Microsoft KB Archive/241754

= How To Create Cross-Frame Scripting-Capable Web Pages with HTML Applications (HTAs) =

Article ID: 241754

Article Last Modified on 9/1/2005


APPLIES TO


 * Microsoft Internet Explorer 5.0
 * Microsoft Internet Explorer (Programming) 5.5




This article was previously published under Q241754



SUMMARY
With Internet Explorer 4.0 SP1, Microsoft prevents frames whose content resides on different domains from scripting one another. Some developers wish to bypass this restriction, but cannot use the established workaround of setting document.domain to the current top-level domain for a frame's documents. In these cases, you can use HTML Applications (HTAs), a new feature of Internet Explorer 5, to enable cross-frame scripting.



MORE INFORMATION
Cross-frame scripting was disabled to prevent a Trojan Horse-style security hole called frame spoofing, in which a Web site masquerades as a frame inside of a trusted Web site in order to steal user information. The following Knowledge Base article explains how to enable cross-frame scripting using document.domain for documents from different machines on the same network:

167796 PRB: Permission Denied When Scripting Across Frames

However, this is not effective for machines on the same network that resolve to different top-level domains; for example, Web sites on the same machine that use different virtual hosts. It also does not work for two distinct sites that have partnered with one another and wish to interact via frames.

In these situations, developers building solutions for Internet Explorer 5 can bypass cross-frame security for a frameset they have authored by turning it into an HTML application (HTA). This involves giving the page an extension of .hta and inserting the tag <HTA:APPLICATION> at the top of the page underneath the HTML tag. Each frame that attempts to script another frame (for example, the script source) must have the attribute pair "APPLICATION=yes" inside its FRAME tag.

When a user accesses the HTA, it asks whether he or she wants to "execute" the file. If the user says yes, the HTA opens in its own window. From that point on, documents can script freely across frames whose documents come from different domains. This is considered secure because it uses trust-based security: The user must verify that he or she trusts the host will refrain from intentionally malicious programming.

To see how HTAs work, place the following HTML code into a file named Frame.hta:



 HTML Application Sample 



 



Place the following code into a file named Fm1.htm:

<HTML>

<BODY>

<BUTTON id=btn1 onclick="window.external.AddFavorite(parent.fm2.document.location, parent.fm2.document.title)"> Add to Favorites >> </BUTTON>

</BODY>

</HTML>

Place these files in the same directory and use Internet Explorer 5 to navigate to Frame.hta.
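The following Python script is an added example, not code from the original article. It parses an HTA's markup, reports which frames carry APPLICATION=yes, and flags any of those that load from a remote URL, since that is the content a user is trusting when agreeing to execute the HTA. The sample markup is constructed: the fm2 URL, the fm3 frame, and the names HtaFrameAudit and audit_hta are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample frameset, not the article's Frame.hta listing.
# The fm2 URL and the whole fm3 frame are placeholders for illustration.
SAMPLE_HTA = """<HTML>
<HTA:APPLICATION>
<HEAD><TITLE>HTML Application Sample</TITLE></HEAD>
<FRAMESET COLS="30%,35%,35%">
  <FRAME SRC="Fm1.htm" NAME="fm1" APPLICATION="yes">
  <FRAME SRC="http://www.example.com/" NAME="fm2">
  <FRAME SRC="http://partner.example.net/tools.htm" NAME="fm3" APPLICATION=yes>
</FRAMESET>
</HTML>"""


class HtaFrameAudit(HTMLParser):
    """Collect FRAME/IFRAME elements and the trust each one is granted."""

    def __init__(self):
        super().__init__()
        self.is_hta = False
        self.frames = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names.
        if tag == "hta:application":
            self.is_hta = True
        elif tag in ("frame", "iframe"):
            a = dict(attrs)
            src = a.get("src") or ""
            self.frames.append({
                "name": a.get("name"),
                "src": src,
                # APPLICATION=yes lets this frame script the other frames.
                "trusted": (a.get("application") or "").lower() == "yes",
                "remote": urlparse(src).scheme in ("http", "https"),
            })


def audit_hta(markup):
    """Return (is_hta, frames, findings); findings name trusted remote frames."""
    parser = HtaFrameAudit()
    parser.feed(markup)
    parser.close()
    findings = [f["name"] for f in parser.frames if f["trusted"] and f["remote"]]
    return parser.is_hta, parser.frames, findings
```
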

<div class="references_section">