The code above shows errors for any operations except: Iframe.onload = null // clear the handler, not to run it after the location change we can WRITE into location (and thus load something else into the iframe)! Can't read URL from the Location object also we can't READ the URL of the page in iframe Let doc = ntentDocument // ERRORĪlert(e) // Security Error (another origin) we can get the reference to the inner window If that’s not so then the access is denied (writing to location is an exception, it’s still permitted).įor instance, let’s try reading and writing to from another origin: When we access something inside the embedded window, the browser checks if the iframe has the same origin. ntentDocument to get the document inside the, shorthand for.ntentWindow to get the window inside the.But we cannot read location (so we can’t see where the user is now, no information leak).Īn tag hosts a separate embedded window, with its own separate document and window objects. The only exception is location: we can change it (thus redirecting the user). otherwise, if it comes from another origin, then we can’t access the content of that window: variables, document, anything.a popup created by window.open or a window inside, and that window comes from the same origin, then we have full access to that window. if we have a reference to another window, e.g.Two URLs are said to have the “same origin” if they have the same protocol, domain and port. So, the purpose of the “Same Origin” policy is to protect users from information theft. The idea is that if a user has two pages open: one from, and another one is, then they wouldn’t want a script from to read our mail from. The “Same Origin” (same site) policy limits access of windows and frames to each other.
0 kommentar(er)
