IE Intranet and Trusted Modes

Daniel Brain
5 min read · Dec 4, 2018

If you’re dealing with iframes and popup windows, in IE or Edge, you’re in murky water. Here are some of the things we’ve learned for future people exploring this path.

This article covers IE11 and Edge. Previous versions of IE have their own weird intranet and trusted mode problems that I didn’t have time to research while putting together these notes.

How do I get into intranet and trusted mode?

  1. Your site may automatically land in these modes.
  2. Your administrator may have added your corporate device to intranet or trusted mode.
  3. You may have added a domain manually in the IE or Edge settings.

How do I get out?

First navigate to Internet Options. In IE you can find this in the menu:

Or for Edge, you’re going to need to find these settings in your start bar:

From there, you can navigate to Security, and hit Local Intranet and Trusted Sites, then hit the Sites button:

For intranet mode, you’ll see this menu:

I would recommend unchecking all of these boxes. Then hit Advanced, and you’ll see the following window:

Again I would recommend removing every site from this list.

For trusted mode, you will see a similar window:

Again, unless you have any sites that need to be here, I recommend removing everything from this list.

Finally, if you’re in IE, I would recommend navigating to Compatibility View Settings:

Then uncheck Display intranet sites in compatibility view:

What if that doesn’t work?

If all of the above fails — and I’ve seen instances where none of the above steps work — you may need to contact your IT department or administrator to figure out why certain sites are landing in intranet or trusted mode.

How can I detect intranet and trusted modes in JavaScript?

You can run the following simple check:

Note: this check will only work in IE. If you have a way to check in Edge, please let me know.

How will intranet mode ruin your day?

It’ll do quite a few things:

Compatibility Mode in IE11

By default, intranet mode will force IE11 into compatibility mode. It will run your app with an IE7 user-agent, and disable certain browser features.

If your site or app is in an iframe, it will inherit compatibility mode from the parent page, even if your domain is not explicitly in intranet mode.

If that iframe is not in compatibility mode, and it opens a popup window on the same domain in intranet mode, the popup window will be in compatibility mode by default.

So intranet mode has totally different effects depending on the context in which your app is loaded. So far the general rule seems to be that compatibility mode is set when the domain of the top-level window is in intranet mode — and popup windows count as a new top-level window.

Edge does not have compatibility mode enabled by default for intranet mode.

Trusted and Intranet Mode in IE11

By default, trusted and intranet mode seem to work without any hitches in IE11, provided the Display intranet sites in compatibility view setting is disabled.

It’s impossible, to the best of my knowledge, to differentiate between intranet and trusted mode in JavaScript. So your best bet is to check the user-agent and make sure it does not show IE7, to confirm you’re not being forced into compatibility mode.

Intranet and Trusted mode in Edge, with popups

If you open a popup window in Edge, and point it to a domain which is in trusted mode, the popup window will become orphaned. That means:

  1. win.closed will be true, where win is a reference in the parent to the popup window you opened.
  2. The popup window will actually still be open and usable.
  3. Communication with the window using postMessage will not be possible.
  4. The popup window will have window.opener set to null, meaning it will not be able to detect itself as a popup, or message its opener.
  5. The popup window will have window.name set to "" meaning any data or information passed via the window name will be lost.

This means if you open a popup window for a trusted domain, both the parent window and the popup window will immediately lose all communications with each other.

The best thing you can do to mitigate this is to pass a query parameter to the popup, like popup=1, when you initialize it. Then, if the query parameter is present and window.opener is null, trigger an error or automatically close the window (unless you don’t actually need any communication with the parent).
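The mitigation above, sketched as an added example that is not code from the original article: the function names (markPopupUrl, hasPopupFlag, classifyWindow, guardPopup) are hypothetical, and the code sticks to ES5 syntax so it can run in IE11 and Edge.

```javascript
// Added example, not from the original article. ES5 only (IE11 / Edge).
var POPUP_FLAG = 'popup=1'; // the marker the article suggests

// Opener side: add the marker to the URL before passing it to window.open().
function markPopupUrl(url) {
  var hashAt = url.indexOf('#');
  var base = hashAt === -1 ? url : url.slice(0, hashAt);
  var hash = hashAt === -1 ? '' : url.slice(hashAt);
  return base + (base.indexOf('?') === -1 ? '?' : '&') + POPUP_FLAG + hash;
}

// True only for an exact "popup=1" pair, so "xpopup=1" or "popup=10" do not match.
function hasPopupFlag(search) {
  var pairs = String(search || '').replace(/^\?/, '').split('&');
  for (var i = 0; i < pairs.length; i++) {
    if (pairs[i] === POPUP_FLAG) { return true; }
  }
  return false;
}

// Popup side: decide which situation this window is in.
//   'not-popup' - loaded without the marker (normal navigation)
//   'connected' - marker present and window.opener is usable
//   'orphaned'  - marker present but window.opener is null (the Edge case above)
function classifyWindow(win) {
  if (!hasPopupFlag(win.location.search)) { return 'not-popup'; }
  return win.opener ? 'connected' : 'orphaned';
}

// Popup side: close an orphaned popup, or call onOrphan to show an error instead.
function guardPopup(win, onOrphan) {
  var state = classifyWindow(win);
  if (state === 'orphaned') {
    if (typeof onOrphan === 'function') { onOrphan(); } else { win.close(); }
  }
  return state;
}

// In the popup page, early in startup: guardPopup(window);
```

Because window.name is also cleared in the orphaned case, the marker has to travel in the URL as shown here rather than in the window name.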
