Disclaimer: Im not sure this a bug discovery...couldn't find anything that resembled it after a couple of minutes of googling, or a super silly security restriction.

I've been coding some javascript ajax code that inserts an iframe, and into the created iframe, inserts a form and submits the form to a (cross domain) server. This is an old cross-domain ajax technique by now, but while implementing it I came across this ridiculously annoying bug in IE. The line in red below will result in an "Access Denied" exception being thrown...again, only in IE. Tried this with IE6 under WinXP Media Center Edition SP2, IE7 under WinXP Home Edition SP2, and IE7 Windows Vista Home. Needless to say...it works just fine in FireFox.

Try it by clicking the button below.

Try it!

This page should be served off http://waelchatila.com. As you can see, the document.domain is explicitly set to the domain the page was served from. The iframe src is also from the same server. I've tried it with a whole variety of variations, none of the demonstrated here but tested for.

• iframe's document.domain = 'waelchatila.com';
• iframe src is empty
• iframe src is "javascript:false"

There should be no problem accessing the iframe's content in either case.

Now, if the document.domain = 'waelchatila.com'; line is removed, it works. In order for this to work, you'll need to reload this page if you clicked the previous button since document.domain has now already been assigned.

Try it!

The same results present itself if the iframe is created with document.createElement('iframe') and document.appendChild(...)

I've yet to find a workaround for this issue. I'll be positing another entry if I found out how. Please let me know if you know of one!