Drag and drop across domains, iframes, browser windows

Thanks to Stack Overflow I solved a lot of my JavaScript problems, but now I have stopped at a point without hope. It is hard to describe; there is a clear video that shows my problem with drag and drop in cross-domain iframes.


  • First part in Iceweasel (and FF, Opera) = iframe d&d works OK.
  • Second part in Chromium (and Chrome) = iframe d&d does NOT work.

And there are links to the example iframe set and the iframe sources:

  • parent page: http://msdrop.com/msdrop-jquery-test-iframe-frameset.htm
  • iframe A: http://msdrop.com
  • iframe B: http://nextgd.com/msdrop-jquery-test-iframe.htm

Is it a Chrome bug, or security that comes under the "Same origin policy"? This is strange because d&d works excellently between two windows, and will not work at all from the parent window to an iframe.

Thanks for suggestions. Piotr

EDIT: It's possible Chrome/Chromium security mitigation is overly broad. Issue 251718: https://code.google.com/p/chromium/issues/detail?id=251718



Now, at: http://msdrop.com/msdrop-jquery-test-iframe-frameset.htm there are 4 iframes

  • IFRAME A: the same domain as parent
  • IFRAME B: other domain
  • IFRAME C: the same domain + sandbox="allow-scripts"
  • IFRAME D: other domain + sandbox="allow-scripts"

In FF, all frames work as I expect.

In Chrome and Chromium, all the dragover, dragenter, dragleave, and drop events work only on iframe A.


I think I found the answer: drag and drop events work on the iframe when Chromium or Chrome is opened without restrictions.

chromium-browser --disable-web-security

google-chrome --disable-web-security

But if it is about Google Chrome "web security", why does the JavaScript Console not show any info or warning, and why does drag and drop work excellently between two windows? Drag and drop works even from Firefox to Chrome.

Edit: Google Chrome: "You are using an unsupported command-line flag: --disable-web-security. Stability and security will suffer." So the flag works but is unsupported?

I do not understand.


Adding sandbox="allow-scripts" to the iframe element solves this issue for me.


<iframe sandbox="allow-scripts" src=".."></iframe>
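An added example (not from the original posts): how the sandbox attribute changes the origin that each of the four iframes listed in the question runs with, which is what a same-origin check compares. Function names are hypothetical, and the URLs for frames C and D are assumed to be the same as those given for A and B.

```javascript
// Added example: effective origin of a framed document under the HTML sandbox rules.

// Parse a sandbox attribute value into a set of lowercase tokens.
// null means the attribute is absent (no sandboxing at all).
function sandboxTokens(attr) {
  if (attr === null || attr === undefined) return null;
  return new Set(attr.trim().toLowerCase().split(/\s+/).filter(Boolean));
}

// Origin the framed document runs with: the URL's origin, or the string
// "null" (opaque origin) when sandboxed without allow-same-origin.
function effectiveOrigin(src, sandboxAttr) {
  const tokens = sandboxTokens(sandboxAttr);
  if (tokens !== null && !tokens.has("allow-same-origin")) return "null";
  return new URL(src).origin;
}

// An opaque origin is never same-origin with anything, including the parent.
function relationToParent(parentUrl, src, sandboxAttr) {
  const child = effectiveOrigin(src, sandboxAttr);
  if (child === "null") return "cross-origin (opaque)";
  return child === new URL(parentUrl).origin ? "same-origin" : "cross-origin";
}

// Scripts run in the frame only if it is unsandboxed or allow-scripts is set.
function scriptsAllowed(sandboxAttr) {
  const tokens = sandboxTokens(sandboxAttr);
  return tokens === null || tokens.has("allow-scripts");
}

// Constructed sample: the four frames as the question describes them.
// URLs for A and B are from the post; C and D reuse them as an assumption.
const PARENT = "http://msdrop.com/msdrop-jquery-test-iframe-frameset.htm";
const FRAMES = [
  { name: "A", src: "http://msdrop.com", sandbox: null },
  { name: "B", src: "http://nextgd.com/msdrop-jquery-test-iframe.htm", sandbox: null },
  { name: "C", src: "http://msdrop.com", sandbox: "allow-scripts" },
  { name: "D", src: "http://nextgd.com/msdrop-jquery-test-iframe.htm", sandbox: "allow-scripts" },
];

function classifyFrames() {
  return FRAMES.map((f) => ({
    name: f.name,
    relation: relationToParent(PARENT, f.src, f.sandbox),
    scripts: scriptsAllowed(f.sandbox),
  }));
}

for (const r of classifyFrames()) console.log(r.name, r.relation, "scripts:", r.scripts);
```

Frame C shares the parent's domain yet runs with an opaque origin, so only frame A is same-origin with the parent.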

