Access child iFrame DOM from parent page

There is a way. When the page in the iframe loads, have it do the following: parent.childGetElementById = function (id) {return document.getElementById(id);} parent.childLoaded(); This will make a function in the global scope of the parent page (that contains the iframe). Then in the parent, just have the following: function childLoaded() {var dom = childGetElementById('someid');} This …

How do I use Access-Control-Allow-Origin? Does it just go in between the html head tags?

There are 3 ways to allow cross domain origin (excluding jsonp): Set the header in the page directly using a templating language like PHP. Keep in mind there can be no HTML before your header or it will fail. Modify the server configuration file (apache.conf) and add this line. Note that “*” represents allow all. …

How to disable same origin policy Internet Explorer

Yes you can set this in Internet Options: Go to the Security tab. For the current zone click the “Custom level…” button. In the next window, scroll about a third of the way down to “Miscellaneous > Access data sources across domains” and set it to “Enable”. If the current zone is Internet, then you …

Embedding Google Apps Script in an iFrame

Google had just recently enabled this feature. It has been under a ‘feature request’ status for quite a long time. Link here You can now explicitly define X-Frame-Options. To allow embedding under another domain, the option should be HtmlService.XFrameOptionsMode.ALLOWALL Google documentation on the subject: https://developers.google.com/apps-script/reference/html/html-output#setXFrameOptionsMode(XFrameOptionsMode) Example: function doGet() { return HtmlService.createTemplateFromFile('form.html') .evaluate() // evaluate MUST …

same-origin policy and CORS – what’s the point?

The important thing to note here is that if the user is signed in to a site http://example.com/ and the request http://example.com/delete?id=1 deletes a post by the user, then the following code will delete the user’s post: <script src="http://example.com/delete?id=1" /> This is called a CSRF/XSRF attack (cross-site request forgery). This is why most server-side web …

Getting around same origin policy in javascript without server side scripts

As David Dorward mentioned, JSON-P is the simplest and fastest; however, there is another trick, specifically using two iframes. To get around this issue without using JSONP, you can do the following. This technique assumes that you have some sort of development access to the parent page. There are three pages on two domains/sites. Parent …

Using iframe with local files in Chrome

I’m sorry to tell you that I’ve tried for weeks to solve this issue (I needed it for a project) and my conclusion is that it’s not possible. There are a lot of problems around local access through JavaScript with Chrome, and some of them can be solved using --allow-file-access-from-files and --disable-web-security, including some HTML5 …

Disable-web-security in Chrome 48+

Update 2021-10-18 As of Chrome 95, on MacOS and Windows, --disable-site-isolation-trials remains a required flag in order to disable web security, so the command-line arguments to Chrome seen below are still valid. (Some of the arguments are not formally supported by Chrome, as it will warn you.) To test whether you’ve successfully launched Chrome with …