JS security issue with Opera 11.01, after moving from server A to B

情到浓时终转凉″ submitted on 2020-01-06 19:48:14

Question


I have an outer HTML-document (subdomain1.server-a.de) with an iFrame and inner HTML-document (subdomain2.server-a.de). The inner script should send & receive AJAX-requests to subdomain2.server-a.de. I've set the document.domain-value for both documents to "server-a.de" - so far, so good, works well in all tested browsers (FF/Chrome/Opera). Now I move the scripts to server-b.de with same subdomains and set the document.domain on both documents to "server-b.de". That still works in FF and Chrome, but Opera gives me a "Security error: attempted to read protected variable: xy" when trying to call my AJAX function from the outer document.

My conclusion so far: I can't violate the same domain policy, because then FF and Chrome wouldn't communicate with the inner document from outside either. I've also tried the solution from Focus with Cross-domain Ajax in Opera with the interval function, same issue.

Thanks a lot in advance for every hint.

UPDATE: I have set up a testing site for this. If you go to this site, you'll see, it works even with Opera (a dialog pops up with "Test called" after a few seconds). Now, if you copy the outer frame files "operatest.html" and jquery to another server - so it has to work in my case - you'll see, that FF and Chrome don't have a problem, but Opera has.

Is Opera comparing server details in order to fulfill the same origin policy? Or will it deny access, if IP addresses of both subdomains don't match?


Answer 1:


Sounds like it might be a timing issue, i.e. the outer document tries to initiate the request before the inner document has run the script that sets document.domain?? Or perhaps Opera has cached the IFRAME contents and you initially loaded a version where the script inside the IFRAME was wrong and didn't set document.domain correctly?




Answer 2:


I suggest you forget the document.domain approach and use window.postMessage() (AKA HTML5-style cross-document messaging) instead. http://www.whatwg.org/specs/web-apps/current-work/multipage/comms.html#web-messaging
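
A sketch of the postMessage approach for the setup in the question, added here as an example and not part of the original answer: the iframe keeps doing the same-origin AJAX work, and the outer document talks to it only through origin-checked messages. The `http` scheme, the function names `makeFrameHandler` and `makeParentClient`, and the `test` action are assumptions for illustration.

```javascript
// Assumed origins: hostnames from the question, http scheme is an assumption.
const PARENT_ORIGIN = "http://subdomain1.server-b.de";
const FRAME_ORIGIN = "http://subdomain2.server-b.de";

// Inner document (iframe): serve requests only from the expected parent origin.
function makeFrameHandler(parentOrigin, handlers) {
  return function onMessage(event) {
    if (event.origin !== parentOrigin) return false; // exact string match only
    const msg = event.data;
    const known = msg && typeof msg.id === "number" &&
      Object.prototype.hasOwnProperty.call(handlers, msg.action);
    if (!known) return false; // rejects malformed data and names like "constructor"
    handlers[msg.action](msg.payload, (result) =>
      event.source.postMessage({ id: msg.id, result }, event.origin));
    return true;
  };
}

// Outer document: send requests to the frame and match replies by id.
function makeParentClient(frameWindow, frameOrigin) {
  const pending = new Map();
  let nextId = 1;
  return {
    call(action, payload, callback) {
      const id = nextId++;
      pending.set(id, callback);
      // Explicit target origin, never "*": the browser will not deliver the
      // message if the frame has been navigated to a different origin.
      frameWindow.postMessage({ id, action, payload }, frameOrigin);
    },
    onMessage(event) {
      if (event.origin !== frameOrigin || event.source !== frameWindow) return false;
      const callback = event.data && pending.get(event.data.id);
      if (!callback) return false; // unknown or already answered id
      pending.delete(event.data.id);
      callback(event.data.result);
      return true;
    },
  };
}

// Browser wiring (comments only, so the file also loads outside a browser):
//   iframe: window.addEventListener("message",
//             makeFrameHandler(PARENT_ORIGIN, { test: (p, reply) => reply("Test called") }));
//   parent: const client = makeParentClient(iframeElement.contentWindow, FRAME_ORIGIN);
//           window.addEventListener("message", client.onMessage);
//           client.call("test", null, (result) => alert(result));
```

Unlike `document.domain`, this does not relax the same-origin policy for either document; each side only accepts data from the one origin it names.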




Answer 3:


Had the same absurd issue with JS calls between parent and an iframe on a different subdomain - worked everywhere, but failed under Opera with the above mentioned error.

Removing the ~/.opera folder (Opera settings folder in Linux) solved this, and another very weird problem.

Cheers.



Source: https://stackoverflow.com/questions/5500548/js-security-issue-with-opera-11-01-after-moving-from-server-a-to-b
