Cross-origin iframes.

Nov. 13, 2025, 7:00 p.m. GMT-5

I learned a trick to detect if a frame is cross-origin.

window.top.location.href throws a SecurityError when when being evaluated from a cross-origin iframe.

This is similar in practice to window.frameElement, except that it handles the case of nested iframes with an intermediate same-origin iframe.

For example:

top (site.com)
- iframe1 (other.site.dev/iframe.html)
  - iframe2 (other.site.dev)

You can test this by switching contexts in the browser inspector console, and evaluating some of the expressions below.

// Select between different windows in the browser inspector
// and try evaluating some of these expressions:

window.top.location.href
// throws SecurityError if evaluating in a cross-origin iframe

window.top == window.parent
// true, if first-level iframe
// false, if nested iframe

window.frameElement
// returns the iframe element if same-origin
// returns null if cross-origin or if not in an iframe

Switching Contexts

In Chrome, you can visit the Console tab, and change the context via the dropdown immediately beflow the tab.

In Safari and Firefox, the context selector should be right beside the console input.

Below are some iframes to this site itself.

Same-origin

Cross-origin