0
votes

Because of the Same Origin policy, content inside an iframe is not accessible to the parent context if they are from different domains. This applies to XMLHttpRequests as well. But using CORS, web developers can allow XMLHttpRequests to access cross-origin content. Is there a similar way like that for iframe access too? For instance, is there a response header or something which will allow a response page that is loaded inside an iframe to be read from parent JavaScript? Because then it is allowed by the owner of that response.

1

1 Answer

0
votes

You can't put two documents into the same scripting context unless they share a parent domain (in which case you can set document.domain on both to match).

For communicating between a frame and a parent from different domains, use the HTML5 feature window.postMessage to pass a JSON string. Support

A CORS-style header to allow same origin merging wouldn't be appropriate as it would have the effect of allowing the framed site to XSS into the framer site as well as vice-versa. That would open up any site that allowed users to post frames to XSS into it.
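The postMessage approach from the answer above, as an added example that is not part of the original answer: the parent and the frame each accept messages only from the one origin they expect, parse the JSON string, and pin the target origin when sending. The origins, the `child` iframe id and the handler names are assumptions for the example; the helpers are plain functions so they also run outside a browser.

```javascript
// Added example: parent <-> cross-origin iframe messaging with window.postMessage.
// Assumed (hypothetical) origins: parent at https://parent.example, frame at https://frame.example.
const FRAME_ORIGIN = "https://frame.example";
const PARENT_ORIGIN = "https://parent.example";

// Build a "message" event handler that accepts messages from exactly one origin,
// parses the JSON string the other side sent and hands the object to onMessage.
// Returns the parsed object, or null when the message was rejected.
// Checking event.origin is what keeps an unrelated page from driving this listener.
function makeMessageHandler(trustedOrigin, onMessage) {
  return function handle(event) {
    if (event.origin !== trustedOrigin) {
      return null; // message from some other origin: drop it
    }
    let payload;
    try {
      payload = JSON.parse(event.data);
    } catch (e) {
      return null; // malformed JSON: ignore rather than throw
    }
    if (payload === null || typeof payload !== "object") {
      return null; // only accept a JSON object, not a bare string or number
    }
    onMessage(payload);
    return payload;
  };
}

// Serialize and send to a target window. The explicit targetOrigin (never "*")
// makes the browser discard the message if that window has navigated elsewhere.
function sendJson(targetWindow, targetOrigin, obj) {
  const text = JSON.stringify(obj);
  targetWindow.postMessage(text, targetOrigin);
  return text;
}

// Browser wiring (skipped when there is no window, e.g. under Node):
// the parent listens for the frame and sends it a first message.
if (typeof window !== "undefined") {
  window.addEventListener("message", makeMessageHandler(FRAME_ORIGIN, (msg) => {
    console.log("frame said:", msg);
  }));
  const frame = document.getElementById("child"); // assumed <iframe id="child">
  if (frame && frame.contentWindow) {
    sendJson(frame.contentWindow, FRAME_ORIGIN, { type: "hello" });
  }
}
```

Inside the frame the same two helpers are used with the roles swapped: `makeMessageHandler(PARENT_ORIGIN, ...)` to listen and `sendJson(window.parent, PARENT_ORIGIN, ...)` to reply.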