a brief history of setHomePage()

I started working on IE right after IE 5.5 shipped. Since then, there is one little feature which has been the subject of my loving attention from time to time-- setHomePage().

setHomePage() is implemented as a behavior in iepeers.dll. It takes one argument-- the URL you would like to prompt the user to set as their homepage. MSDN claims this functionality has been available since IE 5.0. I do not know who dreamt it up, but on the surface it does not seem unreasonable for a website to be able to prompt the user, and, having received the user's consent, have the browser set the home page for the user. But, alas, we live in strange times and drive-by hijacking of a user's home page seems to be a full-on business model.

For a long time the implementation of setHomePage() would simply take the string it was given and display it in single quotes in the dialog box and wait for the user to make a decision. Clever people figured out you could insert \n and \t to format the dialog in strange ways. This allowed them to socially-engineer users into clicking Yes. This was fixed in IE6; we now verify the untrusted input first.

For a long time the default answer for the dialog was Yes. For XP SP2 the default value will change to No.

One especially nefarious method of getting users to answer yes was to use window.createPopup() to cover up and/or change parts of the dialog. For XP SP2 window.createPopup() has a whole new set of constraints-- must not cover dialog boxes, must not try to exist (too far) outside the boundaries of the HTML rendering surface, only one instance allowed at a time, etc. 

The biggest change for XP SP2, the one I predict will impact web developers the most, is this: setHomePage() will fail with an access denied error if it is not called within a user initiated context. This means:

<body onLoad="oHomePage.setHomePage('www.reallyevilnastynefarioussiteasdf.com')"></body>

will fail with Access Denied. But the following code will work as expected:

<span onClick="oHomePage.setHomePage('https://www.niceguys-b-usasdf.com');">Click here to make us your home page!</span>
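
The three hardening steps described above (verify the untrusted string, default to No, refuse outside a user initiated context) can be modeled in a few lines. This is an added example, not code from iepeers.dll; the function name, the length limit, the http/https restriction and the dialog wording are all assumptions made for illustration.

```javascript
// Added example: a model of the prompt hardening, not IE's implementation.
// buildHomePagePrompt and MAX_URL_LENGTH are hypothetical names.
const MAX_URL_LENGTH = 2048; // assumed limit, not a value from IE

// Control characters (\n, \t, ...), Unicode line separators and bidi
// overrides can all reshape or reorder the text a dialog displays.
const UNSAFE_FOR_DIALOG =
  /[\u0000-\u001f\u007f-\u009f\u2028\u2029\u202a-\u202e\u2066-\u2069]/;

function buildHomePagePrompt(untrustedUrl, userInitiated) {
  // Refuse outright when the call is not tied to a user action.
  if (!userInitiated) {
    return { ok: false, error: 'access denied: not user initiated' };
  }
  if (typeof untrustedUrl !== 'string' || untrustedUrl.length === 0 ||
      untrustedUrl.length > MAX_URL_LENGTH) {
    return { ok: false, error: 'invalid length' };
  }
  // Check BEFORE parsing: the URL parser silently strips tabs and
  // newlines, which would hide the formatting attempt. Reject, do not
  // strip, so the string shown is the string that would be stored.
  if (UNSAFE_FOR_DIALOG.test(untrustedUrl)) {
    return { ok: false, error: 'control character in URL' };
  }
  let parsed;
  try {
    parsed = new URL(untrustedUrl);
  } catch (e) {
    return { ok: false, error: 'not an absolute URL' };
  }
  // Assumption for this example: only web schemes may be offered.
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return { ok: false, error: 'scheme not allowed' };
  }
  return {
    ok: true,
    // Constructed wording; shows the normalized URL in single quotes.
    message: "Would you like to set your home page to '" + parsed.href + "'?",
    buttons: ['Yes', 'No'],
    defaultButton: 'No', // the safe answer is what Enter selects
  };
}
```

The order of the checks matters: a string that fails the control-character test never reaches the parser, so nothing normalized from hostile input is ever shown to the user.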

Personally, I use about:blank as my home page because the browser window opens faster. This is especially important over terminal services!

Comments

  • Anonymous
    April 13, 2004
    I use about:blank too because of performance and other things. Why it is not a default value in IE, imho it is obvious it is supposed to be...
  • Anonymous
    April 13, 2004
    Anatoly-- I do not know. These decisions were made before my time. And there are lots of people who enjoy having one portal or another as their home page.
  • Anonymous
    April 13, 2004
    Any chance we can get an option in SP2 to disable the setHomePage popup completely? It's frequently used by those domain aggregator sales sites when you close the browser or navigate away from their page. It's very annoying, and I NEVER want to switch my home page to another site (I also use blank).
  • Anonymous
    April 13, 2004
    Oops, sorry, I guess that use that I described would not be classified as a "user initiated context". But would the Access Denied error show up as a javascript debugging error?
  • Anonymous
    April 13, 2004
    Kevin-- The Access Denied is in the form of a script error, and OnUnload would not be a user initiated action.

    There was argument for disabling it completely early on in the product cycle, but we decided in the end that the user initiated requirement would solve the majority of problems caused with the prompt.
  • Anonymous
    April 13, 2004
    If it's a script error, then poor developer sods like me that run with script debugging enabled (I do lots of DHTML/Javascript debugging) will get error popups, correct? Kind of unfortunate, albeit for a relatively small portion of the population.
  • Anonymous
    April 13, 2004
    C'mon, there's plenty of room left in the Custom Security Settings dialog to add:

    o Allow web pages to prompt you to make them the homepage
    O Enable
    O Disable
    O Only on Thursdays
  • Anonymous
    April 13, 2004
    Just curious - how do you get setHomePage() to appear on "window"?
  • Anonymous
    April 14, 2004
    Pete-- Oops. I will correct the article.
  • Anonymous
    April 15, 2004
    Jeff - bother, it would have been useful <g>.

    Something else that may be a dumb question - how does a binary behavior know that a method has been called within a user initiated context (or how can it find out)?
  • Anonymous
    April 16, 2004
    About popups: "only one instance allowed at a time"

    Does this mean that http://webfx.eae.net/dhtml/dhtmlmenu4/menu4.html will fail in XP2? The last beta I tested the menus worked ok.
  • Anonymous
    April 16, 2004
    I am not sure if it will fail or not; I did not have time to go through all the code. You should test with SP2 RC1.