Blocked a frame with origin from accessing a cross-origin frame

The Same-Origin Policy (SOP) restricts how a document or script loaded from one origin can interact with a resource from another origin. For example, when Site X loads content from Site Y in a frame, Site Y's pages are not accessible to Site X by default. Allowing that access would be a huge security flaw.

Two origins are considered different if at least one of the following parts of the address differs: protocol, hostname or port. All three must be the same as those of your own page if you want to access a frame.

How to solve?

The window.postMessage() method provides a controlled mechanism to securely circumvent this restriction. It safely enables cross-origin communication between Window objects, e.g. between a page and an iframe embedded within it.


  1. targetOrigin - specifies what the origin of targetWindow must be for the event to be dispatched, either as the literal string "*" (indicating no preference) or as a URI.


Main Page source

The second argument to postMessage() can be '*' to indicate no preference about the origin of the destination. Always provide a specific targetOrigin, not '*', if you know where the other window's document should be located. Failing to provide a specific target discloses the data you send to any interested malicious site.

The dispatched event

Inside the <iframe> contained in the main page, the window can listen for dispatched messages by executing the following JavaScript:
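
Both sides of the exchange described above, as an added example rather than the page's original listing: the main page sends with a specific targetOrigin, and the iframe's listener checks event.origin before using the data. The two origins and the function names sendToFrame and makeReceiver are assumptions made for the illustration.

```javascript
// Added example. Both origins below are constructed placeholders.
const PARENT_ORIGIN = 'https://app.example.com';    // main page (assumed)
const FRAME_ORIGIN = 'https://widget.example.net';  // framed page (assumed)

// Main page side: deliver only if the frame currently holds targetOrigin.
function sendToFrame(frameWindow, data, targetOrigin) {
  if (targetOrigin === '*') {
    throw new Error("targetOrigin '*' would deliver to whatever origin is in the frame");
  }
  // Reduce a full URL to scheme + host + port before handing it to the browser.
  frameWindow.postMessage(data, new URL(targetOrigin).origin);
}

// Iframe side: build a 'message' listener that ignores unlisted senders.
function makeReceiver(allowedOrigins, onMessage) {
  const allowed = new Set(allowedOrigins.map((o) => new URL(o).origin));
  return function receive(event) {
    // The browser sets event.origin; compare it exactly, never by substring.
    if (!allowed.has(event.origin)) return false;
    // Data from an allowed origin is still untrusted input: check its shape.
    const d = event.data;
    if (typeof d !== 'object' || d === null || typeof d.type !== 'string') return false;
    onMessage(d, event);
    return true;
  };
}

// Browser wiring; skipped when no window exists (e.g. under Node).
if (typeof window !== 'undefined') {
  if (window.parent === window) {
    // Running as the main page: message the frame once it has loaded.
    const frame = document.querySelector('iframe');
    if (frame) {
      frame.addEventListener('load', () =>
        sendToFrame(frame.contentWindow, { type: 'greeting', text: 'hello' }, FRAME_ORIGIN));
    }
  } else {
    // Running inside the iframe: accept messages from the main page only.
    window.addEventListener('message', makeReceiver([PARENT_ORIGIN], (data, event) => {
      event.source.postMessage({ type: 'ack', of: data.type }, event.origin);
    }));
  }
}
```

The receiver returns false for a sender whose protocol, hostname or port differs from the allowed origin, which is the same three-part comparison the Same-Origin Policy uses.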


Disabling same-origin policy in your browser

Running a browser with same-origin security settings disabled grants any website access to cross-origin resources.

For Windows:

Open the command prompt, change to the folder where Chrome.exe is, and type:

For Linux:

Also, if you're trying to access local files for development purposes like AJAX or JSON, you can use this flag too.

NOTE: Disabling same-origin policy is very unsafe and should NEVER be done if you do not know exactly what you are doing.
 (C) 2022    Founded by raps mk