Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.

Embedding the CHILI Editor and communicating using JavaScript is a trivial thing to set up.

But However, when the embedded editor is loaded from a different domain (or even sub-domain), there are security limitations to what the browsers will allow. This is due to same-origin policy, which blocks JavaScript between <iframe> and the window unless the domthey have the same origin.

You can solve all these problems by utilizing the PublisherConnector library. Please see:



CHILI publisher Online does not support REST API calls from client browser to your environment. Typically, this is called an AJAX request. Trying to do this from the client browser will cause a cross-origin resource sharing preflight request. If the origin is not the same, the request will fail, and so will your AJAX request.

This means all REST API calls must be routed from the client server to a backend system and then to CHILI.

There are security reasons why this behavior is not currently supported.

There are three possibilities here:

1: The portal and CHILI are hosted on the same full domain (as different sub-applications/folders)

For example:


In this case, there is no issue at all. However, but this is not possible with CHILI publish Online without having a reverse proxy. We do not officially support reverse proxies.

2. The portal and CHILI are hosted on the same main domain, but different sub-domains

For example:


In this case, a workaround exists (see lower), to allow cross-frame should use PublisherConnector.

3. The portal and CHILI are hosted on completely different domains

For example:


In this case, cross-frame scripting is only possible by setting up a URL forwarding rule (see lower)you should use PublisherConnector.



For the situations listed above, you should use the PublisherConnector library. This library uses postMessage() to allow communication between the window and the <iframe>. However, below we list two historical solutions. Keep in mind that these solutions are not officially supported.

Working on different sub-domains

titleClick to see this content


The document.domain setting has been listed by Monzilla as deprecated. It is strongly suggested you do not use this solution. If you wish to use a sub-domain, we suggest using the PublisherConnector library to communicate with the <iframe>.

There are possibilities for communication when both pages are on different sub-domains:

To allow access across sub-domains (browser version permitting), you'll need to follow some additional steps. Both pages need to execute the following javascript:

Code Block
document.domain = '';

In your own page you can of course add this yourself. As for the "editor.aspx" page, you can append the domain to be set using a "d" argument in the querystring.
For example:

Code Block
        string res =, docID, wsID,vpID,cID, chkViewer.Checked,chkAnonymous.Checked);
        XmlDocument resXml = new XmlDocument();

        string url = resXml.DocumentElement.GetAttribute("url");
        url += "&";

The document.domain value will be set to the value of this querystring argument.

URL Forwarding

titleClick to see this content


CHILI does not officially support setting up a proxy both in support and in functionality. There are some security reasons a solution might consider a proxy. However, it strongly suggested to avoid this method unless 100% necessary.

As the limitations on security are client-based (within the local browser), you can get around them by providing the client with a single domain (even though internally the portal and CHILI are hosted on different servers/domains).

 Essentially, you will set up a sub-directory of your main URL (the one your users log in to), which gets resolved on your network (or that of your service provider) to the URL of CHILI. For example:

User logs in to:

This portal needs to connect to CHILI on:

To allow JavaScript communication across iframes, you set up a URL forwarding rule to (internally)  rewrite:

Now, CHILI (and the url you can use in iframes) is available on the domain.

See Reverse Proxy on Apache for a sample configuration for Apache

See Reverse Proxy on NGINX for a sample configuration for NGINX

See Reverse Proxy setup for IIS for WIndows webservers