Pop-up Blocker Bypass via Local base href

Setting <base href> to a local path (c:\) bypassed IE’s pop-up blocker entirely. Windows opened via window.open after a setTimeout — which should have been blocked as unsolicited pop-ups — were allowed through without any user interaction check.

<base href="c:\">

<script>
function main()
{
	window.open("http://www.bing.com", "", "width=300,height=300,left=0");
	window.open("http://www.google.com", "", "width=300,height=300,left=320");
	window.open("http://www.nature.com", "", "width=300,height=300,left=640");
}
</script>

The pop-up blocker’s user-gesture tracking apparently had a special code path for local (file:// or drive-letter) origins that skipped the block. Since the base href shifted IE’s perceived origin to c:\, all three delayed window.open calls went through unblocked. Three separate windows opened without any user interaction, completely sidestepping the pop-up blocking logic.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.

Read other posts

< [base href file:// Bypasses IE Protected Mode Integrity Level] :: [UXSS: X-Content-Security-Policy Sandbox + Cached window.open + xml Script Tag] >