[将youtube-iframe嵌入另一个被沙盒化的iframe(以防止XSS时,播放器在所有主流浏览器中都会保持黑色。
请参见https://jsfiddle.net/ms9fwLbk/
<!DOCTYPE html><html lang='en'><head><title>Sandbox iframe youtube problem</title></head><body>
<iframe sandbox='allow-scripts allow-presentation' width='600' height='400' srcdoc='
<!DOCTYPE html><html lang="en"><head><title>iframe</title></head><body>
<!-- original source-code shared from youtube: -->
<iframe width="560" height="315"
src="https://www.youtube.com/embed/QwS1r1mc888?controls=0"
frameborder="0"
allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture"
allowfullscreen></iframe>
</body></html>
'></iframe></body></html>
浏览器的控制台日志显示以下错误,因为youtube-api无法使用CORS(此处不允许使用allow-same-origin,因为启用了allow-scripts会使cookie容易受到攻击)
Uncaught DOMException: Failed to read the 'cookie' property from 'Document':
The document is sandboxed and lacks the 'allow-same-origin' flag.
at Vb.m.get (https://www.youtube.com/yts/jsbin/www-embed-player-vflwaq4V_/www-embed-player.js:142:47)
Access to XMLHttpRequest at 'https://www.youtube.com/error_204?...'
from origin 'null' has been blocked by CORS policy:
Response to preflight request doesn't pass access control check:
No 'Access-Control-Allow-Origin' header is present on the requested resource.
它对not没有帮助
如何使youtube忽略Cookie的访问限制或preflight来源限制?
(Vimeo在这样的沙盒iframe中没有问题,但某些视频仅在youtube中可用。)>>
[将youtube-iframe嵌入另一个被沙盒化的iframe(以防止XSS)时,播放器在所有主流浏览器中都保持黑色。参见https://jsfiddle.net/ms9fwLbk/
我只是玩这个。如您所说,allow-same-origin允许子iframe访问父文档及其cookie!但是,如果将srcdoc属性更改为嵌入式HTML src属性(如下所示),则所有浏览器对此都更加严格,因此父文档和cookie是安全的。 (使用YouTube!)我可以在Mac上的Chrome / FF / Safari中成功为我工作: