Unsafe JavaScript attempt to access frame in Google Chrome
Q

2

3

Our web application (based on HTML5, SVG & JS) runs fine in all the browsers except Google Chrome.

In Google Chrome, the normal JavaScript events run fine; however, all the JavaScript events attached to the iFrame are not executed. We get the error in the console:

Unsafe JavaScript attempt to access frame

At the moment, the application is locally hosted and this problem cropped up during in-house testing.

Googling this brings up lots of posts but none suggests any concrete solution. Any suggestions?

Qr answered 14/4, 2011 at 7:49 Comment(1)
Please provide source code of the pages and JavaScript code. It will be easier to get useful answers (and not like mine) this way :) - Foushee
T
16

As an additional security measure, Chrome treats every "file" path as its own origin rather than treating the entire "file" scheme as a single origin (which is what other browsers do). This behavior applies only to "file" URLs and you can force Chrome to revert to a single local origin (like other browsers) by passing the --allow-file-access-from-files switch at startup.

You can find more information on the risks associated with local origins described here: http://blog.chromium.org/2008/12/security-in-depth-local-web-pages.html

Tungsten answered 14/4, 2011 at 14:0 Comment(4)
Thanks Justin. I think you both (Vladislav) are onto something here. We are thinking it's to do with file location as well. Accepting your answer. - Qr
This is simply Google's way of blocking local web apps and forcing people to use a web server. Google could have simply considered the folder name as the same origin; that would make life much easier. - Ashley
This is ridiculous. This security "feature" effectively prevents any possibility to have any scripting in locally stored websites. Even the command line argument to suppress this behavior itself sounds ridiculous (allow file access from files? what?) - Aurochs
This feature is really about security. Without such a limitation, any untrusted locally opened file could (in theory) enumerate all files in the system and access pretty much any file with the latest HTML5 features. It's arguable that a single directory would be a better origin for local files but that might make the whole Downloads folder open for scripts in practice. Read the referenced article in full if you need more information. - Hiett
F
4

Please make sure that both the iframe and main page are using the same protocol (i.e. both https or both http, but not mixed) and are on the same domain (i.e. both www.example.com and not example.com and dev.example.com). Also there's the possibility that something tries to use the file:// protocol, which will also cause this message.

Foushee answered 14/4, 2011 at 8:19 Comment(1)
Thanks Vladislav, using the same protocol and same domain as well. That file:// is an interesting point. - Qr
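The two answers above describe the same check from different sides: Tungsten's per-path origin for "file" URLs and Foushee's scheme and domain comparison. The following is an added example, not code from either answer or from Chrome; it is a simplified model of that comparison, and the names FILE_MODEL, originKey and explainFrameAccess, along with the sample URLs, are hypothetical.

```javascript
// Simplified model of the frame-access origin check (added example, runs in Node.js).
const FILE_MODEL = {
  PER_PATH: "per-path",    // Chrome as described above: every file path is its own origin
  SINGLE: "single-origin", // other browsers, or Chrome with --allow-file-access-from-files
};

// Two URLs are treated as same-origin when their keys are equal.
function originKey(rawUrl, fileModel = FILE_MODEL.PER_PATH) {
  const u = new URL(rawUrl);
  if (u.protocol === "file:") {
    return fileModel === FILE_MODEL.SINGLE ? "file://" : "file://" + u.pathname;
  }
  // URL drops default ports, so http://host:80/ and http://host/ get the same key.
  return `${u.protocol}//${u.hostname}${u.port ? ":" + u.port : ""}`;
}

// Says whether a parent page may script a frame, and which component differs if not.
function explainFrameAccess(parentUrl, frameUrl, fileModel = FILE_MODEL.PER_PATH) {
  const p = new URL(parentUrl);
  const f = new URL(frameUrl);
  if (originKey(parentUrl, fileModel) === originKey(frameUrl, fileModel)) {
    return { allowed: true, reason: "same origin" };
  }
  let reason = "port mismatch";
  if (p.protocol !== f.protocol) reason = "scheme mismatch";
  else if (p.protocol === "file:") reason = "distinct local file origins";
  else if (p.hostname !== f.hostname) reason = "host mismatch";
  return { allowed: false, reason };
}

// Constructed sample pairs: [parent page, framed page]
const samples = [
  ["file:///home/dev/app/index.html", "file:///home/dev/app/frames/chart.html"],
  ["http://www.example.com/", "https://www.example.com/frame.html"],
  ["http://example.com/", "http://dev.example.com/frame.html"],
  ["http://localhost:8000/index.html", "http://localhost:8000/frames/chart.html"],
];
for (const [parent, frame] of samples) {
  const { allowed, reason } = explainFrameAccess(parent, frame);
  console.log(`${parent} -> ${frame}: ${allowed ? "allowed" : "blocked"} (${reason})`);
}
```

The last sample pair shows that serving the same two pages from one local HTTP server gives them a shared origin without relaxing the "file" restriction.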
