window.opener cross domain call

Submitted by Deadly on 2019-12-11 05:18:57

Question


I have two subdomains, www.example.com and api.example.com. On a page from the first domain I open a popup window with the URL api.example.com/some/url and want to use the window.opener object to pass data to the parent page. But I get an error:

Unsafe JavaScript attempt to access frame with URL http://www.example.com/some/page from frame with URL http://api.example.com/some/url. Domains, protocols and ports must match.

Is it possible to fix the issue?


Answer 1:


It is possible to pass data between www.example.com and api.example.com, but not with window.opener. You can set a value in a cookie with JavaScript (document.cookie) on the .example.com domain (not www.example.com) and it will be readable on www.example.com and api.example.com.

On a page from www.example.com, if you execute this JavaScript (source: http://techpatterns.com/downloads/javascript_cookies.php), then the "somename" cookie will be readable from api.example.com:

function Set_Cookie( name, value, expires, path, domain, secure )
{
    // set time, it's in milliseconds
    var today = new Date();
    today.setTime( today.getTime() );

    /*
    if the expires variable is set, make the correct
    expires time, the current script below will set
    it for x number of days, to make it for hours,
    delete * 24, for minutes, delete * 60 * 24
    */
    if ( expires )
    {
        expires = expires * 1000 * 60 * 60 * 24;
    }
    var expires_date = new Date( today.getTime() + (expires) );

    document.cookie = name + "=" + escape( value ) +
        ( ( expires ) ? ";expires=" + expires_date.toGMTString() : "" ) +
        ( ( path ) ? ";path=" + path : "" ) +
        ( ( domain ) ? ";domain=" + domain : "" ) +
        ( ( secure ) ? ";secure" : "" );
}

Set_Cookie("somename", "somevalue", 0, "/", ".example.com");



Answer 2:


It's not a bug, it's a security feature. Otherwise, someone else can have your site open up from theirs and inject data into your page without your users knowing.

Read: http://en.wikipedia.org/wiki/Same_origin_policy

Certainly, having the same SLD could indicate that they are from the same origin, but that isn't guaranteed to be the case; for example, hosting sites that allow free subdomains would be vulnerable.




Answer 3:


<script>
document.domain = 'facebook.com';
try {
    try{
        if (window.opener && window.opener.graphexplorer) {
            window.opener.graphexplorer.authCallback(window.location.hash);
        }
    }catch(e){}
}
catch (e) {}

window.location.hash = '';
window.close();
</script>
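
A simplified model of the check behind the error in the question and of the document.domain line in Answer 3, added here as an example (it is not part of the original answers). The function names and the userpages.example.com host are assumptions made for illustration.

```javascript
// Simplified model of the browser's origin checks (after the HTML spec).
// `domain` is null unless the page has assigned document.domain.
function originOf(url, documentDomain = null) {
  const u = new URL(url);
  if (documentDomain !== null) {
    // Only the current host or a parent suffix of it is accepted.
    // (Real browsers also reject public suffixes such as "com".)
    const ok = u.hostname === documentDomain ||
               u.hostname.endsWith('.' + documentDomain);
    if (!ok) throw new Error(documentDomain + ' is not a suffix of ' + u.hostname);
  }
  return { scheme: u.protocol, host: u.hostname, port: u.port, domain: documentDomain };
}

// Plain same-origin: scheme, host and port must all match.
function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Check applied to script access such as window.opener.someFunction().
function canScript(a, b) {
  if (a.domain !== null && b.domain !== null) {
    // Both pages opted in: host and port are no longer compared.
    return a.scheme === b.scheme && a.domain === b.domain;
  }
  if (a.domain === null && b.domain === null) return sameOrigin(a, b);
  return false; // only one side opted in
}

function demo() {
  const www = 'http://www.example.com/some/page';
  const api = 'http://api.example.com/some/url';
  const sibling = 'http://userpages.example.com/anyone'; // constructed host
  return {
    asAsked: canScript(originOf(api), originOf(www)),
    oneSided: canScript(originOf(api, 'example.com'), originOf(www)),
    bothOptIn: canScript(originOf(api, 'example.com'), originOf(www, 'example.com')),
    siblingToo: canScript(originOf(sibling, 'example.com'), originOf(www, 'example.com')),
  };
}

console.log(demo());
```

The `siblingToo` result is the exposure Answer 2 describes: once a page sets document.domain to the parent domain, any other subdomain that does the same gains script access to it.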



Source: https://stackoverflow.com/questions/6876830/window-opener-cross-domain-call
