Chrome用户脚本错误:“不安全的JavaScript尝试访问框架” [英] Chrome userscript error: "Unsafe JavaScript attempt to access frame"
问题描述
//我需要访问的div的iframe
var iframe = document.getElementsByTagName(iframe)[2];
var innerDoc = iframe.contentDocument || iframe.contentWindow.document;
//在iframe中调整'player'
innerDoc.getElementById('player')。width =1000px;
innerDoc.getElementById('player')。height =650px;
// == UserScript ==
// @name _Test在Chrome和Tampermonkey中处理iFrame
// @match http:// domain_A .com / *
// @match http://domain_B.com/*
// == / UserScript ==
if(/domain_A\.com/ i.test(document.location.href)){
//主页面
document.body.style.setProperty(background,lime,important);
}
else {
// iFrame
document.body.style.setProperty(background,pink,important);
}
您可以看到主页面为柠檬绿色,而iframed页面为粉红色。
或者,您可以像这样测试:
if(window.top === window.self){
// ---当页面是主站点时运行的代码...
}
else {
// ---页面在iframe中时运行的代码...
}
对另一个答案发表评论),则可以在Chrome上禁用相同的来源策略。 不要这样做!你会开放给坏人建立的各种恶棍。除了邪恶的网站,许多名义上的好网站 - 允许用户发布内容 - 可能会追踪,剽窃或恶搞你。
// the iframe of the div I need to access
var iframe = document.getElementsByTagName("iframe")[2];
var innerDoc = iframe.contentDocument || iframe.contentWindow.document;
// resize 'player' in the iframe
innerDoc.getElementById('player').width = "1000px";
innerDoc.getElementById('player').height = "650px";
Running in a userscript for this url: http://www.free-tv-video-online.me/player/sockshare.php?id=24DA6EAA2561FD60
Why does Chrome come out with this error and fail the script?:
Unsafe JavaScript attempt to access frame with URL http://www.sockshare.com/embed/24DA6EAA2561FD60
from frame with URL http://www.free-tv-video-online.me/player/sockshare.php?id=24DA6EAA2561FD60.
Domains, protocols and ports must match.
(I'm only a basic Javascript user)
Final code, many thanks to the answerer:
// ==UserScript==
// @name Resize
// @include http://www.free-tv-video-online.me/player/sockshare.php*
// @include http://www.sockshare.com/*
// ==/UserScript==
if (!(window.top === window.self)) {
var player = document.getElementById('player');
setSize(player);
}
function setSize(player) {
player.style.setProperty("width", "1000px");
player.style.setProperty("height", "650px");
}
It's true that ordinary javascript cannot access iframe content, that's on a different domain, for security reasons. However, this by no means stops userscripts in Chrome, Tampermonkey or Greasemonkey.
You can process iframed content in a userscript because Chrome (and Firefox) process iframe'd pages just as if they were the main page. Accounting for that, scripting such pages is a snap.
For example, suppose you have this page at domain_A.com:
<html>
<body>
<iframe src="http://domain_B.com/SomePage.htm"></iframe>
</body>
</html>
If you set your @match directives like this:
// @match http://domain_A.com/*
// @match http://domain_B.com/*
Then your script will run twice -- once on the main page and once on the iframe as though it were a standalone page.
So if your script was like this:
// ==UserScript==
// @name _Test iFrame processing in Chrome and Tampermonkey
// @match http://domain_A.com/*
// @match http://domain_B.com/*
// ==/UserScript==
if (/domain_A\.com/i.test (document.location.href) ) {
//Main page
document.body.style.setProperty ("background", "lime", "important");
}
else {
//iFrame
document.body.style.setProperty ("background", "pink", "important");
}
You would see the main page in lime-green, and the iframed page in pink.
Alternatively, you can test like this:
if (window.top === window.self) {
//--- Code to run when page is the main site...
}
else {
//--- Code to run when page is in an iframe...
}
As you discovered (per comment on another answer), you can disable the same origin policy on Chrome. Don't do this! You will leave yourself open to all kinds of shenanigans set up by bad people. In addition to evil sites, many nominally "good" sites -- that allow users to post content -- could potentially track, hack, or spoof you.
这篇关于Chrome用户脚本错误:“不安全的JavaScript尝试访问框架”的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
