SecurityError: Blocked a frame with origin from accessing a cross-origin frame

javascript jquery security iframe same-origin-policy

I am loading an <iframe> in my HTML page and trying to access the elements within it using JavaScript, but when I try to execute my code, I get the following error:

SecurityError: Blocked a frame with origin "http://www.example.com" from accessing a cross-origin frame.

How can I access the elements in the frame?

I am using this code for testing, but in vain:

$(document).ready(function() {
    var iframeWindow = document.getElementById("my-iframe-id").contentWindow;

    iframeWindow.addEventListener("load", function() {
        var doc = iframe.contentDocument || iframe.contentWindow.document;
        var target = doc.getElementById("my-target-id");

        target.innerHTML = "Found it!";
    });
});

window.postMessage() developer.mozilla.org/en-US/docs/Web/API/Window/postMessage

Stephen Ostermiller

Same-origin policy

You can't access an <iframe> with different origin using JavaScript, it would be a huge security flaw if you could do it. For the same-origin policy browsers block scripts trying to access a frame with a different origin.

Origin is considered different if at least one of the following parts of the address isn't maintained:

protocol://hostname:port/...

Protocol, hostname and port must be the same of your domain if you want to access a frame.

^{NOTE: Internet Explorer is known to not strictly follow this rule, see here for details.}

Examples

Here's what would happen trying to access the following URLs from http://www.example.com/home/index.html

URL                                             RESULT
http://www.example.com/home/other.html       -> Success
http://www.example.com/dir/inner/another.php -> Success
http://www.example.com:80                    -> Success (default port for HTTP)
http://www.example.com:2251                  -> Failure: different port
http://data.example.com/dir/other.html       -> Failure: different hostname
https://www.example.com/home/index.html:80   -> Failure: different protocol
ftp://www.example.com:21                     -> Failure: different protocol & port
https://google.com/search?q=james+bond       -> Failure: different protocol, port & hostname

Workaround

Even though same-origin policy blocks scripts from accessing the content of sites with a different origin, if you own both the pages, you can work around this problem using window.postMessage and its relative message event to send messages between the two pages, like this:

In your main page: const frame = document.getElementById('your-frame-id'); frame.contentWindow.postMessage(/*any variable or object here*/, 'http://your-second-site.example'); The second argument to postMessage() can be '*' to indicate no preference about the origin of the destination. A target origin should always be provided when possible, to avoid disclosing the data you send to any other site.

