Default disabling of "Navigate sub-frames across different domains" breaks many sites

  • Saturday, October 21, 2006 2:46 PM
     
     

    The default disabling of "Navigate sub-frames across different domains" setting is causing numerous web sites to stop functioning.

    This issue has been discussed most recently at "IE 7 and Frames" by raghava66 on Oct 19, 2006, but the problem was actually reported as early as RC1. Since it is a long-established browser default setting, many frameset-based public and intranet sites have grown to rely on the ability for one subframe to navigate the URL of another subframe, e.g. in a tree/list view - reading pane layout. Asking end users to manually change their default security options here is not a viable option.

    In addition, many new AJAX applications are built to rely on cross-frame cross-domain messaging (not scripting) to provide application interoperability.

    For a discussion on this, please read:

    http://tagneto.blogspot.com/2006/10/ie-7-breaks-iframe-apis-that-use.html#comments

    We have a page based on a similar idea demonstrating the exact problem.

    http://www.openspot.com:23460/~0.0.0/webhost/com.openspot.webhost.OResource/com/xdde/demo1/testLocalXDDE.html

    It works on the default "medium" security setting of IE6 and leading versions of other browsers.  But the default security setting of IE 7 causes it to stop working. 

    Here are some suggestions:

    - A compromise might be enhancing the "security" attribute of IFRAME so that the iframe-hosting page can override this default behavior. 

    - An alternative is to make it "prompt" by default.  I am sure there are also other alternatives that require minimal user interaction.

All Replies

  • Sunday, October 22, 2006 10:22 AM
     
     

     

    This unannounced change to a default setting will be costing many developers problems when they are implementing cross site domain navigation.

    With the time taken to trace where the problem is coming from and the realisation that only IE7 is the problem, it could cause them to post notices on their sites instructing users to use another browser or an earlier version of Internet Explorer.

    As browser compatibility issues should be becoming less of a problem, I think this should be addressed and resolved quickly. If it isn't, IE7 may become less popular. If it can't be used with formerly successful web apps then the simple solution will be to use one of the many other browsers that do not have this problem.

    It is extremely annoying having developed a successful application only to find that it has to be extensively redesigned because of a simple default browser setting!

  • Tuesday, October 24, 2006 9:07 PM
     
     

    Just replying to voice my support for Gideon's post, and to say that for an application I have written I will likely be recommending against IE7 specifically due to this change in IE7's default setting.  Of course, I can always provide detailed instructions for enabling cross-domain sub-frame navigation to users, but I suspect most will just continue to use IE6 out of convenience.  This is a disappointing discovery, to be sure. 

    The fact that cross-domain sub-frame navigation is disabled in the default security setting even for Trusted Sites makes it that much more difficult to work with.

  • Thursday, December 14, 2006 9:02 AM
     
     

    I just wanted to chime in that this problem has caused a lot of problems for my site too. I finally had to disable all dynamic functionality, since I depended on AJAX to perform intra-site messaging. The fact this behavior just suddenly started right around the release time of the new Internet Explorer 7 only made it more difficult (and frustrating) to track down. It took me till now to even discover that I wasn't alone. Yes, I actually spent weeks on Google paging through KB articles on microsoft.com, without any solutions at all. At first, I thought I was going crazy.

    I think this was a really, really, really, really poor judgment call on the part of Microsoft. I mean, does Microsoft now condone releasing new versions of software that will knowingly break production code without ever informing developers months beforehand about the implementation changes required to ensure continued compatibility with their products?

    Will the next release of Windows cause 10% of Windows XP software to just stop functioning because Microsoft thought it was in the best interest of their entire userbase to rename the A drive to the B drive by default?

    Thankfully there's now a workaround for the issue. But that came a little too late if you ask me. There's nothing more delightful than a software company that pulls the carpet out from under their own developers, and then has to do damage control afterwards because of an inability to assess the widespread impact of such poor design decisions in the first place.

    My two cents,

    --Randall

  • Friday, December 22, 2006 2:19 AM
     
     

    My site does NOT refer to a different domain but subframes within the site.

    Works well on IE6, also in IE7,

    EXCEPT for one client who runs Norton Internet Security 2005 where the move from IE6 to IE7 causes a crash.

    Totally mystified as to why that should be a discriminating factor...

  • Wednesday, January 30, 2008 8:37 AM
     
     

    R Krause wrote "Thankfully there's now a workaround for the issue."

     

    Can you please direct me to the workaround? I can't find a way to get sub frames across different domains to work.

     

    Thanks,

     

    Jaxman

  • Sunday, February 27, 2011 12:04 AM
     
     

    Now I understand more about it. Thanks for your explanation!