I would like to create an <iframe> on the page, but then add the src later. If I make an iframe without an src attribute, then it loads the current page in some browsers. What is the correct value to set for the src so that it just loads a blank iframe?
The answers I've seen are:
about:blankjavascript:falsejavascript:void(0)javascript:"";- url to a blank page
Is there a clear winner? If not, what are the tradeoffs?
I'd like to not have mixed content warnings for HTTPS urls, nor any back-button, history, or reload weirdness in all browsers from IE6 onward.
-
possible duplicate of iFrame src something other than javascript:false but same effectPekka– Pekka2010年11月26日 10:51:46 +00:00Commented Nov 26, 2010 at 10:51
-
1You could create the iframe at the moment you have the src available, to avoid this issue. Would that work?Ioannis Karadimas– Ioannis Karadimas2010年11月26日 10:52:33 +00:00Commented Nov 26, 2010 at 10:52
-
3That question was asking for prettier way to write "javascript:false". I don't care how ugly the line is, I want the functionality. And the accepted answer was a url to a blank page which pays an HTTP round-trip which seems worse than being able to avoid that.Paul Tarjan– Paul Tarjan2010年11月26日 10:54:15 +00:00Commented Nov 26, 2010 at 10:54
-
@Ioannis no, it is a long story, but assume I need the iframe on the page, then the url will be populated later.Paul Tarjan– Paul Tarjan2010年11月26日 10:55:15 +00:00Commented Nov 26, 2010 at 10:55
10 Answers 10
Not sure if all browsers support "about:blank", so I'd just go with your own blank page then.
Another idea: Why not add the whole iframe using javascript instead of just the src?
3 Comments
Standard approach when creating an "empty" iframe (as an iframe shim, for example), is to set the src as javascript:false;. This is the method used by most of the JavaScript libraries that create iframe shims for you (e.g. YUI's Overlay).
3 Comments
Content-Security-Policy header. Therefore please don't use this in scripts that you expect other parties to include in their sites.javascript:false is being reported as an unsafe script-src directive when using Facebook SDK. (I believe that about:blank may be the preferred method to use.)What about
about:blank
4 Comments
javascript:, you can't rely on every client interpreting it correctlyRe your comment clarifying that you're planning to use the iframe as the target for a form submission:
I would use an empty document on the server that sends back a 204 no content.
It avoids
- "mixed content" warnings in IE and HTTPS mode
- Unnecessary errors because a client doesn't understand the
javascript:protocol - and other exotic shenanigans.
It's also valid HTML.
So what if it generates an extra request? Set the caching headers right, and there will be only one request for each client.
3 Comments
about:blank which works in most browsersonload event to be fired on the iframe in some browsers, so this may not be the best approach if someone is looking to hook into that event.javascript:false:
IE10 and FF (checked in v23 in Linux) will show 'false' as content.
javascript:void(0) && javascript:;:
IE will show 'cannot display the webpage' error in the iframe. Also, when setting the src from a valid url to javascript:void(0), the page will not get blank.
about:blank:
Works in all browsers but IE 9 sends an request to the server with path "null". Still the best bet IMO
Checkout http://jsfiddle.net/eybDj/1
Checkout http://jsfiddle.net/sv_in/gRU3V/ to see how iframe src changes on dynamic updation with JS
Comments
javascript:false works in modern browsers.
What I've seen is that this only "fails" when dumb spiders try to load javascript:false as a page.
Solution: Block the dumb spiders.
2 Comments
Content-Security-Policy header. Therefore please don't use this in scripts that you expect other parties to include in their sites.As I posted in this question: Is an empty iframe src valid?, it looks acceptable to just leave out the src= attribute completely.
Comments
IMO: if you don't put the src, your page won't validate. But's about it. If you put a src="", your server will log many 404 errors.
Nothing is really wrong as in "damaging". But then, is it actually not wrong to use an iframe in itself?
°-
Comments
Yes, I know I'm reviving an old thread. Sue me. I'm interested in the answer.
I don't understand why having the trigger being a form submit precludes dynamically creating the IFrame. Does this not do exactly what you want?
<html>
<head>
<script type="text/javascript">
function setIFrame(elemName, target, width, height) {
document.getElementById(elemName).innerHTML="<iframe width="+width+" height="+height+" src='"+target+"'></iframe>";
}
</script>
</head>
<body>
<div id="iframe" style="width:400px; height:200px"></div>
<form onSubmit="setIFrame('iframe', 'http://www.google.com', 400, 200); return false;">
<input type="submit" value="Set IFrame"/>
</form>
</body>
</html>
2 Comments
src will be known (see comment history to the question itself).I run into this line of code:
iframe.setAttribute("src", "javascript:false");
as well. I wanted to remove javascript:URL.
Found this note from the Web Hypertext Application Technology Working Group [Updated 2 October 2019]
The otherwise steps for iframe or frame elements are as follows:
If the element has no src attribute specified, or its value is the empty string, let url be the URL "about:blank".