Can an iframe specify a whitelist of domains that can access its innerHTML, contentWindow, contentDocument, etc.?
What I mean is, for example:
<body>
<iframe src="https://someotherdomain.com" id="frame"></iframe>
</body>
<script>
console.log(document.getElementById('frame').contentWindow.someProp);
// this would fail, as it's a cross-domain iframe
</script>
What if the iframe could specify in its response header, similar to x-frame-allow, a whitelist of domains/patterns that are allowed to access its innerHTML, contentWindow, etc.? Is there any such early-stage proposal/RFC in progress, or has this been discussed before?
Try setting the response header Access-Control-Allow-Origin: *.domain.com, which would allow Cross-Origin Resource Sharing (CORS).
Refer: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
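Added example, not part of the original question or answer: the same-origin policy blocks the direct `contentWindow.someProp` read, so one opt-in route is for the framed page to answer `window.postMessage` requests only from an allowlist of parent origins. The allowlist entries, the `get-prop` message shape and the `EXPORTED` object are assumptions made for illustration.

```javascript
// Added example. Runs inside the framed document (someotherdomain.com in the question).
// ALLOWED_PARENTS, the 'get-prop' message shape and EXPORTED are assumptions.
const ALLOWED_PARENTS = ['https://app.example.com', 'https://*.domain.com'];
const EXPORTED = { someProp: 'value the frame chooses to share' };

// True for an exact allowlist entry, or a subdomain of a "scheme://*.suffix" entry.
function isAllowedOrigin(origin, allowlist = ALLOWED_PARENTS) {
  let url;
  try { url = new URL(origin); } catch { return false; } // e.g. the opaque origin "null"
  if (url.origin !== origin) return false;               // must be a bare serialized origin
  return allowlist.some((entry) => {
    if (!entry.includes('*')) return entry === origin;
    const [scheme, hostPattern] = entry.split('://');
    const suffix = hostPattern.slice(1);                 // "*.domain.com" -> ".domain.com"
    return url.protocol === `${scheme}:` && url.port === '' &&
      url.hostname.length > suffix.length && url.hostname.endsWith(suffix);
  });
}

// Answers a property request only for allowlisted parents and only for exported keys.
function handleMessage(event, exported = EXPORTED) {
  if (!isAllowedOrigin(event.origin)) return false;      // ignore everyone else
  const data = event.data;
  if (!data || data.type !== 'get-prop' || typeof data.name !== 'string') return false;
  if (!Object.prototype.hasOwnProperty.call(exported, data.name)) return false;
  // Reply with the verified origin as targetOrigin, never "*".
  event.source.postMessage(
    { type: 'prop', name: data.name, value: exported[data.name] }, event.origin);
  return true;
}

if (typeof window !== 'undefined') {                     // browser only; skipped elsewhere
  window.addEventListener('message', (e) => handleMessage(e));
}

// Parent page on an allowlisted origin, instead of reading contentWindow.someProp:
//   const frame = document.getElementById('frame');
//   frame.contentWindow.postMessage({ type: 'get-prop', name: 'someProp' },
//                                   'https://someotherdomain.com');
//   window.addEventListener('message', (e) => {
//     if (e.origin === 'https://someotherdomain.com') console.log(e.data.value);
//   });
```

The wildcard entry is matched on a leading-dot suffix, so `https://evildomain.com` and `https://a.domain.com.evil.net` are rejected while real subdomains of `domain.com` are accepted.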