I had to hack the new prototype.js 1.5.0 release to revert to the 1.4 getTransport() order. The problem: IE7’s “native” XMLHttpRequest method won’t play nice with a <base> tag whose domain value is different than the domain value of the page’s URL.

Example:

url: 
    http://flop.net/bar.html
with:
    <base href="http://foo.com/" />
then IE7 new XMLHttpRequest() for 
    'http://flop.net/ajax' 
throws access denied error.
However, this works:
url:
    http://flop.net/bar.html
with:
    <base href="http://flop.net/">
then IE7 new XMLHttpRequest() for
     'http://flop.net/ajax'

So we just revert to using ActiveX (the original Microsoft version for remote transport).

I see that YUI checks for transport the same way. So I expect their’s will break with IE7 too.

Here’s the diff:

 var Ajax = {
   getTransport: function() {
     return Try.these(
-      function() {return new XMLHttpRequest()},
       function() {return new ActiveXObject('Msxml2.XMLHTTP')},
-      function() {return new ActiveXObject('Microsoft.XMLHTTP')}
+      function() {return new ActiveXObject('Microsoft.XMLHTTP')},
+      function() {return new XMLHttpRequest()}
     ) || false;
   },

I assume Microsoft changed this behaviour in IE7 in the name of security, but it is still a royal PITA.

Did I just miss the warning signs?

I don’t really see how this ‘security’ precaution actually makes anything more secure. If anything, in my case, not using the ‘base’ tag means my HTML would be lots more verbose, since I would need to specify the URL in every href link.