
In IE10 I've disabled JS execution by setting the maximum security level (IE11 is also affected).

Then I add or edit the onmousedown attribute on any element on any site (for example, the body element on www.google.com).

```html
<body onmousedown="alert('Hello')">...</body>
```

And so I get an alert when clicking anywhere.

Is this expected behavior or a bug?

Paul Sweatte
Anton Rudeshko
  • Maybe the developer console automatically turns on JS on the page? – denisoid Jun 24 '13 at 08:06
  • @denisoid, nope, I cannot even `2+2` in the console. – Anton Rudeshko Jun 24 '13 at 09:51
  • Only an IE developer can come here and confirm this, but it's obviously a terrible bug – Áxel Costas Pena Oct 01 '13 at 07:18
  • Is this working with mouse events and alert only, or with all event attributes and any JavaScript? –  Mar 14 '14 at 19:11
  • @derylius, didn't test much, but I'm pretty sure that both may vary widely. You can try it yourself. – Anton Rudeshko Mar 15 '14 at 06:20
  • I have only IE11 to test with but I will take a look in a few days and may sign back the results –  Mar 15 '14 at 08:08
  • I've already tested IE11 and updated my question =) No good. – Anton Rudeshko Mar 15 '14 at 16:33
  • So I did some testing as well, and it seems to be more complex: I was able to call a predeclared function with the function call added manually, but couldn't call any injected function, nor could I assign any event listener. That makes me think that the way they implemented the enabling/disabling of JavaScript is that it simply blocks the execution of any function, which works just fine, but when they implemented the dev tools they left it open for the devs to inject code. Maybe it's a bug, maybe an undocumented feature, but as long as it can't be exploited by XSS I would say the latter. –  Mar 17 '14 at 11:44
  • So as it stands, for any further research we should have a source or an MS dev, as Axel pointed out. Try to file a bug report if it's annoying you; otherwise just don't use it if you don't need it. –  Mar 17 '14 at 11:50

1 Answer


F12 has its own Disable menu in IE10:

This menu helps you test how users would experience your site based on how they have configured their browser. The following commands are available in the Disable menu:

Script

Disable all scripts on a webpage. This command must be clicked again to enable all scripts. When selected, the command is set and causes the page to refresh. This command is not available if Internet Security has Protected Mode set to On. To activate this command, set Protected Mode to Off.

Popup Blocker

Disable all pop-up blockers so that pop-ups are allowed on this website. This command must be selected again to enable pop-up blockers. This command is not available if Internet Security has Protected Mode set to On. To activate this command, set Protected Mode to Off.

All CSS

Disable all Cascading Style Sheets (CSS) on the page. Click again to enable all CSS. When selected, the command is set and causes the page to refresh to reflect the selection. This command will be re-enabled when a webpage refreshes.

This is deprecated in IE11:

There are no plans at this time to bring back the disable menu from IE10 F12. You can disable most of the features previously in the F12 disable menu from the Internet Options advanced and security options.


Community
Paul Sweatte