错误:权限被拒绝访问属性“文档” [英] Error: Permission denied to access property "document"
问题描述
我有一个包含 iframe
的HTML文档。每当我尝试使用JS访问或修改这个 iframe
时,我得到错误:权限被拒绝访问属性document
。
我正在使用 frame.contentWindow.document.body.innerHTML
或 frame.contentWindow .document.body.onload
或类似的属性来访问或修改 iframe
。 (在给定的代码中, iframe
被称为 frame
。)
对于我正在开发的网络应用程序,访问这些属性是必要的,我不能没有这些(或类似的选择)。
访问并修改 iframe
其他网站的网页被称为跨站点脚本或 XSS ,它是恶意黑客用来捕获毫无戒心的受害者的技术。 b
$ b
一个名为同源策略的策略是由浏览器制造商实施的,以防止这种行为和JS代码的任意执行。
通过将父文档和文档托管在同一个域和子域中的 iframe
中,并确保使用相同的域和子域加载文档,可以防止此错误协议。
Incompati的例子ble页数:
-
http://www.example.org
&http://www.example2.com
-
http://abc.example.org code>&
http://xyz.example.com
-
http://www.example.org
code>&
https://www.example.com
跨源资源共享是针对此问题的解决方案。
例如:
如果 http://www.example.com
想分享 http://www.example.com/hello
与 http://www.example.org
,一个标题可以发送的文档如下所示:
Access-Control-Allow-Origin:http://www.example .org
使用HTML发送它只需将它放在< META HTTP-EQUIV =...>
标记,如下所示:
< head> ;
...
< META HTTP-EQUIV =Access-Control-Allow-OriginCONTENT =http://www.example.org>
...
< / head>
I have a HTML Document which contains an iframe
. Whenever I try to access or modify this iframe
with JS I get Error: Permission denied to access property "document"
.
I am using frame.contentWindow.document.body.innerHTML
or frame.contentWindow.document.body.onload
or similar such attributes to access or modify the iframe
. (In the given code the iframe
is referred to as frame
.)
For the web-app I am developing, access to these attributes are necessary and I can't do without these (or similar alternatives).
Accessing and then modifying webpages in iframe
s of other websites is known as Cross-site scripting or XSS and it is a technique used by malicious hackers to prey on unsuspecting victims.
A policy by the name of "Same-Origin Policy" is implemented by browser makers to prevent such behaviour and arbitrary execution of JS code.
This error can be prevented by hosting the parent document and the document in the iframe
in the same domain and subdomain, and making sure that the documents are loaded using the same protocol.
Examples of Incompatible Pages:
http://www.example.org
&http://www.example2.com
http://abc.example.org
&http://xyz.example.com
http://www.example.org
&https://www.example.com
Cross-Origin Resource Sharing is a solution to this problem.
For Example:
If http://www.example.com
would like to share http://www.example.com/hello
with http://www.example.org
, a header can be sent with the document which looks like the following:
Access-Control-Allow-Origin: http://www.example.org
To send it with HTML just put it in a <META HTTP-EQUIV="...">
tag, like this:
<head>
...
<META HTTP-EQUIV="Access-Control-Allow-Origin" CONTENT="http://www.example.org">
...
</head>
这篇关于错误:权限被拒绝访问属性“文档”的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!