SWFobject inside iFrame: cross domain?

I have a simple html site with an embedded Flash file and it uses SWFobject.

This site is the src of an iframe. If I open a page with that iframe on it, the console tells me ...

Unsafe JavaScript attempt to access frame with URL file:///experiment/iframe-test/index.html from frame with URL http://localhost.lan/embed/GYZA. Domains, protocols and ports must match. -> swfobject.js

I wonder what the parent window (with the iframe in it) has to do with swfobject inside the iframe? As mentioned above, swfobject is used to embed Flash on the child page loaded in the iframe. The iframe-test/index.html page only has ...

    <body>
      <iframe src="http://localhost.lan/embed/GYZA" width="100%" height="100%" frameborder="0" allowfullscreen></iframe>
    </body>

... in it. Nothing more. Why do I get an unsafe JavaScript attempt here?

Any ideas on this? Thank you in advance.

Update: Well, I just found out that this also happens with YouTube and Vimeo and their embedded players. I use the Chrome console, and the same error occurs for YouTube and Vimeo.

+6
2 answers

I don't know if this will be of use now, but the error occurs because file:///experiment/iframe-test/index.html and http://localhost.lan/embed/GYZA are considered by the browser to be two different domains, so the browser's cross-domain policy considers this unsafe. Depending on the browser the user has, it may not be safe - the remote page you are loading may have malicious scripts that can destabilize the current page you are viewing or try to steal various pieces of information. You can find more information here.

0
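The rule quoted in the console message ("Domains, protocols and ports must match") and explained in the answer above, written out as an added example that is not part of the original posts. The function names are hypothetical, and treating file: URLs as an opaque origin that matches nothing is an assumption modelled on Chrome's default behaviour.

```javascript
// Added example: same-origin comparison over (scheme, host, port).

// Default ports, so that http://host and http://host:80 compare equal.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Return the origin tuple for a URL, or null when the URL has an opaque
// origin (file:, data:, ...). Assumption: opaque origins match nothing,
// which is how Chrome treats file: URLs by default.
function originTuple(url) {
  const u = new URL(url);
  if (!(u.protocol in DEFAULT_PORTS)) return null;
  return {
    scheme: u.protocol,
    host: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol],
  };
}

// List which parts of the origin differ; an empty list means same origin.
function originMismatch(parentUrl, frameUrl) {
  const a = originTuple(parentUrl);
  const b = originTuple(frameUrl);
  if (a === null || b === null) return ["opaque origin"];
  return ["scheme", "host", "port"].filter((k) => a[k] !== b[k]);
}

// True only when script in one document may reach into the other.
function canScriptAcross(parentUrl, frameUrl) {
  return originMismatch(parentUrl, frameUrl).length === 0;
}

// First pair is from the question; the others are constructed variations.
const cases = [
  ["file:///experiment/iframe-test/index.html", "http://localhost.lan/embed/GYZA"],
  ["http://localhost.lan/index.html", "http://localhost.lan:80/embed/GYZA"],
  ["http://localhost.lan/index.html", "https://localhost.lan/embed/GYZA"],
  ["http://localhost.lan/index.html", "http://localhost.lan:8080/embed/GYZA"],
];
for (const [parent, frame] of cases) {
  const diff = originMismatch(parent, frame);
  console.log(diff.length ? "blocked (" + diff.join(", ") + ")" : "allowed", parent, "->", frame);
}
```

Serving the test page from the same http://localhost.lan origin instead of opening it from file:// is the only case in this list that passes the check.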

I just confirmed Matt's question.

Whenever a Flash object is embedded in a cross-domain iframe, it throws a cross-domain exception. This is true for Youtube and Vimeo.

For example, check this jsfiddle with an embedded iframe: http://jsfiddle.net/bkCdB/

    <object width="420" height="315">
      <param name="movie" value="http://www.youtube.com/v/6V_DsL1x1uY?version=3&amp;hl=en_US"></param>
      <param name="allowFullScreen" value="true"></param>
      <param name="allowscriptaccess" value="always"></param>
      <embed src="http://www.youtube.com/v/6V_DsL1x1uY?version=3&amp;hl=en_US" type="application/x-shockwave-flash" width="420" height="315" allowscriptaccess="always" allowfullscreen="true"></embed>
    </object>

0

Source: https://habr.com/ru/post/916224/

