Internet vs. intranet vs. the window.status method call

Feb 14, 2007 12:14 GMT

What do you think Dave Massy, the IE Senior Program Manager, is up to in his last days at Microsoft? Well, not much, except for a blog entry on MOTW. The Mark of the Web was designed as a security feature that manages web pages across security zones in accordance with the restrictions imposed by the Local Machine zone. In Internet Explorer, the browser's default settings can differ according to the security zone in which a page is running.

"By default the security settings for content running in the Internet zone are a little more restrictive than those for content running in the intranet zone. One example is that in IE7 under default security settings a web page running in the Internet zone may not write text to the IE status bar using the window.status method call, whereas the call is allowed in the intranet zone," revealed Massy, adding that the limitation was designed as a protection method against spoofing.

In Internet Explorer 7, online content cannot affect anything outside the HTML rendering area. Microsoft advised developers to extensively test web page content outside the local server, and to check the results of a call to set window.status on the Internet as opposed to the intranet.

"To avoid these differences and have content run in the internet zone despite it originating on the intranet you can add the Mark Of The Web (MOTW) to pages. The MOTW is a comment that should be placed at the start of the HTML page to show that the content is from the internet in the form ," explained Massy. "Including the MOTW in pages and checking that you have default security settings during development can help ensure that you are experiencing the same settings as users of IE on the internet will have when your pages are deployed."
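A check for the MOTW comment Massy describes, as an added example that is not code from the article or from his blog post. The comment format `<!-- saved from url=(NNNN)URL -->`, where NNNN is the zero-padded character count of URL, comes from Microsoft's MOTW documentation rather than this page; `checkMotw`, its result fields and the sample pages are constructed for illustration.

```javascript
// Added example: validate a Mark of the Web (MOTW) comment in HTML source,
// e.g. as a pre-deployment check on intranet-hosted pages.
// Assumed format (Microsoft's documented one, not shown on this page):
//   <!-- saved from url=(NNNN)URL -->   NNNN = character count of URL
const MOTW_RE = /<!--\s*saved from url=\((\d{4})\)(\S+)\s*-->/i;

function checkMotw(html) {
  const m = MOTW_RE.exec(html);
  if (!m) {
    return { present: false, valid: false, reason: 'no MOTW comment found' };
  }
  const declared = parseInt(m[1], 10);
  const url = m[2];
  const result = { present: true, valid: false, url };

  // The length in parentheses must equal the length of the URL that follows.
  if (declared !== url.length) {
    result.reason = `declared length ${declared}, actual length ${url.length}`;
    return result;
  }
  // The article says the comment belongs at the start of the page; this
  // example interprets that as "before the <html> tag" (an assumption).
  const htmlTag = html.search(/<html[\s>]/i);
  if (htmlTag !== -1 && m.index > htmlTag) {
    result.reason = 'MOTW comment appears after the <html> tag';
    return result;
  }
  result.valid = true;
  // about:internet is the generic mark that places the page in the Internet zone.
  result.genericInternet = url.toLowerCase() === 'about:internet';
  result.reason = 'ok';
  return result;
}

// Constructed sample pages.
const GOOD = '<!DOCTYPE html>\r\n<!-- saved from url=(0014)about:internet -->\r\n' +
  '<html><body onload="window.status=\'ready\'">test</body></html>';
const SITE = '<!-- saved from url=(0023)http://www.example.com/ -->\r\n<html></html>';
const BAD_LEN = '<!-- saved from url=(0023)about:internet -->\r\n<html></html>';
const LATE = '<html><!-- saved from url=(0014)about:internet --><body></body></html>';
const NONE = '<html><body>no mark</body></html>';

for (const [name, page] of Object.entries({ GOOD, SITE, BAD_LEN, LATE, NONE })) {
  console.log(name, JSON.stringify(checkMotw(page)));
}
```

A page that passes this check still needs to be loaded in IE under default security settings to confirm the zone behaviour the article describes, such as the blocked `window.status` write.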