[Dojo-interest] Mixed content error and BackgroundIframe

James Burke jburke at dojotoolkit.org
Sun Apr 9 23:14:26 MDT 2006


I stumbled across this approach a few years ago on an old project,
except I was using location = "javascript:someFunction()", where
someFunction() returned a JavaScript string of HTML. Perhaps it is
similar to how data: URLs work. Unfortunately, I don't know enough
browser internals to know the true answer.

I used this approach on that old project because we were using
document.write() to write in a complete HTML document in an iframe;
however, I noticed that when I used document.write() that had HTML with
script src tags and inline script, MSIE would execute the inline
script before the script src scripts finished loading, causing errors.
It worked fine in the Mozilla browsers of the day.

So for MSIE only, I did the above, then script src scripts all loaded
correctly before execution of inline script. Funny thing was when I
used that approach with Mozilla, it did MSIE's behavior with
document.write() -- it executed inline script before all the script
tags were loaded. So I stuck with document.write() for Mozilla
browsers. Safari wasn't around at the time.

BTW, has someone tried it with Safari?

I've always been curious if this trick would also allow for some sort
of XSS attack -- can XHR post to other domains with this trick? Can we
get around MSIE's 2 connection limit to a domain (instead of having to
do document.domain tricks)? Can we access content in a sub-iframe that
is on a different domain? Anyone care to try some test cases? I think
I tried some kind of hack a way back, and it didn't work, but I can't
recall for sure.

This trick was also used in this Ajaxian post, for debug purposes:

http://ajaxian.com/archives/ie-tip-cheeky-way-to-see-the-current-state-of-the-page

James

On 4/9/06, Terry Field <forum-dojo-interest at opensymphony.com> wrote:
> Yeah, it's weird. I'm hoping James can answer this one.
>
> > Wow, that's really strange.  Obviously
> > <html><head></head><body></body></html> is not javascript...
> > how come you can do that?
> >
> > Bill
> >
> > Terry Field wrote:
> > > The following code seems to work with both IE and FF:
> > >
> > >     var html=
> > >             "<iframe "
> > >             +"style='position: absolute; left: 0px; top: 0px; width: 100%; height: 100%;"
> > >             +        "z-index: -1; filter:Alpha(Opacity=\"0\");' "
> > >             +"src=\"javascript:'<html><head></head><body></body></html>'\""
> > >             +">";
> > >
> > >
> > >> I think some variation of this has been tried, but I
> > >> can't recall:
> > >>
> > >> What about using
> > >>
> > >> src="javascript:'<html><head></head><body></body></html>'"
> > >>
> > >> Basically create an inline HTML document. If that
> > >> doesn't work would some sort of data: URL work?
> > >>
> > >> James
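
Added example, not part of the original thread or of Dojo's code: an iframe src with a javascript: scheme, as in the snippet quoted above, is script the embedding page evaluates, so a markup review or sanitizer has to classify it separately from an ordinary URL and from an http: frame on an https: page (the mixed-content case in the subject line). The function names, verdict strings and sample values are hypothetical, and the input is assumed to be an already entity-decoded attribute value.

```javascript
// Added example: classify an iframe src value for review or sanitizing.
// Assumption: `src` is the entity-decoded attribute value (e.g. from getAttribute).

// Extract the scheme after the same pre-processing the WHATWG URL parser applies:
// strip leading/trailing C0 control or space, then drop tab/CR/LF anywhere.
// Without this, " Java\tScript:..." slips past a naive startsWith("javascript:").
function urlScheme(value) {
  const cleaned = String(value)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null; // null: relative or scheme-less URL
}

// Verdict strings are hypothetical labels for this example.
function classifyFrameSrc(src, pageUrl) {
  const scheme = urlScheme(src);
  if (scheme === "javascript") return "script-url"; // inline document built by script
  if (scheme === "data") return "data-url";         // inline document carried in the URL
  if (scheme === "http" && urlScheme(pageUrl) === "https") return "mixed-content";
  return "ok";
}

// Run every src through the classifier and keep only the ones needing review.
function auditFrames(pageUrl, srcs) {
  return srcs
    .map((src) => ({ src, verdict: classifyFrameSrc(src, pageUrl) }))
    .filter((r) => r.verdict !== "ok");
}

// Constructed sample input: the first value is the src from the thread,
// the rest are made up for illustration.
const SAMPLE_PAGE = "https://app.example/index.html";
const SAMPLE_SRCS = [
  "javascript:'<html><head></head><body></body></html>'",
  " Java\tScript:void(0)",
  "data:text/html,<html></html>",
  "http://app.example/blank.html",
  "blank.html",
  "https://app.example/blank.html",
];

console.log(auditFrames(SAMPLE_PAGE, SAMPLE_SRCS));
```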

