javascript - Error: Permission denied to access property "document"

Question

I have a HTML Document which contains an iframe. Whenever I try to access or modify this iframe with JS I get Error: Permission denied to access property "document".

I am using frame.contentWindow.document.body.innerHTML or frame.contentWindow.document.body.onload or similar such attributes to access or modify the iframe. (In the given code the iframe is referred to as frame.)

For the web-app I am developing, access to these attributes are necessary and I can't do without these (or similar alternatives).

Answer 1

Accessing and then modifying webpages in iframes of other websites is known as Cross-site scripting or XSS and it is a technique used by malicious hackers to prey on unsuspecting victims.

A policy by the name of "Same-Origin Policy" is implemented by browser makers to prevent such behaviour and arbitrary execution of JS code.

This error can be prevented by hosting the parent document and the document in the iframe in the same domain and subdomain, and making sure that the documents are loaded using the same protocol.

Examples of Incompatible Pages:

1. http://www.example.org & http://www.example2.com
2. http://abc.example.org & http://xyz.example.com
3. http://www.example.org & https://www.example.com

---

Cross-Origin Resource Sharing is a solution to this problem.

For Example:
If http://www.example.com would like to share http://www.example.com/hello with http://www.example.org, a header can be sent with the document which looks like the following:

Access-Control-Allow-Origin: http://www.example.org

To send it with HTML just put it in a <META HTTP-EQUIV="..."> tag, like this:

<head>
    ...
    <META HTTP-EQUIV="Access-Control-Allow-Origin" CONTENT="http://www.example.org">
    ...
</head>