iframe src允许所有来源，但仍收到跨域错误 [英] iframe src allows all origins but still receiving Cross-Origin Errors

问题描述

我管理siteA的前端，并在页面上放置一个iframe，其中的src指向来自siteB的资源.这意味着是其他供应商&所使用的可嵌入资源(嵌入了视频).客户端，因此siteB的响应标头设置为Access-Control-Allow-Origin *.并且所有涉及的URL都是https.

I manage the frontend of siteA and have an iframe on the page with a src pointing to a resource from siteB. This is meant to be an embeddable resource (its a video embed) used by other vendors & clients so the response headers of siteB are set to Access-Control-Allow-Origin *. And all URLs involved are https.

我在开发工具中的src url上有标题的屏幕截图:

I have a screenshot here of the headers here from the src url in dev tools:

但是，当我尝试查询iframe文档以检查是否存在特定元素时，我仍然收到跨域错误.

我不是要修改任何内容，而是要根据内容做出简单的UI决定.

I’m not trying to modify any content but want to make simple UI decisions depending on the content.

无济于事，我尝试过:

• 标准jQuery方法，例如$('iframe').contents().find()
• $.get请求以检索html响应，并查看它是否包含特定的字符串

我错过了什么吗?克服这一障碍将是我们项目的重大胜利.

Am I missing something? Getting over this hurdle would be a major win for our project.

推荐答案

您可以应用Access-Control-Allow-Origin标头，该标头将允许您从其他域读取ajax响应，例如:

You could apply the Access-Control-Allow-Origin header which will allow you to read ajax responses from another domain, eg:

Access-Control-Allow-Origin: *

但是由于

But this header will NOT allow you to access a rendered iframe from another domain due to the Same Origin Policy. But it would allow you to make a new ajax (GET) request to the iFrame's domain and then work with the response.

此 stackoverflow问题探索了相同来源的一些方法-policy可以绕开，一些建议可能会对您有所帮助，但这取决于您要实现的目标.

This stackoverflow question explores some ways that the same-origin-policy can be bypassed, some of the suggestions might help you, but it depends what you're trying to achieve.

这篇关于iframe src允许所有来源，但仍收到跨域错误的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！