
Internet Explorer 6 & 7 document.domain bug

Disclaimer: I'm not sure whether this is a bug discovery (I couldn't find anything that resembled it after a couple of minutes of googling) or a super silly security restriction.

I've been coding some JavaScript AJAX code that inserts an iframe, inserts a form into the created iframe, and submits the form to a (cross-domain) server. This is an old cross-domain AJAX technique by now, but while implementing it I came across this ridiculously annoying bug in IE. The line in red below (the contentWindow.document access inside the try block) will result in an "Access Denied" exception being thrown... again, only in IE. Tried this with IE6 under WinXP Media Center Edition SP2, IE7 under WinXP Home Edition SP2, and IE7 Windows Vista Home. Needless to say... it works just fine in Firefox.

  <script type="text/javascript">
    document.domain = 'waelchatila.com';
    var new_html = '<iframe id="frm" name="frm" src="http://waelchatila.com"></iframe>';
    document.body.innerHTML += new_html;
    try {
      // This access throws "Access Denied" in IE6/7
      var iframe_doc = document.getElementById("frm").contentWindow.document;
    } catch (e) {
      alert(e);
    }
  </script>

Try it by clicking the button below.

This page should be served off of http://waelchatila.com. As you can see, document.domain is explicitly set to the domain the page was served from. The iframe src is also from the same server. I've tried a whole variety of variations, none of them demonstrated here but all tested:

  • iframe's document.domain = 'waelchatila.com';
  • iframe src is empty
  • iframe src is "javascript:false"
There should be no problem accessing the iframe's content in either case.

Now, if the document.domain = 'waelchatila.com'; line is removed, it works. In order for this to work, you'll need to reload this page if you clicked the previous button since document.domain has now already been assigned.

The same result presents itself if the iframe is created with document.createElement('iframe') and document.appendChild(...).

I've yet to find a workaround for this issue. I'll be posting another entry if I find out how. Please let me know if you know of one!




Re: Internet Explorer 6 & 7 document.domain bug

This is a feature in IE7 - cross-domain access is completely disabled

Re: Internet Explorer 6 & 7 document.domain bug

In this case it's the same domain (waelchatila.com). There's something else going on.

Re: Internet Explorer 6 & 7 document.domain bug

For newer versions of IE, if you decide to set document.domain in one of the pages, you will have to do the same for all the other pages you wish to communicate from/to the page.

Re: Internet Explorer 6 & 7 document.domain bug

Yep, I'm aware of that. Have tried it as well.

Re: Internet Explorer 6 & 7 document.domain bug

Hi, I'm facing the same issue. Did you find any solution ?

Re: Internet Explorer 6 & 7 document.domain bug

unfortunately not

Re: Internet Explorer 6 & 7 document.domain bug

http://msdn.microsoft.com/en-us/library/ms533028(VS.85).aspx fyi~

Re: Internet Explorer 6 & 7 document.domain bug

I am also facing the same issue. Has anyone found it?

Re: Internet Explorer 6 & 7 document.domain bug

Apparently, once you set document.domain you have to wait until any child iframes are loaded until you can communicate with them.

Re: Internet Explorer 6 & 7 document.domain bug

Has anyone resolved this issue? No issues in Firefox, but IE6/7 are throwing the access denied errors.

Re: Internet Explorer 6 & 7 document.domain bug

I've run into the same issue, and I got around it this way... Rather than writing content to the iframe, just leave it empty and set the target of the form to the iframe. I can confirm that this works in IE 6/7, Firefox 2/3, Safari 3, and Opera 9. It's a bit tricky because IE 6/7 won't let you add the "name" attribute to the frame with JavaScript (and you need it in order to target it). In truth, you can add it, but you have to do it when you initially create the iframe element (this is the same bug that input elements have). More details here: http://terminalapp.net/submitting-a-form-with-target-set-to-a-script-generated-iframe-on-ie/

Re: Internet Explorer 6 & 7 document.domain bug

For me both buttons work even on 1st try with IE7. I haven't verified this but I read in another blog the following: "Even if you use the clever JavaScript "document.domain" to change the domain of all frames involved in the page, you must either add ALL or NONE of the specific URLs to the Trusted Sites in IE. In other words, this technique works flawlessly and universally in Firefox, but if you have, for example, a parent page coming from x.company.com, and an IFRAME containing a page from y.company.com that are trying to share content, and x.company.com is in your Trusted Sites (but NOT y.company.com), you get a Permission Denied error."

Re: Internet Explorer 6 & 7 document.domain bug

I noticed recently that this is a race condition. The new iframe (or window) doesn't have its document.domain set prior to when the permission denied error occurs. I was able to work around this by using setInterval to retry until the error no longer occurs. For example, here's some code to create the iframe and retry accessing inside it until it works:

  <script>
    document.domain = 'adp.com';
    var iframe = document.createElement("iframe");
    iframe.src = 'http://test.adp.com/newIframe.html';
    document.body.appendChild(iframe);
  
    var timer = setInterval(resumeCode, 100);
  
    function resumeCode()
    {
      if (iframe.contentWindow.okToResumeParent) {
        clearInterval(timer);
        alert("iframe document body content is: " + iframe.contentWindow.document.body.innerHTML);
      }
    }
  </script>

And here's the HTML inside the iframe:
  <html>
  <head>
    <script>
      document.domain='adp.com';
      var okToResumeParent = true;
    </script>
  </head>
  <body>
    This is the body content of the new iframe.
  </body>
  </html>

Re: Internet Explorer 6 & 7 document.domain bug

Hi! You might want to have a look at similar trouble I had with Opera. Please consider it at http://stackoverflow.com/questions/4113439/focus-with-cross-domain-ajax-in-opera

Re: Internet Explorer 6 & 7 document.domain bug

There are a couple workarounds.
As mentioned above, this is a race condition. While the iframe is being created and loaded, the document.domain is not explicitly set, so any parent document that does have it explicitly set will not be able to communicate with it immediately.
The workaround I use the most often is to point the iframe (or frame, or window) src to a "blank" html page that includes the setting of the document.domain value, plus a callback call to top.parent.loadContent() where the parent (whoever created the iframe) has defined loadContent() and that function reaches into the iframe to access or overwrite it with whatever it wants.
The other workaround is a variation on that mentioned above, to create a setInterval loop that keeps checking to see if the frame is loaded. There is a cross browser hack that'll let you detect if the iframe/frame/window is loaded without reaching into it that looks like this.
  document.domain = "my.domain"; // this is where the problem starts in IE
  var iframe_loaded = false;
  function createIframe() {
    var myframe = document.createElement("iframe");
    myframe.src = "URL to empty html page with document.domain set properly";
    // We have to detect when the empty frame content has loaded
    // Following 5 lines are cross browser compatible.
    if (myframe.attachEvent) {
      myframe.attachEvent("onload", function() { iframeFinish(); });
    } else {
      myframe.onload = function() { iframeFinish(); };
    }
    // Insert the frame into the page so that it starts loading
    document.body.appendChild(myframe);
    return myframe;
  }
  // New method added to HTMLEditor class to set iframe_loaded state
  function iframeFinish() {
    iframe_loaded = true;
  }

Now after you call createIframe() start a setInterval loop that looks for iframe_loaded to be true, before proceeding to the next step that needs to reach into the iframe for some value, or to change its contents.
If you change the iframe's contents, be sure to set the document.domain *every* time or you'll lose contact with it again.
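
Added example (not part of the original post or any comment): a small model of the check behind the race described in the two comments above, following the HTML Standard's "same origin-domain" rule. That IE 6/7 applies the same rule is an assumption consistent with those comments; the helper names and the page.html path are constructed.

```javascript
// Added example: models the HTML Standard's "same origin-domain" check.
// An origin is {scheme, host, port, domain}; domain stays null until a
// page assigns document.domain. Helper names and URLs are constructed.

function makeOrigin(url) {
  const u = new URL(url);
  const port = u.port || (u.protocol === "https:" ? "443" : "80");
  return { scheme: u.protocol, host: u.hostname, port, domain: null };
}

// Effect of `document.domain = value`: allowed only for the current host
// or a parent-domain suffix of it (public-suffix check omitted here).
function setDocumentDomain(origin, value) {
  if (origin.host !== value && !origin.host.endsWith("." + value)) {
    throw new Error("SecurityError: " + value + " is not a suffix of " + origin.host);
  }
  return { ...origin, domain: value };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Script access between two documents is allowed when this returns true.
function sameOriginDomain(a, b) {
  if (a.domain !== null && b.domain !== null) {
    return a.scheme === b.scheme && a.domain === b.domain;
  }
  // Only one side has opted in: denied, even on an identical host.
  if (a.domain !== null || b.domain !== null) return false;
  return sameOrigin(a, b);
}

// Timeline of the race: the parent sets document.domain first, the
// frame's own script sets it only once the frame has loaded.
function raceTimeline() {
  const parent0 = makeOrigin("http://waelchatila.com/page.html");
  const frame0 = makeOrigin("http://waelchatila.com/");
  const parent1 = setDocumentDomain(parent0, "waelchatila.com");
  const frame1 = setDocumentDomain(frame0, "waelchatila.com");
  return {
    neitherSet: sameOriginDomain(parent0, frame0), // document.domain untouched
    parentOnly: sameOriginDomain(parent1, frame0), // frame still loading
    bothSet: sameOriginDomain(parent1, frame1),    // frame script has run
  };
}
```

The parentOnly state is the window in which the "Access Denied" exception appears. The document.domain setter is deprecated in current browsers, where window.postMessage is the supported channel between frames.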

Re: Internet Explorer 6 & 7 document.domain bug

also see comments at http://dev.ckeditor.com/changeset/3269
