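This error occurs when an iframe is called on a site with Cross-Origin Resource Sharing (CORS) rules configured, which blocks the frame. Below is an example of a JavaScript iframe injection, with a dummy URL substituted for the real iframe target. In this script, the statement most likely to be refused is the read of `iframe.contentWindow.document` inside the load handler, because the browser's same-origin policy does not let a page read the document of a frame served from a different origin: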
/**
 * Creates an <iframe> pointing at `url`, appends it to document.body, and
 * logs the frame's window and document once the frame fires "load".
 *
 * @param {string} url - Address assigned to the frame's `src`.
 */
let injectIframe = function(url) {
  const frame = document.createElement('iframe');
  frame.src = url;

  // Register the handler before the frame is attached to the page, so the
  // "load" event cannot be missed.
  frame.addEventListener("load", () => {
    const frameWindow = frame.contentWindow;
    console.log(frameWindow);
    // For a frame served from another origin, browsers refuse this read
    // under the same-origin policy; this is the line expected to fail.
    console.log(frameWindow.document);
  });

  document.body.appendChild(frame);
};
// Placeholder target. Any URL works here: the problem is the iframe call
// itself, not the site being framed.
let scriptUrl = "https://www.iframedummyurl.com";

// Inject right away when the DOM is already parsed and <body> exists;
// otherwise defer the injection until DOMContentLoaded fires.
if (document.readyState === "loading" || !document.body) {
  document.addEventListener("DOMContentLoaded", () => {
    injectIframe(scriptUrl);
  });
} else {
  injectIframe(scriptUrl);
}
This script waits for the page to load before calling the iframe function. The iframe function then appends a new inline frame to the body of the page. Copy and paste this script into your browser on this page to see this script throw the error.
The solution usually lies in your site's CORS configuration. Please note that this may not be an option in newer Safari browsers.
Learn more about Illegal Invocation Errors.