Third-party IFrames in HTA Applications

I've posted before about setting Application = "Yes" on iframes in HTA applications, but if the iframe is rendered by a third-party component then this may not be straightforward. If the iframe runs JavaScript accessing it's parent window then somehow the iframe must be modified to pass the security rules enforced by the HTA model.

Using the onload event of the <BODY> element it's possible to set the Application attribute of an iframe, but this is not enough to make the iframe HTA-friendly.

Refreshing the contents of the iframe (using iframe.src = iframe.src) doesn't work either. I'm guessing that the security aspects of an iframe are baked into the element when the browser first renders it.

The solution is to use the onload event of the body to rebuild the entire iframe element:

if (document.getElementById('spIFrame')) {

  // get reference to the iFrame
  var iFr = document.getElementById('spIFrame');

  // set the application attribute of the iFrame (so it works in HTA)
  iFr.application = 'Yes';

  // rebuild the iFrame to make sure Application="Yes" is active
  iFr.outerHTML = iFr.outerHTML;
}
Published 22 January 2008 01:43 PM by jonsayce
Filed under:

Comments

No Comments