Tracing security policy permissions in JavaScript

Question

I'm working on a glorified click-jacker which uses CNAMES for navigation (example.bit -> example.speech.is) and I want to allow cross-domain access to the contents of an iFrame. The child iframe has headers set to:

Access-Control-Allow-Origin: *
Content-Security-Policy: default-src 'self' 'unsafe-inline' *.speech.is http://bits.speech.is https://bits.speech.is http://speech.is

But I am still unable to access the iframe using iframe.windowContent.document (actually it's speech.windowContent.document). Firefox gives me:

Error: Permission denied to access property 'document'

While Chrome reports:

SecurityError: Blocked a frame with origin "http://bits.speech.is" from accessing a frame with origin "http://208.113.212.187". Protocols, domains, and ports must match.
code: 18
message: "Blocked a frame with origin "http://bits.speech.is" from accessing a frame with origin "http://208.113.212.187". Protocols, domains, and ports must match."
name: "SecurityError"
stack: "Error: Blocked a frame with origin "http://bits.speech.is" from accessing a frame with origin "http://208.113.212.187". Protocols, domains, and ports must match.↵    at <anonymous>:2:21↵    at Object.InjectedScript._evaluateOn (<anonymous>:580:39)↵    at Object.InjectedScript._evaluateAndWrap (<anonymous>:539:52)↵    at Object.InjectedScript.evaluate (<anonymous>:458:21)"

Is there anyway to trace where this security policy is getting set?

Answer 1

Access-Control-Allow-Origin:* allows certain CORS requests from XHR, but does not allow direct JS acces through the iframe. If you want to use communicate with the iframe you could use postMessage instead, and implement listeners in both the iframe and the parent. Of course you then need to control the page shown in the iframe.