CertEnroll control won't work when hosted inside a frame/iframe in IE8

Hi all,

You may get errors like the following when using the CertEnroll control in a web page hosted inside another page's frame/iframe:

CertEnroll::CX509EnrollmentWebClassFactory::CreateObject: Unspecified error 0x80004005 (-2147467259)

CertEnroll::CX509EnrollmentWebClassFactory::CreateObject: The operation was canceled by the user. 0x800704c7 (WIN32: 1223)

This happens when accessing the web site with IE8 on Windows 7.

This is a known issue on Windows 7, and many people have already discussed it in this post of mine: How to create a certificate request with CertEnroll (JavaScript). We currently have the following ways to work around the issue:

1) Don't use frames.

2) Put the <object> tag for CertEnroll in the parent frame and access it from the child frame using window.parent.g_objClassFactory_Proxy (assuming g_objClassFactory_Proxy is the name of the object). This works as long as both URLs are in the same domain. If they are in different subdomains, you must set document.domain = "x.com" in both the child and parent frames.

3) A solution based on #2, which works both when the page is inside the frame of a parent page and when we access the page directly:

The idea is again to create the class factory object on the parent web page, and then use it from the pages in the frames. But that requires us to change the parent web page. Now, there is a way to dynamically add that object to the parent web page from the page in the frame.

We can add the following code in the page within the frame before using the class factory object:
"
    // Look for a class factory object that already exists in the top-level page.
    objCertEnrollClassFactory = top.document.getElementById("g_objClassFactory_Proxy");
    if (objCertEnrollClassFactory == null)
    {
        // Not there yet: add the <object> tag to the top-level page, then use it from here.
        top.document.body.insertAdjacentHTML("afterBegin","<object id=\"g_objClassFactory_Proxy\" classid=\"clsid:884e2049-217d-11da-b2a4-000e7bbb2b09\" height=0 width=0></object>");
        objCertEnrollClassFactory = top.g_objClassFactory_Proxy;
    }
"
Then we can remove this from that page:
"
  <object id="objCertEnrollClassFactory" classid="clsid:884e2049-217d-11da-b2a4-000e7bbb2b09"></object>   
"

Note this solution suffers from the same limitation as #2: the URLs must be on the same domain; otherwise we will get an Access Denied error when accessing the object from the parent frame.
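
As an added example (not code from the original post), the lookup from workaround #3 can be wrapped so that the cross-domain Access Denied case is reported to the caller instead of breaking the page. getCertEnrollFactory, fakeWindow and the returned fields are hypothetical names, and fakeWindow is a constructed stand-in for a browser window so the logic can be run outside IE.

```javascript
// Added example. FACTORY_ID and the CLSID come from the post; every other name is hypothetical.
var FACTORY_ID = "g_objClassFactory_Proxy";
var FACTORY_CLSID = "clsid:884e2049-217d-11da-b2a4-000e7bbb2b09";

// Returns { factory, source, error }; source is "existing", "injected" or "unavailable".
function getCertEnrollFactory(win) {
    var topDoc;
    try {
        // Reading top.document throws when the top page is on another domain.
        topDoc = win.top.document;
    } catch (e) {
        return { factory: null, source: "unavailable", error: e.message };
    }
    var factory = topDoc.getElementById(FACTORY_ID);
    if (factory) {
        return { factory: factory, source: "existing", error: null };
    }
    // Not there yet: create it in the top page, as in workaround #3.
    topDoc.body.insertAdjacentHTML("afterBegin",
        "<object id=\"" + FACTORY_ID + "\" classid=\"" + FACTORY_CLSID +
        "\" height=0 width=0></object>");
    factory = topDoc.getElementById(FACTORY_ID);
    if (!factory) {
        return { factory: null, source: "unavailable", error: "object was not created" };
    }
    return { factory: factory, source: "injected", error: null };
}

// Constructed stand-in for a browser window, so the logic can be exercised outside IE.
function fakeWindow(sameDomain, hasFactory) {
    var elements = {};
    if (hasFactory) { elements[FACTORY_ID] = { id: FACTORY_ID }; }
    var doc = {
        getElementById: function (id) { return elements[id] || null; },
        body: { insertAdjacentHTML: function (where, html) {
            var m = /id="([^"]+)"/.exec(html);
            if (m) { elements[m[1]] = { id: m[1] }; }
        } }
    };
    var top = {};
    Object.defineProperty(top, "document", { get: function () {
        if (!sameDomain) { throw new Error("Access is denied."); }
        return doc;
    } });
    return { top: top };
}
```

In the framed page, call getCertEnrollFactory(window) and only go on to CreateObject when source is not "unavailable".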

I hope this helps.

Regards,

Alex (Alejandro Campos Magencio)