I have two areas:
sub1.domain.org contains an iframe with its src pointing to another: sub2.domain.org
On sub2:
//triggers a cross-domain security error alert(window.parent.location.href); //executes just fine on FF, IE, Chrome, and Safari. window.parent.location.href = new_url;
So it looks like I'm allowed to write the URL of the parent window, but I'm not allowed to read it. Is this really a standard? I just need to know why this works as it is.
I found one answer here: Why can a child redirect a parent frame?
The same rule of origin does not apply here. By changing the URL in the address bar in the browser window, you change the window.top.location.href property too. If there was the same origin of restrictions there, the Internet would be dead. You do not send the request to another place, you do not receive data from a third-party resource and upload it to your page, you redirect the browser to another place that closes and clears the DOM.
But this answer prompts other subsequent questions.
When we change the parent URL, do we still technically modify the parent DOM (even if it closes it) and therefore violates a policy of the same origin?
, ? , URL- , .
, , , . - , ?
iframe, URL- . ( iframe, ). .
IFrame ( ) , .
FYI, . iframe .src , , , . , , . , , , .
.src
FYI, , "" , URL- , " ", , - , , . , , , - .