About the Pop-up Blocker
Note: As of December 2011, this topic has been archived and is no longer actively maintained. For more information, see Archived Content. For information, recommendations, and guidance regarding the current version of Windows Internet Explorer, see Internet Explorer Developer Center.
The Pop-up Blocker feature in Microsoft Internet Explorer 6 for Windows XP Service Pack 2 (SP2) protects users from malicious activity that is often hidden behind or initiated by pop-up windows. Designed to give users more control over their Web browsing experience, this feature is on by default, and blocks script-initiated pop-up and pop-under windows that launch automatically from a Web site. By understanding how the Pop-up Blocker works, you can ensure that important information on your Web site gets noticed, and you can provide your users with a better Web-browsing experience.
This document assumes that you are familiar with Dynamic HTML (DHTML) and scripting.
This topic contains the following sections.
- Why Do We Need a Pop-up Blocker?
- What Does the Pop-up Blocker Block?
- What Doesn't Get Blocked by the Pop-up Blocker?
- How Can You Ensure That Your Web Site Works With the Pop-up Blocker?
- What Else Do You Need to Know About the Pop-up Blocker?
- Related Topics
Why Do We Need a Pop-up Blocker?
There are many ways in which pop-up windows have been used either to annoy users or to hide malicious activity. Some of the most annoying pop-up window actions include windows that continually reopen when the user closes them, pop-ups that blanket the desktop with banner ads and cover the entire usable space, or pop-ups that keep reappearing, spawned from an offscreen or hidden window. Probably one of the most annoying actions is the pop-up window that appears suddenly and blocks the user's screen, with no visible way to close the window.
Malicious scripts carry out disruptive activities, such as creating pop-up windows that attempt to imitate a user's desktop and then remain in focus, creating pop-up windows that cannot be closed, or creating pop-ups that appear offscreen where they go unnoticed. These activities often hide malicious activity running behind the pop-up window.
What Does the Pop-up Blocker Block?
The Pop-up Blocker blocks script-initiated pop-up windows that are created by the following methods, without the user clicking a link. If users enable the most restrictive setting in the Pop-up Blocker Settings, the Pop-up Blocker blocks windows that are opened by these methods from a user-initiated action, such as clicking a page element or tabbing to a link and then pressing ENTER.
In addition to blocking script-initiated pop-up windows, the Pop-up Blocker also blocks:
- setHomePage() from launching automatically. This function can be launched only from a user-initiated action, such as clicking a page element or tabbing to a link and then pressing ENTER.
- Scripts from automatically targeting the search pane.
- Windows that are opened automatically from DHTML elements that overlap content on the same page.
- Scripts from calling window.open on an onunload event in an attempt to get the user to stay on a site, or to serve the user one more ad.
- Scripts from targeting and then navigating to a named frame that doesn't exist.
When the Pop-up Blocker prevents pop-up windows from appearing, the action triggers the Information Bar. Users can decide if they want to see the blocked window by clicking on the Information Bar.
What Doesn't Get Blocked by the Pop-up Blocker?
The Pop-up Blocker does not block pop-up windows that open as a direct result of a user action. A user-initiated action includes clicking a page element or tabbing to a link and then pressing ENTER. Pop-up windows are not blocked if they:
- Are opened by a link which the user clicked.
- Are opened by applications that are running on the computer. These applications can include adware.
- Are opened, on user-initiated actions, by ActiveX controls that are instantiated from a Web site.
- Are opened from the Trusted Sites or Local Intranet zones.
- Are launched from a Web site on a user's allow list. Users can add Web sites to their allow list through the Pop-up Blocker settings.
- Are launched with the window.createPopup method. Note that Window Restrictions allow only one pop-up window at a time to be open on a page, and that they restrict pop-up windows launched with this method to the Internet Explorer client window.
Whether pop-up windows appear in each of these cases is ultimately determined by the user. Users can configure the Pop-up Blocker to be more or less restrictive, or they can turn it off altogether.
How Can You Ensure That Your Web Site Works With the Pop-up Blocker?
One way to guarantee that your Web site functions properly, of course, is by avoiding scripting any pop-up windows. If it is not possible to design your Web site without using pop-up windows, there are ways to ensure that your pop-up windows are not inadvertently blocked, and that your user has access to the information in the pop-up windows.
Ensure that all of the pop-up windows in your Web site open as the direct result of a user action, such as clicking a page element, or tabbing to a link and then pressing ENTER. If your Web site must rely on script-initiated pop-up windows, provide the user with instructions for adding your site to the Pop-up Blocker allow list.
If you are not sure whether a pop-up window is blocked, check your functions that return a window object. A pop-up window has been blocked if these functions return null. In particular, you need to check the value returned by window.open to avoid script errors when your pop-up windows are blocked.
The order in which events occur in your script can also affect pop-up windows. If your Web site processes information asynchronously, you need to be sure of the order in which that information is processed. If the user clicks a link to open a window, and then the site sends or receives information asynchronously before opening the pop-up window, the window might be blocked. Pop-up windows that open from a user-initiated action are not blocked if they open before the site processes the information.
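The two points above (check the value returned by window.open, and open the window before any asynchronous work) are shown together in the following added example, which is not part of the original topic. The names makeModelWindow, onReportClick, onReportClickDeferred, simulateClick, showInline and the sample URL are hypothetical; the model window is a constructed stand-in that encodes only the blocking rule described here, and filling the already-open window by setting its location is an assumption about how the site delivers the content.

```javascript
// Constructed stand-in for the browser window so the example runs outside IE.
// It models only what this topic states: open() returns null unless it is
// called while a user-initiated action is still being handled.
function makeModelWindow() {
  var win = { inUserAction: false, opened: [] };
  win.open = function (url, name) {
    if (!win.inUserAction) { return null; }          // blocked
    var popup = { closed: false, location: { href: url } };
    win.opened.push(popup);
    return popup;
  };
  return win;
}

// Hypothetical click handler. loadUrl(cb) is the site's asynchronous step;
// showInline(url) is the in-page fallback used when the pop-up is blocked.
function onReportClick(win, loadUrl, showInline) {
  // Open first, synchronously, while the click is still being handled.
  var popup = win.open("about:blank", "report");
  var result = { blocked: popup === null || typeof popup === "undefined" };
  loadUrl(function (url) {
    if (result.blocked) {
      showInline(url);            // never dereference a null window object
    } else if (!popup.closed) {
      popup.location.href = url;  // fill the window that is already open
    }
  });
  return result;
}

// The ordering the topic warns about: the open happens only after the
// asynchronous step, so it is no longer tied to the click.
function onReportClickDeferred(win, loadUrl, showInline) {
  loadUrl(function (url) {
    var popup = win.open(url, "report");
    if (popup === null || typeof popup === "undefined") { showInline(url); }
  });
}

// Constructed driver: the callback runs after the click handler has returned.
function simulateClick(handler) {
  var win = makeModelWindow(), pending = [], inline = [];
  win.inUserAction = true;
  handler(win, function (cb) { pending.push(cb); }, function (u) { inline.push(u); });
  win.inUserAction = false;
  for (var i = 0; i < pending.length; i++) { pending[i]("/reports/42.html"); }
  return { windows: win.opened, inline: inline };
}
```

In both handlers the null check keeps the page working when the window is blocked, and neither handler redirects or closes the parent window, so the Information Bar stays available to the user.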
What Else Do You Need to Know About the Pop-up Blocker?
When you script pop-up windows for your Web site, here are some further pointers to keep in mind about the Pop-up Blocker.
- If your site redirects to a different site when a pop-up window is blocked, it might be more difficult for the user to open the blocked pop-up window. The site to which you redirect the user will not show the Information Bar that provides easy access to the blocked pop-up window.
- When you script a window to close because a pop-up window is blocked from the parent window, the Information Bar to access the blocked pop-up also closes. Users cannot access the blocked information, and they might need to do so to accept a download, an ActiveX control, or the pop-up window.
- If you use the setTimeout() method within a click event, the pop-up window will not be launched.
- If your script launches an automatic pop-up window from another pop-up window that was opened by a user action, the second pop-up will be blocked. The Pop-up Blocker will not recognize the second launch as a user action.
- Pop-up windows that are automatically launched through other objects, such as ActiveX controls or Macromedia Flash movies, are blocked by the Pop-up Blocker. There is no workaround. Note, however, that DHTML objects, such as hovering <DIV> elements and rich media, can appear to be pop-up windows. These objects are not blocked by the Pop-up Blocker.
- Remember that pop-up windows generated by the window.createPopup method are also governed by Window Restrictions. These restrictions will allow only one pop-up window at a time to be open on a page, even if the pop-up was initiated by a user action. You cannot launch multiple pop-up windows from one user action. See About Window Restrictions for more changes to window objects in Internet Explorer 6 for Windows XP SP2.