript library that interacts with a target frame. Even though the location it was trying to change the frame to was on the same domain as parent, the iframe was initially set to javascript:void which triggered the cross domain access denied error.

To solve this I created a blank.html page in my site and if I need to declare an iframe in advance that will initially be blank until changed via javascript, then I point it to the blank page so that src='/content/blank.html' is in the same domain.

Alternatively you could create the iframe completely through javascript so that you can set the src when it is created, but in my case I was using a library which reqired an iframe already be declared on the page.

Basically, this error occurs when the document in frame and outside of ii have different domains. So to prevent cross-side scripting browsers disable such execution.

if it is a domain issue (or subdomain) such as www.foo.com sending a request to www.api.foo.com

on each page you can set the 

document.domain = www.foo.com

to allow for "cross-domain" permissions

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top