I am converting code from using signed JAR files to using an XULRunner based applications. I am having trouble with code that loads an iframe with html content stored in a javascript variable.
The code looks like this:
var doc = iframe.contentDocument;
doc.open();
doc.write(html);
doc.close();
The iframe has type="content". As is, in XULRunner I get an exception in the doc.open() call:
[Exception... "The operation is insecure."
code: "18"
nsresult: "0x80530012 (SecurityError)"
location: "chrome://ec4main/content/apps/newsfeedtest/lib.js Line: 938"]
If I change the iframe to type="chrome", then it works but this seems like a bad idea because the HTML is not always trusted content.
You should use data URLs instead of document.write() (which is indeed insecure and not recommendable):
var wnd = iframe.contentWindow;
wnd.location.href = "data:text/html;charset=utf-8," + encodeURIComponent(html);