Decrypt my World

Cryptography, Security, Debugging and more!

CertEnroll control won't work when hosted inside a frame/iframe in IE8

CertEnroll control won't work when hosted inside a frame/iframe in IE8

  • Comments 4

Hi all,

You may get errors like the following when using CertEnroll control in a web page hosted inside another page's frame/iframe:

CertEnroll::CX509EnrollmentWebClassFactory::CreateObject: Unspecified error 0x80004005 (-2147467259)

CertEnroll::CX509EnrollmentWebClassFactory::CreateObject: The operation was canceled by the user. 0x800704c7 (WIN32: 1223)

This happens when accessing the web site with IE8 on a Windows 7.

This is a known issue on Windows 7, and many people already talked about it in this post of mine: How to create a certificate request with CertEnroll (JavaScript). We currently have the following ways to workaround the issue:

1) Don't use frames.

2) Put <object> tag for CertEnroll in parent frame and access it from the child frame using window.parent.g_objClassFactory_Proxy (assuming g_objClassFactory_Proxy is the name of the object, and as long as both urls are in the same domain. If they are in different subdomains then you must use document.domain = "x.com" in both the child and parent frames).

3) A solution based in #2 which will work if the page is within the frame of a parent page and also if we access the page directly:

The idea is again to create the class factory object on the parent web page, and then use it from the pages in the frames. But that requires us to change the parent web page. Now, there is way to dynamically add that object in the parent web page from the page in the frame.

We can add the following code in the page within the frame before using the class factory object:
"
    objCertEnrollClassFactory = top.document.getElementById("g_objClassFactory_Proxy");
    if (objCertEnrollClassFactory == null)
    {
        top.document.body.insertAdjacentHTML("afterBegin","<object id=\"g_objClassFactory_Proxy\" classid=\"clsid:884e2049-217d-11da-b2a4-000e7bbb2b09\" height=0 width=0></object>");
    objCertEnrollClassFactory = top.g_objClassFactory_Proxy;
    }
"
Then we can remove this from that page:
"
  <object id="objCertEnrollClassFactory" classid="clsid:884e2049-217d-11da-b2a4-000e7bbb2b09"></object>   
"

Note this solution suffers from the same limitation as #2: urls must be on the same domain, otherwise we will get an Access Denied when accessing the object from the parent frame.

 

I hope this helps.

Regards,

 

Alex (Alejandro Campos Magencio)

  • Good news!!! There is a fix available for this already. Check this post of mine:

    CertEnroll control won't work when hosted inside a frame/iframe in IE8 (FIX)

    blogs.msdn.com/.../certenroll-control-won-t-work-when-hosted-inside-a-frame-iframe-in-ie8-fix.aspx

  • FWIW, this has nothing to do with IE8, and everything to do with the fact that the control is the version on Windows 7. See blogs.msdn.com/.../certificate-enrollment-xenroll-vs-certenroll-activex-object.aspx for discussion of other restrictions.

  • Eric, you are right. As I said in the post, this is an issue on Windows 7 itself, and not on IE8. The title of the post mentions IE8 because that is what my customers reported. To tell you the truth, I haven't tried on IE7 or earlier to see if certenroll also fails the same way. Anyway, issue is fixed now as I commented above.

    Cheers,

    Alex

  • This fix wont work anymore on IE10 and 11 on Windows 7 and 8.

    It seems that insertAdjacentHTML wont add the required object dynamically on the top frame. In fact, even if I hardcode it on the main frame, I cant access it by getElementById.

    Does anyone experienced the same problem?

Page 1 of 1 (4 items)
Leave a Comment
  • Please add 8 and 6 and type the answer here:
  • Post
Translate This Page