0

Are there any requirements / specs regarding the src attribute of a FRAME, especially if I have to URI-encode (percentage encoding) its value by myself (within HTML)?

It looks like Internet Explorer does a faulty encoding for some characters (0x encoding instead of percentage encoding) here (resulting in a 400 Bad Request server response), while chrome/firefox encode such a 'frame src'-URL properly and work.

Example HTML code which reproduces a 400 response on IE 11 but works on other browsers (you might need to bypass some browser security protections due to same-origin/cross-site restrictions):

<!DOCTYPE html>
<html>
<FRAMESET>
<FRAME src="https://www.stackoverflow.com?param=ÖÄÜ"/>
</FRAMESET>
</html>
MRalwasser
  • 15,605
  • 15
  • 101
  • 147
  • HTML is designed to be resilient and browsers are expected to try and fix everything wrong they find. So your coding does not **need** to be correct. However, relying on browsers being able to recover from error conditions makes things less predictable. – Álvaro González Jan 12 '21 at 08:46

1 Answers1

3

The 400 response in IE 11 is due to IE doesn't encode the url parameter correctly. In IE 11 the parameter sent is like below which is not right: enter image description here

The encoded parameter which is right in Chrome should be like this: enter image description here

I also find that if we check Send UTF-8 query strings in Internet Options, the parameter will be encoded correctly and the example will work in IE 11:

enter image description here

So the issue is that param=ÖÄÜ is not encoded to UTF-8 in IE 11. I think it will be better if we encode all the urls for IE. Besides, <frameset> is deprecated, you could use <iframe> instead. The working sample code in IE 11 is like below:

<!DOCTYPE html>
<html>
<body>
    <iframe src="https://www.stackoverflow.com?param=ÖÄÜ"></iframe>
    <script>
        var mysrc = "https://www.stackoverflow.com?param=ÖÄÜ";
        document.getElementsByTagName("iframe")[0].src = encodeURI(mysrc);
    </script>
</body>
</html>

Edit:

I also try to find some official docs about this, but there seems nothing. But I find some related threads:

encoding of query string parameters in IE10

Internet Explorer having problems with special chars in querystrings

If you refer to the threads, you'll find that EricLaw also says:

The behavior isn't fully documented anywhere.

We cannot reliably use URLs which are not properly encoded in Internet Explorer.

As we can't control if the users has checked the Send UTF-8 query strings in IE and I refer to the threads above, I came up with the solution: The best approach is to encode all the urls in IE.

Yu Zhou
  • 11,532
  • 1
  • 8
  • 22
  • Interessting, especially that IE setting. Why I get 400 in IE, is perfectly clear to me. However, your answer is still lacking whether a src attribute can or must be percentage-encoded (ideally, by citing more or less official specs) in order to fix that properly (or to realize that the IE is buggy if it's not). – MRalwasser Jan 12 '21 at 07:59
  • Hi @MRalwasser I think you need to percentage-encoded the urls in IE. Please see my edit. – Yu Zhou Jan 12 '21 at 09:03