IE6 iframe with no src over SSL solution

[This originally appeared on my dev2dev blog 9-Nov-2007]

The WLS Admin Console is not yet using an ajax library but it does do a few asynchronous things with an iframe. The iframe had the src attribute pointing to an empty html file. I didn’t like this wasteful and pointless round trip to the server so I removed the src attribute.

Then someone testing over SSL on IE6 rightly complained that the browser was giving a “This page contains both secure and nonsecure items” warning message.

Turns out that IE6 has a problem with iframes without the src attribute. This has been fixed in IE7. Some people recommend always using a src attribute but I’m trying to squeeze every bit of performance I can out of Console.

I thought I found the solution here. Looks like dojo solved the problem using src=”javascript:false”. This does make IE6 happy but now I get a JavaScript error in Firefox. The error I got was “Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIChannel.open]”

I started wondering if dynamically adding the iframe would solve the problem (I still don’t know). Adding to the DOM the right way means updating the DOM as soon as it is ready. All the ajax libraries support some kind of onDOMReady event but as I said we’re not yet using a library. This got me wondering how onDOMReady works so I started searching and found Dean Edwards solution and more explanation – a very interesting read. Something in one of the code snippets caught my eye – a script element with src=javascript:void(0). The intent is to use a deferred script element without actually loading an external file to detect when the DOM is ready in IE. This gave me the right incantation for my iframe problem.

The final solution that makes IE6, IE7, and Firefox happy is src=”javascript:void(0)”. The void operator returns undefined which is quite different from false. This is a standard technique for the anchor href attribute so it makes sense that it would work in this context also.

[Update 6-Feb-08 It seems a recent Microsoft security update (around Nov-07) has made the IE6 problem worse. The solution given in this article does not work after IE6 is updated. IE6, after the update, considers src=”javascript:void(0)” to be non-secure content.

Now the only solution I know of is to dynamically add the iframe to the document with a src attribute. I’m now doing this
and it works fine]