Direct Javascript calls between frames and/or windows are only allowed if they conform to the same-origin policy. If your window and iframe share a common parent domain you can set document.domainto "domain lower") one or both such that they can communicate. Otherwise you'll need to look into something like the postMessage() API.

框架和/或窗口之间的直接 Javascript 调用只有在符合同源策略时才被允许。如果您的窗口和 iframe 共享一个共同的父域，您可以将其中一个或两个设置document.domain为“域较低”，以便它们可以进行通信。否则，您将需要查看类似postMessage() API 的内容。

This is a security update. If an attacker can modify some file in the web server (the JS one, for example), he can make every loaded pages to download another script (for example to keylog your password or steal your SessionID and send it to his own server).

这是一个安全更新。如果攻击者可以修改 Web 服务器中的某些文件（例如 JS 文件），他可以使每个加载的页面下载另一个脚本（例如，键入您的密码或窃取您的 SessionID 并将其发送到他自己的服务器）。

To avoid it, the browser check the Same-origin policy

为了避免它，浏览器检查同源策略

Your problem is that the browser is trying to load something with your script (with an Ajax request) that is on another domain (or subdomain). To avoid it (if it is on your own website) you can:

您的问题是浏览器正在尝试使用位于另一个域（或子域）上的脚本（使用 Ajax 请求）加载某些内容。为了避免它（如果它在您自己的网站上），您可以：

• Copy the element on your own server (but it will be static).
• You can change your HTTP header to accept Cross-Origin content. See the Access-Control-Allow-Origin documentationfor more information.

• 在您自己的服务器上复制元素（但它将是静态的）。
• 您可以更改 HTTP 标头以接受跨域内容。有关更多信息，请参阅Access-Control-Allow-Origin 文档。