Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Unable to access cross domain iframes when not headless

See original GitHub issue

After updating to v1.20 I’m unable to access iframes from a foreign domain with headless: false.

Here’s a page with 4 iframes, 3 of which are cross domain:

<html>
<body>
<iframe src="https://en.wikipedia.org/wiki/IFrame"></iframe>
<iframe src="http://example.com/"></iframe>
<iframe srcdoc="<p>Frame [2]</p>"></iframe>
<iframe src="http://www.htmlhelp.com/reference/html40/special/iframe.html"></iframe>
</body>
</html>

And some code that tries to access the frames:

const puppeteer = require('puppeteer');
(async () => {
    const browser = await puppeteer.launch({ headless: false });
    const [page] = await browser.pages();
    await page.goto('http://localhost: ... ');

    console.log('childFrames count:', page.mainFrame().childFrames().length);
    console.log('pageFrames count:', page.frames().length);

    const iframeHandles = await page.$$('iframe');

    console.log('contentFrame[0] is valid:', await iframeHandles[0].contentFrame() !== null);
    console.log('contentFrame[2] is valid:', await iframeHandles[2].contentFrame() !== null);

    await browser.close();
})();

Output with headless false:

childFrames count: 1
pageFrames count: 2
contentFrame[0] is valid: false
contentFrame[2] is valid: true

Output with headless true:

childFrames count: 4
pageFrames count: 9
contentFrame[0] is valid: true
contentFrame[2] is valid: true

What is the expected result? I’d expect to be able to access cross domain iframes whether running headless or not (this was the case as of ~v1.15) Am I missing something?

Issue Analytics

State:
Created 4 years ago
Reactions:24
Comments:9

Top GitHub Comments

20reactions

jiriyaocommented, Oct 11, 2019

–disable-features=site-per-process does seem to fix the problem. but my chormium is crashed by add this item when handless is false

14reactions

tshmitcommented, Sep 27, 2019

Thanks for your reply, @hi-ogawa. You’re right --disable-features=site-per-process does seem to fix the problem.

I’m perplexed as to why my code ran without flag until updating to 1.20, but that’s ok, I’ll take it! 😃

Top Results From Across the Web

Bypass Cross-Domain-Policy to access iframe's HTML with ...

One possible solution was to try to get the src of the iframe tag with javascript, call a server-side script to get the...

Configuring Cypress to work with iFrames & cross-origin sites.

Display insecure content; Navigate to any superdomain without cross origin errors; Access cross origin iframes that are embedded in your application.

Web Security - Cypress Documentation

Display insecure content; Navigate to any superdomain without cross-origin errors with or without cy.origin; Access cross-origin iframes that are embedded in ...

Making your website "cross-origin isolated" using COOP and ...

You can enable cross-origin isolation on a document embedded within an iframe by applying allow="cross-origin-isolated" feature policy to the <iframe> tag and ...

Cross domain and cross window communication in JavaScript

Security #sameoriginpolicy #JavaScript The same- origin policy is a critical security mechanism that restricts how a document or script ...