I have two subdomains www.example and api.example. On a page from first domain I open popup window with url api.example/some/url and want to use window.opener object to pass data to parent page. But I get error:
Unsafe JavaScript attempt to access frame with URL from frame with URL . Domains, protocols and ports must match.
Is it possible to fix the issue?
I have two subdomains www.example. and api.example.. On a page from first domain I open popup window with url api.example./some/url and want to use window.opener object to pass data to parent page. But I get error:
Unsafe JavaScript attempt to access frame with URL http://www.example./some/page from frame with URL http://api.example./some/url. Domains, protocols and ports must match.
Is it possible to fix the issue?
Share Improve this question asked Jul 29, 2011 at 17:32 Eugene ManuilovEugene Manuilov 4,3618 gold badges34 silver badges48 bronze badges5 Answers
Reset to default 6It's not a bug, it's a security feature. Otherwise, someone else can have your site open up from theirs and inject data into your page without your users knowing.
Read: http://en.wikipedia/wiki/Same_origin_policy
Certainly, having the same SLD could indicate that they are from the same origin, but that isn't guaranteed to be the case, for example, hosting sites that allow free subdomains would be vulnerable.
It is possible to pass data between www.example. and api.example. but not with window.opener. You can set a value in a cookie with Javascript (document.cookie) on the .example. domain (not www.example.) and it will be readable on www.example. and api.example..
On a page from www.example., if you execute this Javascript: (source: http://techpatterns./downloads/javascript_cookies.php) then the "somename" cookie will be readable from api.example.
function Set_Cookie( name, value, expires, path, domain, secure )
{
// set time, it's in milliseconds
var today = new Date();
today.setTime( today.getTime() );
/*
if the expires variable is set, make the correct
expires time, the current script below will set
it for x number of days, to make it for hours,
delete * 24, for minutes, delete * 60 * 24
*/
if ( expires )
{
expires = expires * 1000 * 60 * 60 * 24;
}
var expires_date = new Date( today.getTime() + (expires) );
document.cookie = name + "=" +escape( value ) +
( ( expires ) ? ";expires=" + expires_date.toGMTString() : "" ) +
( ( path ) ? ";path=" + path : "" ) +
( ( domain ) ? ";domain=" + domain : "" ) +
( ( secure ) ? ";secure" : "" );
}
Set_Cookie("somename", "somevalue", 0, "/", ".example.");
<script>
document.domain = 'facebook.';
try {
try{
if (window.opener && window.opener.graphexplorer) {
window.opener.graphexplorer.authCallback(window.location.hash);
}
}catch(e){}
}
catch (e) {}
window.location.hash = '';
window.close();
</script>
<script> document.domain = 'facebook.'; try { try{if (window.opener && <script> document.domain = 'facebook.'; try { try{if (window.opener && window.opener.graphexplorer) { window.opener.graphexplorer.authCallback(window.location.hash); }}catch(e){}} catch (e) {} window.location.hash = ''; window.close(); </script>) { window.opener.graphexplorer.authCallback(window.location.hash); }}catch(e){}} catch (e) {} window.location.hash = ''; window.close(); </script>
<script> document.domain = 'facebook.'; try { try{if (window.opener && window.opener.graphexplorer) { window.opener.graphexplorer.authCallback(window.location.hash); }}catch(e){}} catch (e) {} window.location.hash = ''; window.close(); </script>