Same Origin Policy

Posted 2019-06-01 02:48

I have read a bit about same origin policy over the last few hours and I understand a little bit of the idea but I have a question about my current setup.

I have a page, which we will call foo.com/home, and on that page is a link that opens up an iframe with a URL of foo.com/home/bar. Now, while in the frame of foo.com/home/bar, if I were to have a hyperlink to, say, www.google.com, when clicked can I have it redirect the iframe to Google without breaching the same origin policy? I wouldn't see the harm in that at the least because it would be a simple redirection.

The reason I ask is because with the above setup I am unable to redirect my iframe to www.google.com. If this is, in fact, against the same origin policy, could someone break it down and explain how? I would understand if I was using the iframe to submit data to another domain, but I am simply just trying to get my iframe to redirect to another domain.

2 answers
SAY GOODBYE
#2 · 2019-06-01 03:03
爷、活的狠高调
#3 · 2019-06-01 03:12

It is related to the same origin policy, but it doesn't work only because google.com explicitly prohibits embedding the page in an iframe.

If you look in the JavaScript console you'll see something like this:

Refused to display 'https://www.google.com' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.

If you try some other page that doesn't have the X-Frame-Options set, like http://nytimes.com, it will work even though it's not the same domain.
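
The header check described in this answer, as an added example that is not part of the original answer: a simplified JavaScript model of how a browser evaluates X-Frame-Options before rendering a framed response. The function names, the https scheme for foo.com and the sample header values are assumptions, and Content-Security-Policy frame-ancestors is not modeled.

```javascript
// Added example: models the X-Frame-Options check a browser applies before
// rendering a response inside a frame (simplified from the HTML Standard).
// Header values and origins below are constructed sample input.

// Split one or more X-Frame-Options header values into a lowercase token set.
function parseXfo(values) {
  const tokens = new Set();
  for (const value of values) {
    for (const part of value.split(",")) {
      const token = part.trim().toLowerCase();
      if (token) tokens.add(token);
    }
  }
  return tokens;
}

// framedUrl: URL loaded in the iframe; xfoValues: its X-Frame-Options header
// values; ancestorOrigins: origins of every ancestor frame up to the top.
function framingAllowed(framedUrl, xfoValues, ancestorOrigins) {
  const tokens = parseXfo(xfoValues);
  const known = ["deny", "sameorigin", "allowall"];
  // Conflicting values that include a known token: block.
  if (tokens.size > 1) return !known.some((t) => tokens.has(t));
  if (tokens.has("deny")) return false;
  if (tokens.has("sameorigin")) {
    const target = new URL(framedUrl).origin;
    // Every ancestor must share scheme, host and port with the framed page.
    return ancestorOrigins.every((o) => new URL(o).origin === target);
  }
  // No header, or an unrecognized value such as the obsolete ALLOW-FROM.
  return true;
}

const parent = ["https://foo.com"]; // the page from the question, scheme assumed
console.log(framingAllowed("https://www.google.com/", ["SAMEORIGIN"], parent)); // false
console.log(framingAllowed("https://foo.com/home/bar", ["SAMEORIGIN"], parent)); // true
console.log(framingAllowed("https://other.example/", [], parent)); // true
```

To protect your own pages from being framed by other sites, send `X-Frame-Options: SAMEORIGIN` or `DENY` on every HTML response; the model shows why a single cross-origin ancestor is enough to block rendering.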
