a brief history of setHomePage()

I started working on IE right after IE 5.5 shipped. Since then, there is one little feature which has been the subject of my loving attention from time to time-- setHomePage().

setHomePage() is implemented as a behavior in iepeers.dll. It takes one argument-- the URL you would like to prompt the user to set as their homepage. MSDN claims this functionality has been available since IE 5.0. I do not know who dreamt it up, but on the surface it does not seem unreasonable for a website to be able to prompt the user, and, having received the user's consent, have the browser set the home page for the user. But, alas, we live in strange times and drive-by hijacking of a user's home page seems to be a full-on business model.

For a long time the implementation of setHomePage() would simply take the string it was given and display it in single quotes in the dialog box and wait for the user to make a decision. Clever people figured out you could insert \n and \t to format the dialog in strange ways. This allowed them to socially-engineer users into clicking Yes. This was fixed in IE6; we now verify the untrusted input first.

For a long time the default answer for the dialog was Yes. For XP SP2 the default value will change to No.

One especially nefarious method of getting users to answer yes was to use window.createPopup() to cover up and/or change parts of the dialog. For XP SP2 window.createPopup() has a whole new set of constraints-- must not cover dialog boxes, must not try to exist (too far) outside the boundaries of the HTML rendering surface, only one instance allowed at a time, etc. 

The biggest change for XP SP2, the one I predict will impact web developers the most, is this: setHomePage() will fail with an access denied error if it is not called within a user initiated context. This means:

<body onLoad="oHomePage.setHomePage('www.reallyevilnastynefarioussiteasdf.com')"></body>

will fail with Access Denied. But the following code will work as expected:

<span onClick="oHomePage.setHomePage('https://www.niceguys-b-usasdf.com');">Click here to make us your home page!</span>
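
The three checks described above (user-initiated context, verifying the untrusted string, and a default answer of No) can be modeled in a few lines. This is an added example, not code from IE or from the original post; the names validateHomePageUrl, requestSetHomePage, ctx.userInitiated and ctx.prompt are hypothetical, and the length limit and http(s)-only rule are assumptions of the sketch.

```javascript
// Added illustration, not IE's implementation. Models three checks from the
// post: user-initiated context, input verification, and a default of No.
const MAX_LEN = 2048; // assumed limit

// C0/C1 controls (includes \n and \t), Unicode line/paragraph separators,
// and bidi overrides can all reshape how a dialog string is laid out.
const LAYOUT_CHARS = /[\u0000-\u001f\u007f-\u009f\u2028\u2029\u202a-\u202e]/;

function validateHomePageUrl(raw) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > MAX_LEN) {
    return { ok: false, reason: 'length' };
  }
  // Test the raw string: WHATWG URL parsers strip tab and newline silently,
  // so checking only the parsed result would hide the attempt.
  if (LAYOUT_CHARS.test(raw)) return { ok: false, reason: 'control-character' };
  let parsed;
  try {
    parsed = new URL(raw);
  } catch (err) {
    return { ok: false, reason: 'not-a-url' };
  }
  // Assumption of this sketch: only http(s) targets are offered to the user.
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return { ok: false, reason: 'scheme' };
  }
  return { ok: true, url: parsed.href };
}

// ctx.userInitiated and ctx.prompt are hypothetical host-supplied values:
// the first is true only inside a handler for a real user action, the
// second shows the dialog and returns the label of the button chosen.
function requestSetHomePage(raw, ctx) {
  if (!ctx.userInitiated) return { status: 'access-denied' };
  const v = validateHomePageUrl(raw);
  if (!v.ok) return { status: 'rejected', reason: v.reason };
  const choice = ctx.prompt({
    text: `Would you like to set your home page to '${v.url}'?`,
    buttons: ['Yes', 'No'],
    defaultButton: 'No', // pressing Enter must not consent
  });
  // Store exactly the string that was displayed.
  return choice === 'Yes' ? { status: 'set', url: v.url } : { status: 'declined' };
}
```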

Personally, I use about:blank as my home page because the browser window opens faster. This is especially important over terminal services!