How to work around the access denied cross-domain frame issue in ASP.NET Ajax 1.0

Some users have run into an issue when hosting ASP.NET Ajax applications in a frame or iframe that is in a different domain from the top-level window. If you do that and browse to the page using IE, you'll receive an "access denied" error client-side any time a DOM event is raised in the frame. The code responsible for that is Sys.UI.getLocation. This is a tricky piece of code that determines the pixel coordinates of a DOM element relative to the top-left corner of the page, so that an absolutely positioned child of the body using these coordinates would exactly cover the element you measured. This is useful for drag & drop, for popup scenarios like auto-complete and, when an event is raised, to get mouse coordinates relative to the event source. It is this last use that explains the problem.

The code in this method is different for each of the browsers that we support, because each one of them has its own behavior that cannot be determined the way we usually do, by dynamically looking at capabilities. You just have to know, for example, that browser X is not counting an element's scroll position if it's absolutely positioned and a direct child of body (names changed to protect the guilty). That's the kind of problem we had to work around. Luckily, IE has two very handy methods to retrieve this kind of coordinates, which enable us to completely bypass a number of bugs that we just couldn't efficiently work around: getClientRects, which gets all rectangles the element occupies on the page, and getBoundingClientRect, which returns a single rectangle that bounds the whole element.

In the method that we shipped, we've been using getClientRects and getting the first rectangle because we wanted to have consistent behavior across browsers even if the element is a wrapping element such as a span: in this case, the top-left corner of the element is the top-left corner of the first bounding rectangle, which is different from the top-left corner of the global bounding rectangle.

And this is where we made a mistake, unfortunately too late. There is a subtle difference between getClientRects and getBoundingClientRect, which is that getClientRects, when in an iframe, gives coordinates that include the offset of that frame in the top window, whereas getBoundingClientRect gives the right coordinates directly. Both need to include the frameborder to be perfectly accurate. To correct the behavior of getClientRects, we had to look at the coordinates of the frame relative to the top window, to subtract them, and this is the operation that is not allowed if the frames are in different domains.

The fix is to use getBoundingClientRect instead, which will introduce a small inconsistency across browsers in the case of wrapping elements but is a lot better than just failing. The new version of the function still needs to try/catch around the code that fixes the frameborder, so for cross-domain frames you may get a 2 pixel offset in the coordinates but this is the best you can get.
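The guarded frame-border correction described above, as an added example that is not code from the original post. IE's DOM objects are replaced by constructed stand-ins (makeWindow, makeElement and the other function names are hypothetical), and a parent window in another domain is modelled by a frameElement getter that throws; the results show where the 2 pixel difference comes from.

```javascript
// Added example: constructed stand-ins for IE's DOM objects, runnable in Node.js.

// frame is an object such as { frameBorder: "0" } for a same-domain parent,
// null when the page is not framed, or the string "cross-domain" for a parent
// in another domain, in which case reading frameElement throws.
function makeWindow(frame) {
    var win = {};
    Object.defineProperty(win, "frameElement", {
        get: function () {
            if (frame === "cross-domain") throw new Error("Access is denied.");
            return frame;
        }
    });
    return win;
}

function makeElement(rect, scroll, frame) {
    var doc = {
        documentElement: { scrollLeft: scroll.left, scrollTop: scroll.top },
        parentWindow: makeWindow(frame)
    };
    return {
        nodeType: 1,
        document: doc,        // IE-only alias, used by the patch
        ownerDocument: doc,
        getBoundingClientRect: function () { return rect; }
    };
}

// Unguarded probe of the hosting frame: the exception reaches the caller.
function borderCorrectionUnguarded(element) {
    var f = element.ownerDocument.parentWindow.frameElement || null;
    return f ? 2 - (f.frameBorder || 1) * 2 : 0;
}

// Guarded probe: when the parent cannot be read, apply no correction.
function borderCorrectionGuarded(element) {
    try {
        return borderCorrectionUnguarded(element);
    } catch (ex) {
        return 0;
    }
}

function locate(element) {
    var rect = element.getBoundingClientRect();
    var root = element.document.documentElement;
    var c = borderCorrectionGuarded(element);
    return { x: rect.left - 2 + root.scrollLeft + c,
             y: rect.top - 2 + root.scrollTop + c };
}

// The same element (constructed values) measured in four hosting situations.
function demo() {
    var rect = { left: 12, top: 22 }, scroll = { left: 0, top: 100 };
    return {
        unframed: locate(makeElement(rect, scroll, null)),
        sameDomainBorderless: locate(makeElement(rect, scroll, { frameBorder: "0" })),
        crossDomainBorderless: locate(makeElement(rect, scroll, "cross-domain")),
        sameDomainInvalid: locate(makeElement(rect, scroll, { frameBorder: "no" }))
    };
}
```

The borderless frame yields (12, 122) when the parent is readable and (10, 120) when it is in another domain, which is the 2 pixel offset; a non-numeric frameBorder value such as "no" turns both coordinates into NaN.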

How to apply the fix

First, you’ll need to use the external script files instead of the resource-based ones. You do this by setting a general ScriptPath on the ScriptManager. The external script files can be found in the Microsoft Ajax Library, which is under the MSPL (which allows you to modify the files). Copy the System.Web.Extensions folder found in the Library zip into the folder you pointed ScriptPath to.

Alternatively, if you don't want to have all your script references path-based, you can point only the core framework to a file and leave the others to use web resources as usual. This makes things easier when using other resource-based libraries such as the toolkit. This is easily done by adding the following script reference to your script manager:

    <asp:ScriptReference Name="MicrosoftAjax.js" ScriptMode="Auto"
        Path="~/[Your Script Directory]/System.Web.Extensions/1.0.61025.0/MicrosoftAjax.js"/>

Of course, don't forget to replace the part of the path between the brackets with the name of the script directory you chose. Don't set a ScriptPath on the script manager if you choose to use this script reference. 

Once you’ve done that, you can check that the application still works and loads the script from the new location using a network monitoring tool such as Fiddler.

The second step is to patch the files. You’ll need to patch the debug and release versions.

The debug version is MicrosoftAjax.debug.js. Look for the following code:

switch(Sys.Browser.agent) {
    case Sys.Browser.InternetExplorer:

then replace everything between that and "case Sys.Browser.Safari:" with the following code:

Sys.UI.DomElement.getLocation = function(element) {
    // Windows and documents have no position of their own.
    if (element.self || element.nodeType === 9) return new Sys.UI.Point(0,0);
    var clientRect = element.getBoundingClientRect();
    if (!clientRect) {
        return new Sys.UI.Point(0,0);
    }
    var ownerDocument = element.document.documentElement;
    var offsetX = clientRect.left - 2 + ownerDocument.scrollLeft,
        offsetY = clientRect.top - 2 + ownerDocument.scrollTop;
    try {
        // Looking at the hosting frame is not allowed when it is in a different domain.
        var f = element.ownerDocument.parentWindow.frameElement || null;
        if (f) {
            var offset = 2 - (f.frameBorder || 1) * 2;
            offsetX += offset;
            offsetY += offset;
        }
    }
    catch(ex) {
        // Cross-domain frame: keep the coordinates without the frameborder correction.
    }
    return new Sys.UI.Point(offsetX, offsetY);
}
break;

For the release version (MicrosoftAjax.js), the process is pretty much the same except that the file is a little more difficult to manipulate. Look for "switch(Sys.Browser.agent){case Sys.Browser.InternetExplorer:" and replace everything between that and "case Sys.Browser.Safari:" with the following:

Sys.UI.DomElement.getLocation=function(a){if(a.self||a.nodeType===9)return new Sys.UI.Point(0,0);var b=a.getBoundingClientRect();if(!b)return new Sys.UI.Point(0,0);var c=a.document.documentElement,d=b.left-2+c.scrollLeft,e=b.top-2+c.scrollTop;try{var g=a.ownerDocument.parentWindow.frameElement||null;if(g){var f=2-(g.frameBorder||1)*2;d+=f;e+=f}}catch(h){}return new Sys.UI.Point(d,e)};break;

(no line breaks)

The site should now work without the exceptions.
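A slip while editing the minified file breaks the whole script, so it is worth checking both patched files before deploying them. The following checker is an added example, not part of the original post or of the Microsoft Ajax Library; the function names are hypothetical, the sample inputs are constructed miniatures of the file's layout, and it assumes the switch header quoted above occurs exactly once in a correctly patched file.

```javascript
// Added example: structural check of a patched MicrosoftAjax(.debug).js, for Node.js.

// Markers quoted in the post, with whitespace removed so the same check
// covers the formatted debug file and the minified release file.
var IE_MARKER = "switch(Sys.Browser.agent){caseSys.Browser.InternetExplorer:";
var SAFARI_MARKER = "caseSys.Browser.Safari:";

function countOccurrences(text, needle) {
    return text.split(needle).length - 1;
}

// Returns a list of problems; an empty list means the file passed.
function checkPatchedScript(source) {
    var problems = [];
    try {
        new Function(source);   // compiled only, never called
    } catch (e) {
        problems.push("syntax error: " + e.message);
    }
    var compact = source.replace(/\s+/g, "");
    var headers = countOccurrences(compact, IE_MARKER);
    if (headers === 0) {
        problems.push("IE switch header not found");
        return problems;
    }
    if (headers > 1) {
        problems.push("IE switch header appears " + headers + " times");
    }
    var start = compact.indexOf(IE_MARKER) + IE_MARKER.length;
    var end = compact.indexOf(SAFARI_MARKER, start);
    if (end < 0) {
        problems.push("case Sys.Browser.Safari: is missing after the IE case");
        return problems;
    }
    var ieCase = compact.slice(start, end);
    if (ieCase.indexOf("getBoundingClientRect") < 0) {
        problems.push("IE case does not call getBoundingClientRect");
    }
    if (ieCase.indexOf("getClientRects") >= 0) {
        problems.push("IE case still calls getClientRects");
    }
    if (!/break;?$/.test(ieCase)) {
        problems.push("IE case does not end with break");
    }
    return problems;
}

// Constructed miniature of the file, for demonstration only.
var HEADER = "switch(Sys.Browser.agent){case Sys.Browser.InternetExplorer:";
var PREFIX = "var Sys={Browser:{agent:1,InternetExplorer:1,Safari:2},UI:{DomElement:{}}};";
var SAFARI = "case Sys.Browser.Safari:Sys.UI.DomElement.getLocation=function(a){return null};break}";
var PATCHED = "Sys.UI.DomElement.getLocation=function(a){var b=a.getBoundingClientRect();return b};break;";

function demo() {
    return {
        good: checkPatchedScript(PREFIX + HEADER + PATCHED + SAFARI),
        // Switch header pasted a second time in front of the replacement.
        duplicatedHeader: checkPatchedScript(PREFIX + HEADER + HEADER + PATCHED + SAFARI),
        // A term lost while copying, leaving ",;" behind.
        droppedTerm: checkPatchedScript(PREFIX + HEADER +
            "Sys.UI.DomElement.getLocation=function(a){var b=a.getBoundingClientRect(),d=b.left-2,;return d};break;" +
            SAFARI),
        // File copied to the script folder but never patched.
        unpatched: checkPatchedScript(PREFIX + HEADER +
            "Sys.UI.DomElement.getLocation=function(a){var b=a.getClientRects()[0];return b};break;" +
            SAFARI),
        // Replacement overwrote the Safari case as well.
        safariRemoved: checkPatchedScript(PREFIX + HEADER + PATCHED + "default:break}")
    };
}
```

To check real files, read each one with fs.readFileSync and pass the text to checkPatchedScript; both MicrosoftAjax.js and MicrosoftAjax.debug.js need to pass.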

Known issues with that fix

  • Coordinates returned by Sys.UI.DomElement.getLocation may be off by two pixels in some scenarios involving frames from different domains.
  • The patched implementation returns the upper left coordinates of the bounding box around the element instead of the upper left corner of the first rectangle of the element, which can be different for wrappable elements. This is inconsistent with what the function returns on other browsers.
  • If you enable script localization on the script manager, it will generate a request for a localized version of the Ajax script, which will not exist because we haven't shipped localized versions of the standalone script files yet. You can work around this by renaming the files to MicrosoftAjax.en.js and MicrosoftAjax.debug.en.js and adding ResourceUICultures="en" to the script reference. Don't change the path or name.

Important disclaimer

This fix implies that you stop using the resource-based scripts and use the static file versions instead.  I expect this is the fix that will be in the next service release, so when the next release of System.Web.Extensions happens, you will want to revert to using the resource-based scripts to get any other fixes or changes that are made.

UPDATE: added a way to replace just the core framework file.

UPDATE 2: The toolkit had a similar bug, and now provides a similar workaround:

UPDATE 3: made the release patching procedure clearer based on Atanu's comment. Apologies to everyone who hit this and thanks to Atanu for pointing it out.

UPDATE 4: added known issue with localization and how to work around it.

UPDATE 5: this is fixed in ASP.NET 3.5.


  • Good article. Hopefully Microsoft will fix this ASAP. Let's wait together

  • Hm, applying this workaround confuses me a bit, because somehow, if I begin to add a global path to the script manager, I need to collect all scripts into one folder, which I do not want to do.
    Best way is to have just the core framework script modified, it looks like .net2 then wants every single script "pathed" as well... why does it not take the rest from default resources as usual?? I'm puzzled
    many thanks if you can help,

  • (this is Alex again :)
    Have managed to make this error go away for a while. The reason the rest of the scripts did not want to load was that the VWD Express test server wants addresses in ~/path/path format, while IIS consumes /path/path . So this is fixed.
    However, the same "access denied" reappeared when an autocomplete textbox (living inside the frame) calls a webservice to fill a list.
    PS. Site has same as yours structure- parent page has frame with my [other domain] ajax site...

  • Bertrand, you seem to be my only hope :)
    My 2 previous posts are rather chaotic, so excuse me.
    To summarise, not just your pointed framework script fails in iframe on IE, but Common script for toolbox as well:
    [...] when autocomplete tries to place results, it uses this part of code of this script:
    getLocation : function(element) {
    [...]    <b>if (element.ownerDocument.parentWindow.frameElement)</b> {
    Bold line already fails and i believe, what follows will fail as well.
    So, my prob is how to correct script and where to specify path to consume corrected version? (similar to yours task)...
    Many thanks!

  • Alex: the code you posted is the *old, unpatched* code. So you either did not correctly set up your script reference or you didn't patch the file. You can drop me e-mail through the contact form if necessary.

  • I am having the same issue as Alex. Your patch corrected the issue with the initial page load, but now I get the same Access Denied message when any AjaxToolkit control is used. The AjaxToolkit has its own getLocation definition, which eventually calls the Framework's getLocation but is failing before it gets to the call. The AjaxToolkit getLocation is defined in Common.js.

  • Nice article, but I could never get approval to implement it this way. I hope MS can fix this soon. I was trying to use the AjaxControlToolkit to mask some textboxes in an iframe that was embedded on a Microsoft CRM form. For now, I commented out the Extenders until this can be fixed. Still, keep up the good work.

  • Mike: the next version of the toolkit will contain the fix, which may be your best bet as I see you're using it.

  • Alpesh: If you're trying to set-up an event for an element that is in a different window/frame, there is a known issue with that. Please contact me to check if that's the same problem you're hitting and how to work around it. You can use the contact form to drop me e-mail.

  • The following error occurs when hitting links, selecting tabs on this page. Which we determined to be a cross domain scripting issue within an iFrame.

    Access is Denied

    We applied the fix found above and added the “Systems.Web.Extensions” folder to our solution

    Amended the appropriate JS files as per the fix

    Added a ScriptPath attribute to the ScriptManager Tag to point to the relevant location

    Retested the page and checked the appropriate script links were all pointing to the correct and newly added path.

    This tested successfully.

    However, as a result of applying this fix we encountered a new problem. On loading the display.aspx page, the following Javascript error occurs:

    Expected ';'

    var $create=Sys.Component.create=function(h,f,d,c,g){var a=g?new h(g):new h,b=Sys.Application,i=b.get_isCreatingComponents();

    Followed by a further error Object expected

    var $create=Sys.Component.create=function(h,f,d,c,g){var a=g?new h(g):new h,

    This error is occurring in the MicrosoftAjax.js file we added and modified as described above.

    As a further result… Also on this page we use a which is associated to a control which handles our Polling facility to check responses we receive on a given interval. This no longer functions, we assume the two events are linked.

    Can anyone help me?

  • I've got the same problem, but the fix didn't help me. Because I was using frameborder="no" in my iframe.

    I got the NaN exception.

    The only fix ==> frameborder="0"

  • Thomas: I think you didn't apply the patch properly. What you replace in the release version includes the switch, but you must not replace the case Safari.

    Benny: frameborder="no" is illegal XHTML. Please use "0". This is actually a different problem (which doesn't cause "access denied") so it's not surprising that the patch would not fix it.

  • Thanks very much for your prompt response Bertrand.

    I've checked the release version of the file, but the "case Sys.Browser.Safari" does still exist.


  • Thomas, please contact me through the contact form of this blog. I'll look at your file.

  • Does anyone have the full file working. I am getting a Sys is undefined when using the Atlas toolkit

  • I am getting 'Type' is undefined on the first line of ScriptResource.axd. Does this mean I misconfigured something and the js files are not being used?

  • Carl: you probably made a mistake when patching the file, which created a syntax error, or you did not put the MicrosoftAjax.js and MicrosoftAjax.debug.js files at the right place.
    The fact that you're seeing scriptresource.axd does not mean that the js file is not being used: if you just replaced the MicrosoftAjax.js reference, all other scripts will still use scriptresource.axd. What you want to check is if MicrosoftAjax(.debug).js is being queried and if the script tag in the html source as seen from the browser has its src attribute set to the right url.

  • I placed the entire folder System.Web.Extension in my site then added a ScriptPath Property to the directory all the way down to the js files. I also tried using the from above. Both result in the same issue.

    I also receive the error prior to trying to patch the files and after.

    I just downloaded fiddler and I will try to see if I can see the debug file being accessed.

    I also cleared all browser cache and cleaned my project.

  • Actually, I need more sleep and a spell checker built into the IDE. Everything is now working, all is well. Fiddler is a great tool and showed me the 404 error when trying to access MicrosoftAjax.debug.js. Therefore I verified the path in the script manager and realized I had added an 's' to a word. Thanks for everything!

  • Has this now been fixed with the 3/2 release?

  • Darren: what we released last week was an Orcas CTP that doesn't contain any Ajax bits, so I suppose not. It will be fixed in the first Orcas release that contains Ajax bits, which should be beta 1 as far as I know.

  • When can we expect ASP.NET Ajax update with this fix?

  • Fedor: see above comment. The next release (Orcas beta) will have the fix.

  • Thanks,

    It worked like a charm. Our problem was running AJAX applications in Page Viewer Web Parts under Sharepoint (WSS V3.0). In case anyone else is having the same issue. The PopupControl Extender would not fire and display the Calendar. It would (of course) stand-alone but not in the Page Viewer Web Part.

    Thanks again,

    Mike Mattix

  • Thanks for this Bertrand, very useful article - problem sorted:-)

  • Leo: you probably introduced a syntax error when you patched the file. Please double check your patched file. You can also look at all error messages, you probably have a syntax error message before the undefined message. That will give you the line number of the syntax error.

  • Yes.

  • This only works for in web.config.
    If I try debug="false" I get the following error:
    'Sys' is undefined, 'Type' is undefined.

    Can you give me any help?

  • Henry: that indicates a syntax error probably happened before. You probably made a mistake when you patched the release version of the file.


  • Deepak: no need to shout. That indicates a syntax error. You probably made a mistake when you patched the file.

  • Marc: the fix is already in the Orcas Beta and will ship with all future versions.

  • Bertrand,
    First of all, thank you for this article.

    I'm getting also Sys and Type undefined. I've rechecked my patch and it's fine. I've already patched the AJAX Toolkit also. Could you please look at: and tell me if you see the error.
    Any help would be appreciated. THANKS!!

  • Oh, something I forgot.. My locale is ES-MX. Perhaps this is where I'm missing something??

  • Yendi: there doesn't seem to be a site there. Can you check the spelling of the url?

  • Can you please tell me, I have put these changes in two files in my solution explorer, at the script manager I have to point this reference to the new file path, how can I give that, it is in my local, but I am deploying at the remote system.

  • Bertrand, thanks for this patch. However you are not clear at one point in the posting above - which is why you are seeing folks leaving comments about getting these errors with debug="false":
    'Sys' is undefined, 'Type' is undefined

    Bertrand writes:
    Look for "switch(Sys.Browser.agent){case Sys.Browser.InternetExplorer:" and replace everything between that and "case Sys.Browser.Safari:" with the following:
    ... followed by code

    Unfortunately in that code he repeats this:
    switch(Sys.Browser.agent){case Sys.Browser.InternetExplorer:
    whereas what he probably meant to say was: Look for
    "switch(Sys.Browser.agent){case Sys.Browser.InternetExplorer:" and replace THAT AND EVERYTHING UP TO "case Sys.Browser.Safari:"

    In case it isn't obvious, you need to ensure that switch(Sys.Browser.agent){case Sys.Browser.InternetExplorer:
    is not repeated again - which is what will happen if you follow his directions to the letter. In that case, you will get these errors with debug="false":
    'Sys' is undefined, 'Type' is undefined

  • Yendi: thanks for the feedback, there's indeed a problem if you enable localization. See the updated known issues at the end of the post for a workaround.

    Gann: I'm sorry, but could you please rephrase your question? I'm not sure I'm following you. Did you deploy the script files on the remote system?

    Atanu: thanks for the detective work, I should have seen that one. I updated the post.

  • Hi Bertrand,

    I have observed a peculiar thing. I did everything you said like copying the System.Web.Extensions folder found into my js folder and then pointing ScriptPath to that folder as

    inside the .aspx page EXCEPT doing the patch.

    And I found the error "access is denied" is gone without using the patch!

    However, there appeared two new errors as
    Line: 116, Error: 'Sys' is undefined
    Line: 211, Error: 'Sys' is undefined

    Fact is if I implement the patch as you said, the situation remains same.

    Please help.

  • Hello,

    I have some trouble patching the files.

    I added the external script files downloaded here in the same folder of my project, I point ScriptPath of the ScriptManager to "~/scripts/System.Web.Extensions/1.0.61025.0/MicrosoftAjax.js", I patched the files as you explained and I get 2 errors of sys is undefined. I restore the original files downloaded and I get the same error.
    In my config the debug is set to false.

    Any ideas?

  • never mind i've found my error, thanks it works great.

  • Faisal, you're not getting the access denied error because it fails before it even reaches it. The error you're getting is probably caused by a syntax error introduced by your incorrectly patching the file. Please double-check.

  • Hi David,

    Hello, I have some trouble patching the files. I added the external script files downloaded here in the same folder of my project, I point ScriptPath of the ScriptManager to "~/scripts/System.Web.Extensions/1.0.61025.0/MicrosoftAjax.js", I patched the files as you explained and I get 2 errors of sys is undefined. I restore the original files downloaded and I get the same error. In my config the debug is set to false. Any ideas?
    I am also getting the same errors. Could you let me know where to fix?


  • I made it work by copying all ajaxtoolkit control js files to the same path of script files and renaming them "AjaxControlToolkit.Common.xxxx".

    This is not elegant but it worked.

  • hi, thank you for your fix.
    I still have this problem. I have a datagrid with a template column with a small image within. When the user hover it a balloon appears (similar to that of google maps) displaying some data.
    Before your fix there was no way to show it within an iframe. Thanks to your fix now the balloon displays, but it seems that it ignores offset values, do you have any idea?


  • No, offset values on what?

  • Sorry, I missed to say the most important thing!!
    The balloon is actually a HoverMenuExtender, I was talking about OffsetX and OffsetY properties of this extender. After your fix now the extender displays, but it's centered above the control it extends and the offset values are ignored.

  • Stefano: you should probably ask this question to the toolkit team.

  • I will, but I think this problem is related to this article, since if I see the page outside the iframe the behavior of the extender is perfect. Sorry if I bother you once again!

  • Stefano: it is related to the iframe, but the patch here only deals with the security issue. It may end up being a problem somewhere in Microsoft Ajax, but you should start by asking the toolkit team as this happens with one of their extenders.

  • Thanks for this great info. I wanted to pass along a tip I learned while applying this patch. After applying the patch and trying to run the app I was also getting the 'Sys' and 'Type' undefined errors that I saw other people getting. It took a long time to track down, but what I found was that our Sys Admins had deployed a tool called URLScan onto every desktop to prevent users from going to potentially malicious websites. Well, that tool also has a setting that prevents URLs with periods in their address. We figured this out based on using Fiddler and identifying that we were getting a 404 error when trying to load the patched Ajax files. The URLScan tool was preventing us from loading that file. Anyways, I hope that helps someone out there.

  • Shane: urls with periods in the address? That's radical. Most of the web must be filtered out by this?

  • Hi
    I was wondering about one thing.
    I added the scriptpath and this is ok.
    but why do I need to modify the
    MicrosoftAjax.debug.js and MicrosoftAjax.js files?
    Why hasn't this been fixed in the files from the download location?

    When I did the above I still get an error when trying to use ajaxToolkit. Do you have any idea as to why?
    When making these changes do I need to modify any references to the ajaxtoolkit?
    Help is appreciated

  • Ajaa: the files in the download location are the exact same files that are embedded in the dll. We're not servicing one and not the other. That's why we're presenting this as a patch for the people who need it until it is integrated into the main build (which it is in the Orcas betas). See this as a way to get the fix earlier.
    About the toolkit issues, please read UPDATE 2 in the post. You can also contact the toolkit folks through the CodePlex site or the forums.

  • I just wanted to mention another problem I had. Although applying the patch worked I got problems when using the ajaxToolkit (latest release).
    I got an error that ajaxToolkit could not be found.

    To solve this I added the ajaxToolkit dll's in same folder as
    MicrosoftAjax.js and MicrosoftAjax.debug.js
    and renamed them to
    (as you can see I added the prefix 'AjaxControlToolkit.Common.')
    This is mentioned earlier here but I just thought I can repeat it just in case!

    Now everything works for me :) I've got an updatepanel and the AjaxToolkit Rating control and they're 100% up and running!

    Thanks a lot for this patch!

  • Why don't you guys just provide us with the modified file?

  • Madia: because this bug doesn't meet the servicing bar. This is fixed in the Orcas beta release, which has been available for a few months now.

  • Hi Bertran

    Thanx for the time..

    I have checked the path in the Source code..The path is correct..But still am getting an error "sys is undefined.." Can u tell me some other reason for that..

  • Deepak: well, if the path is correct and you've checked that the file actually gets downloaded (for example using Firebug or Fiddler), you probably introduced a syntax error while patching the file. Does it reproduce in debug and release modes?

  • Hi Loy

    I am heartily Sorry to you and Heartily Thanx for the time..

    At last I got my stupid mistake..Error is resolved..

    Actually I have patched the release version file but not debug one..

    That's why I always get an error

    Thanx a lot

    Thanx once again


  • Hi Bertrand Le Roy

    I have checked in both modes - Release and Debug Mode..The Error "Sys is undefined" comes in both the modes..

    Even I have patched my js files 2-3 times but nothing works for me..If you say, Could I send u the patch files by mail...

    One more thing I am using FreeTextBox Control(version 3.16) on the same aspx page..Would it be creating any problem..

    Pls help me..It really looks bad when a popup displays on the Client Screen with the message "Sys is undefined".

    Thanx for the help and time in advance..


  • Deepak: did you check in Firebug that the scripts do actually get loaded?

  • I had exactly the same symptoms as Deepak and just fixed it. If like me you're testing within an iframe then the request to get the script file can be unauthenticated even though you're logged in (because the hosting page's cookies are not accessible to the iframe'ed page). So if the script files are in a location that requires a logged-in user then you'll be able to download them by manually pasting the URL into the address bar but the iframe'ed page still won't be able to load them. Just need to change web.config appropriately to fix it.

    Having wasted an afternoon on this I just need to let off some steam by saying Microsoft is bonkers beyond belief to leave poor Bertrand helping thousands of developers patching a bug that affects everybody (because every site gets put in an iframe by someone).

    Thank you, I feel better now.

  • Deepak: I'm not asking if the path is ok, but if it effectively loads. You can check that in Firebug by expanding the entry in the net tab.
    Max: the issue doesn't affect many users as you need to use iframes *and* have your iframe be in a different domain. That is not that common and it is a lot less trouble to offer out of band advice than to release a full service patch. The problem is also fixed in all recent releases of Ajax.

  • If you're getting the Sys and Type error, try this:

    Set ScriptMode="auto" and in the compilation tag of web.config remove the debug attribute

    or change ScriptMode attribute to ScriptMode="Release".

    In debug mode your script tag will alter the path to find a debug js file.

  • Matt: if you followed the post's indication, you should have installed all files from the library, which include both the debug and release versions.

  • Ziro: you probably included too much in the script path. Apparently in your case it should just be "scripts".

  • Vladimiro: err, it is a simpler solution, but to a completely different problem so I'm not sure what you mean here...

  • Alberto, you're right. I've sent mail so that this gets fixed.

  • Has the link been fixed yet?

  • Gerald: I've reported the problem. It should have been fixed by now but hasn't for some reason. I've reported it again a few minutes ago and it's being investigated (it doesn't reproduce consistently). Sorry about that and thanks for your patience.

  • Thanks Bertrand, seems to work ok.

    So if we update to Orcas or update to the newest version of Ajax when it comes out, should this issue be fixed? Thanks.

  • Yes.

  • I figured it out. The ScriptReference path is relative, so once I removed the tilde, it worked. Thank you!

  • Man, your comments are really fast... It changes every time I'm gonna refresh it..

  • MrVent: browsers preventing script from accessing other frames that are in different domains is a very fundamental security feature, one of the things web security is built on. You may find some vendor-specific workarounds but there are also better solutions that rely on message-based communication between frames using url fragments. Microsoft Research has produced a technique called subspaces, and there's also some work being done around that in OpenAjax.

  • Used this to get a an Ajax enabled page working through a PageViewer web part. It worked like a charm and really saved my hide.


  • Very good patching!

    App now works smoothly

  • Thanks, It fixed the problem! Hope that MS would release some official patch as well, I assume there are plenty more to be fixed!

  • Shauheen: it's already patched in all recent versions of ASP.NET Atlas.

  • Bertrand,

    this is great ! Saved my project !

    Regarding your last comment, that it's already patched, I'm not sure.
    It still didn't work today :)

    But your patch solved it ! Thanks !!!!

    Arnout Symoens

  • By "all recent versions", I mean everything that shipped from Orcas Beta 1, but that doesn't include 1.0 even though it can still be downloaded. Version 1.0 remains unpatched and will remain that way.

  • Bertrand,

    Thank you very much. The patch worked like a charm.

  • I just resolved the 'sys' undefined error by removing ALL line breaks from microsoftajax.js. The file as downloaded from Microsoft has 2 line breaks in it. I'll never get those days back..

  • What???

  • Works like a charm - thanks!!

  • I'm getting sys.undefined only in Firefox and not in IE, can u help me out with this

  • Venk: you probably introduced a syntax error while patching the file. Please double-check.

  • I've implemented the Ajax patch and so far so good. But I'm pretty sure that the fix has not been implemented in the AjaxControlToolkit.
    I've just downloaded the 9/20/2007 build and I'm still getting the 'Access denied' error when viewing my app within a Sharepoint PageViewer web part. I'm about to grab the source code and do the changes manually and rebuild.

    Can anyone else confirm that the current AjaxControlToolkit still has the issue? I can't find squat about it on the CodePlex Issue Tracker.

  • Thanks. This solution helped me a lot.

  • Thank you - you just saved my day :-)
    Worked great!

  • It works but I get a strange javascript error: Unspecified error.
    Can anyone help me? Thank you!

  • John: you should check with a tool such as Firebug, Fiddler or Nikhil's browser helper if the script files are actually downloaded. I'm suspecting that you have a path inconsistency between what you specified in the script reference and the physical location of the file.

  • Thanks, Bertrand.

    Fiddler showed that I was receiving a 403 error when trying to pull the MicrosoftAjax.js file from my /bin/System.Web.Extensions/1.0.61025.0 directory. Made perfect sense once I saw it. The internal web server in Visual Studio 2005 is apparently blocking that folder, but on my test server I can get to the file. In order to avoid the problem altogether, I moved MicrosoftAjax.js and MicrosoftAjax.debug.js to a new folder in my project named /Scripts and updated my script reference appropriately. Everything works just fine now, both locally and on the test server.


  • I am having the same issue in ASP classic, is there a similar work around I can apply? Any help would be greatly appreciated, I am pulling my hair out :(

  • Ghaj: what do you mean "the same issue"? Do you mean you're getting an access denied error or that you're using MicrosoftAjax with classic ASP?
    If it's just an access denied error that's unrelated to Microsoft Ajax, you probably have some javascript that's trying to get at an object in another frame that's pointed to a different domain.

  • Thanks Bertrand, you are right, it is javascript trying to get another object in a different frame. Do you know of anything I can do to make it load properly in my frame without giving me the access denied error?

  • Ghaj: it's an essential security measure that browsers don't allow you to script windows that came from a different domain. Your options are to get those pages to be in the same domain or use a cross-frame communication technique such as Subspace but that's fairly complex and only allows limited, message-based communication.

  • Thanks a lot man, this solution worked fine on my website.

  • Hi,

    I have applied the fix as specified above, and have gone down the ScriptReference route as I am using the toolkit. I am running the latest patched version of the AjaxControlToolkit, and this is fine. I am receiving the following error on page load:

    Sys.ArguementTypeException: Object of type 'Sys._Application' cannot be converted to type 'Sys._Application'.
    Parameter name: instance

    And the error is being raised by the following line in MicrosoftAjax.debug.js:

    if (!this.isInstanceOfType(instance)) throw Error.argumentType('instance', Object.getType(instance), this);

    Any ideas as to why this error is being thrown and how I can correct the problem?

    Many thanks,

  • Chris: this typically indicates that a reference to an object in one frame has been passed somehow to the other frame. The system gets confused because the two application types in the two frames are actually different objects.
    I'm suspecting that you're somehow passing complex objects across frames here. If that's the case, try passing plain JavaScript data objects instead (such as {foo: "bar", baz: 42}).
    If this doesn't help, let's take that offline and send me mail through the contact form of the blog.
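The mismatch Bertrand describes, shown as an added example that is not part of the original comments and is not MicrosoftAjax.js code: each frame evaluates its own copy of the framework, so the two `Sys._Application` constructors share a name but are different objects, and an instance check in one frame rejects an object built in the other. `loadFrameworkInFrame`, `requireApplication`, `toWireMessage` and `fromWireMessage` are hypothetical names, and the frames are simulated by calling a factory twice.

```javascript
// Constructed stand-in for a framework script. Each call models one frame
// evaluating its own copy of the file, so each call creates a brand-new
// _Application constructor (hypothetical names, not MicrosoftAjax.js code).
function loadFrameworkInFrame() {
  function _Application() {
    this.components = [];
  }
  _Application.typeName = 'Sys._Application';

  // Instance check in the spirit of the isInstanceOfType line quoted above.
  function requireApplication(instance) {
    if (!(instance instanceof _Application)) {
      const ctor = instance && instance.constructor;
      const actual = (ctor && ctor.typeName) || typeof instance;
      throw new Error("Object of type '" + actual +
        "' cannot be converted to type '" + _Application.typeName + "'.");
    }
    return instance;
  }
  return { _Application, requireApplication };
}

// Frame A creates an application object and hands the reference to frame B.
function passReferenceAcrossFrames() {
  const frameA = loadFrameworkInFrame();
  const frameB = loadFrameworkInFrame();
  const appFromA = new frameA._Application();
  try {
    frameB.requireApplication(appFromA);
    return 'accepted';
  } catch (e) {
    // Same type name on both sides, different constructor objects.
    return e.message;
  }
}

// Sender side: reduce the value to plain data and serialize it, so no
// object tied to the sending frame's constructors crosses the boundary.
function toWireMessage(data) {
  return JSON.stringify({ foo: String(data.foo), baz: Number(data.baz) });
}

// Receiver side: parse inside the receiving frame and validate every field
// before use, instead of trusting whatever shape the other frame sent.
function fromWireMessage(text) {
  const parsed = JSON.parse(text);
  if (typeof parsed !== 'object' || parsed === null ||
      typeof parsed.foo !== 'string' || !Number.isFinite(parsed.baz)) {
    throw new TypeError('unexpected message shape');
  }
  return { foo: parsed.foo, baz: parsed.baz };
}
```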

  • Thanks for your informative article.

    Just wondering if VS 2008 / 3.5 obviates the need for this patch? You mentioned: "I expect this is the fix that will be in the next service release" Has this happened yet?


  • Crile: yes, the fix is in 3.5 already.

  • Why the hell don't you make things work properly the first time? I spent 1 whole day just to find the problem. I was stupid to have used your library in the first place.

  • Umer: now it works properly out of the box as the fix is in .NET 3.5. This was a bug that was found after the product shipped. These things happen, unfortunately. We thought it was better to provide a workaround than nothing. I'm sorry you had to spend a day on that.

  • I spent 10 seconds on Google and found this article. Thanks for the heads up.

  • Hi, I'm trying to load into an IFrame an application that uses ASP.NET Ajax, and I have the issue described in this post. But I can't fix it through the proposed solution because I can't access the application's ScriptManager. The application is compiled and I have no access to the source code.
    Is there any other approach to replace the JavaScript files than accessing ScriptManager to fix this issue? (maybe through patching the ScriptReference.axd handler)
    Thanks in advance!

  • Andrew: I think your only other options are:
    1. to ask your hoster to upgrade to .NET 3.5
    2. to replace the whole function that we're patching here. You'd do that by including an additional file that contains a redefinition of the function that will overwrite the one in the resource.
    Makes sense?

  • Thanks Bertrand!

    The 2nd option works fine for me. I've got access to the master pages, so I've just included a script block overriding the whole function in the master page. And it works fine now.

  • I had applied this fix months ago on a Framework 2 site with ASP.NET Ajax 1.0. Now, when the site was upgraded to 3.5 and my script manager was pointing to manual copies of the scripts, I got the error "ASP.NET Ajax client-side framework failed to load"... I've had to remove the script manager pointing to those scripts and am in the process now of testing to make sure this bug is fixed with IFrames with 3.5 like some here have posted. I'm crossing my fingers it is! :)

  • Hi,
    I have applied this fix to my web application. However, I still got 'Sys' is undefined, 'Type' is undefined errors. I have two questions:

    1. How do I compile MicrosoftAjax.js? What should I do?

    2. Does the main web application need to add this fix as well? The main web application is .NET 1.1 and the web application inside the frame is .NET 2.0. Does that cause the problem?

    Thank you.

  • 1. You don't have to compile it. Just follow the instructions very carefully and you'll be fine. Also look at the answers I already made to other people with the same difficulties, there are a few possible causes for that.
    2. No.

  • Congratulations!
    It works very well at first attempt.

    Thanks a lot!

  • Pablo, your last post was golden. This worked in my .net 2.0 master page. I'm so glad I finally fixed this. Thank you for posting the condensed javascript.

  • Pablo, your fix works like a champ!

  • Yeah Pablo, thanks. I work for a major corp and we had a big rollout this morning when we saw that error. Thanks, it worked.

  • Yes, DO NOT use Pablo's fix. It is overwriting the implementation of the method for all browsers with the one that's specific to IE.

  • Bertrand -- just a quick note to point out that your comment below is wrong:

    "Max: the issue doesn't affect many users as you need to use iframes *and* have your iframe be in a different domain. That is not that common ..."

    Every public site gets put in an iframe by someone, sometime. The developer has no control over this and definitely does not need to be using iframes themselves to be affected, as you claim. I don't use iframes myself and am still dealing with the fallout from this over a year later.

  • @Max: I'm sorry this affected you but that doesn't mean it affects everyone as you claim. Indeed, support does not seem to be getting that many incidents around that issue. Anyway, this is fixed in the current version of .NET (3.5).

  • Bertrand -- if you don't agree you might be respectful enough to explain where the hole in my logic is. If you think for a moment, perhaps you'll realise it absolutely does mean that everyone was affected.

  • @Max: I'm sorry if you felt that I've been disrespectful, that wasn't my intention. I think there's a difference between disagreeing and being disrespectful.
    I agree that *potentially*, everyone is affected, but in reality, this issue is relatively rare, as is attested by the number of support calls. I disagree that "every public site gets put in an iFrame by someone, sometime" and anyway the person setting up the iframe should probably be the one making sure it works. Furthermore, the problem is fixed in the current version of the framework. If you would like a QFE for previous versions, please contact support but I think it unlikely to happen as there is a reasonable workaround.

  • Wow, thanks a lot it really works!

  • Could it be that this doesn't work in IE8 beta? Thanks!

  • @rudgr: can you be a little more specific? What problem are you experiencing?

  • Has this been fixed with 3.5?

  • Yes.

  • Excellent article.
    Note: the path should be relative.

  • Hi,

    I have the following errors in release mode :

    var $create=Sys.Component.create=function(h,f,d,c,g){var a=g?new h(g):new h,

    It happens when I have a timer in my page... like Thomas's problem!!

    I've checked my script and I think it's OK.

    What's wrong, please?

  • I'm facing the exact same problem as Hiruma...

  • @Hiruma: Thomas had incorrectly patched his file if I remember correctly. Please double-check.

  • I have checked my patch and there's no difference in the javascript file but I use the ScriptPath property of the Script manager.

    In the page source code, the correct MicrosoftAjax.js file is called. I don't understand ...

  • Give me the url of your page and I'll take a look.

  • If I replace my ScriptPath with the ScriptReference it works!

    So the files downloaded are corrupted?

  • It works like a charm... Dude, you're a genius. Thanks a lot.

  • Hello Bertrand,

    It would be a great help if you can comment on my issues.

    Thank you in advance

  • Thanks for this article - I read and followed the exact sequence for patching the files for debug and release but I still continue to get "Access Denied" errors when attempting to open another web page in an iframe. I see in "View Source" that my file is being referenced from the correct location - Is there anything else that could cause this error?? I get the error on both debug and release versions of the MicrosoftAjax.js file. Please let me know what you think about this issue - Thanks for your help!!

  • @ubgadeashish: The problem is that I didn't understand your comment, which seems to be unrelated to the problem described in this post. Please contact me through the contact form with a simple repro of the problem.

    @Robert: Yes, this error is perfectly normal if you're trying to access the DOM in another frame that is in a different domain. That is a security restriction that is imposed by your browser.
    The problem that this post solves was the appearance of this error in pages that didn't explicitly try to access another frame.

  • @Oleg: check the path in the rendered HTML against the real location of the script and adjust your Path attribute accordingly.

  • Thanks Bertrand, I forgot that the fix was only for IE.

  • Actually the above solution is working for Firefox, not in IE. Please advise us.

  • @Cathrine: it was never broken on Firefox. Chances are you improperly patched the files.

  • Hi Bertrand, thanks for the nice post. I modified the Release and Debug JS as mentioned, and I was able to see the script working in a frame.

    The only issue I have is that I get a scroll bar on the right and bottom in the AutoCompleteExtender of the AJAX Toolkit, which is hiding the last row of data.

    I don't get the scroll bar if I run the application without a frame and with the original files.

    Any idea what could be causing the scrollbar to be displayed? I am using IE6.

  • @Amit: We can take that offline (bleroy at Microsoft) but the first thing I'd check is that you have a doctype for standard mode.

  • Hi Bertrand, thanks for the info!

    After applying the patch I was also getting the 'Sys' and 'Type' undefined errors, but only on one particular WebServer.

    Our problem was the same that Shane was experiencing: the server had the URLScan tool installed, and it was preventing Requests containing periods (in our case, the patched Ajax files).

    If someone else is having this problem, you can configure the URLScan tool to allow Requests with periods (by default they are denied) by setting the AllowDotInPath=1 in the %windir%\system32\inetsrv\urlscan\UrlScan.ini file.

    I hope this helps someone else!

  • Our problem is similar, since we do get the access denied error; however, all of the aspx scripts are pregenerated by Sybase Powerbuilder and, because of that, we don't have direct access to them. We're using an iframe on the html page that is linked to the aspx site on IIS. Any suggestions on how to work around this? Any way to fix this without acquiring Visual Studio?

  • @Bruno: you should contact Sybase's support (Visual Studio shouldn't have anything to do with it).

  • @Bruno: please read the section of the post under the title "how to apply the fix". If Sybase's application doesn't let you do that, only they can fix it. The only solution I would see would be to "monkey-patch" the method by adding another script file to the page that contains a fixed override for the method.

  • Hi Bertrand,

    I'm sorry if this would seem to be a very newbie question, but I didn't get the first step on how to fix the problem (script manager, script path step). Could you please help?

    Thanks a lot.

  • @KCC: Just create an explicit script reference for MicrosoftAjax.js as described in the following paragraph. But your best bet right now is to migrate to a more recent version of the framework, where this bug is fixed.

  • Hi Roy,

    I was able to complete the steps you mentioned here, but unfortunately, the "Permission Denied" error still remains. I didn't even get the 'sys is undefined' error. I have checked (using Fiddler) that MicrosoftAjax.js has been properly loaded into the masterpage. I have also patched the files as mentioned.

    Unfortunately, I can't use the recent version of the framework.

    Thanks in advance.

    Any help would be appreciated.

  • I have the same problem. I applied the patch and it worked fine. I installed it on our DEV Server and it was working fine. One day the DEV Server hardware was replaced (they claim to have not changed anything else).
    Now all of a sudden, the application is showing an Access Denied error. My frames are using an asp page and an aspx page (.NET 2.0).

  • @KCC & @Samir: please contact me at bleroy at microsoft and I'll try to help.

  • This worked brilliantly in conjunction with the toolkit fix.

    Make sure your script path is just the top level ie. "~/scripts" and not "~/scripts/system.web.extensions/v1..........."

    Hope this helps someone!

  • I was able to fix the problem "Access is denied" and just wanted to share with everyone. I lowered the security settings in my IE (Tools > Options > Security). Select Medium-low or anything lower than that and it would accept the scripts.

  • I would not recommend anyone follow KCC's advice. First, you can't and shouldn't ask all your customers to lower the level of security of their browsers. Second, you're fixing the symptom rather than the actual problem.

  • Having read this excellent article and all the comments, I followed all the steps. I still got the error when trying to instantiate an AJAX calendar popup.

    My solution was to upgrade the site from VS2005 (ASP.Net 2.0) to VS2008 (ASP.Net 3.5). Works fine now!

  • Really worthwhile article.
    It really worked for me.
    I am very thankful to you as it saved my job.

  • This fix worked like a dream first time after a morning of panic after seeing my eCommerce site going fubar in an iFrame.

    Thanks a million.

  • I encountered this error today. My dev system worked fine without any fixes (regular Internet security, not Trusted site level). Our beta test server had the Access Denied problem. I've applied this fix and resolved a new (but temporary) Sys Is Undefined error. Now I am getting Permission Denied.

    I have an ASP page on web site #1 with a button control. I have an ASPX AJAX page on web site #2 with a hidden LinkButton control that is within an IFrame on the ASP page. When the ASP button control is clicked, it attempts to click the LinkButton. No error on the dev system, but this results in a Permission Denied on the beta system.

  • @Joe: could be several things. You might have patched only the debug version and not the release one (that would explain that it works on the dev box and not the server), you might have omitted to copy your patched files over, the error might come from your own code, something I haven't thought of or a combination of the above.

  • @Augusto: did you deploy the patched MicrosoftAjax.js file to the dev server? Did you check the script was getting downloaded using Firebug or Fiddler? Did you check you were getting no syntax errors?

  • @jgdean: having static script references is the way to go. The script profiler that is available on CodePlex/aspnet can help you determine the set of scripts you need for any given page.
    I'd also encourage you to upgrade to 3.5 SP1 if you can.

  • Bertrand Le Roy THANKS!!!!!

  • Can you take off access denied on this computer?

  • Thanks for this post. Together with Delay's Blog (which pointed me to yours) and Damian Mehers' (which pointed me to the location of the MicrosoftAjax.js) I managed to get our .Net 2.0 ASP.Net with the Ajax Toolkit working properly in an iFrame on our company's site.

  • Good fix Bertrand.

    This fixed it for me with an ASP.NET 2.0 app in a Sharepoint 2007 Web Page Viewer Web Part. So for anyone reading this: unless you are using an ASP.NET 3.5+ web app in the web part, of course, do exactly what he says and save yourself a lot of hassle.

  • Hi,
    I am getting a status 404 Tomcat server error when I followed what you have mentioned. Could anyone explain why?


  • @Priya: well, if Tomcat is giving you an error, that means that you're using Java and thus you're completely off-topic here. You'll have a much better chance of seeing your problem solved if you asked your question on a Tomcat/Java forum and if you explained exactly what server error you're seeing and what you did that triggered that error. By the way, 404 means resource not found, so chances are you used a URL that doesn't exist.

  • @Mike: very likely, you introduced a syntax error while patching the files.
    Please consider upgrading to .NET 3.5SP1 or 4.0.

  • Query about sidestepping the whole problem by simply not using cross-domain frames: Will it resolve the problem if the framed site using Ajax uses a subdomain alias of the host page domain? E.g., if I use Ajax on a page hosted at, and I display that site in an iframe on a page at, will this avoid the issue?

  • @SDG: seriously, just upgrade ASP.NET already, this has been fixed for the last two versions.

  • First of all, thanks for this awesome fix. I added this to my 2.0 application when the client wanted to call the page from an IFrame. It got fixed and worked well in IE, but now it is not working in Chrome. When I checked the .js, IE and Chrome share the same switch, as I didn't change any other. Is there any fix for this in Chrome, without changing the framework?

  • @Binu Jo: It's probably time to move on to a recent version of ASP.NET. This was fixed about a century ago :)

  • I am getting a javascript error when I try to do some operations on the https pages, like button clicks. The error is below:

    Webpage error details

    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2; BRI/2)
    Timestamp: Sat, 26 May 2012 04:28:12 UTC

    Message: Access is denied.

    Line: 6930
    Char: 9
    Code: 0
    URI: http://localhost:51516/ScriptResource.axd?d=h_o86yu-K-6nTNA3HhMgZoSImLI-VZzHJp_zcYCqJKeY5fNfe2-pvJdiEviO7YYwdftPGkhPoEWeYhxg3VguzhSFtolRzruKiiGyuHbjt9skWfwZ8jL6v7dbwa5lxsUjQnMK7v7NyOOJpTG1dEwC62FYhPByOFqtZ3DqnQeTNoGBkiy5MycdjDpVux7e_GsN0&t=ffffffffbd2983fc


  • @shirishmanda: just upgrade. If that doesn't work, contact support.
