If you're just here for the answer, not the story, the solution is at the bottom.

If you've ever used JSFiddle, Codepen, or others, this problem will be familiar to you: The goal is to take some HTML, CSS, and JS (stored as strings) and create an iframe with the code loaded inside.

This problem should be easy, but it isn't. At least... It wasn't, until I found the golden ticket I had been waiting for all along.

But more on that later. Let's start with all the things that didn't work, because that's more fun.

Attempt #1: Using srcdoc

After doing a bit of research, I was thrilled to discover that it's possible to add a srcdoc attribute to iframes.

If you pass in an HTML string, the iframe will load with that HTML content inside:

<iframe srcdoc="<p>This text will appear in the iframe!</p>"></iframe>

Unfortunately, there are two main problems with this approach:

1. Browser Support for srcdoc is not great

If we want to support IE or Edge, we'll need a different approach (or a polyfill).

2. It's possible to "escape" from CSS/JS

Here's roughly how my implementation using srcdoc looked:

function setIframeContent(iframe, { html, css, js }) {
  const source = `
    <html>
      <head><style>${css}</style></head>
      <body>
        ${html}
        <script>${js}</script>
      </body>
    </html>
  `
  iframe.srcdoc = source
}

The problem? When writing CSS or JS, it's possible to "escape" out into HTML land, simply by including </style> or </script> in the code, respectively.

This bug is actually quite common; both JSFiddle and Codepen are affected:

Attempt #2: Serverless Boomerang

To fix the browser support issue, let's replace srcdoc with a regular src attribute. In order to do this, we'll need to pass a real URL instead of just code.

Perhaps we can set up a page which takes HTML, CSS, and JS "GET" parameters and spits out the same type of page as before, but this time loaded from an actual URL.

This is a perfect time to use a serverless architecture, because we just want a single endpoint that does one thing. Here's my attempt:

module.exports = (req, res) => {
  // Code comes from GET params in URL
  const { html = '', css = '', js = '' } = req.query

  // Generate and send HTML page
  return res.send(`
    <html>
      <head><style>${css}</style></head>
      <body>
        ${html}
        <script>${js}</script>
      </body>
    </html>
  `)
}

This works across virtually all browsers, but is not without its own issues:

1. "Escaping" from CSS/JS into HTML is still a problem
2. The entire source code is passed in a URL, which isn't ideal.

Attempt #3: Serverless Boomerang (redux)

Our first boomerang solved the browser support problem, but still has the "escaping" issue to deal with.

Fortunately, due to the way that we pass in the code, this can actually be solved. Rather than inserting the CSS and JS into the page on the server, we can do it on the client! This works because the URL GET parameters are still accessible to the client's computer.

The source here is a bit longer, but it does work:

module.exports = (req, res) => {
  return res.send(`
    <html>
      <head>
        <script type="text/javascript">
          window.addEventListener('load', function() {
            function getUrlParameter(name) {
              name = name.replace(/[\\[]/, '\\\\[').replace(/[\\]]/, '\\\\]');
              var regex = new RegExp('[\\\\?&]' + name + '=([^&#]*)');
              var results = regex.exec(location.search);
              return results === null ? '' : decodeURIComponent(results[1].replace(/\\+/g, ' '));
            };

            // Load JS from GET params (on client)
            var js = getUrlParameter('js');
            if (js) {
              var script = document.createElement('script');
              script.type = 'text/javascript';
              script.text = js;
              document.body.appendChild(script);
            }

            // Load CSS from GET params (on client)
            var css = getUrlParameter('css');
            if (css) {
              var style = document.createElement('style');
              style.type = 'text/css';
              if (style.styleSheet) {
                style.styleSheet.cssText = css;
              } else {
                style.appendChild(document.createTextNode(css));
              }
              document.head.appendChild(style);
            }

            // Remove the currently running script tag
            document.currentScript.parentNode.removeChild(document.currentScript);
          });
        </script>
      </head>
      <body>
        ${req.query.html || ''}
      </body>
    </html>
  `)
}

Now, if a script or style includes scary HTML characters, the browser will handle them for us when inserting said script/style into the document.

This solution is... fine. It works, technically. But we still have the soft URL length limit to consider. Plus, we're now dealing with something server-side that feels like it should happen on the client.

There must be a better way.

Solution: Blob URLs

This entire time, we've been trying to simulate loading data from a URL:

• First we used srcdoc to load data instead of loading from a URL
• Then we used the boomerang to load code from a URL
• Next we updated our boomerang to attempt to simulate the "loading CSS/JS from an external URL" behavior, despite every resource coming from one URL.

It turns out that Javascript has a feature to do just this: Blob URLs.

Blobs

We can use the Blob constructor to create a pseudo-file. It's not a real file loaded from disk or from a URL -- it's just stored in memory. But in many ways, it functions just like a real loaded file.

Then, we can use URL.createObjectURL(blob) to create a URL that can be used to load the contents of the blob.

Here's how that works in practice:

const getBlobURL = (code, type) => {
  const blob = new Blob([code], { type })
  return URL.createObjectURL(blob)
}

console.log(getBlobURL('<p>My webpage</p>', 'text/html'))
// blob:https://dev.to/9ca05e31-05ea-48f8-838d-cc1ad0949ec8

Try running the above code in the console to see it for yourself! It will log a URL. If you paste the URL into a new tab (including the blob: bit at the beginning), it will load a page containing the HTML.

Notice the 'text/html' passed to getBlobURL? We can change that too. Generating a CSS or JS blob is easy: Just pass text/css or text/javascript respectively.

Another benefit of blob URLs is that they stick around, and can be accessed any way that you would access a regular URL. Which means that we can actually load our CSS and JS files from a separate URL, so the "escaping" trick is no longer a problem.

Here's a bare-bones implementation of this in practice:

const getGeneratedPageURL = ({ html, css, js }) => {
  const getBlobURL = (code, type) => {
    const blob = new Blob([code], { type })
    return URL.createObjectURL(blob)
  }

  const cssURL = getBlobURL(css, 'text/css')
  const jsURL = getBlobURL(js, 'text/javascript')

  const source = `
    <html>
      <head>
        ${css && `<link rel="stylesheet" type="text/css" href="${cssURL}" />`}
        ${js && `<script src="${jsURL}"></script>`}
      </head>
      <body>
        ${html || ''}
      </body>
    </html>
  `

  return getBlobURL(source, 'text/html')
}

const url = getGeneratedPageURL({
  html: '<p>Hello, world!</p>',
  css: 'p { color: blue; }',
  js: 'console.log("hi")'
})

const iframe = document.querySelector('#iframe')
iframe.src = url

Oh, and browser support for Blob URLs is much better than srcdoc. ;)

The Moral?

Don't fight the language, I guess.

I knew what I wanted to do: Load data from URLs. It just never occurred to me to look for a non-hacky way to do just that!