Same Origin Policy

Question

I have read a bit about same origin policy over the last few hours and I understand a little bit of the idea but I have a question about my current setup.

I have a page, we will call, foo.com/home and on that page is a link that opens up an iframe with a url of foo.com/home/bar. Now while in the frame of foo.com/home/bar if I were to have a hyperlink to say www.google.com when clicked can I have it redirect the iframe to Google without breaching the same origin policy? I wouldn't see the harm in that at the least because it would be a simple redirection.

The reason I ask is because with the above set up I am unable to redirect my iframe to www.google.com. If this is, in fact, against the same origin policy could someone break it down and explain how? I would understand if I was using the iframe to submit data to another domain but I am simply just trying to get my iframe to redirect to another domain.

Answer 1

While

Or Google in your case.

Possible solution will be using a local proxy like http://developer.yahoo.com/javascript/howto-proxy.html

This might help https://developer.mozilla.org/en-US/docs/Web/JavaScript/Same_origin_policy_for_JavaScript.

Answer 2

It is related to the same origin policy, but it doesn't work only because google.com explicitly prohibits embedding the page to an iframe.

If you look in the JavaScript console you'll see something like this:

Refused to display 'https://www.google.com' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.

If you try some other page that doesn't have the X-Frame-Options set, like http://nytimes.com, it will work even though it's not the same domain.