"Access is denied" JavaScript error when trying to access the document object of a programmatically-created <iframe> (IE-only)

I have project in which I need to create an <iframe> element using JavaScript and append it to the DOM. After that, I need to insert some content into the <iframe>. It's a widget that will be embedded in third-party websites.

I don't set the "src" attribute of the <iframe> since I don't want to load a page; rather, it is used to isolate/sandbox the content that I insert into it so that I don't run into CSS or JavaScript conflicts with the parent page. I'm using JSONP to load some HTML content from a server and insert it in this <iframe>.

I have this working fine, with one serious exception - if the document.domain property is set in the parent page (which it may be in certain environments in which this widget is deployed), Internet Explorer (probably all versions, but I've confirmed in 6, 7, and 8) gives me an "Access is denied" error when I try to access the document object of this <iframe> I've created. It doesn't happen in any other browsers I've tested in (all major modern ones).

This makes some sense, since I'm aware that Internet Explorer requires you to set the document.domain of all windows/frames that will communicate with each other to the same value. However, I'm not aware of any way to set this value on a document that I can't access.

Is anyone aware of a way to do this - somehow set the document.domain property of this dynamically created <iframe>? Or am I not looking at it from the right angle - is there another way to achieve what I'm going for without running into this problem? I do need to use an <iframe> in any case, as the isolated/sandboxed window is crucial to the functionality of this widget.

Here's my test code:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
    <title>Document.domain Test</title>
    <script type="text/javascript">
      document.domain = 'onespot.com'; // set the page's document.domain
    </script>
  </head>
  <body>
    <p>This is a paragraph above the &lt;iframe&gt;.</p>
    <div id="placeholder"></div>
    <p>This is a paragraph below the &lt;iframe&gt;.</p>
    <script type="text/javascript">
      var iframe = document.createElement('iframe'), doc; // create <iframe> element
      document.getElementById('placeholder').appendChild(iframe); // append <iframe> element to the placeholder element
      setTimeout(function() { // set a timeout to give browsers a chance to recognize the <iframe>
        doc = iframe.contentWindow || iframe.contentDocument; // get a handle on the <iframe> document
        alert(doc);
        if (doc.document) { // HEREIN LIES THE PROBLEM
          doc = doc.document;
        }
        doc.body.innerHTML = '<h1>Hello!</h1>'; // add an element
      }, 10);
    </script>
  </body>
</html>

I've hosted it at:

http://troy.onespot.com/static/access_denied.html

As you'll see if you load this page in IE, at the point that I call alert(), I do have a handle on the window object of the <iframe>; I just can't get any deeper, into its document object.

Thanks very much for any help or suggestions! I'll be indebted to whomever can help me find a solution to this.

Thanks, David - I appreciate what appears to be a solid suggestion, but I'd rather not take this approach unless it's a last resort. If I understand correctly, the template would need to live on the same domain as the parent page (is that right?), and that would complicate implementation for our customers. Ideally the implementation should be as simple as inserting a few lines of JavaScript in their pages' HTML.

Deniss, good suggestion, and thank you - I gave this a shot (see <troy.onespot.com/static/access_denied_jquery.html>) but got a similar error; this time it's "Permission denied" within the jQuery script. I suspect it's the same or a similar roadblock.

Sorry, that URL got mangled. Try: troy.onespot.com/static/access_denied_jquery.html

Yes, the solution does require another file on that very domain. I'm afraid that's the best I can come up with, though.

@Bungle: I think it's your only option.

Why would jQuery have magical access to the iframe's document?

@Tim Down: I don't think the assumption was that jQuery would have magical access; rather, jQuery often has some nifty tricks up its sleeve to solve cross-browser issues, and might have already implemented a workaround. I agree it didn't bode well, but I think it was a good suggestions and worth a shot.

@bobince: You're awesome! I actually did stumble upon this very approach late last night after a lot more Googling. In fact, I think I might have found an even more robust, and potentially less kludgy cross-browser solution: telerik.com/community/forums/aspnet-ajax/editor/… - notice Jeff Tucker's post from August 21. Setting the <iframe>'s "src" attribute to "javascript:void((function(){document.open();document.domain‌​=\'tld.com\';documen‌​t.close();})())" seems to do the trick, and in a cross-browser way. It also works in Safari (at least v3+).

Here's a test page illustrating my previous comment: troy.onespot.com/static/access_denied_test.html

Oh great! That's much better! Interesting that doing it directly should work... normally, a javascript: URL would be executed in the context of its parent, but that seems not to be the case with iframe src. You can probably also lose the void() call, since the function already returns undefined.

Incidentally you get an error reloading the page in IE with this, as IE tries to retain the iframe location... argh. Dunno if there's a way around that.

@bobince: Oh man, you're right. Thanks for pointing that out; I was so excited that it worked the first time that I didn't bother to reload. What do you mean by IE trying to retain the <iframe> location? I've got to find a solution to this so I'll keep you posted - please do the same if you happen to find anything.

Thanks. This seems to have fixed the problem for me.

I think you're solving a different problem.

The OP is building a third party widget. You cannot expect every visitor to follow all these steps to get the widget displayed.

@bobince - any improvement to this? see question here: stackoverflow.com/questions/14879192/…

weird thing is, this was the same thing I was using. was working fine, now all of a sudden, I keep getttig access denied errors

A solution may be to insert a different ID in the iframe's src attribute everytime you load the frame, for example new Date().getTime(). Horrible but that seems to work.

This really isn't an answer. It's only a suggestion and would probably be better as a comment on the original post.