It's been a while since my last post; I have been busy playing with a bunch of beta bits from Microsoft and building great XRM solutions on Microsoft Dynamics CRM.
Recently I noticed that a few of our developers were in the habit of defaulting the URLs of custom CRM Form IFRAMEs to “about:blank” and then programmatically setting the URL using JavaScript based on some business rules. This approach makes perfect sense when the URL must be calculated, and “about:blank” has the slight performance benefit of not making any unneeded requests to the server. This is actually a very common practice; I think even some samples from Microsoft make reference to this. Unfortunately, this approach doesn’t work so well when your CRM site is being served over HTTPS. Let me explain why and what I consider to be a much better “best practice”.
Some background – What is “About:Blank”?
Traditionally, the About:Blank feature should load an empty HTML document into the browser. This should be done without a hit to the local cache or the remote server. (A Fiddler log will simply show HTTP – 200). Once upon a time, since the About URI Scheme came from the browser itself, the pages it loaded were generally trusted and would not trigger security warnings. Unfortunately, over the years hackers, malware applications and the like exploited this feature and as such browsers are rightfully not so trusting any more.
Why is this a problem?
The problem here is that when your page, say “/sfa/accts/edit.aspx”, is being served over HTTPS and it loads an IFRAME that tries to call “about:blank”, the two sites load in different Internet Explorer Zones. The CRM site over HTTPS is probably in the “Trusted Sites” zone, while (depending on your customer’s configuration) About:Blank will show up in “Restricted Sites” or at least something that isn’t HTTPS. Either way, your users are going to get some kind of warning about mixed zones or mixed encryption levels. The error might look something like this:
What is the workaround?
So, for those situations where you want to default your IFRAME to “nothing” so you can set it later programmatically, I recommend that you point your IFRAMEs to this instead: /_static/blank.htm
Notice that the path here is relative and rooted, so it will work regardless of how your CRM site is hosted (HTTPS vs. HTTP or even qa.crm.company.com vs. dev.crm.company.com) and since CRM has enabled HTTP Content-Expiration on this file, it will only be downloaded once.
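One way to apply the same rule when the URL is later set from script, as an added example that is not part of the original post: resolve the candidate against the form page's own URL and fall back to /_static/blank.htm whenever the result would not load under the page's scheme. The function names and the sample URLs other than /_static/blank.htm are assumptions.

```javascript
// Added example (not from the original post). Only BLANK_PAGE comes from the
// post; the function names are hypothetical.
const BLANK_PAGE = '/_static/blank.htm';

// Resolve `candidate` against the URL of the hosting CRM form page.
// Returns an absolute URL that shares the page's security context,
// or the rooted blank page on the same host when it would not.
function resolveFrameUrl(pageUrl, candidate) {
  const page = new URL(pageUrl);
  const fallback = new URL(BLANK_PAGE, page).href;
  if (!candidate) return fallback;

  let target;
  try {
    // Rooted relative paths inherit the page's scheme and host here.
    target = new URL(candidate, page);
  } catch (e) {
    return fallback; // unparseable input
  }

  // about:, javascript:, data: and similar schemes do not load in the
  // page's zone, which is what triggers the warning described above.
  if (target.protocol !== 'http:' && target.protocol !== 'https:') {
    return fallback;
  }
  // An HTTPS form must not embed plain-HTTP content.
  if (page.protocol === 'https:' && target.protocol !== 'https:') {
    return fallback;
  }
  return target.href;
}

// Business-rule wrapper: `frame` is any object with a `src` property,
// for example the IFRAME element on the form.
function setFrameSource(frame, pageUrl, candidate) {
  frame.src = resolveFrameUrl(pageUrl, candidate);
  return frame.src;
}
```

In a form script, `pageUrl` would be `window.location.href` and `candidate` the URL your business rules calculated.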
Cheers,
This posting is provided "AS IS" with no warranties, and confers no rights.