IE 8 script injection and http[S]

[Richard Maher]

Hi,

Can anyone confirm that IE 8 prevents a page that was loaded via httpS from
injecting a script (createElement, appendChild etc) by throwing an
"Operation aborted" exception when trying to set the src attribute to a
HTTP*no*S URL?

I know it's probably a very sensible thing to do and this is only happening
at the moment as we haven't teed-up a certificate for our test server, but
if someone could just confirm the behaviour (or other explanation then
that'd be great.

BTW. Chrome, FF, IE<8 and IE 8 in compatibility mode all do not have an
issue.

Cheers Richard Maher

PS. My colleague found the ONERROR event handler today which is a very
useful, yet seldom talked about, weapon in the injection/callback arsenal.

 

[David Mark]

Hi,

Can anyone confirm that IE 8 prevents a page that was loaded via httpS from
injecting a script (createElement, appendChild etc) by throwing an
"Operation aborted" exception when trying to set the src attribute to a
HTTP*no*S URL?

I cannot, but I haven't tried. I wouldn't put anything past MS.

I know it's probably a very sensible thing to do and this is only happening
at the moment as we haven't teed-up a certificate for our test server, but
if someone could just confirm the behaviour (or other explanation then
that'd be great.

I don't know how sensible it is.

BTW. Chrome, FF, IE<8 and IE 8 in compatibility mode all do not have an
issue.
[...]


PS. My colleague found the ONERROR event handler today which is a very
useful, yet seldom talked about, weapon in the injection/callback arsenal..

It certainly is _not_.

 

[Richard Maher]

Hi David,

arsenal.
It certainly is _not_.

Seeing as it's coming up to pantomime season in the UK, let me just say "Oh
yes it is!" Unless of course you like polling, don't care whether a
script loaded or not, or are cunningly clever enough to have found another
way (outside of IE) to tell wehn a script failed to load.

Cheers Richard Maher

Hi,

Can anyone confirm that IE 8 prevents a page that was loaded via httpS from
injecting a script (createElement, appendChild etc) by throwing an
"Operation aborted" exception when trying to set the src attribute to a
HTTP*no*S URL?

I cannot, but I haven't tried. I wouldn't put anything past MS.

I know it's probably a very sensible thing to do and this is only happening
at the moment as we haven't teed-up a certificate for our test server, but
if someone could just confirm the behaviour (or other explanation then
that'd be great.

I don't know how sensible it is.

BTW. Chrome, FF, IE<8 and IE 8 in compatibility mode all do not have an
issue.
[...]


PS. My colleague found the ONERROR event handler today which is a very
useful, yet seldom talked about, weapon in the injection/callback arsenal.

It certainly is _not_.

 

[David Mark]

Hi David,




Seeing as it's coming up to pantomime season in the UK, let me just say "Oh
yes it is!" Unless of course you like polling, don't care whether a
script loaded or not, or are cunningly clever enough to have found another
way (outside of IE) to tell wehn a script failed to load.

It is very easy to determine if a script has loaded (in any browser)
and it certainly doesn't involve the onerror property. Use callbacks.

 

[Richard Maher]

Hi David,

It is very easy to determine if a script has loaded (in any browser)
and it certainly doesn't involve the onerror property. Use callbacks.

Umm, the "callback" doesn't get called because there was some error loading
the script (or SiteMinder SSO etc substitutes a logon screen) how do you
discover that has happened?

Cheers Richard Maher

Hi David,




Seeing as it's coming up to pantomime season in the UK, let me just say "Oh
yes it is!" Unless of course you like polling, don't care whether a
script loaded or not, or are cunningly clever enough to have found another
way (outside of IE) to tell wehn a script failed to load.

It is very easy to determine if a script has loaded (in any browser)
and it certainly doesn't involve the onerror property. Use callbacks.

 

[David Mark]

Hi David,


Umm, the "callback" doesn't get called because there was some error loading
the script (or SiteMinder SSO etc substitutes a logon screen) how do you
discover that has happened?

You don't. So you design your app accordingly.

What happens when a firewall strips out one or more of your scripts?
If your design is sound, nothing. If not, disaster. Same concept
here.