Nw.js: Cross-origin iframe doesn't have accessible "parent" and "top" properties in "window.parent"

Created on 8 Sep 2017 · 4 Comments · Source: nwjs/nw.js

NWJS Version : sdk-0.25.0 (same in sdk-0.22.3)
Operating System : Win7, x64

Expected behavior

window.parent.parent and window.parent.top should return a Window and shouldn't throw an error in a cross-origin iframe. This is the behavior of Google Chrome.

Actual behavior

VM346:1 Uncaught DOMException: Blocked a frame with origin "..." from accessing a cross-origin frame.
    at <anonymous>:1:15

How to reproduce

  1. Launch nw.exe
  2. Open DevTools
  3. Run in console
       var iframe = document.createElement('iframe');
       iframe.src = 'https://example.com/';
       document.body.appendChild(iframe);
  4. Switch frame selector for console from "top" to "example.com"
  5. Run in console window.parent.parent (in "example.com" iframe)

Real issue

Google IMA is not working in NW.js because of an exception in this part of its code:

for (var f = 0; e != e.parent; )
    f++,
    e = e.parent;

where variable "e" is equal to "window".
You can check it on page: https://developers.google.com/interactive-media-ads/docs/sdks/html5/vastinspector
You will see cross-origin exceptions in console.
_Please note that in version 0.25.0 the page with the Google IMA library becomes unresponsive on load, so you should use earlier versions to reproduce exactly this issue._

P2 bug triaged

All 4 comments

You can try adding this to package.json to avoid the CORS error:

"chromium-args": "--disable-web-security",

I have used it already as a temporary solution, but it adds a serious vulnerability to the app. So it is important for this issue to be fixed.

I can reproduce this issue on Linux/Windows with nwjs-sdk-v0.25.0.

This shares the same root cause and is fixed in #6099. Please reopen if it's not.
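
Added example, not part of the original thread and not NW.js, Chromium or Google IMA code: a constructed Node.js model of cross-origin Window access that runs the frame-depth loop quoted in the issue under the HTML Standard's allowlist and under the behavior reported here. It also shows that the expected behavior still blocks `document`, so the loop needs no relaxation of the same-origin policy. The origins and all helper names are assumptions.

```javascript
// Constructed model for illustration; not NW.js, Chromium or Google IMA code.
// Properties the HTML Standard leaves readable on a cross-origin Window.
const SPEC_ALLOWED = new Set(['window', 'self', 'location', 'close', 'closed',
  'focus', 'blur', 'frames', 'length', 'top', 'opener', 'parent', 'postMessage']);
// The behavior reported in this issue: "parent" and "top" are blocked as well.
const REPORTED_ALLOWED = new Set([...SPEC_ALLOWED].filter(
  (p) => p !== 'parent' && p !== 'top'));

// Build nested frames; origins[0] is the top-level window (its own parent).
function buildFrames(origins) {
  const frames = [];
  for (const origin of origins) {
    const w = { origin, document: { title: `doc of ${origin}` } };
    w.parent = frames.length ? frames[frames.length - 1] : w;
    frames.push(w);
    w.top = frames[0];
  }
  return frames;
}

// Return the innermost window as seen by script running inside it.
function innermostWindow(origins, allowed) {
  const frames = buildFrames(origins);
  const viewer = origins[origins.length - 1];
  const cache = new Map(); // one proxy per window so identity checks work
  const wrap = (target) => {
    if (!cache.has(target)) {
      cache.set(target, new Proxy(target, {
        get(t, prop) {
          if (t.origin !== viewer && !allowed.has(prop)) {
            throw new Error(`Blocked a frame with origin "${viewer}" ` +
              'from accessing a cross-origin frame.');
          }
          const value = t[prop];
          return frames.includes(value) ? wrap(value) : value;
        },
      }));
    }
    return cache.get(target);
  };
  return wrap(frames[frames.length - 1]);
}

// Same walk as the loop quoted in the issue: count hops up to the top window.
function frameDepth(e) {
  let f = 0;
  while (e != e.parent) { f++; e = e.parent; }
  return f;
}
```

With `SPEC_ALLOWED` the walk from a one-level cross-origin iframe returns 1; with `REPORTED_ALLOWED` the second `e.parent` read throws the "Blocked a frame" error from the report.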
