I have a page on a domain:

.cfm which holds an iframe, loading a domain .

This page has a script reference to .js

This somescript is a tracking script like google Analytics, which loads with each request of www.anotherdomain.

At a certain stage, the script .js in the page www.anotherdomain will try to call window.top.aFunction(); or parent.aFunction();

to make the parent window do something.

I know about the X-Frame-Options and the Access-Control-Allow-Origin header and tried both, but still when I browse in my iframe on www.anotherdomain I get a error message in Firebug telling me:

Error: Permission denied to access property 'relocate'window.top.aFunction();

In my web.config on the main.domain site i have the following rules:

<httpProtocol>
     <customHeaders>
    <add name="Access-Control-Allow-Origin" value="" />
        <add name="X-Frame-Options" value="ALLOW-FROM " />
     </customHeaders>
</httpProtocol>

Which in my opinion should grant the sub.mydomain access to the script on main.mydomain.

I am testing this with all the domains except the www.anotherdomain locally on my pc with host reference in place.

Any idea what I am missing here?

I have a page on a domain:

http://main.mydomain./frame.cfm which holds an iframe, loading a domain http://www.anotherdomain..

This page http://www.anotherdomain. has a script reference to http://sub.mydomain./somescript.js

This somescript is a tracking script like google Analytics, which loads with each request of www.anotherdomain..

At a certain stage, the script http://sub.mydomain./somescript.js in the page www.anotherdomain. will try to call window.top.aFunction(); or parent.aFunction();

to make the parent window do something.

I know about the X-Frame-Options and the Access-Control-Allow-Origin header and tried both, but still when I browse in my iframe on www.anotherdomain. I get a error message in Firebug telling me:

Error: Permission denied to access property 'relocate'window.top.aFunction();

In my web.config on the main.domain site i have the following rules:

<httpProtocol>
     <customHeaders>
    <add name="Access-Control-Allow-Origin" value="http://sub.mydomain." />
        <add name="X-Frame-Options" value="ALLOW-FROM http://sub.mydomain." />
     </customHeaders>
</httpProtocol>

Which in my opinion should grant the sub.mydomain. access to the script on main.mydomain..

I am testing this with all the domains except the www.anotherdomain. locally on my pc with host reference in place.

Any idea what I am missing here?

• javascript
• iframe
• same-origin-policy

Share Improve this question Follow asked Nov 9, 2012 at 17:32 MattijsMattijs 3,46033 gold badges4040 silver badges3838 bronze badges

Add a ment  | 

1 Answer 1

Sorted by: Reset to default 3

You can't access the parent window function's methods through a cross domain iFrame. It goes against the Same Origin Policy . The X-Frame http header response tells the browser whether it is allowed to render a page in the iFrame and does not help your situation.

The solution I remend is to use window.postMessage() to municate between the two frames. Look at http://ejohn/blog/cross-window-messaging/