HOWTO: Create Cross-Frame Scripting-Capable Web Pages with HTML Applications (HTAs)

ID: Q241754


The information in this article applies to:
  • Microsoft Internet Explorer (Programming) version 5


SUMMARY

With Internet Explorer 4.0 SP1, Microsoft prevents frames whose content resides on different domains from scripting one another. Some developers wish to bypass this restriction, but cannot use the established workaround of setting document.domain to the current top-level domain for a frame's documents. In these cases, you can use HTML Applications (HTAs), a new feature of Internet Explorer 5, to enable cross-frame scripting.


MORE INFORMATION

Cross-frame scripting was disabled to prevent a Trojan Horse-style security hole called frame spoofing, in which a Web site masquerades as a frame inside of a trusted Web site in order to steal user information. The following Knowledge Base article explains how to enable cross-frame scripting using document.domain for documents from different machines on the same network:

Q167796 PRB: Permission Denied When Scripting Across Frames

However, this is not effective for machines on the same network that resolve to different top-level domains; for example, Web sites on the same machine that use different virtual hosts. It also does not work for two distinct sites that have partnered with one another and wish to interact via frames.

In these situations, developers building solutions for Internet Explorer 5 can bypass cross-frame security for a frameset they have authored by turning it into an HTML application (HTA). This involves giving the page an extension of .hta and inserting the tag <HTA:APPLICATION> at the top of the page underneath the HTML tag. Each frame that attempts to script another frame (that is, the script source) must have the attribute pair "APPLICATION=yes" inside its FRAME tag.

When a user accesses the HTA, it asks whether he or she wants to "execute" the file. If the user says yes, the HTA opens in its own window. From that point on, documents can script freely across frames whose documents come from different domains. This is considered secure because it uses trust-based security: The user must verify that he or she trusts the host will refrain from intentionally malicious programming.

To see how HTAs work, place the following HTML code into a file named Frame.hta:

<HTML>
<HTA:APPLICATION>

<HEAD>
<TITLE>HTML Application Sample</TITLE>
</HEAD>

<FRAMESET COLS="35%,*">

<FRAME id=fm1 src="fm1.htm" APPLICATION=yes>
<FRAME id=fm2 src="http://www.microsoft.com">

</FRAMESET>

</HTML>

Place the following code into a file named Fm1.htm:

<HTML>

<BODY>

<BUTTON id=btn1 onclick="window.external.AddFavorite(parent.fm2.document.location, parent.fm2.document.title)">
Add to Favorites &gt;&gt;
</BUTTON>

</BODY>

</HTML>

Place these files in the same directory and use Internet Explorer 5 to navigate to Frame.hta.
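
A reviewer deciding whether to trust an HTA can first list which frames it exempts from cross-frame security. The following Python sketch is an added example, not part of the original article: it parses an HTA, reports the frames marked APPLICATION=yes, and singles out any of those whose src is loaded over the network. The fm3 frame, the partner.example host and the names HtaFrameAudit and audit_hta are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the article's Frame.hta plus one extra frame (fm3,
# partner.example) that is NOT from the article, added to show the risky case.
SAMPLE_HTA = """<HTML>
<HTA:APPLICATION>
<FRAMESET COLS="35%,*">
<FRAME id=fm1 src="fm1.htm" APPLICATION=yes>
<FRAME id=fm2 src="http://www.microsoft.com">
<FRAME id=fm3 src="http://partner.example/panel.htm" APPLICATION="Yes">
</FRAMESET>
</HTML>"""


class HtaFrameAudit(HTMLParser):
    """Collects FRAME/IFRAME elements and whether each is marked APPLICATION=yes."""

    def __init__(self):
        super().__init__()
        self.is_hta = False
        self.frames = []

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases tag and attribute names; values keep their case.
        if tag == "hta:application":
            self.is_hta = True
        elif tag in ("frame", "iframe"):
            a = dict(attrs)
            src = a.get("src") or ""
            # Assumption: "remote" means a network URL scheme or a // URL.
            remote = urlparse(src).scheme in ("http", "https", "ftp") or src.startswith("//")
            trusted = (a.get("application") or "").lower() == "yes"
            self.frames.append({"id": a.get("id"), "trusted": trusted, "remote": remote})


def audit_hta(markup):
    """Return (is_hta, ids of APPLICATION=yes frames, ids of those that are remote)."""
    parser = HtaFrameAudit()
    parser.feed(markup)
    parser.close()
    trusted = [f["id"] for f in parser.frames if f["trusted"]]
    risky = [f["id"] for f in parser.frames if f["trusted"] and f["remote"]]
    return parser.is_hta, trusted, risky


if __name__ == "__main__":
    is_hta, trusted, risky = audit_hta(SAMPLE_HTA)
    print("HTA:", is_hta, "| may script other frames:", trusted, "| remote:", risky)
```

Frames reported in the last list combine network-delivered content with the ability to script every other frame, so they are the ones to examine before answering yes to the "execute" prompt.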


REFERENCES

For additional information about the cross-frame scripting issue and the document.domain workaround, click the article number below to view the article in the Microsoft Knowledge Base:

Q167796 PRB: Permission Denied When Scripting Across Frames

For more information, please see the MSDN Web Workshop:
http://msdn.microsoft.com/workshop/default.asp

Version : WINDOWS:5
Platform : WINDOWS
Issue type : kbhowto


Last Reviewed: January 27, 2000
© 2000 Microsoft Corporation. All rights reserved.