June 2, 2009 / edeustace

document.domain breaks flex history javascript in internet explorer

On my current project, we had one bug that had us puzzled for a while. The history mechanism in our Flex application wasn’t working for Internet Explorer. When we loaded the page we’d get the dreaded warning icon down the bottom left of the screen. Clicking this we could see that we were getting a “Permission Denied” error, which indicates a security issue.

We spent a lot of time debugging the Flex history code (history.js and historyFrame.html). However, one thing that I noticed was that I wasn’t getting the error if I tried to recreate it with a standard Flex application.

This led me to a little piece of JavaScript in our offending HTML file:

document.domain = "mydomain.com"; // domain changed to protect the innocent.

The reason we have this code is that we launch various iframes within our application that come from related servers. For example, our application is on

portal.mydomain.com

and the iframe’s source would be

news.mydomain.com

Setting document.domain to mydomain.com opens up cross-frame scripting between the two pages served from these servers, so long as they share the same document.domain.

All well and good, but how does this impact Flex’s history mechanism? In history.js, the code programmatically adds an iframe to the main page, setting its source to “history/historyFrame.html”. This HTML makes calls to the parent, and this is where the error occurs. Internet Explorer doesn’t pass the document.domain property on to the created iframe, so the frame and its parent no longer count as the same origin, resulting in a “Permission Denied” JavaScript error.

The fix for us was to set document.domain in historyFrame.html as well.
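
Why the fix works, as an added example that is not from the original post or from Flex's history.js: a simplified JavaScript model of the browser's origin check once document.domain is involved. The function names and sample URLs are constructed for illustration, and the public-suffix check real browsers apply is left out.

```javascript
// Simplified model of the browser's "same origin-domain" check (added example).
// makeDoc, relaxDomain and canScript are hypothetical names, not browser APIs.
function makeDoc(url) {
  const u = new URL(url);
  // domain stays null until the page assigns document.domain itself
  return { scheme: u.protocol, host: u.hostname, port: u.port, domain: null };
}

// Models `document.domain = value`: only the current host or a parent
// suffix of it is accepted (public-suffix checks are omitted here).
function relaxDomain(doc, value) {
  const current = doc.domain || doc.host;
  if (value !== current && !current.endsWith("." + value)) {
    throw new Error("SecurityError: " + value + " is not a suffix of " + current);
  }
  doc.domain = value;
  return doc;
}

// True when script in document a may reach into document b.
function canScript(a, b) {
  if (a.scheme !== b.scheme) return false;
  if (a.domain !== null && b.domain !== null) {
    return a.domain === b.domain;                   // both opted in: port is ignored
  }
  if (a.domain === null && b.domain === null) {
    return a.host === b.host && a.port === b.port;  // plain same-origin
  }
  return false;  // only one side set document.domain: access denied
}

// Constructed sample URLs using the post's placeholder hosts.
const portal = relaxDomain(makeDoc("http://portal.mydomain.com/app.html"), "mydomain.com");
const news = relaxDomain(makeDoc("http://news.mydomain.com/feed.html"), "mydomain.com");
const historyFrame = makeDoc("http://portal.mydomain.com/history/historyFrame.html");

const before = canScript(historyFrame, portal);  // frame never set document.domain
relaxDomain(historyFrame, "mydomain.com");       // the fix described in the post
const after = canScript(historyFrame, portal);
```

The same relaxation that lets portal and news script each other applies to any other host under mydomain.com that sets the same value, so every subdomain that opts in shares one trust boundary.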

For more info on cross-frame scripting in IE, see:

http://msdn.microsoft.com/en-us/library/ms533028(VS.85).aspx

http://waelchatila.com/2007/10/31/1193851500000.html


One Comment

  1. david / Sep 12 2009 12:30 am

    Thanks, I wish I would have found this a month ago.
