I have a page on a domain:
http://main.mydomain./frame.cfm which holds an iframe, loading a domain http://www.anotherdomain..
This page http://www.anotherdomain. has a script reference to http://sub.mydomain./somescript.js
This somescript is a tracking script like Google Analytics, which loads with each request of www.anotherdomain..
At a certain stage, the script http://sub.mydomain./somescript.js in the page www.anotherdomain. will try to call window.top.aFunction(); or parent.aFunction();
to make the parent window do something.
I know about the X-Frame-Options and the Access-Control-Allow-Origin header and tried both, but still when I browse in my iframe on www.anotherdomain. I get an error message in Firebug telling me:
Error: Permission denied to access property 'relocate'
window.top.aFunction();
In my web.config on the main.domain site I have the following rules:
<httpProtocol>
    <customHeaders>
        <add name="Access-Control-Allow-Origin" value="http://sub.mydomain." />
        <add name="X-Frame-Options" value="ALLOW-FROM http://sub.mydomain." />
    </customHeaders>
</httpProtocol>
Which in my opinion should grant the sub.mydomain. access to the script on main.mydomain..
I am testing this with all the domains except the www.anotherdomain. locally on my pc with host reference in place.
Any idea what I am missing here?
Asked Nov 9, 2012 at 17:32 by Mattijs
1 Answer
You can't access the parent window function's methods through a cross domain iFrame. It goes against the Same Origin Policy. The X-Frame HTTP header response tells the browser whether it is allowed to render a page in the iFrame and does not help your situation.
The solution I recommend is to use window.postMessage() to communicate between the two frames. Look at http://ejohn/blog/cross-window-messaging/
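The window.postMessage() approach recommended in the answer above, sketched as an added example that is not part of the original answer or the asker's code. The two origins are placeholders because the real hosts are not given in full, and the JSON message shape and the names `notifyParent` and `makeParentHandler` are assumptions; only `aFunction` comes from the question.

```javascript
// Placeholder origins (constructed for this example, not taken from the post).
const FRAMED_ORIGIN = 'http://www.anotherdomain.example'; // page inside the iframe
const PARENT_ORIGIN = 'http://main.mydomain.example';     // page holding the iframe

// Runs inside the framed page, e.g. from somescript.js. A script executes with
// the origin of the document that includes it, not the host that served the
// file, so the parent will see FRAMED_ORIGIN as event.origin.
function notifyParent(parentWindow, action, payload) {
  // Explicit targetOrigin: the browser drops the message if the parent is not
  // PARENT_ORIGIN, so the data never reaches an unexpected embedder.
  parentWindow.postMessage(JSON.stringify({ action, payload }), PARENT_ORIGIN);
}

// Runs in the parent page. `actions` is an allow-list mapping action names to
// functions; anything else a frame sends is ignored. The returned status
// string is only there to make the decision visible when testing.
function makeParentHandler(allowedOrigins, actions) {
  return function onMessage(event) {
    // Any window can post to this one, so check the sender first.
    if (!allowedOrigins.includes(event.origin)) return 'rejected-origin';
    let msg;
    try {
      msg = JSON.parse(event.data);
    } catch (e) {
      return 'rejected-format';
    }
    // Own-property check so names like "toString" cannot reach the prototype.
    if (!msg || typeof msg.action !== 'string' ||
        !Object.prototype.hasOwnProperty.call(actions, msg.action)) {
      return 'rejected-action';
    }
    actions[msg.action](msg.payload);
    return 'handled';
  };
}

// Browser wiring; skipped when the file is loaded outside a browser.
if (typeof window !== 'undefined') {
  if (window.parent !== window) {
    // Framed page: replaces the blocked window.top.aFunction() call.
    notifyParent(window.parent, 'aFunction', { reason: 'tracking-event' });
  } else {
    // Parent page: expose only aFunction to the framed origin.
    const actions = { aFunction: (payload) => window.aFunction(payload) };
    window.addEventListener('message', makeParentHandler([FRAMED_ORIGIN], actions));
  }
}
```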