In your (contained in the main page): window.addEventListener('message', event => { // IMPORTANT: check the origin of the data! if (event.origin.startsWith('http://your-first-site.example')) { // The data was sent from your site. // Data sent with postMessage is stored in event.data: console.log(event.data); } else { // The data was NOT sent from your site! // Be careful! Do not use it. This else branch is // here just for clarity, you usually shouldn't need it. return; } }); </p> <p class="mb-0 text-dark "> This method can be applied in <strong>both directions</strong>, creating a listener in the main page too, and receiving responses from the frame. The same logic can also be implemented in pop-ups and basically any new window generated by the main page (e.g. using <a href="https://developer.mozilla.org/en-US/docs/Web/API/Window/open" rel="noreferrer"><code>window.open()</code></a>) as well, without any difference. </p> <p class="mb-0 text-dark "> Disabling same-origin policy in your browser </p> <p class="mb-0 text-dark "> There already are some good answers about this topic (I just found them googling), so, for the browsers where this is possible, I'll link the relative answer. However, please remember that disabling the same-origin policy will only affect your browser. Also, running a browser with same-origin security settings disabled grants any website access to cross-origin resources, so it's very unsafe and should NEVER be done if you do not know exactly what you are doing (e.g. development purposes). </p> <p class="mb-0 text-dark "> Google Chrome </p> <p class="mb-0 text-dark "> Mozilla Firefox </p> <p class="mb-0 text-dark "> Safari </p> <p class="mb-0 text-dark "> Opera: same as Chrome </p> <p class="mb-0 text-dark "> Microsoft Edge: same as Chrome </p> <p class="mb-0 text-dark "> Brave: same as Chrome </p> <p class="mb-0 text-dark "> Microsoft Edge (old non-Chromium version): not possible </p> <p class="mb-0 text-dark "> Microsoft Internet Explorer </p> <hr class="my-4"> <div> <div class="comment"> <div class="p-3 mb-2 bg-light border rounded"> Any other answer I've found <a href="http://stackoverflow.com/a/22413275">1</a>, <a href="http://stackoverflow.com/a/23363050">2</a>, suggests that CORS/<code>Access-Control-Allow-Origin</code> does not apply to iFrames, only to <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS" rel="nofollow noreferrer">XHRs, Fonts, WebGL and <code>canvas.drawImage</code></a>. I believe <code>postMessage</code> is the only option. </div> <div class="p-3 mb-2 bg-light border rounded"> @ccppjava you don't need the ===, you already know that the variable type it's a string, so === is useless here. </div> <div class="p-3 mb-2 bg-light border rounded"> @SabaAhang just check for the <code>iframe.src</code>, and if the site it's different from your domain's hostname then you can't access that frame. </div> <div class="p-3 mb-2 bg-light border rounded"> @user2568374 <b>that's a terrible idea</b>. If you check for <code>event.origin.indexOf(location.ancestorOrigins[0])</code> you are basically allowing any parent frame to access your frame, and as you can imagine, that's a very bad idea. </div> <div class="p-3 mb-2 bg-light border rounded"> @user2568374 <code>location.ancestorOrigins[0]</code> is the location of the parent frame. If your frame is running inside <i>another site</i> and you check using <code>event.origin.indexOf(location.ancestorOrigins[0])</code> you are checking if the origin of the event contains the parent's frame address, <b>which is always going to be <code>true</code></b>, therefore you are allowing <i>any parent</i> with <i>any origin</i> to access your frame, and this is obviously not something you want to do. Moreover, <code>document.referrer</code> is bad practice too, as I already explained in the comments above. </div> </div> </div> </div> </div> </div> </div> </div> <div class="d-flex mb-4"> <div><span class="avatar avatar-md avatar-success"> <span class="avatar-initials rounded-circle">G</span> </span></div> <div class=" ms-3 w-100"> <small>Geert</small> <div class="d-flex w-100">  <div class="card mt-2 rounded bg-light w-100"> <div class="card-body p-3"> <p class="mb-0 text-dark "> Complementing Marco Bonelli's answer: the best current way of interacting between frames/iframes is using <a href="https://developer.mozilla.org/en-US/docs/Web/API/Window.postMessage" rel="noreferrer"><code>window.postMessage</code></a>, <a href="http://caniuse.com/#feat=x-doc-messaging" rel="noreferrer">supported