Do browsers ignore window parameters when opening new windows via javascript?
https://stackoverflow.com/questions/3841331
-
27-09-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I'm opening a popup window via javascript. I'm trying to set some of the display parameters - specifically we want to hide the location and statusbar, but every browser I've tested this in, the location and status bars still display.
My code looks like this:
newwindow=window.open(url,'name','height=250,width=290,left=200,top=200,location=no,resizable=yes,scrollbars=yes,toolbar=no,status=no');
Any ideas? The client is insisting on a popup window, rather than a hover tooltip.
Solution
Yes, some parameters are disabled. The reason is that it should not be possible to open a window that pretends to be something else.
The exact rules depends on the browser, the scope of the page (intranet/public), and the user settings. Most browsers won't remove the address bar, so that you can always see where the page is coming from.
You can for example read here about the restrictions in Internet Explorer.
Some quotes:
"Internet Explorer 6 for Windows XP SP2 requires that the window title bar and status bar are always in the visible area of the display; if the address bar is displayed, it must also remain visible. By placing these restrictions on script-opened windows, the Window Restrictions security feature prevents malicious code from hiding information and from spoofing user interfaces. The Window restrictions feature is on by default for the Internet zone, and the feature is off by default for the Local Intranet and Trusted Sites zones."
and:
"The status bar is an Internet Explorer security feature that provides the user with Internet Explorer security zone information. Prior to Internet Explorer 6 for Windows XP SP2, the status bar could be hidden from the user by scripts that call the window.open method. With the status bar hidden from view, users could be deceived into thinking that they were on a trusted site when they were actually interacting with a malicious host.
With window restrictions in place, the status bar cannot be turned off for any window created by the window.open method; it is always visible for all Internet Explorer windows. The zone information that the status bar contains cannot be spoofed or hidden from view, so that the user always knows in what security zone the content is being displayed."
This is about IE 6, as that's when this was introduced. There were some furhter changes in IE 7, but that mostly has to do with how the navigation changed, making some parameters of the open command work differently or being obsolete.
OTHER TIPS
The browsers have stopped listening to some of the parameters for security reasons. For example, FF3+ and IE6 / 7+ force a location bar to prevent scammers pretending to be a site they're not.
Related: The Internet Explorer 7 Security Status Bar
Whenever you are visiting any website, you should look at the full address (URL) for the site to understand what website you are looking at. IE7 helps you by enforcing the presence of an address bar in every window, but you still may need to scroll through it or maximize the window in order to view the full address.
If you need more freedom, and happen to have some control over the user's computer (e.g. in a closed intranet), there are solutions like Mozilla Prism that allow a web site to appear rather like a desktop application. But those are highly specialized solutions unsuitable for normal web sites.
Due to changes in security models, it's not possible to have a totally chromeless popup window any more and attempts to strip all the chrome off will simply be ignored. Have you considered using JQuery to create a pseudo-popup that is skinned to look like a window, give it drag handlers and a dismiss button? you could gracefully degrade to a standard pop-up.
Further touching on what FatherStorm said, there's some options here:
Most browsers displays the location bar and status bar by default, and make it also impossible to override window.status. This is done for safety (to guard against phishing).
Some more specific information on how a user can change the setting that allows the status and/or address to be set by Javascript to hidden or visible:
From the 'custom level' dialog from the IE security tab - scroll down to:
"Allow websites to open windows without address or status bars"
Depending on if these is set to Disable or Enable - you will see different behavior from your application.
To my knowledge this applies to IE7, IE8, and IE9
