Home/ Questions/Q 1021201
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-16T11:16:31+00:00

I think I may know the answer to this question but I’m actually looking

  • 0

I think I may know the answer to this question but I’m actually looking for some hard evidence/link to a statement from Microsoft on why this occurs.

I have a domain name of “www.mycompany.com”, which is HTTP. This page soley contains HTML with an iFrame redirecting to “application.anothercompany.com”, which is HTTPS. The page that sits on “application.anothercompany.com” contains just a username and password box on the page, plus a login button.

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN"
    "http://www.w3.org/TR/html4/frameset.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Author" content="">
<meta name="ROBOTS" content="ALL">
<meta name="description" content="">
<meta name="keywords" content="">
<title>My Company Name</title>

</head>
<frameset cols="100%,*">
<frame frameborder="0" src="https://application.anothercompany.com/" >
<noframes>
<body>
Frames not supported.
</body>
</noframes>
</frameset>
</html>

When navigating to “https://application.anothercompany.com“, I can successfully login on any browser.

When visiting “http://www.mycompany.com“, I cannot login to the other site, presented in an iFrame using Internet Explorer. I can do so however with Safari and Firefox.

To me, I would say it’s a feature of Internet Explorer to stop phishing attacks – as far as the user is aware they entering information at “http://www.mycompany.com“, not “https://application.anothercompany.com“. If it’s a security feature, then fine – I can live with that.

Does this all sound correct – or is there a workaround?

To add a little more information, I’ve tried adding the “www.mycompany.com” to trusted sites on the browser, this did not correct the problem and disabling “Protected Mode” in Internet Explorer also failed to correct the issue.

The issue seems to appear in IE, IE7 and IE8.

I’ve found you can be a little cheeky with Internet Explorer, by opening a new tab, navigating to “https://application.anothercompany.com” and logging in – then returning to the “http://www.mycompany.com” site you can then successfully login! Though closing down and restarting IE resets all this.

Thanks
Stu

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    This is called a cross-domain request or XDR. By default it’s blocked in IE7.

    Here’s a MS doc on the feature:
    http://msdn.microsoft.com/en-us/library/ms537505(VS.85).aspx#xdomain

    And here’s a bit of (good) Yahoo documentation on the subject, with regard to JavaScript:
    http://developer.yahoo.com/javascript/howto-proxy.html

    As far as I know, there isn’t a workaround for this security feature in IE7 — you can only perform XDR requests by changing security settings in the browser.

    • 0