
"Access is denied" error on accessing iframe document object


Solved it by myself!

The problem was that even though the correct response was being sent (verified with Fiddler), it was being sent with an HTTP 500 error code (instead of 200).

So it turns out that if a response is sent with an error code, IE replaces the content of the iframe with an error message loaded from the disk (res://ieframe.dll/http_500.htm), and that causes the cross-domain access denied error.


Beware of security limitations associated with iframes, like the cross-domain restriction (aka CORS). Below are 3 common errors related to CORS:

  1. Load an iframe with a different domain. (Ex: opening "www.foo.com" while the top frame is "www.ooof.com")

  2. Load an iframe with a different port: the iframe's URL port differs from that of the top frame.

  3. Different protocols: loading the iframe resource via HTTPS while the parent frame uses HTTP.
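
The origin comparison behind the three cases above, together with the IE error-page substitution described in the first answer, as an added example that is not part of the original posts. The function names are hypothetical and every URL passed to them is a constructed sample value.

```javascript
// Added example: explain why scripting an iframe's document is blocked.
// All URLs used with these functions are constructed sample values.

// Compare two URLs the way the same-origin check does: scheme, host and port
// must all match. URL.port is '' when the port is the scheme's default, so
// "http://a.test" and "http://a.test:80" compare equal.
function compareOrigins(parentUrl, frameUrl) {
  const p = new URL(parentUrl);
  const f = new URL(frameUrl);
  const differences = [];
  if (p.protocol !== f.protocol) differences.push('protocol');
  if (p.hostname !== f.hostname) differences.push('host');
  if (p.port !== f.port) differences.push('port');
  // Schemes such as res: (IE's built-in error pages) have an opaque origin,
  // serialized as "null"; an opaque origin never matches another origin.
  const opaque = p.origin === 'null' || f.origin === 'null';
  return { sameOrigin: differences.length === 0 && !opaque, opaque, differences };
}

// Read an iframe's document without letting the access error escape.
// Returns null when the frame is cross-origin or was swapped for an error page.
function tryGetFrameDocument(iframe) {
  try {
    return iframe.contentDocument || iframe.contentWindow.document || null;
  } catch (err) {
    return null; // "Access is denied" in old IE, SecurityError elsewhere
  }
}
```

When `tryGetFrameDocument` returns null for a frame that should be same-origin, check the HTTP status of the framed response before looking at the URLs.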


My issue was the X-Frame-Options HTTP header. My Apache configuration has it set to:

    Header always append X-Frame-Options DENY

Removing it allowed it to work. Specifically, in my case I was using iframe transport for jQuery with the jQuery file upload plugin to upload files in IE 9 and IE 10.