Unsafe JavaScript attempt to initiate navigation for frame with URL

Question

This is a bit complicated, please bear with me. Website A has a iframe that contains website B and website B has a iframe that contain website C.

There is a button on website C, when clicked, I want to refresh url of website B. below is the javascript called to do the refresh of website B from website C, which is in an iframe

function url_update(id){
   var host = 'https://websiteb.com ';
   var myHost = host.split('/'); 
   if (id != "" && myHost != ""){
    try {
        if (id.substring(0,1) != '/'){
            id = '/' + id;
        }
        var dft_url = myHost[0] + '//' + myHost[2] + id;
        window.parent.location.href = dft_url;
    } catch(e){alert("Cannot go to the desired url location: " + dft_url);}
   } 
 }

but when the line "window.parent.location.href = dft_url;" gets executed, I received the following error:

 Unsafe JavaScript attempt to initiate navigation for frame with URL  
 'https://websiteB.com' from frame with URL
 'https://websiteC.com'. The frame attempting navigation is 
  neither same-origin with the target, nor is it the target's parent or    
  opener.

I don't understand why this happening and how to fix it. Any help will be appreciated.

I did some research, most claimed this is an origin problem, but if I take out website A, meaning only have website B with an iframe that contains website C, then the above code works. Even though they have different domains

Answer 1

You can find an explanation of this behavior in a comment of the Chromium source code. See here:

https://code.google.com/p/chromium/codesearch#chromium/src/third_party/WebKit/Source/core/frame/Frame.cpp&sq=package:chromium&rcl=1438193817&type=cs&l=202

Basically top-level windows have less restrictions regarding navigation than other windows. See restrictions for non top windows:

A document can navigate its decendant frames, or, more generally, a document can navigate a frame if the document is in the same origin as any of that frame's ancestors (in the frame hierarchy).

Where as for top window:

Specifically, a document can navigate a top-level frame if that frame opened the document or if the document is the same-origin with any of the top-level frame's opener's ancestors (in the frame hierarchy).

Reason for that is:

Top-level frames are easier to navigate than other frames because they display their URLs in the address bar (in most browsers).

So basically, for a non top window, it absolutely needs to be same origin to allow navigation, but for top windows, a frame that was opened by that window can navigate even if it's not same-origin. Which seems to be the problem you're facing, when B is top, the same origin doesn't apply, but when it's not top, then it applies.

According to this, I'm not sure there's a straightforward, or any at all, solution.

Answer 2

I know this old, but I came here because I have same issue. I solved mine using sandbox attribute in my iframe :

var iframe = document.createElement('iframe');
iframe.setAttribute("sandbox", "allow-scripts allow-top-navigation");
var html = '<body><script>window.top.location="https://redirectDomain.tld";</script></body>';
iframe.src = 'data:text/html;charset=utf-8,' + encodeURI(html);
document.body.appendChild(iframe);

You can read more from sources :
Creating an iframe with given HTML dynamically
Frames and Windows