by all browsers</a> </p> <hr class="my-4"> <div> <div class="comment"> <div class="p-3 mb-2 bg-light border rounded"> window.postMessage we can use only if we can able to access both parent(our HTML page) and children element(other domain iframe).Otherwise "THERE IS NO POSSIBILITY", it will always throws an error "Uncaught DOMException: Blocked a frame with origin "<<a href="http://yourdomainname.com" rel="nofollow noreferrer">yourdomainname.com</a>>" from accessing a cross-origin frame." </div> </div> </div> </div> </div> </div> </div> </div> <div class="d-flex mb-4"> <div><span class="avatar avatar-md avatar-success"> <span class="avatar-initials rounded-circle">S</span> </span></div> <div class=" ms-3 w-100"> <small>Stephen Ostermiller</small> <div class="d-flex w-100">  <div class="card mt-2 rounded bg-light w-100"> <div class="card-body p-3"> <p class="mb-0 text-dark "> Check the domain's web server for <code>http://www.example.com</code> configuration for <code>X-Frame-Options</code> It is a security feature designed to prevent clickJacking attacks, </p> <p class="mb-0 text-dark "> How Does clickJacking work? </p> <p class="mb-0 text-dark "> The evil page looks exactly like the victim page. Then it tricked users to enter their username and password. </p> <p class="mb-0 text-dark "> Technically the evil has an <code>iframe</code> with the source to the victim page. </p> <pre class="mb-0 bg-dark text-white p-2 text-break" style="white-space: pre-wrap; "><code><html> <iframe src='victim-domain.example'/> <input id="username" type="text" style="display: none;"/> <input id="password" type="text" style="display: none;"/> <script> //some JS code that click jacking the user username and input from inside the iframe... <script/> <html> </code></pre> <p class="mb-0 text-dark "> How the security feature work </p> <p class="mb-0 text-dark "> If you want to prevent web server request to be rendered within an <code>iframe</code> add the <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options" rel="nofollow noreferrer">x-frame-options</a> </p> <p class="mb-0 text-dark "> X-Frame-Options DENY </p> <p class="mb-0 text-dark "> The options are: </p> <p class="mb-0 text-dark "> SAMEORIGIN: allow only to my own domain render my HTML inside an iframe. DENY: do not allow my HTML to be rendered inside any iframe ALLOW-FROM https://example.com/: allow specific domain to render my HTML inside an iframe </p> <p class="mb-0 text-dark "> This is IIS config example: </p> <pre class="mb-0 bg-dark text-white p-2 text-break" style="white-space: pre-wrap; "><code> <httpProtocol> <customHeaders> <add name="X-Frame-Options" value="SAMEORIGIN" /> </customHeaders> </httpProtocol> </code></pre> <p class="mb-0 text-dark "> The solution to the question </p> <p class="mb-0 text-dark "> If the web server activated the security feature it may cause a client-side SecurityError as it should. </p> <hr class="my-4"> <div> <div class="comment"> <div class="p-3 mb-2 bg-light border rounded"> I don't think that X-Frame-Options applies here - X-Frame-Options defined by the guest (embedded) page can cause the parent to refuse to load the page, but as far as I know it doesn't affect javascript access - even with X-Frame-Options: *, I don't think you'll be able to access the DOM of a different origin guest page with javascript </div> <div class="p-3 mb-2 bg-light border rounded"> This answer didn't actually answered the question, the question didn't ask if this was safe or not. </div> </div> </div> </div> </div> </div> </div> </div> <div class="d-flex mb-4"> <div><span class="avatar avatar-md avatar-success"> <span class="avatar-initials rounded-circle">Y</span> </span></div> <div class=" ms-3 w-100"> <small>Yakir Manor</small> <div class="d-flex w-100">  <div class="card mt-2 rounded bg-light w-100"> <div class="card-body p-3"> <p class="mb-0 text-dark "> For me i wanted to implement a 2-way handshake, meaning: - the parent window will load faster then the iframe - the iframe should talk to the parent window as soon as its ready - the parent is ready to receive the iframe message and replay </p> <p class="mb-0 text-dark "> this code is used to set white label in the iframe using <a href="https://css-tricks.com/difference-between-types-of-css-variables/" rel="noreferrer">[CSS custom property]</a><br> code:<br> <strong>iframe</strong> </p> <pre class="mb-0 bg-dark text-white p-2 text-break" style="white-space: pre-wrap; "><code>$(function() { window.onload = function() { // create listener