the importance of context
Almost every navigation in Internet Explorer results in a flurry of security checks. Many of these checks are fairly obvious things, such as checking the URL of the current location (the context URL) and the pending navigation's destination URL to see if their zones/domains/protocols/etc are the same/different/acceptable/etc. Much of my time recently has been spent debugging strange combinations and ways of navigating. I will not bore you with the details; my goal is to emphasize the importance of context. I will mainly speak to the Internet Explorer Pop-up Blocker's dependence on the context URL.
The Pop-up Blocker is dependent on the context URL. When the page attempts to open a new window, mshtml queries the Pop-up Blocker. The Pop-up Blocker looks in the white list to see if this page is exempt from new window management. If, for some reason, the context URL provided is NULL, then obviously it cannot be matched to a domain in the white list.
So let us examine the following:
var oSpan = document.createElement("span");
oSpan.innerHTML = "<a href='https://www.microsoft.com' target='_blank'>Microsoft.com</a>";
When the anchor causes the browser to navigate, it will see the _blank and attempt to open a new window. This attempt will have to be verified by Pop-up Blocker. But the span is not parented to anything, thus it has no context. Elements with no context get the default context, which is about:blank, which confers no rights.
The moral of this story is always remember to parent your dynamically created elements to something in the document:
document.appendChild(oSpan);
Muah.
Comments
- Anonymous
May 11, 2004
How exactly can an anchor cause the browser to navigate when it's not inserted to the document tree? How is the user going to click on a link that doesn't exist in the document? - Anonymous
May 11, 2004
You can call .click() on it. The original code to do it was fairly opaque and I have not quoted it in its entirety for that reason. Trust me, though-- it can be done! And someone out there will find a way to do it and then want to know why Pop-up Blocker is blocking their new window even though they have added their site to the allow list. This entry is for them. - Anonymous
May 11, 2004
So if one allows about:blank to raise popus it should work? - Anonymous
May 11, 2004
The comment has been removed - Anonymous
May 12, 2004
I just ran into something yesterday that might be to this (on XP, but not SP2).
I have an IE toolbar and I want to call window.open when you click one of the toolbar buttons, so I can open a window with no toolbars and have it be automatically reused if you click the button again.
I can get the current document in the browser, but document.open() and document.parentWindow.open() both return E_ACCESSDENIED. Same thing happens if I get an IDispatch interface on the window object and call open() that way.
Is there any way around this? (I do run a 3rd party script/popup blocker but I turned it off before trying this.) - Anonymous
May 12, 2004
Of course if you followed the W3C DOM specs, the element would be parented, since its ownerDocument would point to the document that was used to create it... - Anonymous
July 02, 2004
In my web app. I required to open a web page from the body onload event of page. For example, user has selected some option from the menu and code first save the contents of the page and submit the page and in page body onload event opening the requested page.
I tried some alternates for ex. calling link click event from onload and tried to open new window but it could not work. As per MS doc. ( regarding Window XP SP2) there is no alternate to open new window through code .
I just want know what are other alternates can be used to accomplish such tasks. Thanks. - Anonymous
July 22, 2004
"Of course if you followed the W3C DOM specs, the element would be parented, since its ownerDocument would point to the document that was used to create it..."
Thanks for that insight Ian. You are a continual help, if only the MS folks were to an equal degree.