"Access is denied" error when accessing an iframe's document object

Date: 2023-01-28 15:56:37

For posting AJAX forms in a form with many parameters, I am using a solution of creating an iframe, posting the form to it by POST, and then accessing the iframe's content. Specifically, I am accessing the content like this:

$("#some_iframe_id").get(0).contentWindow.document

I tested it and it worked.

On some of the pages, I started getting an "Access is denied" error. As far as I know, this shouldn't happen if the iframe is served from the same domain.

I'm pretty sure it was working before. Anybody have a clue?

If I'm not being clear enough: I'm posting to the same domain. So this is not a cross-domain request. I am testing on IE only.

P.S. I can't use simple ajax POST queries (don't ask...)

7 answers

#1


48  

Solved it by myself!

The problem was, that even though the correct response was being sent (verified with Fiddler), it was being sent with an HTTP 500 error code (instead of 200).

So it turns out, that if a response is sent with an error code, IE replaces the content of the iframe with an error message loaded from the disk (res://ieframe.dll/http_500.htm), and that causes the cross-domain access denied error.
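
A defensive way to read the form-post iframe in light of this answer, as an added example that is not part of the original thread: the document access is wrapped in try/catch so a browser-substituted error page becomes a handled failure instead of an uncaught exception. The function names and the JSON envelope (the server answering 200 and reporting failures in the body) are assumptions.

```javascript
// Added example; names are hypothetical. `iframe` is an HTMLIFrameElement
// or any object with the same shape.
function readIframeResponse(iframe) {
  var doc, body, text, payload;
  try {
    // Throws ("Access is denied" in IE) when the frame's current document is
    // not same-origin with the parent, e.g. after IE replaced the 500
    // response with res://ieframe.dll/http_500.htm.
    doc = iframe.contentWindow.document;
  } catch (err) {
    return { ok: false, reason: "frame-unreadable", detail: String(err && err.message) };
  }
  // Read text only; never inject the response into the parent as HTML.
  body = doc && doc.body;
  text = body ? String(body.textContent || body.innerText || "").trim() : "";
  try {
    payload = JSON.parse(text);
  } catch (err) {
    return { ok: false, reason: "bad-payload", detail: text.slice(0, 80) };
  }
  // Assumed envelope: the server answers 200 and reports failures in the body.
  if (!payload || payload.status !== "ok") {
    return { ok: false, reason: "server-error", detail: String(payload && payload.message) };
  }
  return { ok: true, data: payload.data };
}

// Constructed stand-ins for three frame states, so this runs without a browser.
function fakeFrame(text) {
  return { contentWindow: { document: { body: { textContent: text } } } };
}
var swappedByBrowser = {
  contentWindow: { get document() { throw new Error("Access is denied."); } }
};

function demoReads() {
  return [
    readIframeResponse(fakeFrame('{"status":"ok","data":{"id":7}}')),
    readIframeResponse(fakeFrame('{"status":"error","message":"validation failed"}')),
    readIframeResponse(swappedByBrowser)
  ].map(function (r) { return r.ok ? "ok" : r.reason; });
}
```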

#2


5  

Beware of security limitations associated to iFrames, like Cross domain restriction (aka CORS). Below are 3 common errors related to CORS:

  1. Load an iFrame with a different domain. (Ex: opening "www.foo.com" while top frame is "www.ooof.com")

  2. Load an iFrame with a different port: iFrame's URL port differs from the one of the top frame.

  3. Different protocols: loading iFrame resource via HTTPS while parent Frame uses HTTP.

#3


2  

My issue was the X-Frame-Options HTTP header. My Apache configuration has it set to:

Header always append X-Frame-Options DENY

Removing it allowed it to work. Specifically in my case I was using iframe transport for jQuery with the jQuery file upload plugin to upload files in IE 9 and IE 10.
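
An added example (not from the thread; function names are hypothetical) that models the origin comparison listed in answer #2 and the X-Frame-Options decision from answer #3. It includes SAMEORIGIN, the header value that permits framing by a same-origin parent while still refusing other parents. Only the immediate parent is checked, which is a simplification.

```javascript
// Added example; function names are hypothetical. Constructed URLs reuse the
// hostnames from the answers above.

// Which parts of the origin (scheme, host, port) differ between two URLs.
// URL drops a scheme's default port, so ":80" on http compares equal to none.
function originDiff(parentUrl, frameUrl) {
  var p = new URL(parentUrl), f = new URL(frameUrl), diff = [];
  if (p.protocol !== f.protocol) diff.push("scheme");
  if (p.hostname !== f.hostname) diff.push("host");
  if (p.port !== f.port) diff.push("port");
  return diff;
}

// Verdict for rendering frameUrl inside parentUrl, given the X-Frame-Options
// value sent with the frame's response (null or "" means the header is absent).
function framingVerdict(xfo, parentUrl, frameUrl) {
  var seen = {}, values = [];
  String(xfo || "").split(",").forEach(function (raw) {
    var v = raw.trim().toUpperCase();
    if (v && !seen[v]) { seen[v] = true; values.push(v); }
  });
  if (values.length === 0) return "allowed";   // header absent
  if (seen.DENY) return "blocked";             // no framing, even same-origin
  if (values.length === 1 && seen.SAMEORIGIN) {
    return originDiff(parentUrl, frameUrl).length === 0 ? "allowed" : "blocked";
  }
  return "unrecognised";                       // left to the caller to decide
}

function demoVerdicts() {
  var page = "https://www.foo.com/upload";
  var frame = "https://www.foo.com/upload/result";
  return {
    deny: framingVerdict("DENY", page, frame),
    sameOrigin: framingVerdict("SAMEORIGIN", page, frame),
    foreignParent: framingVerdict("SAMEORIGIN", "https://www.ooof.com/", frame),
    appended: framingVerdict("SAMEORIGIN, DENY", page, frame),
    diff: originDiff("http://www.foo.com:80/", "https://www.foo.com:8443/")
  };
}
```

With mod_headers, `set` replaces an existing header value while `append` adds to it, which is how a combined value like the `appended` case can arise.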

#4


1  

I know this question is super-old, but I wanted to mention that the above answer worked for me: setting the document.domain to be the same on each of the pages-- the parent page and the iframe page. However in my search, I did find this interesting article:

http://softwareas.com/cross-domain-communication-with-iframes

#5


1  

Note if you have an iframe with src='javascript:void(0)' then javascript like frame.document.location =... will fail with Access Denied error in IE. Was using a javascript library that interacts with a target frame. Even though the location it was trying to change the frame to was on the same domain as parent, the iframe was initially set to javascript:void which triggered the cross domain access denied error.

To solve this I created a blank.html page in my site and if I need to declare an iframe in advance that will initially be blank until changed via javascript, then I point it to the blank page so that src='/content/blank.html' is in the same domain.

Alternatively you could create the iframe completely through javascript so that you can set the src when it is created, but in my case I was using a library which required an iframe already be declared on the page.

#6


-1  

Basically, this error occurs when the document in frame and outside of it have different domains. So to prevent cross-site scripting browsers disable such execution.

#7


-1  

if it is a domain issue (or subdomain) such as www.foo.com sending a request to www.api.foo.com

on each page you can set the

document.domain = "www.foo.com";

to allow for "cross-domain" permissions
