We integrated QV10 AjaxZfc to our web application simply by creating a web page that contains an iframe, which links to AjaxZfc's opendoc.htm.
This works just fine if we deploy the AjaxZfc and the web app under the same IIS web site. However, if the AjaxZfc stuff and the web application are deployed on different servers or web sites, the trouble begins.
The QvAjax.js contains some statements that access window.parent.Qva. From browser's point of view, the window object and window.parent object originate from different domains, which means that browsers consider accessing the window.parent.Qva object as an attempt to do cross-site scripting and an exception gets thrown and nothing works. There is no try-catch block in the script.
FireFox 3.6.13 and IE9 are secure enough to catch this, but Safari 5 and IE8 load the report without any problems.
If you are referring to the issue where you cannot host the Qlikview document in an iFrame, you basically only have one option due to actual browser restrictions (Cross Site Scripting). That solution is to host your integration web site and the Qlikview Web Server under the same IIS site. We have done that, and that has solved the issue with cross site scripting.
I have received a response back from QlikTech support regarding this issue. They have confirmed that this is a bug in the AJAX library that was shipped in SR1 and are working on a patch for it. They have not committed to a resolution date, or whether the fix will be in the next service release, but I assume that it will be.
This is a frequent problem that AJAX applications make cross-site requests. The usual solution is to deploy a web proxy in the server where the QV page is, proxy-ing the content of the other web server.