5

We're creating <iframe>s dynamically (e.g. for a rich text editor or a debug window) and injecting html into the src. For years we used a javascript: url as the src similar to this answer until we ran into same-origin-policy issues with multiple independent iframes.

Our current solution is creating an object url for a blob that contains the html:

var iframe = document.createElement('iframe')
  , html = '<h1>it works!</h1>'
  , blob = new Blob([html], {type: 'text/html'})
  , url = URL.createObjectURL(blob);

iframe.src = url;
document.querySelector('body').appendChild(iframe);

This works fine in Chrome and Firefox, but not in IE11 (for browsers where URL or Blob are undefined we fallback to the javascript: solution). IE11 raises SCRIPT5: Access is denied.

Are we misusing the APIs? Is there a special API for IE? A known workaround?

Community
  • 1
  • 1
Dominik Schreiber
  • 2,629
  • 1
  • 23
  • 33
  • 1
    damn your issue is hard to figure out! I've changed the Security settings of my IE11 to the lowest possible config and I've sandboxed the iframe (http://www.html5rocks.com/en/tutorials/security/sandboxed-iframes/) still the code snippet didn't work! There is one IE bug that I saw related to this which had no update whatsoever (https://connect.microsoft.com/IE/feedback/details/797361/ie-10-treats-blob-url-as-cross-origin-and-denies-access) Apparently, IE is seeing this as an XSS even though its a Blob URL...i don't think there's anything wrong with the API as Blobs are supported in IE11 – securecodeninja Dec 07 '15 at 23:43

2 Answers2

4

Unfortunately IE does not support DATA URI's*with a few caveats. I have the same issue, but with a PDF in an embedded tag.

It looks like you can use msSaveOrOpenblob to have IE open your blob file

gh9
  • 10,169
  • 10
  • 63
  • 96
  • 1
    We came across `msSaveOrOpenBlob` as well, but it actually does not do what we want. Called with the blob url, it will open this "do you want to open or save this file?" dialog/notification. But we want the iframe to use the blob url as its src. – Dominik Schreiber Jan 14 '16 at 17:23
  • To my knowledge it cannot be done in IE11 for html templates like what you are doing. A work around if you are using some sort of server side language is to have the src directly point to a service that returns your markup. – gh9 Jan 14 '16 at 18:07
0

IE 11 does not support all the Data URI's.

It supports only images and linked resources like CSS or JS. Please note HTML files are not supported.

Shriharsha
  • 27
  • 2