Saturday, May 21, 2005

Secure IFRAME gotcha

A simple caveat from an anonynmous JS whiz: when you create a new IFRAME element on a secure page, IE sets the default SRC to a non-secure blank page, thus popping a security alert dialog.

var el = document.createElement('iframe');

Since creating IFRAMEs in IE this way is already problematic, the solution might be to insert the IFRAME with innerHTML rather than using createElement. YMMV.


At 11:38 AM, Blogger wpbasti said...

An other, maybe better, solution is to set a valid source before add the created dom node to any parent. This is the solution we use in qooxdoo( Helpful and not affected by this bug for example is: "javascript:void()". So a valid code looks like the following:

var iframeNode = document.createElement("iframe");
iframeNode .src = "javascript:void()";

This should help to omit the security dialog of the internet explorer, too.

At 4:41 AM, Blogger JayJay said...

I have been breaking my head on this one too a couple of years back. I just call a blank (but existing) html page in the iframe.

At 2:25 PM, Blogger alex said...

You can (should?) usually create iframes in IE using the full tag syntax. Beleive it or don't, IE will accept something along the lines of:

document.createElement("<iframe src='foo.html' ... >");

It's how I've licked the issue in the past (wrapped in a conditional for sane browsers to ignore).


Post a Comment

<< Home