<div class="Layout-main"><p>Maybe someone set the <a href="https://developer.mozilla.org/en-US/docs/Web/API/Document/domain"><code>document.domain</code></a>, it used by the <a href="https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy">same-origin policy</a>. Only both the parent and the iframe don't set <code>document.domain</code> or both of them set the same <code>document.domain</code>, the iframe can access the parent content.</p>
<blockquote>
<p>Note that setting <code>document.domain</code> to its current value is not a no-op. It
still changes the origin. For example, if one page sets</p>
<div class="highlight highlight-js"><div class="highlight-header"><div class="highlight-language">js</div></div><pre><code tabindex="0"><span class="line"><span class="pl-c1">document</span>.<span class="pl-smi">domain</span> <span class="pl-k">=</span> <span class="pl-c1">document</span>.<span class="pl-smi">domain</span>;</span>
</code></pre></div>
<p>then it will be counted as cross-origin from any other normally-same-origin pages that
have not done the same thing.</p>
</blockquote>
<p>Since Chrome 115 set <code>document.domain</code> has no effect by default, so we will not meet this problem in most case.</p>
<p>Below is some test case, we can try those examples in Firefox:</p>
<table>
<thead>
<tr>
<th>parent set <code>blog.zjffun.com</code></th>
<th>parent set <code>zjffun.com</code></th>
<th>iframe set <code>blog.zjffun.com</code></th>
<th>iframe set  <code>zjffun.com</code></th>
<th>accessible</th>
</tr>
</thead>
<tbody>
<tr>
<td>❌</td>
<td>❌</td>
<td>❌</td>
<td>❌</td>
<td>✅  <a href="https://blog.zjffun.com/blogs/demo/iframe-can-not-access-parent-content-although-in-the-same-domain/parent.html" target="_blank">example</a></td>
</tr>
<tr>
<td>✅</td>
<td>❌</td>
<td>✅</td>
<td>❌</td>
<td>✅ <a href="https://blog.zjffun.com/blogs/demo/iframe-can-not-access-parent-content-although-in-the-same-domain/parent.html?set-parent-domain-1=true&set-iframe-domain-1=true" target="_blank">example</a></td>
</tr>
<tr>
<td>❌</td>
<td>✅</td>
<td>❌</td>
<td>✅</td>
<td>✅ <a href="https://blog.zjffun.com/blogs/demo/iframe-can-not-access-parent-content-although-in-the-same-domain/parent.html?set-parent-domain-2=true&set-iframe-domain-2=true" target="_blank">example</a></td>
</tr>
<tr>
<td>✅</td>
<td>✅</td>
<td>❌</td>
<td>✅</td>
<td>✅ <a href="https://blog.zjffun.com/blogs/demo/iframe-can-not-access-parent-content-although-in-the-same-domain/parent.html?set-parent-domain-1=true&set-parent-domain-2=true&set-iframe-domain-2=true" target="_blank">example</a></td>
</tr>
<tr>
<td>✅</td>
<td>❌</td>
<td>❌</td>
<td>❌</td>
<td>❌ <a href="https://blog.zjffun.com/blogs/demo/iframe-can-not-access-parent-content-although-in-the-same-domain/parent.html?set-parent-domain-1=true" target="_blank">example</a></td>
</tr>
<tr>
<td>❌</td>
<td>❌</td>
<td>✅</td>
<td>❌</td>
<td>❌ <a href="https://blog.zjffun.com/blogs/demo/iframe-can-not-access-parent-content-although-in-the-same-domain/parent.html?&set-iframe-domain-1=true" target="_blank">example</a></td>
</tr>
<tr>
<td>❌</td>
<td>❌</td>
<td>❌</td>
<td>✅</td>
<td>❌ <a href="https://blog.zjffun.com/blogs/demo/iframe-can-not-access-parent-content-although-in-the-same-domain/parent.html?&set-iframe-domain-2=true" target="_blank">example</a></td>
</tr>
</tbody>
</table></div><nav class="Layout-sidebar"><ol class="toc-level toc-level-1"></ol></nav>

zjffun blog

Iframe can not access parent content although in the same domain

parent set `blog.zjffun.com`	parent set `zjffun.com`	iframe set `blog.zjffun.com`	iframe set `zjffun.com`	accessible
❌	❌	❌	❌	✅ example
✅	❌	✅	❌	✅ example
❌	✅	❌	✅	✅ example
✅	✅	❌	✅	✅ example
✅	❌	❌	❌	❌ example
❌	❌	✅	❌	❌ example
❌	❌	❌	✅	❌ example