permissions to load a local Html file into iFrame


  • Hello,

    I would like to know what permissions and other settings I have to put in the manifest file to make my app able to load a local Html file into an iFrame.

    Thanks in advance.

    Sunday, April 01, 2012 12:59 PM

All replies

  • Reference your local html file like this:

     <iframe id="myIframe" src="ms-appx-web:///myLocalPage.html"></iframe>

    The default manifest capability (Internet (Client)) seems to work.

    Sunday, April 01, 2012 5:15 PM
  • I create the iFrame programmatically from javascript code:

     iFrame = document.createElement("iFrame");
     iFrame.id = "idframe";
     iFrame.src = "file:///" + basePath + fileName;

    I get the following error:
    APPHOST9607: The App Host can't launch the URI at file:///I:/...........filename.html due to the following error: -2147024846.

    Sunday, April 01, 2012 5:41 PM
  • This works for a file that is local to your application:

    var iFrame = document.createElement("iFrame");
    iFrame.id = "iFrame";
    iFrame.src = "ms-appx-web:///" + fileName;

    • Edited by jrboddie Sunday, April 01, 2012 10:04 PM
    • Proposed as answer by The Mighty Duck Monday, April 02, 2012 10:10 PM
    • Marked as answer by Bob_Bao Monday, April 30, 2012 8:18 AM
    • Unmarked as answer by Bob_Bao Monday, April 30, 2012 8:19 AM
    Sunday, April 01, 2012 9:59 PM
  • Thank you.

    Unfortunately I need to load a local html file from the user. So I need to ask for permissions, I think, and then put the file in a suitable place (Documents?)

    Monday, April 02, 2012 7:47 AM
  • I could not do it either.

    It is either a security restriction or some magic is required that, if documented, is deeply hidden.

    Monday, April 02, 2012 5:53 PM
  • For what it's worth, I just tried this for iframing content inside your app's data directory:

    function foo() {
        WinJS.Application.local.writeText("foo.html", "hello world").then(function (c) {
            var iframe = document.createElement("iframe");
            iframe.src = WinJS.Application.local.folder.path + "\\foo.html";
            // attach the frame so that it attempts the load
            document.body.appendChild(iframe);
        });
    }

    But got a host security error in the JS Console when I ran it. I think it's pretty safe to say that you can't directly iframe anything that's not in your package or on the web. This sorta makes sense, as even if you did load the content inside the web context for safety, the local HTML file would still have the chance to execute arbitrary JS code.

    I'm guessing you have documentation or something on the local machine you want the user to be able to see inside the app itself?



    Monday, April 02, 2012 8:13 PM
  • Hi, thank you.

    Excuse me but I think that it would be enough that the iFrame is somehow sandboxed. I think it is already so. I read somewhere about a sort of isolation between iFrame and the parent document; that is: the javascript in the iFrame can only act on the iFrame's content (in modern browsers). Am I wrong?

    Monday, April 02, 2012 8:41 PM
    According to http://msdn.microsoft.com/en-us/library/windows/apps/hh465380.aspx it is possible to load HTML in unsafe mode (Do it judiciously because you open your app as a potential security hole for a customer)

    (see also http://social.msdn.microsoft.com/Forums/en-US/winappswithhtml5/thread/54bd101e-b816-46db-bee2-91e7c9988b49/ )


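    var someElement = document.getElementById('someElementID');
    // execUnsafeLocalFunction lets the unsafe markup (the onclick handler) through innerHTML
    MSApp.execUnsafeLocalFunction(function () { someElement.innerHTML = '<div onclick="console.log(\'hi\');">hi</div>'; });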

    I just wonder if the following works:

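    // callback that receives the file (the name is hypothetical; the post shows only the callback)
    function onFile(file) {
        var sampleFile = file;
        MSApp.execUnsafeLocalFunction(function () { myIFrame.src = sampleFile.path; });
    }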

    Monday, April 09, 2012 4:00 PM
  • Local files have always been problematic for security, since they don't have a domain. Back in the old days they would have the "domain" of the local file system, which meant that any HTML file you run off of your hard drive could access any other file on your hard drive. There is some discussion about this here: http://blogs.msdn.com/b/ieinternals/archive/2011/03/23/understanding-local-machine-zone-lockdown-restricted-this-webpage-from-running-scripts-or-activex-controls.aspx

    I think the closest thing you could do today is read the HTML as a string using WinRT file APIs and then inline the markup.



    Monday, April 09, 2012 5:49 PM
  • Isn't 


    just to perform that kind of operation like loading a local HTML as source for iFrame, or doesn't it work even in unsafe code?

    Tuesday, April 10, 2012 8:11 AM
    execUnsafeLocalFunction() only suppresses the exception caused by assigning "unsafe" HTML via innerHTML and other mechanisms and then appending it to the DOM. The criterion for "unsafe" is basically anything that toStaticHTML would strip out. It doesn't have any other capability such as changing the behavior of what you can iframe.



    Thursday, April 12, 2012 5:47 PM
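
The inlining approach suggested in the thread (read the file as a string with the WinRT file APIs, then insert the markup), filtered through toStaticHTML as described in the last reply, written out as an added example that is not part of the original thread. The names showLocalHtml, toInertMarkup and escapeHtml and the host element are hypothetical; the code assumes a Windows Store JavaScript app where Windows.Storage.FileIO and the toStaticHTML global exist, and falls back to showing the file as escaped text anywhere else.

```javascript
// Added example, not code from the thread.

// Fallback when no sanitizer exists: render the file as inert text.
function escapeHtml(text) {
    var map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
    return String(text).replace(/[&<>"']/g, function (ch) { return map[ch]; });
}

// Returns markup that is safe to assign to innerHTML without
// MSApp.execUnsafeLocalFunction: script and event handlers are stripped
// (toStaticHTML) or the whole file is escaped (fallback).
function toInertMarkup(markup, sanitize) {
    if (typeof sanitize !== "function") {
        sanitize = (typeof toStaticHTML === "function") ? toStaticHTML : escapeHtml;
    }
    return sanitize(markup);
}

// file: a StorageFile the user selected (assumption: obtained elsewhere,
//       for example from a file picker).
// hostElement: a container element in the app page (hypothetical).
// readText: optional override, used here only so the example runs offline.
function showLocalHtml(file, hostElement, readText) {
    readText = readText || function (f) {
        return Windows.Storage.FileIO.readTextAsync(f);
    };
    return readText(file).then(function (markup) {
        // Only filtered markup ever reaches the DOM.
        hostElement.innerHTML = toInertMarkup(markup);
        return hostElement.innerHTML;
    });
}
```

Relative links, images and stylesheets in the inlined file resolve against the app page, not against the folder the file came from.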