When page is opened with window.open, how can the opened page allow the opener to access its contents?

Submitted by 大城市里の小女人 on 2021-01-27 19:32:53

Question


Is it possible for a page opened with window.open to allow itself to be examined by a cross-origin opener? (This is for use in internal applications, so security is not a significant concern.) And if so, how? I've tried replacing all of the CORS and Same-Origin policies I can find and I still get Access Denied on all properties for a child window.

In particular, I am trying to use Internet Explorer 11.

Headers

These are all of the headers I've tried so far

Access-Control-Allow-Origin: http://web1.corp.local
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: Cache-Control,Content-Language,Content-Type,Expires,Last-Modified,Pragma
Access-Control-Expose-Methods: GET,POST,OPTION,PUT,DELETE,HEAD
X-Content-Security-Policy: default-src *;script-src *
Content-Security-Policy: default-src *;script-src *
X-XSS-Protection: 0
X-Permitted-Cross-Domain-Policies: all

What I'm trying to do...

I want web1.corp.local to execute some JavaScript on a page on web2.corp.local. I control both domains; I just need some way for web2 to tell the browser it's okay for web1 to read and execute things on web2.

Request on http://web1.corp.local

I'm trying to call JavaScript functions on the opened window from the opener.

document.domain = "corp.local";
var web2 = window.open('http://web2.corp.local');
web2.document; // Throws "Access Denied"
web2.MyApp; // undefined

JavaScript on http://web2.corp.local

document.domain = "corp.local";
var myapp = window.MyApp = {
    doWork: function() {
        alert('Hello World!');
    }
};

Note: I have a solution using an iframe proxy and window.postMessage but the app hosted on web2 doesn't work correctly from within an iframe.

Update: The issue was the two pages were not using the document.domain and I missed the exception on the opened window.


Answer 1:


The issue was the document.domain. The second site was not in the same domain as the first. As soon as I changed the FQDN of web1 and used document.domain = corp.local the problem was solved.

I missed the exception being thrown by one of the JavaScript files on document.domain.
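
A simplified model of the check a browser applies before it lets the opener read web2.document, showing why both pages must set document.domain and why a failed assignment on one side leaves access denied. This is an added example, not code from the question or the answers; the page objects, helper names and the short host name http://web1/ are constructed assumptions.

```javascript
// Simplified model of the browser's "same origin-domain" check (HTML spec),
// not browser code. Page objects and host names below are constructed.
function makePage(url) {
  const u = new URL(url);
  // Resolve default ports so http://a and http://a:80 compare equal.
  const port = u.port || (u.protocol === 'https:' ? '443' : '80');
  return { scheme: u.protocol, host: u.hostname, port, domain: null };
}

// Mirrors the document.domain setter: the new value must be the page's own
// host or a parent suffix of it; otherwise the browser throws.
// (Real browsers also reject public suffixes such as "com"; not modelled.)
function setDocumentDomain(page, value) {
  const ok = page.host === value || page.host.endsWith('.' + value);
  if (!ok) throw new Error('SecurityError: ' + page.host + ' is not under ' + value);
  page.domain = value;
}

// Script access between two windows is allowed only if:
//  - both pages set document.domain and scheme + domain match (port ignored), or
//  - neither set it and scheme, host and port all match.
// One side setting it alone never matches, even when the strings look equal.
function canScript(a, b) {
  if (a.scheme !== b.scheme) return false;
  if (a.domain !== null && b.domain !== null) return a.domain === b.domain;
  if (a.domain === null && b.domain === null) return a.host === b.host && a.port === b.port;
  return false;
}

// Walk through the states described in the question and in the answer above.
function scenarios() {
  const out = {};
  const web1 = makePage('http://web1.corp.local/');
  const web2 = makePage('http://web2.corp.local/');
  out.neitherSet = canScript(web1, web2);
  setDocumentDomain(web1, 'corp.local');
  out.onlyOpenerSet = canScript(web1, web2);
  setDocumentDomain(web2, 'corp.local');
  out.bothSet = canScript(web1, web2);
  // Opener reached by a short host name (constructed): the setter throws, and
  // an uncaught throw like this is easy to miss in the console.
  const shortName = makePage('http://web1/');
  try { setDocumentDomain(shortName, 'corp.local'); out.shortNameSet = true; }
  catch (e) { out.shortNameSet = false; }
  out.shortNameAccess = canScript(shortName, web2);
  return out;
}
console.log(scenarios());
```

None of the response headers listed in the question are inputs to this check, which is why changing them had no effect on web2.document.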




Answer 2:


Apparently it is indeed broken in IE if it's cross-domain and between windows (not frames).

Have a look at this question: Is cross-origin postMessage broken in IE10?

Especially the answer by brunolau at the bottom looks promising and may be just what you need. There is hope in IE11, but they also mention an update breaking it again. It's strange to be honest, I can't see a security reason to make it not work with the constraints and considerations already worked out for frames.

On the other hand, I know it doesn't answer your question, but you may want to implement communication through the server anyway, which would remove dependence on browser peculiarities (but that may be less of a concern for you if you only wanted to support IE 11).



Source: https://stackoverflow.com/questions/39456825/when-page-is-opened-with-window-open-how-can-the-opened-page-allow-the-opener-t
