本地html+js进行调试的时候, 我们会面临一个安全策略问题, 也就是你不能用js拿到iframe里面的内容.

Cross origin security error although the iframe is on the same domain, 这个需要把服务器搭起来, 本地文件, 不许乱掉内容. 这也是安全策略, 防止本地漏洞. 比如病毒什么的.

Stack Overflow大神的回答: https://stackoverflow.com/questions/25098021/securityerror-blocked-a-frame-with-origin-from-accessing-a-cross-origin-frame

Same-origin security policy

You can't access an <iframe> with Javascript, it would be a huge security flaw if you could do it. For the same-origin policy browsers block scripts trying to access a frame with a different origin.

Origin is considered different if at least one of the following parts of the address isn't maintained:

<protocol>://<hostname>:<port>/path/to/page.html 
Protocol, hostname and port must be the same of your domain, if you want to access a frame.

所以, 解决方案就是弄个静态服务, node做这事还是很靠谱的, connect库就可以, 参考隔壁文章