function receiveMessage(e) { document.documentElement.style.setProperty('--header_bg', e.data.wl.header_bg); document.documentElement.style.setProperty('--header_text', e.data.wl.header_text); document.documentElement.style.setProperty('--button_bg', e.data.wl.button_bg); //alert(e.data.data.header_bg); } window.addEventListener('message', receiveMessage); // call parent parent.postMessage("GetWhiteLabel","*"); } }); </code></pre> <p class="mb-0 text-dark "> parent </p> <pre class="mb-0 bg-dark text-white p-2 text-break" style="white-space: pre-wrap; "><code>$(function() { // create listener var eventMethod = window.addEventListener ? "addEventListener" : "attachEvent"; var eventer = window[eventMethod]; var messageEvent = eventMethod == "attachEvent" ? "onmessage" : "message"; eventer(messageEvent, function (e) { // replay to child (iframe) document.getElementById('wrapper-iframe').contentWindow.postMessage( { event_id: 'white_label_message', wl: { header_bg: $('#Header').css('background-color'), header_text: $('#Header .HoverMenu a').css('color'), button_bg: $('#Header .HoverMenu a').css('background-color') } }, '*' ); }, false); }); </code></pre> <p class="mb-0 text-dark "> naturally you can limit the origins and the text, this is easy-to-work-with code<br> i found this examlpe to be helpful:<br> <a href="http://blog.teamtreehouse.com/cross-domain-messaging-with-postmessage" rel="noreferrer">[Cross-Domain Messaging With postMessage]</a> </p> <hr class="my-4"> <div> <div class="comment"> <div class="p-3 mb-2 bg-light border rounded"> i'm dealing with an issue with safari where document in iframe is executing its JS later than parent page which causes the message to be sent earlier than document in iframe is listening to messages; which is exactly opposite from what chrome and firefox do - have you tested your code in safari on ios? btw postMessage with second parameter of value "*" is not quite safe, you should always specify domain </div> <div class="p-3 mb-2 bg-light border rounded"> Your first block of code, is that on the iframe in the parent or is it on the page that gets loaded into the iframe ? </div> </div> </div> </div> </div> </div> </div> </div> <div class="d-flex mb-4"> <div><span class="avatar avatar-md avatar-success"> <span class="avatar-initials rounded-circle">S</span> </span></div> <div class=" ms-3 w-100"> <small>Stephen Ostermiller</small> <div class="d-flex w-100">  <div class="card mt-2 rounded bg-light w-100"> <div class="card-body p-3"> <p class="mb-0 text-dark "> There is a workaround, actually, for specific scenarios. </p> <p class="mb-0 text-dark "> If you have two processes running on the same domain but different ports, the two Windows can interact without limitations. (i.e. <code>localhost:3000</code> & <code>localhost:2000</code>). To make this work, each window needs to change their domain to the shared origin: </p> <pre class="mb-0 bg-dark text-white p-2 text-break" style="white-space: pre-wrap; "><code>document.domain = 'localhost' </code></pre> <p class="mb-0 text-dark "> This also works in the scenario that you are working with different subdomains on the same second-level domain, i.e. you are on <code>john.site.example</code> trying to access <code>peter.site.example</code> or just <code>site.example</code> </p> <pre class="mb-0 bg-dark text-white p-2 text-break" style="white-space: pre-wrap; "><code>document.domain = 'site.example' </code></pre> <p class="mb-0 text-dark "> By explicitily setting <code>document.domain</code>; the browser will ignore the hostname difference and the Windows can be treated as coming from the 'same-origin'. Now, in a parent window, you can reach into the iframe: <code>frame.contentWindow.document.body.classList.add('happyDev')</code> </p> <hr class="my-4"> <div> <div class="comment"> <div class="p-3 mb-2 bg-light border rounded"> Chrome will disable modifying document.domain from version 106. See <a href="https://developer.chrome.com/blog/immutable-document-domain/" rel="nofollow noreferrer">developer.chrome.com/blog/immutable-document-domain</a> </div> </div> </div> </div> </div> </div> </div> </div> <div class="d-flex mb-4"> <div><span class="avatar avatar-md avatar-success"> <span class="avatar-initials rounded-circle">s</span> </span></div> <div class=" ms-3 w-100"> <small>ssp</small> <div class="d-flex w-100">  <div class="card mt-2 rounded bg-light w-100"> <div class="card-body p-3"> <p class="mb-0 text-dark "> I would like to add Java Spring specific configuration that can effect on this. </p> <p class="mb-0 text-dark "> In Web site or Gateway application there is a contentSecurityPolicy setting </p> <p class="mb-0 text-dark "> in Spring you can find implementation of WebSecurityConfigurerAdapter sub class </p> <pre class="mb-0 bg-dark text-white p-2 text-break" style="white-space: pre-wrap; "><code>contentSecurityPolicy(" script-src 'self' [URLDomain]/scripts ; style-src 'self' [URLDomain]/styles; frame-src 'self' [URLDomain]/frameUrl... </code></pre> <p class="mb-0 text-dark "> ... </p> <pre class="mb-0 bg-dark text-white p-2 text-break" style="white-space: pre-wrap; "><code>.referrerPolicy(ReferrerPolicyHeaderWriter.ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN) </code></pre> <p class="mb-0 text-dark "> Browser will be blocked if you have not define safe external contenet here. </p> <hr class="my-4"> <div> </div> </div> </div> </div> </div> </div> <div class="d-flex mb-4"> <div><span class="avatar avatar-md avatar-success"> <span class="avatar-initials rounded-circle">Z</span> </span></div> <div class=" ms-3 w-100"> <small>Zhanwen Chen</small> <div class="d-flex w-100">  <div class="card mt-2 rounded bg-light w-100"> <div class="card-body p-3"> <p class="mb-0 text-dark "> If you have control over the content of the iframe - that is, if it is merely loaded in a cross-origin setup such as on Amazon Mechanical Turk - you can circumvent this problem with the <code><body onload='my_func(my_arg)'></code> attribute for the inner html. </p> <p class="mb-0 text-dark "> For example, for the inner html, use the <code>this</code> html parameter (yes - <code>this</code> is defined and it refers to the parent window of the inner body element): </p> <p class="mb-0 text-dark "> <code><body onload='changeForm(this)'></code> </p> <p class="mb-0 text-dark "> In the inner html : </p> <pre class="mb-0 bg-dark text-white p-2 text-break" style="white-space: pre-wrap; "><code> function changeForm(window) { console.log('inner window loaded: do whatever you want with the inner html'); window.document.getElementById('mturk_form').style.display = 'none'; </script> </code></pre> <hr class="my-4"> <div> </div> </div> </div> </div> </div> </div> <div class="d-flex mb-4"> <div><span class="avatar avatar-md avatar-success"> <span class="avatar-initials rounded-circle">N</span> </span></div> <div class=" ms-3 w-100"> <small>Nick K9</small> <div class="d-flex w-100">  <div class="card mt-2 rounded bg-light w-100"> <div class="card-body p-3"> <p class="mb-0 text-dark "> I experienced this error when trying to embed an iframe and then opening the site with Brave. The error went away when I changed to "Shields Down" for the site in question. Obviously, this is not a full solution, since anyone else visiting the site with Brave will run into the same issue. To actually resolve it I would need to do one of the other things listed on this page. But at least I now know where the problem lies. </p> <hr class="my-4"> <div> </div> </div> </div> </div> </div> </div> <div class="d-flex mb-4"> <div><span class="avatar avatar-md avatar-success"> <span class="avatar-initials rounded-circle">A</span> </span></div> <div class=" ms-3 w-100"> <small>Amsakanna</small> <div class="d-flex w-100">  <div class="card mt-2 rounded bg-light w-100"> <div class="card-body p-3"> <p class="mb-0 text-dark "> Open the start menu </p> <p class="mb-0 text-dark "> Type windows+R or open "Run </p> <p class="mb-0 text-dark "> Execute the following command. </p> <p class="mb-0 text-dark "> <code>chrome.exe --user-data-dir="C://Chrome dev session" --disable-web-security</code> </p> <hr class="my-4"> <div> <div class="comment"> <div class="p-3 mb-2 bg-light border rounded"> Terrible for anything that is not a quick and dirty test … and already address in the accepted answer. </div> <div class="p-3 mb-2 bg-light border rounded"> Even with the command, it doesn´t work because Chrome avoids disabling the web security this way </div> </div> </div> </div> </div> </div> </div> </div> </p> </div> </div> <div class="col-xl-3"> <div class="d-flex flex-row justify-content-start align-items-center bg-light mb-3 mt-8 py-2 rounded"> <div class="flex-fill"> <span class="avatar avatar-xl "> <img src='https://huntsbot-hz-assets.oss-cn-hangzhou.aliyuncs.com/huntsbot/assets/images/brand/qrcode_for_gh.jpg?t=20230125' class="rounded w-100 mx-2" alt="关注公众号,不定期副业成功案例分享"/> </span> </div> <div class="flex-fill text-left"> <div class="mx-1"> <h5 class="mb-2 mt-3 ">Follow WeChat</h5> <p>Success story