http://waelchatila.com:80/tags/ie/ Notes on Software, Engineering and Science en Wael Chatila Thu, 11 Mar 2010 03:23:48 GMT Pebble (http://pebble.sourceforge.net) http://backend.userland.com/rss http://waelchatila.com:80/2007/10/31/1193851500000.html <b>Disclaimer:</b> Im not sure this a bug discovery...couldn't find anything that resembled it after a couple of minutes of googling, or a super silly security restriction. <p> I've been coding some javascript ajax code that inserts an iframe, and into the created iframe, inserts a form and submits the form to a (cross domain) server. This is an old cross-domain ajax technique by now, but while implementing it I came across this ridiculously annoying bug in IE. The line in red below will result in an "Access Denied" exception being thrown...again, only in IE. Tried this with IE6 under WinXP Media Center Edition SP2, IE7 under WinXP Home Edition SP2, and IE7 Windows Vista Home. Needless to say...it works just fine in FireFox. <div class="codeSample"> &lt;script type="text/javascript"&gt; document.domain = 'waelchatila.com'; var new_html = '&lt;iframe id="frm" name="frm" src="http://waelchatila.com"&gt;&lt;/iframe&gt;'; document.body.innerHTML+=new_html; try { var iframe_doc = <font color="red">document.getElementById("frm").contentWindow.document;</font> } catch (e) { alert(e); } &lt;/script&gt; </div> <div id="frm1"></div> <script type="text/javascript"> function insertIframe() { document.domain = 'waelchatila.com'; var new_html = '<iframe id="frm" name="frm" src="http://waelchatila.com"></iframe>'; document.getElementById('frm1').innerHTML+=new_html; var bError = false; try { var iframe_doc = document.getElementById("frm").contentWindow.document; } catch (e) { bError = true; } alert(bError?"Exception thrown":"No exceptions thrown"); } </script> Try it by clicking the button below. <p> <button onclick="insertIframe();return false;">Try it!</button> <p> This page should be served off of <i>http://waelchatila.com</i>. As you can see, the document.domain is explicitly set to the domain the page was served from. The iframe src is also from the same server. I've tried it with a whole variety of variations, none of the demonstrated here but tested for. <ul> <li>iframe's document.domain = 'waelchatila.com';</li> <li>iframe src is empty</li> <li>iframe src is "javascript:false"</li> </ul> There should be no problem accessing the iframe's content in either case. <p>Now, if the <i>document.domain = 'waelchatila.com';</i> line is removed, it works. In order for this to work, you'll need to reload this page if you clicked the previous button since document.domain has now already been assigned. <p> <div id="frm2"></div> <script type="text/javascript"> function insertIframe2() { var new_html = '<iframe id="frm" name="frm" src="http://waelchatila.com"></iframe>'; document.getElementById('frm2').innerHTML+=new_html; var bError = false; try { var iframe_doc = document.getElementById("frm").contentWindow.document; } catch (e) { bError = true; } alert(bError?"Exception thrown":"No exceptions thrown"); } </script> <button onclick="insertIframe2();return false;">Try it!</button> <p> The same results present itself if the iframe is created with <i>document.createElement('iframe')</i> and <i>document.appendChild(...)</i> <p> I've yet to find a workaround for this issue. I'll be positing another entry if I found out how. Please let me know if you know of one! AJAX Windows Web http://waelchatila.com:80/2007/10/31/1193851500000.html#comments http://waelchatila.com:80/2007/10/31/1193851500000.html Wed, 31 Oct 2007 17:25:00 GMT