SCORM: SecurityError: Blocked a frame with origin from accessing a cross-origin frame FOR SAME ORIGIN

I am aware there are plenty of similar questions; the only difference is that I get this for two pages I serve from the **same** domain. This can be seen in the example below.

    Uncaught DOMException: Blocked a frame with origin "https://content.samba.net" from accessing a cross-origin frame.
        at findAPI (https://content.samba.net/00/07/19-10/scorm_support/scorm_support.js:14:10)
        at getAPI (https://content.samba.net/00/07/19-10/scorm_support/scorm_support.js:61:13)
        at https://content.samba.net/00/07/19-10/SCORM.htm:200:16

Shouldn't this happen only between different domains?

============================== EDIT =======================================
Of course, a few seconds after I posted, I found the issue. The SCORM package has a function to locate the SCORM API. It looks at top and opener. In my case the window opener is in a different domain, and it was trying to access that.
I'll leave it for history's sake. My answer has the details.

Miserly answered 21/8, 2020 at 0:57 Comment(2)
If the iframe has the sandbox attribute, try adding allow-same-origin to the value. The reason is, without allow-same-origin included, browsers set the origin of the iframe to null — and a request from https://content.samba.net to a null origin is a cross-origin request. See the answers at https://mcmap.net/q/1917524/-origin-header-null-for-xhr-request-made-from-lt-iframe-gt-with-sandbox-attribute and #62289603 and for a lot more details than you probably want, see https://mcmap.net/q/18432/-when-do-browsers-send-the-origin-header-when-do-browsers-set-the-origin-to-null - Platypus
@Platypus that is interesting to know, but my issue was actually much more trivial and simple - I edited my question to reflect it. - Miserly

The issue has been resolved, and it is specific to the SCORM protocol.
When you open a piece of SCORM content, which is a bunch of HTML, Flash, JS and other media files, the first thing it does is try to find the SCORM API.
The SCORM API is JS that has to be in the window that loads the SCORM content.
In some SCORM packages, the function that looks for the API looks recursively for the TOP window, i.e. the initial window that started the entire process.
In my case it was a window on my site that popped the SCORM launcher on my CDN, which has a different domain name.

All I had to do to solve this issue was cheat the browser into thinking the SCORM launcher (the window I popped on the CDN) is the TOP, by adding the following two JS lines in it:

    window.top=window;
    window.opener=window;

Miserly answered 21/8, 2020 at 1:43 Comment(6)
Tried adding this on my parent page, doesn't seem to work, still getting the same issue - V2
@V2 are they the same domain? Parent page and SCORM window? - Miserly
Nope, different domains - V2
@V2 the window that holds the SCORM API, I believe (although there might be a way around it), has to be on the same domain as the content - that's how I do it. - Miserly
@ItayMoav-Malimovka Hello, do you have any example code for this? I've tried to integrate SCORM for my project and still failed; the last error I've got is this CORS thing. If you manage to share me some of the example it'll be really helpful, Thank you! - Siobhansion
@Siobhansion enroll to this sitelms.org/catalog/course/details/… and then launch the content.... and then view source - Miserly
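
The lookup described in the answer above (walk up to the top window, then try the opener), as an added JavaScript example that is not the SCORM package's own code: it treats a window the browser refuses to read as "no API here" instead of throwing. The `findAPI`/`getAPI` names come from the stack trace in the question; `API` is the SCORM 1.2 object name, and `safeGet`, `MAX_DEPTH` and the mock windows are assumptions constructed for the example.

```javascript
// Added example, not the page's package code. "API" (SCORM 1.2) and MAX_DEPTH are assumptions.
const MAX_DEPTH = 50;

// Read win[prop]; return null when the browser blocks a cross-origin read.
function safeGet(win, prop) {
  try {
    const value = win[prop];
    return value == null ? null : value;
  } catch (e) {
    if (e && e.name === "SecurityError") return null;
    throw e; // anything else is a real bug, do not hide it
  }
}

// Walk up the parent chain from win until a window exposes the API object.
function findAPI(win) {
  for (let depth = 0; win && depth < MAX_DEPTH; depth++) {
    const api = safeGet(win, "API");
    if (api) return api;
    const parent = safeGet(win, "parent");
    if (!parent || parent === win) return null; // reached the top window
    win = parent;
  }
  return null;
}

// Search the content's own frame hierarchy first, then the opener's.
function getAPI(win) {
  return findAPI(win) || findAPI(safeGet(win, "opener"));
}

// Constructed stand-in for a top-level cross-origin Window: browsers allow
// reading parent/top/opener on it but throw SecurityError for other properties.
function crossOriginWindow() {
  return new Proxy({}, {
    get(_target, prop, self) {
      if (prop === "parent" || prop === "top") return self;
      if (prop === "opener") return null;
      const err = new Error("Blocked a frame from accessing a cross-origin frame.");
      err.name = "SecurityError";
      throw err;
    },
  });
}

// Constructed scenario: a site page on another origin opens the launcher, which holds the API.
const siteWin = crossOriginWindow();
const launcher = { API: { LMSInitialize: () => "true" }, opener: siteWin };
launcher.parent = launcher;
const content = { parent: launcher, opener: null };
```

In a browser the content page would call `getAPI(window)`; the mock windows exist only so the block runs outside one.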