sharing</p> </div> </div> </div> <div class="card card-bordered mb-0 card-hover cursor-pointer"> <div class="card-body"> <h4 class="py-2"> Want to <span class="text-danger">stay one step ahead</span> of the latest teleworks? </h4> <a type="button" class="btn btn-sm btn-outline-primary rounded-pill w-100" href="/admin/payments.html" >Subscribe Now</a> </div> </div> <div class="mt-2 cursor-pointer"> <script async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=ca-pub-8339074668991438" crossorigin="anonymous"></script>  <ins class="adsbygoogle" style="display:block" data-ad-client="ca-pub-8339074668991438" data-ad-slot="7889891166" data-ad-format="auto" data-full-width-responsive="true"></ins> <script> (adsbygoogle = window.adsbygoogle || []).push({}); </script> </div> <div class="card mb-4 mt-4 border"> <div>  <div class="card-header"> <h4 class="mb-0">相似问题</h4> </div> <ul class="list-group list-group-flush"> <li class="list-group-item bg-transparent"> <a href="/qa/ZPWlx">Chrome Extension - Uncaught DOMException: Blocked a frame with origin from accessing a cross-origin frame</a> </li> <li class="list-group-item bg-transparent"> <a href="/qa/9oX7a">Blocked a frame with origin "file://" from accessing a cross-origin frame</a> </li> </ul> </div> </div> </div> </div> </div> </div>  <div class="pt-lg-5 pt-3 footer bg-white"> <div class="container"> <div class="row"> <div class="col-lg-4 col-md-6 col-12"> <div class="mb-4"> <img src='https://huntsbot-hz-assets.oss-cn-hangzhou.aliyuncs.com/huntsbot/assets/images/brand/logo/logo.png?t=20230125' style="width:30%"> <div class="mt-4"> <p> HuntsBot,a one-stop outsourcing task, remote job, product ideas sharing and subscription platform, which supports DingTalk, Lark, WeCom, Email and Telegram robot subscription. The platform will push outsourcing task requirements, remote work opportunities, product ideas to every subscribed user with timely, stable and reliable. </p> <div class="fs-4 mt-4"> <div class="btn-group dropup"> <button type="button" class="btn btn-primary dropdown-toggle fe fe-globe " data-bs-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> English </button> <div class="dropdown-menu"> <a class="dropdown-item" href="https://www.huntsbot.com/qa/6Knd?lang=zh_CN"> 简体中文 </a> <a class="dropdown-item" href="https://www.huntsbot.com/qa/6Knd?lang=en_US"> English </a> </div> </div> </div> </div> </div> </div> <div class="offset-lg-1 col-lg-2 col-md-3 col-6 hidden-less750"> <div class="mb-4"> <h3 class="fw-bold mb-3"> Platform </h3> <ul class="list-unstyled nav nav-footer flex-column nav-x-0"> <li> <a href="/telework.html" class="nav-link"> Outsource </a> </li> <li> <a href="/remote-job.html" class="nav-link"> Remote Job </a> </li> <li> <a href="/products.html" class="nav-link"> Products </a> </li> <li> <a href="/weekly.html" class="nav-link"> Newsletter </a> </li> <li> <a href="/pages/price.html" class="nav-link"> Pricing </a> </li> </ul> </div> </div> <div class="col-lg-2 col-md-3 col-6 hidden-less750"> <div class="mb-4"> <h3 class="fw-bold mb-3"> Support </h3> <ul class="list-unstyled nav nav-footer flex-column nav-x-0"> <li> <a href="/pages/about.html" class="nav-link"> About </a> </li> <li> <a href="/pages/faq.html" class="nav-link"> Frequently Asked Questions </a> </li> <li> <a href="/pages/faq.html" class="nav-link"> How to subscribe </a> </li> </ul> <h3 class="fw-bold my-3"> Links </h3> <ul class="list-unstyled nav nav-footer flex-column nav-x-0"> <li> <a href="https://tlr.xinbeitime.com/" class="nav-link" target="_blank"> 网球实时排名 </a> </li> <li> <a href="https://snapvideotools.com/" class="nav-link" target="_blank"> SnapVideoTools </a> </li> <li> <a href="https://tennisliveranking.com/" class="nav-link" target="_blank"> ATP/WTA/ITF Live Ranking </a> </li> </ul> </div> </div> <div class="col-lg-3 col-md-12 hidden-less750">  <div class="mb-4"> <h3 class="fw-bold mb-3"> Contact US </h3> <p> Any questions or suggestions during use, you can contact us in the following ways: </p> <p> Email: <a href="mailto:huntsbot@xinbeitime.com"> huntsbot@xinbeitime.com </a> </p> </div> </div> </div> <div class="row align-items-center g-0 border-top py-2 mt-6">  <div class="col-lg-8 col-md-7 col-12"> <span class="fs-5"> Copyright© 2022-2023 www.huntsbot.com <a href="https://beian.miit.gov.cn/" rel="noindex,nofollow" target="_blank" class="text-reset">浙ICP备2022000860号-4</a> All Rights Reserved. </span> </div>  <div class="col-lg-4 col-md-5 col-12 d-md-flex justify-content-end hidden-less750"> <nav class="nav nav-footer"> <a