I just changed my blog from wordpress to django-zinnia. Zinnia uses a WYMeditor (https://github.com/wymeditor/wymeditor) iframe within django-admin for blog post text and content entry, and right now I can't access the iframe due to a same-origin issue. The error I'm seeing in browser console is:
Blocked a frame with origin "http://www.mydomain.com" from accessing a frame with origin "http://mybucket.s3.amazonaws.com".
Protocols, domains, and ports must match.
WYMeditor.WymClassSafari.initIframe
onload
Is there a parameter I can update in my CORS configurations for the bucket to allow the iframe to load cross-origin? I already have
<AllowedOrigin>http://www.mydomain.com</AllowedOrigin>
within my current CORS rules:
<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
<AllowedOrigin>http://mydomain.herokuapp.com</AllowedOrigin>
<AllowedOrigin>http://mydomain.com</AllowedOrigin>
<AllowedOrigin>http://www.mydomain.com</AllowedOrigin>
<AllowedMethod>GET</AllowedMethod>
<MaxAgeSeconds>3000</MaxAgeSeconds>
<AllowedHeader>Content-*</AllowedHeader>
<AllowedHeader>Host</AllowedHeader>
<AllowedHeader>Authorization</AllowedHeader>
</CORSRule>
</CORSConfiguration>
The CORS headers do not affect the same-origin policy for iframes in Safari.
You can communicate between the frames using postMessage or you could attach a subdomain from mydomain.com to your S3 bucket and relax the same-origin policy by setting document.domain (this method only works to communicate between subdomains of the same domain, it doesn't work between different domains).
You can learn more about iframes communication from this answer on StackOverflow: