I've got a JS error when uploading a new file within the Media Browser on a site where node edit page is using https. This problem goes away when I update the securepages config to remove node/*/edit and node/add/* from the list of secure pages. However I thought I should report it here.

The error I got caused the modal to remain open after I have saved the newly added file. The modal ends with a screen saying 'Document test.txt has been updated.' and remains open, hence I am unable to continue editing the node.

The JS error is:

Error: Permission denied to access property 'document'

Occuring in media.browser.edit.js
on the line:
var $iframe = $('iframe.media-modal-frame', parent.window.document);

It seems it is probably hardcoded in the JS to use http, where it should probably use //. I haven't had a chance to look into this deeper yet.



gmclelland’s picture

victoriachan’s picture


Thanks for checking. Yes it is related to the issue in that comment (the part about SSL, not the large file icon).

As I've mentioned, I did work around this by disabling securepages on the node edit page. Before that I have already disabled securepages on media/* pages, but that didn't help. It was only when I disabled it on node/*/edit and node/add/* that fixed it.

Oh, I forgot to mention that it was all working fine when I was using 7.x-2.x-unstable3 (and had SSL disabled on media/*), but this problem only came up after I updated to 7.x-2.x-unstable7.


ohthehugemanatee’s picture

Noting that I've encountered this problem, too. My whole site is behind SSL, with securepages redirecting everything to a separate, SSL subdomain. Interestingly, the error indicates that it's correctly applying the subdomain... but not correctly applying the protocol.

Chrome's debug pane explains it best:

Unsafe JavaScript attempt to access frame with URL http://secure.foobar.com/media/browser?render=media-popup&fid=229 from frame with URL https://secure.foobar.com/node/add/page. The frame requesting access has a protocol of 'https', the frame being accessed has a protocol of 'http'. Protocols must match.

I'm not clear on where it's getting HTTP from here. The iframe is opened with a relative URL, and the submit handler redirects are also relative URLs. All the JS includes in media.module are relative URLs. Is this possibly a problem with ctools modal?

Somewhere, someone is assuming HTTP.

ohthehugemanatee’s picture

EDIT: The issue appears to be that securepages tries to redirect back to HTTP. If I disable "Switch back to http pages when there are no matches" in Securepages, and make sure the whole process is behind HTTPS, it works fine.

Jaggi’s picture

A better solution is just go to the secure pages config area and under pages add:


this fixed all the issues for me and keeps everything secure.

ohthehugemanatee’s picture

@Jaggi I just ran into this problem again, and that didn't fix the issues for me. I have extra complications on this site with multilingual paths though, so this needs more testing. The easiest solution IMO is just to make a broader blanket rule that ensures the whole process is in HTTPS. In this case I just set all authenticated users to remain in HTTPS.

rleija’s picture

Issue summary:View changes

@Jaggi solution worked for me