
javascript - Iframe sandboxing with 'allow-same-origin' flag error - Stack Overflow


Can someone please provide me with more information on this error and how the 'allow-same-origin' flag works? I am getting the following error in Chrome for iframe sandboxing:

Uncaught SecurityError: Failed to read the 'contentDocument' property from 'HTMLIFrameElement': Sandbox access violation: Blocked a frame at "http://192.168.0.169" from accessing a frame at "http://192.168.0.169". The frame being accessed is sandboxed and lacks the "allow-same-origin" flag.

I am a little confused as to why I would need the 'allow-same-origin' flag when a frame from 192.168.0.169 is accessing another frame from the same IP address. Thank you very much.

asked May 12, 2015 at 6:26 by hshantanu (edited May 12, 2015 at 6:28)
  • On Chrome, try to set the flag --disable-web-security. – Rakesh_Kumar Commented May 12, 2015 at 6:28
  • @Rakesh_Kumar I will try that. But note that I am working on a web application. I can't ask the end user to disable this flag on their browsers. Can you please explain to me the reason for this error? – hshantanu Commented May 12, 2015 at 6:33

2 Answers


You probably have a sandbox attribute on your iframe:

The sandbox attribute enables an extra set of restrictions for the content in the iframe, and it is a whitelist of enabled permissions,

so you could either remove the attribute, or edit it to fit the permissions you need.

The optional permissions can be found here: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe

and some more info here: http://www.html5rocks.com/en/tutorials/security/sandboxed-iframes/

Old question, but worth an answer for those that follow (like me!). Don't --disable-web-security as suggested in the comment above.

The “Same Origin” policy states that:

  • if we have a reference to another window, e.g. a popup created by window.open or a window inside <iframe>, and that window comes from the same origin, then we have full access to that window.
  • otherwise, if it comes from another origin, then we can’t access the content of that window: variables, document, anything. The only exception is location: we can change it (thus redirecting the user). But we cannot read location (so we can’t see where the user is now, no information leak).

Like molow said, you probably have a sandbox attribute on your iframe; by default it does not allow communication even between frames of the same origin (in your case http://192.168.0.169).

Rather than allow-cross-origin, which opens up the app to attack, you should be using postMessage, as shown here: https://web.dev/sandboxed-iframes/#safely-sandboxing-eval, to communicate with the parent of the iframe. Something like this for eval (just a postMessage and an eventListener):

<!-- frame.html -->
<!DOCTYPE html>
<html>
  <head>
    <title>Evalbox's Frame</title>
    <script>
      // Runs inside the sandboxed frame. The embedding page posts a string of
      // code; the frame evaluates it and posts the result back to the sender.
      window.addEventListener('message', function (e) {
        var mainWindow = e.source;
        var result = '';
        try {
          result = eval(e.data);
        } catch (err) {
          result = 'eval() threw an exception.';
        }
        // Reply only to the origin that sent the request (e.origin), never '*'.
        // The original used the non-standard global `event` here, which is
        // undefined outside Chrome.
        mainWindow.postMessage(result, e.origin);
      });
    </script>
  </head>
</html>
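An added example, not code from either answer above nor from the web.dev article: it shows both halves of the postMessage channel that molow's whitelist explanation and the eval snippet above describe, with the checks the posted frame code leaves out. Because the frame is sandboxed with allow-scripts but without allow-same-origin, it has an opaque origin, which arrives in MessageEvent.origin as the string "null"; the parent therefore identifies its frame by window identity (e.source), not by origin, and the frame in turn only answers requests whose source is window.parent and whose origin matches the embedding page. The parent origin http://192.168.0.169 is taken from the question; frame.html, the request format and the id-based reply matching are assumptions made for this example. The message-handling functions are pure, so the file also runs under node; the DOM wiring only runs when a window exists.

```javascript
// Added example (not code from the answers above): both halves of a postMessage
// channel between an embedding page and <iframe sandbox="allow-scripts">.
const PARENT_ORIGIN = 'http://192.168.0.169'; // from the question: where the embedding page is served
const FRAME_SANDBOX = 'allow-scripts';         // no allow-same-origin: the frame gets an opaque origin
const OPAQUE_ORIGIN = 'null';                  // how an opaque origin shows up in MessageEvent.origin

// Parent side: build a request with an id so replies can be matched and
// anything unsolicited ignored. (Request format is an assumption of this example.)
let nextRequestId = 1;
function makeRequest(code) {
  return { id: nextRequestId++, code: String(code) };
}

// Parent side: return the reply payload if `e` is a well-formed reply from our
// frame, otherwise null. Origin alone cannot identify a sandboxed frame (every
// such frame reports 'null'), so the window identity in e.source is the real
// check; `frameWindow` is iframe.contentWindow, `pending` the outstanding ids.
function acceptFrameReply(e, frameWindow, pending, expectedOrigin = OPAQUE_ORIGIN) {
  if (e.source !== frameWindow) return null;     // some other window
  if (e.origin !== expectedOrigin) return null;  // frame is not sandboxed the way we expect
  const d = e.data;
  if (!d || typeof d !== 'object' || typeof d.id !== 'number') return null;
  if (!pending.has(d.id)) return null;           // unsolicited or replayed
  pending.delete(d.id);
  return { id: d.id, ok: d.ok === true, result: typeof d.result === 'string' ? d.result : '' };
}

// Frame side: evaluate only well-formed requests that really come from the
// embedding window, and build the reply. The sandbox (no allow-same-origin,
// so no DOM or cookie access to the parent) is what makes eval() tolerable here.
function handleEvalRequest(e, parentWindow, parentOrigin) {
  if (e.source !== parentWindow || e.origin !== parentOrigin) return null;
  const d = e.data;
  if (!d || typeof d !== 'object' || typeof d.id !== 'number' || typeof d.code !== 'string') return null;
  try {
    return { id: d.id, ok: true, result: String(eval(d.code)) };
  } catch (err) {
    return { id: d.id, ok: false, result: 'eval() threw an exception.' };
  }
}

// DOM wiring (browser only). The same file serves as the script for both
// documents: the top-level page creates the frame, the frame answers.
if (typeof window !== 'undefined') {
  if (window.parent === window) {
    const iframe = document.createElement('iframe');
    iframe.setAttribute('sandbox', FRAME_SANDBOX);
    iframe.src = 'frame.html'; // assumption: the frame document loads this same script
    const pending = new Set();
    window.addEventListener('message', (e) => {
      const reply = acceptFrameReply(e, iframe.contentWindow, pending);
      if (reply) console.log('frame replied:', reply);
    });
    iframe.addEventListener('load', () => {
      const req = makeRequest('1 + 1');
      pending.add(req.id);
      // An opaque origin cannot be named as a targetOrigin, so '*' is the only
      // option here; the check that the answer came from the right document is
      // done on the reply (e.source) instead.
      iframe.contentWindow.postMessage(req, '*');
    });
    document.body.appendChild(iframe);
  } else {
    window.addEventListener('message', (e) => {
      const reply = handleEvalRequest(e, window.parent, PARENT_ORIGIN);
      if (reply) e.source.postMessage(reply, e.origin); // reply to the sender's origin, never '*'
    });
  }
}
```

If you later add allow-same-origin to the sandbox, pass the frame's real origin as expectedOrigin instead of 'null', and note that allow-scripts together with allow-same-origin lets same-origin framed content remove its own sandbox attribute, which is the combination the web.dev article warns against.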