 

When page is opened with window.open, how can the opened page allow the opener to access its contents?

Is it possible for a page opened with window.open to allow itself to be examined by a cross-origin opener? (This is for use in internal applications, so security is not a significant concern.) And if so, how? I've tried replacing all of the CORS and Same-Origin policies I can find and I still get Access Denied on all properties for a child window.

In particular, I am trying to use Internet Explorer 11.

Headers

These are all of the headers I've tried so far

Access-Control-Allow-Origin: http://web1.corp.local
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: Cache-Control,Content-Language,Content-Type,Expires,Last-Modified,Pragma
Access-Control-Expose-Methods: GET,POST,OPTION,PUT,DELETE,HEAD
X-Content-Security-Policy: default-src *;script-src *
Content-Security-Policy: default-src *;script-src *
X-XSS-Protection: 0
X-Permitted-Cross-Domain-Policies: all

What I'm trying to do...

I want web1.corp.local to execute some JavaScript on a page on web2.corp.local. I control both domains; I just need some way for web2 to tell the browser it's okay for web1 to read and execute things on web2.

Request on http://web1.corp.local

I'm trying to call javascript functions on the opened window from the opener.

document.domain = "corp.local";
var web2 = window.open('http://web2.corp.local');
// Both lines below run immediately after open(), before web2 has loaded
web2.document; // Throws "Access Denied"
web2.MyApp;    // undefined

Javascript on http://web2.corp.local

document.domain = "corp.local"; // must match the value the opener sets
var myapp = window.MyApp = {
    doWork: function() {
        alert('Hello World!');
    }
};

Note: I have a solution using an iframe proxy and window.postMessage but the app hosted on web2 doesn't work correctly from within an iframe.

Update: The issue was the two pages were not using the document.domain and I missed the exception on the opened window.

Matthew Whited asked Dec 31 '25 15:12
1 Answer

The issue was the document.domain. The second site was not in the same domain as the first. As soon as I changed the FQDN of web1 and used document.domain = corp.local the problem was solved.

I missed the exception being thrown by one of the javascript files on document.domain.

Matthew Whited answered Jan 03 '26 03:01
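The answer's point, that document.domain must be assigned on both pages and to the same value, is easy to get wrong, so here is an added example (not code from the original question or answer) that models the rules a browser applies when a page assigns document.domain and when two windows may script each other, then replays the question's scenario against that model. The hostnames web1.corp.local and web2.corp.local come from the question; the public-suffix check is a simplified assumption (one-label suffixes such as "local" or "com" are refused; real browsers consult the full Public Suffix List), and waitForOpenedApp is a hypothetical helper for the opener side that only runs in a browser.

```javascript
// Added example (not code from the original post): a model of the rules a
// browser applies to document.domain, plus a browser-side helper for the
// opener. Hostnames web1.corp.local / web2.corp.local come from the question.

// Simplified public-suffix test: a single label ("local", "com") counts as a
// public suffix and cannot be used as document.domain. ASSUMPTION: real
// browsers consult the full Public Suffix List instead.
function isPublicSuffix(domain) {
  return !domain.includes('.');
}

// May a page served from `hostname` run `document.domain = target`?
// Allowed only for the hostname itself or a dot-delimited parent of it that
// is not a public suffix; anything else throws a SecurityError.
function canSetDocumentDomain(hostname, target) {
  hostname = hostname.toLowerCase();
  target = target.toLowerCase();
  if (target === hostname) return true;
  if (!hostname.endsWith('.' + target)) return false;
  return !isPublicSuffix(target);
}

// Minimal origin record; domainSet holds the effective domain once
// document.domain has been assigned (null until then).
function makeDoc(scheme, host, port) {
  return { scheme, host, port, domainSet: null };
}

// Returns a new record with document.domain applied, or throws like a browser.
function setDocumentDomain(doc, target) {
  if (!canSetDocumentDomain(doc.host, target)) {
    throw new Error(`SecurityError: ${doc.host} cannot set document.domain to "${target}"`);
  }
  return { ...doc, domainSet: target.toLowerCase() };
}

// Two documents may script each other when either neither set document.domain
// and scheme, host and port all match, or BOTH set document.domain to the same
// value with the same scheme (the port is ignored once it has been set).
// Setting it on only one side never grants access: that was the bug above.
function canScript(a, b) {
  if (a.scheme !== b.scheme) return false;
  if (a.domainSet === null && b.domainSet === null) {
    return a.host === b.host && a.port === b.port;
  }
  if (a.domainSet === null || b.domainSet === null) return false;
  return a.domainSet === b.domainSet;
}

// Replays the scenarios from the question and answer against the model.
function demo() {
  const web1 = makeDoc('http', 'web1.corp.local', 80);
  const web2Relaxed = setDocumentDomain(makeDoc('http', 'web2.corp.local', 80), 'corp.local');
  let wrongHost;
  try {
    // An opener whose FQDN is not under corp.local cannot join that domain.
    setDocumentDomain(makeDoc('http', 'web1.corp.example', 80), 'corp.local');
    wrongHost = 'allowed';
  } catch (e) {
    wrongHost = e.message;
  }
  return {
    onlyWeb2Relaxed: canScript(web1, web2Relaxed),                                       // false
    bothRelaxed: canScript(setDocumentDomain(web1, 'corp.local'), web2Relaxed),          // true
    differentPort: canScript(setDocumentDomain(makeDoc('http', 'web1.corp.local', 8080), 'corp.local'), web2Relaxed), // true
    httpsVsHttp: canScript(setDocumentDomain(makeDoc('https', 'web1.corp.local', 443), 'corp.local'), web2Relaxed),   // false
    wrongHost,
  };
}

// Browser-side helper for the opener (hypothetical). The opened window starts
// as about:blank and its Window object may be replaced when web2 loads, so a
// 'load' listener attached right after window.open() is unreliable; poll
// instead, treating the SecurityError as "not ready yet".
function waitForOpenedApp(win, timeoutMs) {
  return new Promise((resolve, reject) => {
    const deadline = Date.now() + timeoutMs;
    const timer = setInterval(() => {
      try {
        if (win.document.readyState === 'complete' && win.MyApp) {
          clearInterval(timer);
          return resolve(win);
        }
      } catch (e) { /* web2 not loaded, or it has not set document.domain yet */ }
      if (Date.now() > deadline) {
        clearInterval(timer);
        reject(new Error('web2 never became scriptable'));
      }
    }, 100);
  });
}

if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  document.domain = 'corp.local';   // must also be set, to the same value, on web2
  const web2 = window.open('http://web2.corp.local');
  waitForOpenedApp(web2, 10000).then((w) => w.MyApp.doWork());
}
```

Two caveats worth keeping in mind even on an internal network. Once web1 and web2 both relax to corp.local, every other host under corp.local that does the same becomes fully same-origin with them, so an XSS or a compromised box anywhere in that zone can script both applications; postMessage with an explicit targetOrigin check does not widen the trust boundary that way. And the technique is IE11-era: current Chromium (115 and later) ignores document.domain assignments unless the server sends an Origin-Agent-Cluster: ?0 response header, so the model above describes the legacy behaviour the question relies on.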


