PRB: Permission Denied Error Message When Scripting Across Frames

Script code that attempts to access a script or an object in a different frame may get the following script error message:

Internet Explorer 4.0 implements cross-frame security. A script or object in one frame is not allowed to access scripts or objects in another frame when the documents referenced by the SRC attribute of the frames specify Web servers in different second-level domains. This corresponds to the "domain- name.XXX" portion of the full server name syntax "server.domain-name.XXX".

The Internet Explorer 4.0 Dynamic HTML object model allows a certain subset of safe actions to be scripted. For example, the window.location property of a frame of the remote server can be set to allow navigation, but it cannot be read to prevent one frame from snooping on the contents of another frame.

For example, it is valid for a document retrieved from "http://test.microsoft.com" to manipulate another document retrieved from http://test.microsoft.com." It is not valid for a document retrieved from "http://server1.some-domain-name.org" to manipulate a document located retrieved from "http://server2" or "http://server3.microsoft.com."

The intention of cross-frame security is to prevent one Web page designer from potentially misusing or snooping on the trusted objects authored by a different Web page designer. Only those pages hosted in the same domain can be trusted to safely script the contents of a particular page. This should also prevent unwanted communication between documents on opposite sides of a corporate firewall.

To prevent this error, documents that interact with each other must be hosted by servers on the same domain.

To allow two documents hosted on the same second-level domain to interact, both documents must set the document.domain property to their shared second-level domain. For example, one document on "http://example.microsoft.com" could script and access another document on "http://test.microsoft.com" if both documents used the following line of script code: Under Internet Explorer 4, if the page with the cross-frame script resides on a different server from the frameset source, the above script that sets document.domain needs to be included in the framset source as well.

This behavior is by design.

For example, given the following FRAMESET: Script in the "Server1Frame" frame is not permitted to access script or objects in the "Server2Frame" frame, and vice versa.

The following example script code in server1.html causes the "Permission Denied" error, given that RemoteTextBox is an object created on the server2.html document: Cross-Frame Security uses the concept of a "security context" to make cross-frame scripting decisions. Security context takes into account the protocol, domain, and zone of Internet documents. Any differences in these three between the document containing the script and the document in another frame or window that the script is trying to manipulate causes a cross-frame security violation. For example, HTTP documents cannot script HTTPS documents, and sites in the Restricted Sites zone cannot script sites in the Local intranet zone.

Internet Explorer ultimately appeals to the Security Manager when script attempts to access another document. Technically, Internet Explorer uses the IInternetSecurityManager::GetSecurityId() function to help it make security context decisions. The security identification returned must match exactly for both URLs in a cross-frame situation. See the following references for more information on the Internet Security Manager.

For more information about developing Web-based solutions for Microsoft Internet Explorer, visit the following Microsoft Web sites:
- Dynamic HTML; DHTML Object Model; Cross-Frame Scripting and Security
- RFC 1591: "Domain Name System Structure and Delegation"
- RFC 1034: "DOMAIN NAMES - CONCEPTS AND FACILITIES"
- Security & Cryptology; Networking protocols & Data formats