
I'm doing an experiment locally to try to understand how the Cross Origin policy works with iframes:

  • I have a simple page served locally with an iframe pointing to http://edition.cnn.com/
  • I modified the hosts file in my computer to point localhost to mytest.cnn.com

According to the definition of the Cross Origin policy, if I try to access an element from the iframe from the page (now served from mytest.cnn.com), it should work, but I still get the same error "Blocked a frame with origin "http://mytest.cnn.com" from accessing a cross-origin frame".

I also tried changing the domain of the page to just "cnn.com", but I get the same result. Is there any special case applied because I'm serving the page from a local server?

1 Answer

The definition in the Same-origin policy description that you linked within your question says:

Two pages have the same origin if the protocol, port (if one is specified), and host are the same for both pages.

In your case the two hosts

  • edition.cnn.com
  • mytest.cnn.com

are not matching. Following the examples of the definition, two different subdomains are not matching hosts.

If your iframe pointed to a page on the same subdomain (i.e. mytest.cnn.com/iframe.html), everything should work.


3 Comments

Ah, totally true, I missed that part. On the other hand I also tried with a subdomain (my.edition.cnn.com) and it didn't work either...
As I understand the description, the domain (including all subdomains) has to match exactly. So the subdomain won't work. But if you use the domain my.edition.cnn.com you might change the origin of the page containing the iframe. Try the command "document.domain = 'edition.cnn.com';". This is described within the section "Changing origin"
Nothing, even after changing the domain in the host page to edition.cnn.com I still get the same error when trying to access the iframe: "SecurityError: Blocked a frame with origin "my.edition.cnn.com" from accessing a cross-origin frame"
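
The origin comparison discussed in the answer and comments above, as an added example that is not part of the original thread: a simplified model (not browser code) of the same-origin tuple and the `document.domain` opt-in, applied to the host names on this page. The function names are hypothetical, and the public-suffix restriction browsers apply to `document.domain` is not modelled.

```javascript
// Simplified model of the same-origin check (constructed example, not browser code).
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Origin tuple: scheme, host, port. `domain` stays null until the page
// itself assigns document.domain.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { scheme: u.protocol, host: u.hostname, port, domain: null };
}

// Strict comparison: every part of the tuple must match exactly.
function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Models `document.domain = value` run by the page itself. Only the current
// host or a parent suffix of it is accepted (public-suffix rule not modelled).
function setDocumentDomain(origin, value) {
  if (origin.host !== value && !origin.host.endsWith("." + value)) {
    throw new Error(`SecurityError: ${value} is not a suffix of ${origin.host}`);
  }
  return { ...origin, domain: value };
}

// Frame access check: once either side has set document.domain, both sides
// must have set it to the same value; otherwise the strict check applies.
function canAccess(a, b) {
  if (a.domain !== null || b.domain !== null) {
    return a.scheme === b.scheme && a.domain !== null && a.domain === b.domain;
  }
  return sameOrigin(a, b);
}

// Scenarios from this page, using its host names.
function pageScenarios() {
  const frame = originOf("http://edition.cnn.com/");
  const sub = originOf("http://my.edition.cnn.com/");
  const relaxed = setDocumentDomain(sub, "edition.cnn.com");
  return {
    siblingSubdomain: canAccess(originOf("http://mytest.cnn.com/"), frame),
    childSubdomain: canAccess(sub, frame),
    onlyParentSetsDomain: canAccess(relaxed, frame),
    bothSetDomain: canAccess(relaxed, setDocumentDomain(frame, "edition.cnn.com")),
    sameHost: canAccess(originOf("http://mytest.cnn.com/"),
                        originOf("http://mytest.cnn.com/iframe.html")),
  };
}

console.log(pageScenarios());
```

In a real browser the embedded page would have to run the `document.domain` assignment itself; the embedding page cannot make that choice for a frame it does not control.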
