Attempting to access iframe contents (different subdomain); tried setting up CORS

Question

I am hosting a file at domain.com, which contains an iframe whose document is hosted on s3.domain.com. I am attempting to access the contents of the iframe, however am receiving the following:

Unsafe JavaScript attempt to access frame with URL http://s3.domain.com.s3.amazonaws.com/file.html from frame with URL http://domain.com/. Domains, protocols and ports must match.

I understand the reason for this. I've found two work arounds.

1. Since I own both documents, I can set the domain property to allow access like so: document.domain = 'domain.com';
2. Use CORS to allow access to the document, which is hosted within an S3 bucket

I would prefer to do this, however am having trouble doing so. My CORS configuration file for the bucket currently looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <AllowedOrigin>*</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
    </CORSRule>
</CORSConfiguration>

This is still, however, resulting in the error. I'm sure I'm missing something, however am not sure what.

Any advice would be appreciated. Thanks.

Answer 1

With CORS browsers will usually do a preflight request (OPTIONS method). Probably you will have to allow all headers as well to ensure proper preflight request handling:

<AllowedHeader>*</AllowedHeader>

See also here.