I'm working on a glorified click-jacker which uses CNAMEs for navigation (example.bit -> example.speech.is) and I want to allow cross-domain access to the contents of an iframe. The child iframe has headers set to:

Access-Control-Allow-Origin: *
Content-Security-Policy: default-src 'self' 'unsafe-inline' *.speech.is http://bits.speech.is https://bits.speech.is http://speech.is

But I am still unable to access the iframe using iframe.windowContent.document (actually it's speech.windowContent.document). Firefox gives me:

Error: Permission denied to access property 'document'

While Chrome reports:

SecurityError: Blocked a frame with origin "http://bits.speech.is" from accessing a frame with origin "http://208.113.212.187". Protocols, domains, and ports must match.
code: 18
message: "Blocked a frame with origin "http://bits.speech.is" from accessing a frame with origin "http://208.113.212.187". Protocols, domains, and ports must match."
name: "SecurityError"
stack: "Error: Blocked a frame with origin "http://bits.speech.is" from accessing a frame with origin "http://208.113.212.187". Protocols, domains, and ports must match.
    at <anonymous>:2:21
    at Object.InjectedScript._evaluateOn (<anonymous>:580:39)
    at Object.InjectedScript._evaluateAndWrap (<anonymous>:539:52)
    at Object.InjectedScript.evaluate (<anonymous>:458:21)"

Is there any way to trace where this security policy is getting set?

Indolering

1 Answer


Access-Control-Allow-Origin: * allows certain CORS requests from XHR, but does not allow direct JS access through the iframe. If you want to communicate with the iframe you could use postMessage instead, and implement listeners in both the iframe and the parent. Of course you then need to control the page shown in the iframe.

Erlend
  • I know about postMessage, but [I was told that this was possible](http://security.stackexchange.com/questions/41802/child-iframe-hash-verification-of-parent-iframe-content). Is this only any issue for parent->child or is child->parent manipulation possible? – Indolering Nov 06 '13 at 00:18
  • @Indolering The linked answer states "**an iFrame cannot read the contents of another iFrame unless they are on the same domain.**" – SilverlightFox Nov 06 '13 at 09:56
  • Thanks for pointing that out Silverlight. I think there was a communication error in a later exchange. – Indolering Nov 07 '13 at 03:04
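The postMessage pattern the answer recommends, written out as an added example (this is not code from the question, the answer, or the speech.is project). Each side registers a `message` listener and checks `event.origin` before acting, and the child replies to the validated origin rather than `"*"`. The parent origin `http://bits.speech.is` is taken from the thread; the child origin `http://example.speech.is`, the `get-title` command and the title string are assumptions made up for the example. A small offline simulation of the round trip is included so the handlers can be exercised without a browser.

```javascript
// Added example, not code from the original question or answer.
// Origins: the parent origin appears in the thread; the child origin is assumed.
const PARENT_ORIGIN = "http://bits.speech.is";   // page that embeds the iframe
const CHILD_ORIGIN = "http://example.speech.is"; // assumed origin of the framed page
const CHILD_TITLE = "Framed page (constructed sample)";

// Listener the child page registers: window.addEventListener("message", childHandler)
// It returns a result object so the logic can be checked outside a browser.
function childHandler(event) {
  // The browser fills in event.origin; the message body cannot forge it.
  // Only the expected parent is allowed to issue commands.
  if (event.origin !== PARENT_ORIGIN) {
    return { accepted: false, reason: "untrusted origin: " + event.origin };
  }
  // Treat the payload as untrusted input: require the exact shape we expect.
  const data = event.data;
  if (!data || typeof data !== "object" || data.type !== "get-title") {
    return { accepted: false, reason: "unknown or malformed request" };
  }
  const reply = { type: "title", title: CHILD_TITLE };
  // Reply to the validated origin only. A targetOrigin of "*" would hand the
  // reply to whatever page currently owns that window reference.
  event.source.postMessage(reply, PARENT_ORIGIN);
  return { accepted: true, reply };
}

// Listener the parent page registers: window.addEventListener("message", parentHandler)
function parentHandler(event) {
  if (event.origin !== CHILD_ORIGIN) {
    return { accepted: false, reason: "untrusted origin: " + event.origin };
  }
  const data = event.data;
  if (!data || typeof data !== "object" || data.type !== "title" ||
      typeof data.title !== "string") {
    return { accepted: false, reason: "unexpected reply" };
  }
  return { accepted: true, title: data.title };
}

// Offline simulation of the round trip. requesterOrigin is the origin the
// browser would report for the page that sent the request to the child frame.
function simulateExchange(requesterOrigin) {
  const sentToRequester = [];
  // Stand-in for the requesting window's proxy as seen from the child.
  const requester = {
    postMessage(data, targetOrigin) { sentToRequester.push({ data, targetOrigin }); },
  };
  const childResult = childHandler({
    origin: requesterOrigin,
    source: requester,
    data: { type: "get-title" },
  });
  if (!childResult.accepted) {
    return { delivered: false, stage: "child", reason: childResult.reason };
  }
  // The browser delivers a message only if targetOrigin matches the real
  // origin of the receiving window (or is "*"); mirror that check here.
  const msg = sentToRequester[0];
  if (msg.targetOrigin !== "*" && msg.targetOrigin !== requesterOrigin) {
    return { delivered: false, stage: "transport", reason: "targetOrigin mismatch" };
  }
  const parentResult = parentHandler({ origin: CHILD_ORIGIN, data: msg.data });
  if (!parentResult.accepted) {
    return { delivered: false, stage: "parent", reason: parentResult.reason };
  }
  return { delivered: true, title: parentResult.title };
}

// In a real deployment the parent would kick things off with something like:
//   document.getElementById("speech").contentWindow
//     .postMessage({ type: "get-title" }, CHILD_ORIGIN);
// Here we just run the simulation for an allowed and a disallowed requester.
console.log(simulateExchange(PARENT_ORIGIN));        // delivered: true
console.log(simulateExchange("http://evil.example")); // delivered: false, stage "child"
```

Note that the origin check is what makes this safe: without it, any page able to obtain a reference to the frame (for example by embedding it itself) could send the same command, and a reply posted with `"*"` would go to that page instead of the intended parent.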