0.63.1 - New Error since upgrading - accessing a cross-origin frame

Hi just update to 0.63.1 and getting lots of these errors showing up

https://XXXXX.duckdns.org/frontend_latest/panels/ha-panel-hassio-ad7aa9a6055f74475fd3ba2c00bfe512.html:1:829 Uncaught SecurityError: Blocked a frame with origin “https://XXXXXX.duckdns.org” from accessing a cross-origin frame.

2 Likes

Just updated to 63.3 from 62.1 and same errors in the log. No clue what is up.

Any of you guys found the root problem of this error message? Seems like it started for me when I added MQTT in my Docker setup.

Having this same problem. Did anyone ever figure out what was wrong?

2018-06-09 13:35:19 ERROR (MainThread) [frontend.js.latest.201806080b0] https://[url]/frontend_latest/5f865e9ebd4764019c14.chunk.js:14:449 Uncaught SecurityError: Blocked a frame with origin “https://[url]” from accessing a cross-origin frame.

(sorry, posted reply to wrong item)

Same-Origin Policy (SOP) restricts how a document or script loaded from one origin can interact with a resource from another origin. For example, when Site X tries to fetch content from Site Y in a frame, by default, Site Y’s pages are not accessible due to security reasons, it would be a huge security flaw if you could do it.

How to solve?

The window.postMessage() method provides a controlled mechanism to securely circumvent this restriction. The window.postMessage() safely enables cross-origin communication between Window objects; e.g: between a page and an iframe embedded within it.

const frame = document.getElementById('your-frame-id');
frame.contentWindow.postMessage(/*any variable or object here*/, 'http://your-second-site.com');

The window.postMessage is available to JavaScript running in chrome code (e.g., in extensions and privileged code), but the source property of the dispatched event is always null as a security restriction. (The other properties have their expected values.)