跨站点脚本 Iframe 权限被拒绝问题 [英] Cross Site Scripting Iframe Permission Denied issue

问题描述

我在以下代码中遇到跨站点脚本错误.

I am getting Cross Site Scripting error on the following code.

Javascript

 function resizeIframe(ifRef) 
            {
                var ifDoc;
                //alert(ifRef);

                try
                { 
                    ifDoc = ifRef.contentWindow.document.documentElement; 
                }
                catch( e )
                {
                   alert(e);
                    try
                    { 
                    ifDoc = ifRef.contentDocument.documentElement; 
                    }
                    catch( ee ){
                             alert(ee);
                          } 
                }
                //var doc = ifRef.height;
                //alert(doc);
                if(ifDoc)
                {
                    ifRef.height = 1; 
                    ifRef.style.height = ifDoc.scrollHeight+'px';               
                }
            }

iframe

<iframe onload="resizeIframe(this)" style="margin-bottom: 16px;" src="ourteamnav/first.php" frameborder="0" scrolling="no" width="597" height="240"></iframe>

错误如下

对于e":

Mozilla Firefox:错误:访问属性文档"的权限被拒绝

Mozilla Firefox : Error: Permission denied to access property 'document'

谷歌浏览器:TypeError:无法读取未定义的属性documentElement"

Internet Explorer:类型错误:权限被拒绝

Internet Explorer : TypeError: Permission denied

对于ee":

Mozilla Firefox:错误:访问属性documentElement"的权限被拒绝

Mozilla Firefox : Error: Permission denied to access property 'documentElement'

谷歌浏览器:TypeError:无法读取 null 的属性documentElement"

Internet Explorer:错误:访问被拒绝.

Internet Explorer : Error: Access is denied.

我认为它不能以一般方式解决，因为它正在发生，因为域指向另一个域.因此，有人会指导我在不使用 Javascript contentDocument.documentElement 或 contentWindow.document.documentElement 的这些属性的情况下解决它，以根据其内部内容动态调整 Iframe 内容的大小.

I think it can not be solved in general way as it s happening because of domain is pointing another domain. So will anyone guide me to solve it without using these property of Javascript contentDocument.documentElement or contentWindow.document.documentElement for re-sizing the Iframe Content dynamically according to its inner Content.

谢谢

推荐答案

除了 Christophe 的回答，我想指出(遗憾的是)postMessage 不适用于所有浏览器.

In addition to the answer of Christophe, I wanted to point out (sadly) postMessage doesn't work on all browsers.

幸运的是，Josh Fraser 已经提供了window.postMessage() 的向后兼容版本.它检查浏览器是否支持 postMessage 方法.如果是，它会使用它.如果没有，它会使用 URL(来自 iframe 和父级)来传递数据.

Luckily, Josh Fraser already provided a backwards compatible version of window.postMessage(). It checks if the browser supports the postMessage-method. If it does, it uses that. If not, it uses the URL (both from the iframe and the parent) to pass along data.

现在您可以使用以下方法让两个窗口相互交谈":

Now you can use the following methods to let both windows "talk" to eachother:

XD.postMessage(msg, src, frames[0]);
XD.receiveMessage(function(message){
    window.alert(message.data + " received on "+window.location.host);
}, 'URL');

请确保您正确阅读文档，因为必须正确设置配置.

Just make sure you read the documentation properly, since the configuration has to be set just right.

这篇关于跨站点脚本 Iframe 权限被拒绝问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！