Grant Wagner
Jan 10 2005, 04:57 PM
<[Email Removed]> wrote in message
news:[Email Removed]...
QUOTE |
Amazing. Microsoft ignores security implications, or produces products with security problems, and are attacked. They take security seriously and make positive changes to secure their products and they are attacked.
Grant -
I think the problem here is that Microsoft has dealt with the security issue in a way that causes at least as many problems as it fixes. Instead of detecting actual pernicious activity in ActiveX content that is running locally, they simply disallow all ActiveX. This means that perfectly innocent things like Flash animations generate scary warnings when run from CDs.
|
I'm not sure what "scary warning" you refer to, but if it is the "active
content" warning you receive when attempting to run script locally, I've
already explained how to avoid that, by using the Mark of the Web. Your
script will run in the Internet zone, and as a result will not have
access to harmful ActiveX controls, but it will run without a warning.
It only requires including <!-- saved from url=(0014)about:internet -->
somewhere on your page.
This is explained at <url:
http://msdn.microsoft.com/workshop/author/...2compat.asp#lmz/> and <url:
http://support.microsoft.com/default.aspx?...kb;en-us;873156 /> and
<url:
http://support.microsoft.com/default.aspx?...kb;EN-US;883866 />
QUOTE |
I'm working with a client now whose business may be harmed because of this. We submitted a CD version of his web site to a professional association so that he could get their seal of approval for the content. Because the chairman of the committee got a warning message he didn't understand simply because the site uses Flash, my client will now, most likely, not receive their seal.
|
Again, you obviously failed to give your document the Mark of the Web;
doing so will restore functionality without a warning.
QUOTE |
Seems that Microsoft does deserve criticism for first creating security problems, then making belated and clumsy attempts to fix them.
|
So your solution is to not make any attempt to protect users from
locally executed malicious scripts because the solution has been late in
coming?
As I've said, Microsoft locked down the Local Computer zone and required
the user to explicitly allow such content to be run. If you wish to add
JavaScript to a file that will be loaded from the Local Computer zone,
then add the Mark of the Web. This will make the script execute in the
Internet zone, with the restrictions that zone imposes.
QUOTE |
It also seems strange to me that it should be considered OK to run this kind of content from a web site, but not from a local CD!
|
This is because the JavaScript run from a local CD would run in the
Local Computer zone, where it has abilities (such as creating a
FileSystemObject) not available to it when run from a Web site (the
Internet zone).
As a result, the user needs to grant permission to scripts which execute
in a zone where they could do harmful things to the user's computer, or
_you_ need to give your page the Mark of the Web, which forces the
locally executed page to run in the Internet zone.
--
Grant Wagner <[Email Removed]>
comp.lang.javascript FAQ -
http://jibbering.com/faq
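
The Mark of the Web comment quoted in the post above carries a four-digit field, `(0014)`, which is the length of the URL that follows it (`about:internet` is 14 characters). The following is an added example, not part of the original post: it builds the comment for a given URL and audits pages for a missing or mis-sized mark before they are shipped on CD. The function names `makeMotw`, `checkMotw` and `auditSamples` are hypothetical, and the sample pages are constructed.

```javascript
// Added example (not from the original post): build and validate the
// Mark of the Web (MOTW) comment for pages that will be opened from local media.
// The four digits in parentheses are the decimal length of the URL that follows.

const MOTW_RE = /<!--\s*saved from url=\((\d{4})\)(\S*?)\s*-->/i;

// Build the comment for a zone-mapping URL such as "about:internet".
function makeMotw(url) {
  if (url.length === 0 || url.length > 9999 || /\s|--/.test(url)) {
    throw new RangeError("URL not usable in a MOTW comment: " + url);
  }
  return "<!-- saved from url=(" + String(url.length).padStart(4, "0") + ")" + url + " -->";
}

// Inspect a page: is a MOTW present, and does its length field match its URL?
function checkMotw(html) {
  const m = MOTW_RE.exec(html);
  if (!m) return { status: "missing" };
  const declared = parseInt(m[1], 10);
  const url = m[2];
  if (declared !== url.length) {
    return { status: "length-mismatch", url, declared, actual: url.length };
  }
  return { status: "ok", url };
}

// Constructed sample pages: a correct mark, no mark, and a wrong length field.
const samples = {
  good: "<html>\r\n" + makeMotw("about:internet") + "\r\n<body><script>/* page script */</script></body></html>",
  none: "<html><body><script>/* page script */</script></body></html>",
  bad: "<html>\r\n<!-- saved from url=(0013)about:internet -->\r\n<body></body></html>",
};

// Run the check over every sample and collect the status per page.
function auditSamples() {
  const out = {};
  for (const [name, html] of Object.entries(samples)) out[name] = checkMotw(html).status;
  return out;
}

console.log(auditSamples());
```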