views:

17

answers:

2

I think I may know the answer to this question but I'm actually looking for some hard evidence/link to a statement from Microsoft on why this occurs.

I have a domain name of "www.mycompany.com", which is HTTP. This page solely contains HTML with an iFrame redirecting to "application.anothercompany.com", which is HTTPS. The page that sits on "application.anothercompany.com" contains just a username and password box on the page, plus a login button.

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN"
    "http://www.w3.org/TR/html4/frameset.dtd">
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    <meta name="Author" content="">
    <meta name="ROBOTS" content="ALL">
    <meta name="description" content="">
    <meta name="keywords" content="">
    <title>My Company Name</title>

    </head>
    <frameset cols="100%,*">
    <frame frameborder="0" src="https://application.anothercompany.com/" >
    <noframes>
    <body>
    Frames not supported.
    </body>
    </noframes>
    </frameset>
    </html>

When navigating to "https://application.anothercompany.com", I can successfully log in on any browser.

When visiting "http://www.mycompany.com", I cannot log in to the other site presented in an iFrame using Internet Explorer. I can do so, however, with Safari and Firefox.

To me, I would say it's a feature of Internet Explorer to stop phishing attacks - as far as the user is aware, they are entering information at "http://www.mycompany.com", not "https://application.anothercompany.com". If it's a security feature, then fine - I can live with that.

Does this all sound correct - or is there a workaround?

To add a little more information, I've tried adding "www.mycompany.com" to trusted sites in the browser; this did not correct the problem, and disabling "Protected Mode" in Internet Explorer also failed to correct the issue.

The issue seems to appear in IE, IE7 and IE8.

I've found you can be a little cheeky with Internet Explorer: by opening a new tab, navigating to "https://application.anothercompany.com" and logging in, then returning to the "http://www.mycompany.com" site, you can then successfully log in! Though closing down and restarting IE resets all this.

Thanks Stu

A: 

As you noted this is a security feature. The user believes they are at one domain, and you are "secretly" using their credentials at another domain. (even if you aren't trying to be shady... IE plays it safe and presumes you might be phishing or similar)

Since one page is on HTTP and the other on HTTPS, your users will likely get a "Mixed Content" security warning dialog. (Side rant: the default buttons in that dialog switch between versions of IE.)

scunliffe
A: 

This is called a cross-domain request or XDR. By default it's blocked in IE7.

Here's a MS doc on the feature: http://msdn.microsoft.com/en-us/library/ms537505(VS.85).aspx#xdomain

And here's a bit of (good) Yahoo documentation on the subject, with regard to JavaScript: http://developer.yahoo.com/javascript/howto-proxy.html

As far as I know, there isn't a workaround for this security feature in IE7 -- you can only perform XDR requests by changing security settings in the browser.

nessence
@nessence - thanks man, as expected... Grrr
Strawberries and Cream