科技改变生活-雨落星辰 - 所有的伟大,都源于一个勇敢的开始

    最新消息:雨落星辰是一个专注网站SEO优化、网站SEO诊断、搜索引擎研究、网络营销推广、网站策划运营及站长类的自媒体原创博客
    你的位置: 首页>programmer>javascript - AJAX request from iframe, why is the origin the parent's URL? - Stack Overflow

    javascript - AJAX request from iframe, why is the origin the parent's URL? - Stack Overflow

    programmeradmin3浏览0评论

    I have a website that I am loading an iframe in. The iframe is on a different subdomain than the website itself. Let's say the website is on portal.domain and the iframe is on iframe.domain. I need to make requests to iframe.domain from portal.domain and I was hoping to use this iframe to make those requests.

    I created the iframe like this:

    // On portal.domain
document.domain = "domain";
var iframe = document.body.appendChild(document.createElement('iframe'));
iframe.contentWindow.onIframeLoad = function() {
    iframe.contentWindow.makeRequest();
}

var doc = iframe.contentWindow.document;
doc.open().write('<body onload="' + 
        'var s = document.createElement(\'script\');' + 
        's.onload = onIframeLoad;' +
        'document.getElementsByTagName(\'head\')[0].appendChild(s).src=\'' + "iframe.domain/content.js" + '\'">');
doc.close();

    The script loaded in the iframe looks like this:

    // iframe.domain/content.js
document.domain = "domain"

function makeRequest() {
  // AJAX call here
}

    The AJAX call is made, but the origin gets set to portal.domain. This causes the cookies not to be sent and for the browser to block the response due to its CORS policy. Why is this happening?

    I have a website that I am loading an iframe in. The iframe is on a different subdomain than the website itself. Let's say the website is on portal.domain. and the iframe is on iframe.domain.. I need to make requests to iframe.domain. from portal.domain. and I was hoping to use this iframe to make those requests.

    I created the iframe like this:

    // On portal.domain.
document.domain = "domain.";
var iframe = document.body.appendChild(document.createElement('iframe'));
iframe.contentWindow.onIframeLoad = function() {
    iframe.contentWindow.makeRequest();
}

var doc = iframe.contentWindow.document;
doc.open().write('<body onload="' + 
        'var s = document.createElement(\'script\');' + 
        's.onload = onIframeLoad;' +
        'document.getElementsByTagName(\'head\')[0].appendChild(s).src=\'' + "iframe.domain./content.js" + '\'">');
doc.close();

    The script loaded in the iframe looks like this:

    // iframe.domain./content.js
document.domain = "domain."

function makeRequest() {
  // AJAX call here
}

    The AJAX call is made, but the origin gets set to portal.domain.. This causes the cookies not to be sent and for the browser to block the response due to its CORS policy. Why is this happening?

    • javascript
    • html
    • ajax
    • iframe
    • cors
    Share Improve this question asked Feb 22, 2016 at 7:59 MaxMax 16k19 gold badges89 silver badges140 bronze badges 4
    • Why aren't you using JSONP? – GuyT Commented Feb 22, 2016 at 8:10
    • 1 @GuyT — Why would anyone use JSONP in 2016? We have CORS now. – Quentin Commented Feb 22, 2016 at 8:13
    • @Quentin I agree.. The OP has first to give the exact reason why this is necessary before we can give any good advice. – GuyT Commented Feb 22, 2016 at 8:18
    • I'm not using JSONP because private data is involved. I'm not using CORS because it creates a weird dependency structure. E.g. portal.domain. depends on iframe.domain., but, if I use CORS, iframe.domain. must also know portal.domain. exists. Additionally, the CORS implementation for CXF (which is what I'm using) isn't great. – Max Commented Feb 22, 2016 at 8:33
    Add a ment  | 

    2 Answers 2

    Reset to default 2

    Well,

    You can not. Doing that is actually cross-domain execution, which is a huge security risk. So most of modern browsers will track you originating entry point to you script and see that it was loaded from different domain.

    If you want to do it :

    1. Load JavaScript from iFrame domain

    2. Define an object (lets’ say window.iframeparams)

    3. Populate it

    4. Call “send” on the JavaScript code, loaded from iframe domain

    It is actually the same proceeding as google analytics or any other tracking software

    Edit :

    Again, browsers will track origin of call. So, your method by creating dynamic iFrame will not work (Or may be on ie6)

    This is restricted in most browser because of the "Same-Origin" policy. You can read more about this, here: https://developer.mozilla/en-US/docs/Web/Security/Same-origin_policy.

    There are ways to work around this limitation, using technologies such as JSONP or html5 messaging.

    You may want to look at similar questions and their answers, here:

    • SO: Making ajax calls from inside of an iframe with different domain
    • SO: Ajax inside iframe not working against same server

    Edit: There is also a lengthy list of ways to circumvent the same-origin policy, here: Ways to circumvent the same-origin policy

    与本文相关的文章

    发布评论

    评论列表(0)

    1. 暂无评论