Same-Origin Policy (SOP) restricts how a document or script loaded from one origin can interact with a resource from another origin. For example, when Site X tries to fetch content from Site Y in a frame, by default, Site Y's pages are not accessible due to security reasons, it would be a huge security flaw if you could do it.

How to solve?

The window.postMessage() method provides a controlled mechanism to securely circumvent this restriction. The window.postMessage() safely enables cross-origin communication between Window objects; e.g: between a page and an iframe embedded within it.

const frame = document.getElementById('your-frame-id');
frame.contentWindow.postMessage(/*any variable or object here*/, 'http://your-second-site.com');

The window.postMessage is available to JavaScript running in chrome code (e.g., in extensions and privileged code), but the source property of the dispatched event is always null as a security restriction. (The other properties have their expected values.)

Keep in mind that the same-origin policy forbids scripts from accessing the content of websites with other sources, but you can safely enable it by utilizing the window.postMessage() method .

`postMessage(message, targetOrigin)`
`postMessage(message, targetOrigin, [transfer])`

Scripts cannot access frames with different sources in browsers that adhere to the same-origin policy 
The answer is right here, exactly. https://kodlogs.net/195/blocked-a-frame-with-origin-null-from-accessing-a-cross-origin-frame