a brief history of setHomePage()


I started working on IE right after IE 5.5 shipped.  Since then, there is one little feature which has been the subject of my loving attention from time to time-- setHomePage().


setHomePage() is implemented as a behavior in iepeers.dll.  It takes one argument-- the URL you would like to prompt the user to set as their homepage.  MSDN claims this functionality has been available since IE 5.0.  I do not know who dreamt it up, but on the surface it does not seem unreasonable for a website to be able to prompt the user, and, having recieved the users consent, have the browser set the home page for the user.  But, alas, we live in strange times and drive-by hijacking of a users home page seems to be a full on business model. 


For a long time the implementation of setHomePage() would simply take the string it was given and display it in single quotes in the dialog box and wait for the user to make a decision.  Clever people figured out you could insert \n and \t to format the dialog in strange ways.  This allowed them to socially-engineer users into clicking Yes.  This was fixed in IE6; we now verify the untrusted input first.


For a long time the default answer for the dialog was Yes.  For XP SP2 the default value will change to No.


One especially nefarious method of getting users to answer yes was to use window.createPopup() to cover up and/or change parts of the dialog.  For XP SP2 window.createPopup() has a whole new set of constraints-- must not cover dialog boxes, must not try to exist (too far) outside the boundaries of the HTML rendering surface, only one instance allowed at a time, etc. 


The biggest change for XP SP2, the one I predict will impact web developers the most, is this:  setHomePage() will fail with an access denied error if it is not called within a user initiated context.  This means:


<body onLoad=“oHomePage.setHomePage('www.reallyevilnastynefarioussiteasdf.com')”></body>


will fail with Access Denied.  But the following code will work as expected:


<span onClick=”oHomePage.setHomePage(‘http://www.niceguys-b-usasdf.com’);”>Click here to make us your home page!</span>


Personally, I use about:blank as my home page because the browser window opens faster.  This is especially important over terminal services!

Comments (14)

  1. I use about:blank too because of performance and other things. Why it is not a default value in IE, imho it is obvious it is supposed to be…

  2. jeffdav says:

    Anatoly– I do not know. These decisions were made before my time. And there are lots of people who enjoy having one portal or another as their home page.

  3. Kevin Dente says:

    Any chance we can get an option in SP2 to disable the setHomePage popup completely? It’s frequently used by those domain aggregator sales sites when you close the browser or navigate away from their page. It’s very annoying, and I NEVER want to switch my home page to another site (I also use blank).

  4. Kevin Dente says:

    Oops, sorry, I guess that use that I described would not be classified as a "user initiated context". But would the Access Denied error show up as a javascript debugging error?

  5. jeffdav says:

    Kevin– The Access Denied is in the form of a script error, and OnUnload would not be a user intiated action.

    There was argument for disabling it completely early on in the product cycle, but we decided in the end that the user initiated requirement would solve the majority of problems caused with the prompt.

  6. Kevin Dente says:

    If it’s a script error, then poor developer sods like me that run with script debugging enabled (I do lots of DHTML/Javascript debugging) will get error popups, correct? Kind of unfortunately, albeit for a relatively small portion of the population.

  7. Peter Torr says:

    C’mon, there’s plenty of room left in the Custom Security Settings dialog to add:

    o Allow web pages to prompt you to make them the homepage

    O Enable

    O Disable

    O Only on Thursdays

  8. Pete Cole says:

    Just curious – how do you get setHomePage() to appear on "window"?

  9. jeffdav says:

    Pete– Oops. I will correct the article.

  10. Pete Cole says:

    Jeff – bother, it would have been useful <g>.

    Something else that may be a dumb question – how does a binary behavior know that a method has been called within a user initiated context (or how can it find out)?

  11. About popups: "only one instance allowed at a time"

    Does this mean that http://webfx.eae.net/dhtml/dhtmlmenu4/menu4.html will fail in XP2? The last beta I tested the menus worked ok.

  12. jeffdav says:

    I am not sure if it will fail or not; I did not have time to go through all the code. You should test with SP2 RC1.

  13. Pamela Joy says:

    I made a custom homepage which resides only on my computer. The page contains the links I use the most, including links to various areas of my five drives. The really useful aspect of having a custom homepage is when I travel. I can carry along a copy of all my favorites on a disk or upload the page to my website. When MSIE updates or needs to be reinstalled, I have all my favorites safely tucked away. Also on this custom homepage, I have a box to enter Google searches or words for dictionary.com, as well as a Celsius to Fahrenheit converter.

Skip to main content