PRB: Permission Denied Accessing Web Browser Control in HTML (176789)


The information in this article applies to:

  • Microsoft Internet Explorer (Programming) 4.0
  • Microsoft Internet Explorer (Programming) 4.01
This article was previously published under Q176789

SYMPTOMS

When scripting a WebBrowser control that has been embedded in an HTML page, attempts to use any standard WebBrowser Control methods or properties fail with a "Permission Denied" scripting error.

CAUSE

Because of cross-frame security restrictions, any attempt to access the WebBrowser control from script automatically fails after the control has been set to browse a page in a different security context from the page hosting the control.

RESOLUTION

Replace any references to the WebBrowser control with an IFRAME tag. The IFRAME, for all intents and purposes, functions in the same manner as the WebBrowser control and can be positioned on a page. See the MORE INFORMATION below for an example of how to do this.

STATUS

This behavior is by design.

MORE INFORMATION

Please note that this article discusses only the use of the WebBrowser control directly in an HTML page with the <OBJECT> tag and script.

Steps to Reproduce Behavior

The following HTML page reproduces this problem: 
   <HTML>
   <HEAD>
   <SCRIPT LANGUAGE="VBScript>
   <!--
   Sub window_onload()

      WebBrowser1.Navigate"

<WWLINK TYPE="GENERIC" VALUE="http://www.microsoft.com"">http://www.microsoft.com"</WWLINK>

   end sub
   Sub document_onmousedown()
      WebBrowser1.Navigate "<WWLINK TYPE="GENERIC" VALUE="http://testserver1"">http://testserver1"</WWLINK>
   end sub
   -->
   </SCRIPT>
   <TITLE>WebBrowser Control in HTML</TITLE>
   </HEAD>
   <BODY>
      <OBJECT ID="WebBrowser1" WIDTH=332 HEIGHT=276
         CLASSID="CLSID:8856F961-340A-11D0-A96B-00C04FD705A2">
         <PARAM NAME="ExtentX" VALUE="8784">
         <PARAM NAME="ExtentY" VALUE="7303">
         <PARAM NAME="ViewMode" VALUE="1">
         <PARAM NAME="Offline" VALUE="0">
         <PARAM NAME="Silent" VALUE="0">
         <PARAM NAME="RegisterAsBrowser" VALUE="0">
         <PARAM NAME="RegisterAsDropTarget" VALUE="0">
         <PARAM NAME="AutoArrange" VALUE="1">
         <PARAM NAME="NoClientEdge" VALUE="1">
         <PARAM NAME="AlignLeft" VALUE="0">
      </OBJECT>
   </BODY>
   </HTML>
When this example page is loaded in Internet Explorer 4.0 (IE4), the "window_onload" event handler navigates the embedded WebBrowser control to:

http://www.microsoft.com.

Assuming that this example page is stored on the local system and is accessed via "file://," the embedded WebBrowser control is now hosting a document from a domain and protocol that is different than the parent page. This is analogous to using an IFRAME inside an HTML page, where the IFRAME src property points to a document on another domain.

At this point, unlike with an IFRAME, any and all script access to the "WebBrowser1" object fails with the "Permission Denied" message box. With an IFRAME, certain properties and methods are safe to use in a cross-frame security situation. If the "document_onmousedown" event is fired in the above example by clicking the mouse button on the page, Internet Explorer 4.0 displays a "Permission Denied" message box.

Here is the preferred substitute HTML page that is roughly equivalent to the example above: 

   <HTML>
   <HEAD>
   <SCRIPT LANGUAGE="VBScript">
   <!--
   Sub window_onload()
      window.frames(0).location.href = "<WWLINK TYPE="GENERIC" VALUE="http://www.microsoft.com"">http://www.microsoft.com"</WWLINK>

   end sub
   Sub document_onmousedown()
      window.frames(0).location.href = "<WWLINK TYPE="GENERIC" VALUE="http://testserver1"">http://testserver1"</WWLINK>
   end sub
   -->
   </SCRIPT>
   <TITLE>WebBrowser Control in HTML</TITLE>
   </HEAD>
   <BODY>
      <IFRAME ID="TestFrame1" WIDTH=332 HEIGHT=276>
   </BODY>
   </HTML>
</WWCODE>
In this example, the event handler for "document_onmousedown" succeeds because cross-frame security permits setting the src property but not reading it.

REFERENCES

For additional information about Cross-Frame Security, please see the following article in the Microsoft Knowledge Base:

167796 "Permission Denied" When Scripting Across Frames

Modification Type:MinorLast Reviewed:3/16/2005
Keywords:kbDSupport kbFAQ kbprb kbWebBrowser KB176789
©2004 Microsoft Corporation. All rights reserved.