Welcome to the official BlackBerry Support Community Forums.

This is your resource to discuss support topics with your peers, and learn from each other.

inside custom component

Web and WebWorks Development

Local JavaScript files are blocked when loaded from within an iframe.

by Retired on ‎12-12-2013 08:16 AM (2,255 Views)


If you are using an iframe to load content (for example, from a secure web server, "https://"), you will notice that starting with OS 10.2, your local JavaScript files are being blocked, and the following error appears in the Web Inspector Console:


[blocked] The page at https://xxx.yyy.com/child.html ran insecure content from local:///js/custom.js"


This is by design and complies with web security standards. This happens because you are attempting to load files accross protocols (https:// to local://).


The solution is using the secure window.postMessage() function to communicate between the iframe and parent page, without stepping on the cross-protocol boundaries.



The flow is as follows:

//Load the local JS file in the parent window (typically index.html)
<script src="inject.js" type="text/javascript"></script>

//The parent window (typically index.html), listens for messages using:
window.onmessage = function(message) {
  if (message.data === "showAlert")

//Inside the window loaded by the iframe, we need to trigger a function from inject.js, this is done by passing a message to the parent
parent.postMessage("showAlert", "*");

//Note the "*" indicates that you are not bound by any origin domains.
The parent window receives the message, and triggers whatever you like, without stepping over cross-protocol boundaries.

More on window.postMessage on Mozilla's Developer Network


Attached is a sample, where a button inside the iframe triggers a function which is loaded locally.

Users Online
Currently online: 19 members 4,686 guests
Please welcome our newest community members: