electron: webSecurity won't disable same origin

Preflight Checklist

  • I have read the Contributing Guidelines for this project.
  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.

Issue Details

  • Electron Version: 5.0.4
  • Operating System: Windows 10 Latest official build x64, Linux 5.8 (Manjaro)

Expected Behavior

Disabling webSecurity should allow JS to edit the iframe’s variables.

Actual Behavior

Console saying ‘Blocked cross-origin request to frame’

To Reproduce

In main.js, disabled webSecurity:

    win = new BrowserWindow({
      width: 800,
      height: 600,
      frame: true,
      webPreferences: {
        nodeIntegration: true,
        nodeIntegrationInWorker: true,
        webSecurity: false
      }
    })

Try to edit variables in the iframe with id ‘frame’:

    document.getElementById("frame").contentWindow.settingMenuItemValues[0] = arg;

(Editing variable inside frame works.)

Console (chrome DevTools)

Uncaught DOMException: Blocked a frame with origin "file://" from accessing a cross-origin frame.

Edit: Tested on Manjaro Linux. As per comments, this looks like it’s affecting all platforms (peteringram0 has it on OSX & Linux).
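An added example, not part of the original issue and not Electron's own code: the same update to settingMenuItemValues done with window.postMessage, which is designed for cross-origin frames and so needs neither webSecurity: false nor direct access to contentWindow. The two origins and the message type are constructed placeholders, and sendSetting and makeSettingsReceiver are hypothetical helper names; it assumes both pages are served from origins you know in advance.

```javascript
// Constructed placeholder values (assumptions, not taken from the issue).
const PARENT_ORIGIN = 'https://shell.example';    // origin of the embedding page
const FRAME_ORIGIN = 'https://settings.example';  // origin of the framed page
const MSG_TYPE = 'set-setting-menu-item';         // hypothetical message type

// Parent side: ask the frame to change one value instead of writing to
// contentWindow.settingMenuItemValues directly.
function sendSetting(frameWindow, index, value) {
  // An explicit targetOrigin means the message is dropped if the frame has
  // navigated to some other origin.
  frameWindow.postMessage({ type: MSG_TYPE, index, value }, FRAME_ORIGIN);
}

// Frame side: build a 'message' handler that owns the settings array and
// applies only well-formed updates from the expected embedder.
function makeSettingsReceiver(settings, parentWindow) {
  return function onMessage(event) {
    if (event.origin !== PARENT_ORIGIN) return false;  // unexpected sender origin
    if (event.source !== parentWindow) return false;   // not sent by our embedder
    const msg = event.data;
    if (!msg || typeof msg !== 'object' || msg.type !== MSG_TYPE) return false;
    if (!Number.isInteger(msg.index)) return false;
    if (msg.index < 0 || msg.index >= settings.length) return false;
    // Keep each slot's existing type so a message cannot swap a string
    // for an object or function-like payload.
    if (typeof msg.value !== typeof settings[msg.index]) return false;
    settings[msg.index] = msg.value;
    return true;
  };
}

// Wiring inside the framed page (skipped when this file is run under Node).
if (typeof window !== 'undefined' && window.parent !== window &&
    Array.isArray(window.settingMenuItemValues)) {
  window.addEventListener(
    'message',
    makeSettingsReceiver(window.settingMenuItemValues, window.parent)
  );
}
```

In the embedding page the call would be sendSetting(document.getElementById("frame").contentWindow, 0, arg).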

About this issue

  • State: closed
  • Created 5 years ago
  • Reactions: 15
  • Comments: 19 (5 by maintainers)

Most upvoted comments

I found a workaround for this in another bug report, which appears to be the same issue.

    app.commandLine.appendSwitch('disable-site-isolation-trials')

Solved the issue for me.

@peteringram0 just had this issue with 6.1.7. Only thing that solved it was @Joshua-Smith's solution - adding app.commandLine.appendSwitch('disable-site-isolation-trials')

Keep repeatedly running into this issue. Even with app.commandLine.appendSwitch('disable-site-isolation-trials').

Having to write an application around bugs is really tiresome. Still no update regarding this? Can anybody confirm if this issue is still present in v13 too?

Gotcha. Here’s an even smaller fiddle which reproduces the issue, + is also automatically testable (i.e. exits with 1 if the test fails, 0 if it passes): https://gist.github.com/10465071dd6fcd731eabfcc4608ff87a

I’ve opened a new issue to track this: https://github.com/electron/electron/issues/29970

Oh, I just see that your example is using window.open not iframe?

Yup. I meant to point it out on your original fiddle but completely forgot. I did try a few fiddles with window.open() combined with http:// and file:// mix but those never quite produced the same result. So that’s why I finally had to settle with that humongous “minimal” repro. 😁