Failed to execute 'postMessage' on 'DOMWindow': The target origin provided does not match the recipient window's origin ('null')

C

11

76

I have a game in heroku, now I'm trying to make it work in Facebook canvas, but, while it works in Firefox, in Chrome and IE doesn't.

IE shows a warning with a button, when clicking the button, it shows the content.

In chrome, I get this error:

Failed to execute 'postMessage' on 'DOMWindow': The target origin provided ('https://game.herokuapp.com') does not match the recipient window's origin ('null').

What's wrong?

Cinderella answered 5/3, 2014 at 10:1 Comment(0)

O

98

Make sure the target window that you (or Facebook) is posting a message to, has completed loading. Most of the times I've gotten this error were when an iframe I was sending messages to had failed to load.

Operator answered 13/3, 2014 at 13:22 Comment(4)

"the target window you're/FB is posting message is loaded" I am new to web dev. WHat is this supposed to mean? – Tanya 13/6, 2014 at 4:31

@PrakharMohanSrivastava good question -- the grammar makes this answer difficult to understand. – Smile 15/9, 2015 at 20:2

I think he's saying that posting to a window whose document has not finished loading (yet) causes this error. – Mairemaise 20/1, 2016 at 9:28

It sounds like Facebook's "out of the box" code doesn't work. How would I ensure the target window's loaded? – Addend 21/8, 2017 at 23:54

C

44

Another reason this could be happening is if you are using an iframe that has the sandbox attribute and allow-same-origin isn't set e.g.:

// page.html
<iframe id="f" src="http://localhost:8000/iframe.html" sandbox="allow-same-origin"></iframe> /* https://www.w3schools.com/tags/att_iframe_sandbox.asp */
<script type="text/javascript">
    var f = document.getElementById("f").contentWindow;
    // will throw exception
    f.postMessage("hello world!", 'http://localhost:8000');
</script>

// iframe.html
<script type="text/javascript">
    window.addEventListener("message", function(event) {
        console.log(event);
    }, false);
</script>

I haven't found a solution other than:

add allow-same-origin to the sandbox (didn't want to do that)
use f.postMessage("hello world!", '*');

Clunk answered 12/10, 2016 at 13:35 Comment(3)

But using both allow-scripts and allow-same-origin is unsafe (Firefox says: "Warning: Using both allow-scripts and allow-same-origin invalidates the iframe sandbox attribute."). Related to this question. So I think it is recommended to use the asterisk, since you did not allow changing the URL. – Definiendum 4/3, 2018 at 22:1

On the other side, I tried to window.postMessage from iframe, Error message in conlsoe show that the domain has to match, With window.parent.postMessage, it still complains with the same error message. window.parent.location.origin is also denied access. Then I tried '*' as origin, it works. Turns out host localhost and 127.0.0.1 doesn't match. – Leo 4/6, 2019 at 14:18

I wanted something for local development without having a server, I don't want to include any Node.js or Apache, this was the only solution that provided something for my use case. Many thanks. – Into 17/5, 2022 at 13:30

B

9

RELATED NOTE: When messaging from an iframe to the host page, you will get this error if you forget to use window.top.postMessage.

Without .top you are sending the message to iframes within the iframe.

Buy answered 11/11, 2021 at 16:25 Comment(0)

V

7

To check whether the frame have been loaded, use onload function. Or put your main function in load: I recommend to use load when creating the iframe by js

 $('<iframe />', {
   src: url,
   id:  'receiver',
   frameborder: 1,
   load:function(){
     //put your code here, so that those code can be make sure to be run after the frame loaded
   }
   }).appendTo('body');

Venessavenetia answered 11/9, 2014 at 2:3 Comment(1)

This worked for me. Without jQuery:

iframeReference.addEventListener('load', () => {     iframeReference.contentWindow?.postMessage('hello', 'https://iframe-domain.com') })

– Houlberg 16/1, 2023 at 13:44

U

2

In my case I didn't add the http:// prefix. Potentially worth checking.

Unbelievable answered 30/6, 2017 at 7:31 Comment(0)

G

1

In my case SSL certificate was invalid for iframe domain, so make sure that iframe URL you're trying to send messages to is opening w/o any issues (in case you load your iframe over https).

Grover answered 21/12, 2018 at 15:17 Comment(0)

P

1

I was tryina do cross-domain messaging between parent page and embedded iframe. Was unsuccessful using
window.postMessage('text', '*'); - the message just never got received on the iframe's side.

Changing to this nailed it:
document.querySelector('iframe').contentWindow.postMessage('text', '*');

Parmenter answered 28/11, 2021 at 18:24 Comment(1)

That's because, in the first case, the message is being sent to the parent window – Guard 3/4, 2023 at 17:19

M

0

My issue was I was instatiating the player completely from start but I used an iframe instead of a wrapper div.

Marten answered 6/11, 2018 at 11:59 Comment(0)

S

0

This also reliably happens if you try to create a player without a videoId. Looks like that's not supported.

Sigismund answered 13/3, 2021 at 19:42 Comment(0)

E

0

In my case the app was served with SSL (HTTPS) and the iframe was calling a pure HTTP page. My browser blocked the request for security reasons. I needed to disable it by clicking the padlock next to the URL or use an https link to the iframe page.

Expletive answered 18/5, 2022 at 11:55 Comment(0)

A

0

The easiest way to get this message is to forget the second "origin" argument in the call postMessage(message, origin). "origin" in this context are the origins of the pages you're happy to send your message to. (The user may have navigated away from the origin you presume. This gives you the chance to protect yourself. Put "*" to rule this out as a cause of your problem.)

Actable answered 11/1 at 14:53 Comment(0)

Recommended topics

Hot tags