IE post to iframe in HTA opens a new window

Question

There are a lot of posts about this topic but most of them are because IE doesn't set the attribute name dynamically.

I'm having a different trouble: I post a form (created dynamically) with an iframe as target. The first time it works great. Then I do it for a second time and IE opens a new window with the result of form's submission. I'm pretty sure it has to do with security issues because: if I create a simple HTML file (instead of a HTA) it works great. Also, if I run the same file that doesn't work locally (http://local.host/test.hta) it works great.

Any clue of whats going on or how can I fix it? Sadly its legacy code and I can't avoid using HTA or iframes and form submiting.

Here its the simple code:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <HTA:APPLICATION 
        ID="oHTAGeneral_v5" 
        APPLICATIONNAME="TEST"
        ICON='Img/icono.ico'
        SCROLL="no"
        SINGLEINSTANCE="yes"
        SELECTION='yes'
        NAVIGABLE='yes'
        SHOWINTASKBAR='Yes'
        WINDOWSTATE='normal' />
        <script type="text/javascript" src="http://code.jquery.com/jquery-1.2.6.min.js"></script>
        <script type="text/javascript">
            $(function() {

                var url = "http://www.some-url.com/",
                    first = true;

                $("#frame").unbind("load");
                $("#frame").load(function(){

                    if (first) {
                        first = false;
                        $("#frame")[0].contentWindow.document.cookie  = "testCookie=dummyValue";
                        $("<form></form>")
                            .attr("target", "frame").attr("method", "POST").attr("action", url)
                            .css("display", "none")
                            .appendTo($(document.body))
                            .append('<input type="hidden" name="dummy" value="dummy" />')
                            .submit();
                        return;
                    }

                    // Other stuff

                });

                $("<form></form>")
                    .attr("target", "frame").attr("method", "POST").attr("action", url)
                    .css("display", "none")
                    .appendTo($(document.body))
                    .append('<input type="hidden" name="dummy" value="dummy" />')
                    .submit();
            });
        </script>
    </head>
    <body>
        <iframe id="frame" name="frame" width="200" height="50"></iframe>
    </body>
</html>

Answer 1

You can try to use application="yes" attribute within iframe tag. Iframes without the said attribute are considered as unsafe in HTA, and all interaction between iframe and main window is blocked.