permissions to load a local Html file into iFrame

    Question

  • Hello,

    I would like to know what permissions and other settings I have to put in the manifest file to make my app able to load a local HTML file into an iFrame.

    Thanks in advance.

    Sunday, April 1, 2012 12:59 PM

All replies

  • Reference your local html file like this:

     <iframe id="myIframe" src="ms-appx-web:///myLocalPage.html"></iframe>


    The default manifest capability (Internet (Client)) seems to work.

    Sunday, April 1, 2012 5:15 PM
  • I create the iFrame programmatically from javascript code:

    iFrame = document.createElement("iFrame");
    iFrame.id = "idframe";
    iFrame.src = "file:///" + basePath + fileName;
    document.body.appendChild(iFrame);

    I get the following error:
    APPHOST9607: The App Host can't launch the URI at file:///I:/...........filename.html due to the following error: -2147024846.

    Sunday, April 1, 2012 5:41 PM
  • This works for a file that is local to your application:

    var iFrame = document.createElement("iFrame");
    iFrame.id = "iFrame";
    iFrame.src = "ms-appx-web:///" + fileName;
    document.body.appendChild(iFrame);


    • Edited by jrboddie Sunday, April 1, 2012 10:04 PM
    • Proposed as answer by The Mighty Duck Monday, April 2, 2012 10:10 PM
    • Marked as answer by Bob_Bao Monday, April 30, 2012 8:18 AM
    • Unmarked as answer by Bob_Bao Monday, April 30, 2012 8:19 AM
    Sunday, April 1, 2012 9:59 PM
  • Thank you.

    Unfortunately I need to load a local html file from the user. So I need to ask for permissions, I think, and then put the file in a suitable place (Documents?)

    Monday, April 2, 2012 7:47 AM
  • I could not do it either.

    It is either a security restriction or some magic is required that, if documented, is deeply hidden.

    Monday, April 2, 2012 5:53 PM
  • For what it's worth, I just tried this for iframing content inside your app's data directory:

    function foo() {
        WinJS.Application.local.writeText("foo.html", "hello world").then(function (c) {
            var iframe = document.createElement("iframe");
            iframe.src = WinJS.Application.local.folder.path + "\\foo.html";
            document.body.appendChild(iframe);
        });
    }

    But got a host security error in the JS Console when I ran it. I think it's pretty safe to say that you can't directly iframe anything that's not in your package or on the web. This sorta makes sense, as even if you did load the content inside the web context for safety, the local HTML file would still have the chance to execute arbitrary JS code.

    I'm guessing you have documentation or something on the local machine you want the user to be able to see inside the app itself?

    Cheers,

    -Jeff

    Monday, April 2, 2012 8:13 PM
  • Hi, thank you.

    Excuse me but I think that it would be enough that the iFrame is somehow sandboxed. I think it is already so. I read somewhere about a sort of isolation between iFrame and the parent document; that is: the javascript in the iFrame can only act on the iFrame's content (in modern browsers). Am I wrong?

    Monday, April 2, 2012 8:41 PM
  • According to http://msdn.microsoft.com/en-us/library/windows/apps/hh465380.aspx it is possible to load HTML in unsafe mode (do it judiciously, because you open your app as a potential security hole for a customer).

    (see also http://social.msdn.microsoft.com/Forums/en-US/winappswithhtml5/thread/54bd101e-b816-46db-bee2-91e7c9988b49/ )

     like

    var someElement = document.getElementById('someElementID');
    MSApp.execUnsafeLocalFunction(
        // Inner quotes are escaped as \' so the onclick attribute value stays intact.
        function () { someElement.innerHTML = '<div onclick="console.log(\'hi\');">hi</div>'; }
    );
    

    I just wonder if the following works:

    // myIFrame is assumed to be an existing iframe element.
    Windows.Storage.KnownFolders.documentsLibrary.getFileAsync(fileName).done(
        function (file) {
            var sampleFile = file;
            MSApp.execUnsafeLocalFunction(
                function () { myIFrame.src = sampleFile.path; }
            );
        }
    );


    Monday, April 9, 2012 4:00 PM
  • Local files have always been problematic for security, since they don't have a domain. Back in the old days they would have the "domain" of the local file system, which meant that any HTML file you run off of your hard drive could access any other file on your hard drive. There is some discussion about this here: http://blogs.msdn.com/b/ieinternals/archive/2011/03/23/understanding-local-machine-zone-lockdown-restricted-this-webpage-from-running-scripts-or-activex-controls.aspx

    I think the closest thing you could do today is read the HTML as a string using WinRT file APIs and then inline the markup.

    Cheers,

    -Jeff

    Monday, April 9, 2012 5:49 PM
  • Isn't execUnsafeLocalFunction just to perform that kind of operation like loading a local HTML as source for iFrame, or doesn't it work even in unsafe code?

    Tuesday, April 10, 2012 8:11 AM
  • execUnsafeLocalFunction() only suppresses the exception caused by assigning "unsafe" HTML via innerHTML and other mechanisms and then appending it to the DOM. The criterion for "Unsafe" is basically anything that toStaticHTML would strip out. It doesn't have any other capability such as changing the behavior of what you can iframe.

    Cheers,

    -Jeff

    Thursday, April 12, 2012 5:47 PM
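
The approach suggested in the replies above (read the user's HTML as a string with the WinRT file APIs, then inline the markup after toStaticHTML has stripped active content), written out as an added example that is not code from any poster in this thread. The function names `renderUntrustedMarkup` and `showUserHtmlFile` are hypothetical; the optional `sanitize` parameter exists only so the sanitizing step can be exercised outside a Windows Store app.

```javascript
// Added example, not from the thread. Intended for the local context of a
// Windows Store app, where toStaticHTML and Windows.Storage.* are available.

// Inline untrusted markup into `target` only after it has been sanitized.
// `sanitize` (hypothetical parameter) defaults to the platform's toStaticHTML,
// which removes script elements, inline event handlers and other active content.
function renderUntrustedMarkup(markup, target, sanitize) {
    sanitize = sanitize || (typeof toStaticHTML === "function" ? toStaticHTML : null);
    if (!sanitize) {
        // Fail closed: never fall back to assigning the raw string.
        throw new Error("no sanitizer available; refusing to inline markup");
    }
    if (typeof markup !== "string") {
        throw new TypeError("markup must be a string");
    }
    target.innerHTML = sanitize(markup);
    return target.innerHTML;
}

// Let the user pick an HTML file and show its static content in `target`.
// Relative links, images and stylesheets inside the file will not resolve,
// because only the markup text is inlined.
function showUserHtmlFile(target) {
    var picker = new Windows.Storage.Pickers.FileOpenPicker();
    picker.fileTypeFilter.replaceAll([".html", ".htm"]);
    return picker.pickSingleFileAsync().then(function (file) {
        if (!file) {
            return null; // user cancelled the picker
        }
        return Windows.Storage.FileIO.readTextAsync(file).then(function (text) {
            return renderUntrustedMarkup(text, target);
        });
    });
}
```

No call to MSApp.execUnsafeLocalFunction is needed here, because the sanitized string no longer contains anything the host would reject.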