Chrome userscript error: "Unsafe JavaScript attempt to access frame"

Problem description

// the iframe of the div I need to access
var iframe = document.getElementsByTagName("iframe")[2];
var innerDoc = iframe.contentDocument || iframe.contentWindow.document;

// resize 'player' in the iframe
innerDoc.getElementById('player').width = "1000px";
innerDoc.getElementById('player').height = "650px";

Running in a userscript for this url: http://www.free-tv-video-online.me/player/sockshare.php?id=24DA6EAA2561FD60

Why does Chrome come up with this error and fail the script?

Unsafe JavaScript attempt to access frame with URL http://www.sockshare.com/embed/24DA6EAA2561FD60 
from frame with URL http://www.free-tv-video-online.me/player/sockshare.php?id=24DA6EAA2561FD60. 
Domains, protocols and ports must match.

(I'm only a basic JavaScript user)

Final code, many thanks to the answerer:

// ==UserScript==
// @name       Resize
// @include    http://www.free-tv-video-online.me/player/sockshare.php*
// @include    http://www.sockshare.com/*
// ==/UserScript==

if (!(window.top === window.self)) {
    var player = document.getElementById('player');
    setSize(player);
}

function setSize(player) {
    player.style.setProperty("width", "1000px");
    player.style.setProperty("height", "650px");
}

Recommended answer

It's true that ordinary JavaScript cannot access iframe content that's on a different domain, for security reasons. However, this by no means stops userscripts in Chrome, Tampermonkey or Greasemonkey.

You can process iframed content in a userscript because Chrome (and Firefox) process iframe'd pages just as if they were the main page. Accounting for that, scripting such pages is a snap.

For example, suppose you have this page at domain_A.com:

<html>
<body>
    <iframe src="http://domain_B.com/SomePage.htm"></iframe>
</body>
</html>


If you set your @match directives like this:

// @match http://domain_A.com/*
// @match http://domain_B.com/*

Then your script will run twice -- once on the main page and once on the iframe as though it were a standalone page.

So if your script was like this:

// ==UserScript==
// @name  _Test iFrame processing in Chrome and Tampermonkey
// @match http://domain_A.com/*
// @match http://domain_B.com/*
// ==/UserScript==

if (/domain_A\.com/i.test (document.location.href) ) {
    //Main page
    document.body.style.setProperty ("background", "lime", "important");
}
else {
    //iFrame
    document.body.style.setProperty ("background", "pink", "important");
}

You would see the main page in lime-green, and the iframed page in pink.


Alternatively, you can test like this:

if (window.top === window.self) {
    //--- Code to run when page is the main site...
}
else {
    //--- Code to run when page is in an iframe...
}


As you discovered (per comment on another answer), you can disable the same origin policy on Chrome. Don't do this! You will leave yourself open to all kinds of shenanigans set up by bad people. In addition to evil sites, many nominally "good" sites -- that allow users to post content -- could potentially track, hack, or spoof you.
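
The two checks from the answer (which site, and top page versus iframe) can be combined into one helper that matches on the exact origin instead of a pattern over the full URL. This is an added example, not part of the original answer; `ROLES`, `sameOrigin` and `frameRole` are hypothetical names, and the origins are the answer's placeholder domains.

```javascript
// Added example (not from the original answer). The origins are the answer's
// placeholder domains; ROLES, sameOrigin and frameRole are hypothetical names.
const ROLES = new Map([
    ["http://domain_a.com", "main"],    // page that embeds the iframe
    ["http://domain_b.com", "frame"],   // page loaded inside the iframe
]);

// The comparison behind "Domains, protocols and ports must match":
// URL.origin normalizes host case and drops the scheme's default port.
function sameOrigin(urlA, urlB) {
    return new URL(urlA).origin === new URL(urlB).origin;
}

// Decide what this script instance should do. An exact origin lookup is not
// fooled by the expected domain appearing in a query string or as part of
// another host name, which a pattern test over the whole href would accept.
function frameRole(href, isTop) {
    let origin;
    try {
        origin = new URL(href).origin;
    } catch (e) {
        return "ignore";                // unparsable URL: do nothing
    }
    const role = ROLES.get(origin);
    if (role === "main" && isTop) return "main";
    if (role === "frame" && !isTop) return "frame";
    return "ignore";                    // unexpected origin or nesting
}

// In a userscript:
//   const role = frameRole(location.href, window.top === window.self);
```

Anything that returns "ignore" is a page the script was not written for, so the script should exit without touching the DOM.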
