Protect the addressbar in IE

Posted on 2003-02-28
Medium Priority
Last Modified: 2013-12-16
Does anyone know a way to protect the addressbar in Internet Explorer and Netscape.
The meaning is that the user cannot see the name of the current page (protected page).
The addressbar may be invisible or filled with another address.
Question by:fvg
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Accepted Solution

RajeshTN earned 300 total points
ID: 8041657
You can run the Internet explorer in full screen. Just follow the code:
<script language="javascript">
 var Win;

this will open a child popup window with yourPage.htm in a full screen mode, diabling some of the functionalities. Hope this helps
LVL 16

Expert Comment

ID: 8042474
This will work for someone that knows nothing about source code.

How ever if they want to know that addy they will find it.

So to answer your question



Expert Comment

ID: 8045357

Masking the URL is just about impossible - it's easy to do for novice users, but anyone with a habbit for right-clicking may be able to sift through the HTML source to find the address you're hiding.

Here's a work-around...


This page would actually accept input from the query string to determine what page to show. For example:


In your default.asp code, you'd have something like this:

<% 'Decide which page to display

    Select Case Request.QueryString("page")
      Case "services"
       Call CheckAuthenticated()

       <!--#include file="secured-dir/services.asp"-->

      Case "page-x"
       Call CheckAuthenticated()
       <!--#include file="secured-dir/page-x.asp"-->

      Case Else
       Response.Write "Invalid page ID. Try again."
      End Select


The Sub CheckAuthenticated() could check to see if the request for the page originated from this server itself, i.e. it came from a link on your site.

That way, you could in essence prevent users from linking to pages directly on your site, or from being able to view things they shouldn't be able to get to.

Just an idea!
Veeam Disaster Recovery in Microsoft Azure

Veeam PN for Microsoft Azure is a FREE solution designed to simplify and automate the setup of a DR site in Microsoft Azure using lightweight software-defined networking. It reduces the complexity of VPN deployments and is designed for businesses of ALL sizes.


Expert Comment

ID: 8045836
This question has been posed before in a somewhat different fashion.  You can set the MenuBar visibility in a window.open() call in javascript.  However, you can not access the visibility property of the menubar once a browser window has been opened (i.e., these properties are "protected" in the window object).

There is a good discussion of this on THIS site.  See the following:  http://www.experts-exchange.com/Web/Web_Languages/JavaScript/Q_20119973.html

Ok, so I think Javascript is _not_ the way to get this type of functionality.

I think the best bet is to "fill" the location bar with a "dummy" address.  This can be achieved on both Windows and Unix platforms using server side includes.

For example, let's say I have an apache server (on linux or windows).  I would take the following steps:
1)  First create a file, called "securefinance.html" in a secure area of my site (possibly a subfolder called "MySecureFolder"), and restrict access to it (the file or folder) by IP.  I configure apache so that only IP (local host) can open this file.
2)  Then create a finance.html page with the following line of code:  <!--#include virtual="/MySecureFolder/securefinance.html" -->

That's about it.  Now when a user clicks a link to view "finance.html" the HTML for the page will actually come from "securefinance.html".  Furthermore, if somehow they guessed the real page name, and tried to load it into their browser they would be rejected because of the apache config.

The syntax for doing this on IIS would be very similar and would work for IIS 4 or higher.  Also, a similar analogy would apply for scripting languages, say, Cold Fusion, where my example would be tweaked by changing file extensions to .cfm and using a <cfinclude> instead of a server-side include (include virtual).

Expert Comment

ID: 8053008
you can simply put your page in an iframe <iframe src="<your page>">></iframe> then encrypt your page so its unreadable, this will make it much harder to find out what the URL of the page you are protecting is alternativly, if you have PHP you can put the file you want to protect outside your root web directory and then use <?php include "../<your file>" ?> to call it this will stop the user and is practicaly imposible to get around.

Expert Comment

ID: 8058925
I like the 'running in full screen' approach.  To make it more secure you'd need javscript to prevent right clicking.  And to prevent people from turning off js and cruising your site, you'd need to make all your navigation occur through js too.  At which point you have more of an application than a web site.... what is it you're trying to hide so bad?  Maybe you'd be better off with some sort of executable - you could run your whole site in Flash instead of html - Flash exposes no useful source code or urls.

You could also use the ?page=services approach, but encode your argument.  You can find code to base64 or RC4 encrypt arguments and use that so that you see page=#%va#$aq3f - which is unintelligible to most people, but very attractive to hackers who may think you have something to hide.

Ooooh..... I used to work at a company that used Vignette's StoryServer (now just V6).  The URLs are incomre-freaking-hensible.  Wired and CNet use it, the URLs look like http://wired.com/news/business/0,1367,57810,00.html - it is actually that crappy ,1367,57810, part that tells the server side engine what page to display.  You could replicate this in javascript - have a basic page that just included a js library and an iframe.  The js library decodes the ,1367,57810 crap and conditionally sets the source of the iframe.  You can even encode your javascript so nobody can read the source of it.  Again... people can still right click in the iframe, so you need js to disable the right clicking, but now the js to control page navigation is central to your site, so if they disable javascript they can't navigate anymore.  Just make the html file names bizarre or useless too - set the iframes source to the results of a cgi-bin query for instance.  But for god's sake is that going to be a llllooootttt of work.  Unless you're running a porn site, I don't see it as being worthwhile.

Author Comment

ID: 8062788
To : RajeshTN
I've tried your concept and it works fine.
I've also looked to the source code of the opened window and I see no page name in it.
Since the code is only used to create a dummy page that will open the real window I think there is only a little change to see the page-name.
The dummy page is displayed only for a second and is called by the program CoffeeCup Password Wizard.
Never the less I find the remark of making it all in Flash also a very usefull hint to think about it.
Thanks to all responders

Featured Post

Get proactive database performance tuning online

At Percona’s web store you can order full Percona Database Performance Audit in minutes. Find out the health of your database, and how to improve it. Pay online with a credit card. Improve your database performance now!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article covers the basics of the Sass, which is a CSS extension language. You will learn about variables, mixins, and nesting.
What is Node.js? Node.js is a server side scripting language much like PHP or ASP but is used to implement the complete package of HTTP webserver and application framework. The difference is that Node.js’s execution engine is asynchronous and event…
The purpose of this video is to demonstrate how to integrate Mailchimp with WordPress, by placing a Mailchimp signup form on a WordPress Page or Post. This will be demonstrated using a Windows 8 PC. Mailchimp will be used. Log into your Mailchi…
Learn how to create flexible layouts using relative units in CSS.  New relative units added in CSS3 include vw(viewports width), vh(viewports height), vmin(minimum of viewports height and width), and vmax (maximum of viewports height and width).
Suggested Courses

800 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question