javascript - AJAX request from iframe, why is the origin the parent's URL? - Stack Overflow

I have a website that I am loading an iframe in. The iframe is on a different subdomain than the website itself. Let's say the website is on portal.domain and the iframe is on iframe.domain. I need to make requests to iframe.domain from portal.domain and I was hoping to use this iframe to make those requests.

I created the iframe like this:

// On portal.domain
document.domain = "domain";
var iframe = document.body.appendChild(document.createElement('iframe'));
iframe.contentWindow.onIframeLoad = function() {
    iframe.contentWindow.makeRequest();
}

var doc = iframe.contentWindow.document;
doc.open().write('<body onload="' + 
        'var s = document.createElement(\'script\');' + 
        's.onload = onIframeLoad;' +
        'document.getElementsByTagName(\'head\')[0].appendChild(s).src=\'' + "iframe.domain/content.js" + '\'">');
doc.close();

The script loaded in the iframe looks like this:

// iframe.domain/content.js
document.domain = "domain"

function makeRequest() {
  // AJAX call here
}

The AJAX call is made, but the origin gets set to portal.domain. This causes the cookies not to be sent and for the browser to block the response due to its CORS policy. Why is this happening?
asked Feb 22, 2016 at 7:59 by Max
  • Why aren't you using JSONP? – GuyT Commented Feb 22, 2016 at 8:10
  • 1 @GuyT — Why would anyone use JSONP in 2016? We have CORS now. – Quentin Commented Feb 22, 2016 at 8:13
  • @Quentin I agree. The OP has first to give the exact reason why this is necessary before we can give any good advice. – GuyT Commented Feb 22, 2016 at 8:18
  • I'm not using JSONP because private data is involved. I'm not using CORS because it creates a weird dependency structure. E.g. portal.domain. depends on iframe.domain., but, if I use CORS, iframe.domain. must also know portal.domain. exists. Additionally, the CORS implementation for CXF (which is what I'm using) isn't great. – Max Commented Feb 22, 2016 at 8:33

2 Answers

Well,

You cannot. Doing that is actually cross-domain execution, which is a huge security risk. So most modern browsers will track your originating entry point to your script and see that it was loaded from a different domain.

If you want to do it :

  1. Load JavaScript from iFrame domain

  2. Define an object (let's say window.iframeparams)

  3. Populate it

  4. Call “send” on the JavaScript code, loaded from iframe domain

It is actually the same procedure as Google Analytics or any other tracking software.

Edit :

Again, browsers will track the origin of the call. So your method of creating a dynamic iFrame will not work (or maybe on IE6).

This is restricted in most browsers because of the "Same-Origin" policy. You can read more about this, here: https://developer.mozilla/en-US/docs/Web/Security/Same-origin_policy.

There are ways to work around this limitation, using technologies such as JSONP or HTML5 messaging (postMessage).

You may want to look at similar questions and their answers, here:

  • SO: Making ajax calls from inside of an iframe with different domain
  • SO: Ajax inside iframe not working against same server

Edit: There is also a lengthy list of ways to circumvent the same-origin policy, here: Ways to circumvent the same-origin policy
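As an added example that is not part of the question or either answer, this is the "HTML5 messaging" approach applied to the question's setup: the parent loads the iframe by src so the iframe's document really has the iframe.example origin (a document the parent writes into a blank iframe inherits the parent's origin, which is what the question observes), and the two sides talk over postMessage with the origin pinned on both ends. The hostnames portal.example and iframe.example, the path /bridge.html and the /api/ prefix are assumptions.

```javascript
const PORTAL_ORIGIN = 'https://portal.example'; // assumed parent origin
const IFRAME_ORIGIN = 'https://iframe.example'; // assumed iframe origin

// Exact-match origin check. Prefix or substring checks would accept
// https://portal.example.attacker.test, so compare the whole string.
function isAllowedOrigin(origin, allowed) {
  return typeof origin === 'string' && allowed.includes(origin);
}

// Validate the request message shape before acting on it; only paths
// under the assumed /api/ prefix may be fetched on the caller's behalf.
function parseRequest(data) {
  if (!data || typeof data !== 'object') return null;
  if (data.type !== 'api-request' || typeof data.path !== 'string') return null;
  if (!data.path.startsWith('/api/') || data.path.includes('..')) return null;
  return { id: data.id, path: data.path };
}

// ---- parent side (runs on portal.example) ----
function setupParent(win, doc) {
  const iframe = doc.createElement('iframe');
  iframe.src = IFRAME_ORIGIN + '/bridge.html'; // real cross-origin document
  doc.body.appendChild(iframe);
  win.addEventListener('message', (ev) => {
    if (!isAllowedOrigin(ev.origin, [IFRAME_ORIGIN])) return; // drop others
    if (ev.data && ev.data.type === 'api-response') {
      console.log('response', ev.data.id, ev.data.status, ev.data.body);
    }
  });
  iframe.addEventListener('load', () => {
    // targetOrigin pins the recipient; '*' would hand the message to whatever
    // document happens to be in the frame.
    iframe.contentWindow.postMessage(
      { type: 'api-request', id: 1, path: '/api/me' }, IFRAME_ORIGIN);
  });
}

// ---- iframe side (runs on iframe.example/bridge.html) ----
function setupBridge(win) {
  win.addEventListener('message', async (ev) => {
    if (!isAllowedOrigin(ev.origin, [PORTAL_ORIGIN])) return;
    const req = parseRequest(ev.data);
    if (!req) return;
    // Same-origin fetch from the iframe's own origin: cookies go along, no CORS.
    const res = await fetch(req.path, { credentials: 'same-origin' });
    ev.source.postMessage(
      { type: 'api-response', id: req.id, status: res.status, body: await res.text() },
      ev.origin);
  });
}

if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  if (window.location.origin === PORTAL_ORIGIN) setupParent(window, document);
  else if (window.location.origin === IFRAME_ORIGIN) setupBridge(window);
}
```

The same script can be served to both pages; it picks its role from window.location.origin, and everything the bridge fetches is constrained by parseRequest rather than by trusting the sender.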