class="nav-link ps-0" href="/pages/disclaimer.html" target="_blank"> Disclaimer </a> <a class="nav-link px-2 px-md-3" href="/pages/privacy_policy.html" target="_blank"> Privacy Policy </a> <a class="nav-link px-2 px-md-3" href="/pages/terms_of_ervice.html" target="_blank"> Terms of Service </a> </nav> </div> </div> </div> </div>  <div class="modal fade" id="showQrCodeModel" tabindex="-1" role="dialog" aria-labelledby="exampleModalLabel" aria-hidden="true"> <div class="modal-dialog modal-sm" role="document"> <div class="modal-content "> <div class="modal-header"> <h5 class="modal-title " id="exampleModalLabel">微信公众号</h5> <button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="Close"> </button> </div> <div class="modal-body"> <img src='https://huntsbot-hz-assets.oss-cn-hangzhou.aliyuncs.com/huntsbot/assets/images/brand/qrcode_for_gh.jpg?t=20230125' class="rounded w-100" title="火星来客微信公众号" alt="火星来客微信公众号"> </div> </div> </div> </div> <div class="modal fade" id="modal-alert" tabindex="-1" role="dialog" aria-hidden="true"> <div class="modal-dialog modal-dialog-centered " role="document"> <div class="modal-content"> <div class="modal-header"> <h5 class="modal-title" id="modal-alert-title" >Tips</h5> <button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="Close"></button> </div> <div class="modal-body" id="modal-alert-body"> </div> </div> </div> </div> <button type="button" class="btn btn-primary" data-bs-toggle="modal" data-bs-target="#modal-alert" style="display:none" id="btn-common-alert"></button> <div class="modal fade" id="model-confirm" tabindex="-1" role="dialog" aria-hidden="true"> <div class="modal-dialog modal-dialog-centered modal-sm" role="document"> <div class="modal-content"> <div class="modal-body" id="modal-confirm-body"></div> <div class="modal-footer"> <button type="button" class="btn btn-secondary btn-sm" data-bs-dismiss="modal">No</button> <button type="button" class="btn btn-primary btn-sm" id="btn-confirm-yes" btn-type="ajaxButton">Yes</button> </div> </div> </div> </div> <button type="button" class="btn btn-primary" data-bs-toggle="modal" data-bs-target="#model-confirm" style="display:none" id="btn-common-confirm" ></button> <script > function alertError(message){ alertError(message,"Tips"); } function alertError(message,title){ if(title){ $("#modal-alert-title").html(title); } $("#modal-alert-body").html(message); $("#btn-common-alert").trigger("click"); } function confirmDialog(confirmMessage,actionUrl,actionSuccessMsg){ $("#modal-confirm-body").html(confirmMessage); $("#btn-confirm-yes").attr("data-url",actionUrl); $("#btn-confirm-yes").attr("data-message",actionSuccessMsg); $("#btn-common-confirm").trigger("click"); } </script>   <script src='https://huntsbot-hz-assets.oss-cn-hangzhou.aliyuncs.com/huntsbot/assets/libs/jquery/dist/jquery.min.js?t=20230125'></script> <script src='https://huntsbot-hz-assets.oss-cn-hangzhou.aliyuncs.com/huntsbot/assets/libs/bootstrap/dist/js/bootstrap.bundle.min.js?t=20230125'></script> <script src='https://huntsbot-hz-assets.oss-cn-hangzhou.aliyuncs.com/huntsbot/assets/libs/bootstrap-select/dist/js/bootstrap-select.min.js?t=20230125'></script> <script src='https://huntsbot-hz-assets.oss-cn-hangzhou.aliyuncs.com/huntsbot/assets/libs/jquery.form/jquery.form.js?t=20230125'></script> <script src='https://huntsbot-hz-assets.oss-cn-hangzhou.aliyuncs.com/huntsbot/assets/js/custom.js?t=20230125'></script> <script> var _hmt = _hmt || []; (function() { var hm = document.createElement("script"); hm.src = "https://hm.baidu.com/hm.js?b25fc3fcffc44e8dff36dde049b4ebc1"; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(hm, s); })(); </script> <script type="text/javascript"> (function(c,l,a,r,i,t,y){ c[a]=c[a]||function(){(c[a].q=c[a].q||[]).push(arguments)}; t=l.createElement(r);t.async=1;t.src="https://www.clarity.ms/tag/"+i; y=l.getElementsByTagName(r)[0];y.parentNode.insertBefore(t,y); })(window, document, "clarity", "script", "fco75ff5x7"); </script>  <script async src="https://www.googletagmanager.com/gtag/js?id=G-BTLS35QW08"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-BTLS35QW08'); </script> <script> (function(){ var el = document.createElement("script"); el.src = "https://lf1-cdn-tos.bytegoofy.com/goofy/ttzz/push.js?a01aa87a04ac652b13258f439e7407fed09ba9bea51f9e0f26ab91ccc91c1924bc434964556b7d7129e9b750ed197d397efd7b0c6c715c1701396e1af40cec962b8d7c8c6655c9b00211740aa8a98e2e"; el.id = "ttzz"; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(el, s); })(window) </script> </body> </html>