In IE 7, the window.open function isn't what it used to be

So here's the scenario. You have a website with a link that opens a new window. When opening this new window, you use the javascript:window.open() function, and you specifically state "location=no, statusbar=no" within the open function. When you test it locally, it works wonderfully. Then, you make your push to production, and users see the location and statusbar in the new window. What's the deal!?

IE 7, Firefox, and Safari have all preached user security for quite some time, so it may not be much of a shock to you to hear that the address and status bars are always visible, no matter what parameters you feed it via window.open(). Granted, the address bar in the above scenario cannot be used for navigation as it is "greyed out", but these toolbars are always visible to ensure that user's aren't sent to Phishing sites, etc.

So why did my window.open() function work when I tested it?

Simple, when testing on your development PC, or internal network, you're withing your "Intranet" group according to your browser. The Intranet group has lower level security permissions that allow such functions to work. However, when you make your push to production, the site is now in the "Internet" group, which obviously has higher level security.

This FAQ here states how IE 7, Firefox, and Safari take to the window.open() parameters.

This post, albeit brief, hopefully saves you some time and energy on not only troubleshooting the scenario above, but also saves you in development time as you can no longer rely on this technique to open new windows with total control over their look and feel.