Grant Wagner
Jan 10 2005, 05:09 PM
"Robert" <[Email Removed]> wrote in message
news:[Email Removed]...
QUOTE |
In article <[Email Removed]>, [Email Removed] wrote:
I think the problem here is that Microsoft has dealt with the security issue in a way that causes at least as many problems as it fixes. Instead of detecting actual pernicious activity in ActiveX content that is running locally, they simply disallow all ActiveX. This means that perfectly innocent things like Flash animations generate scary warnings when run from CDs.
Microsoft pollutes Javascript by adding ActiveX controls. Microsoft finds that ActiveX is a problem.
|
This is not a "pollution" of JavaScript, it is an extension of the
browser DOM to manipulate ActiveX controls hosted by the OS or the
browser.
QUOTE |
My understanding is that Microsoft gives a warning when it see javascript. It should give a warning the first time it see ActiveX content or implement Javacript per standard thus disallowing ActiveX controls.
|
The mechanisms for making ActiveX objects available to JavaScript are
simply too complex to monitor that condition. For example, an <object>
tag can be created using createElement(), appended to the document using
appendChild(), then scripted. Trying to detect these sorts of things
would be very complicated and error prone (which has resulted in many of
the security vulnerabilities discovered in the past).
Most of JScript is implemented per the ECMAScript standard. Disallowing
(or not) ActiveX controls has nothing to do with ECMAScript.
ActiveXObject() is there to facilitate communication with the DOM, it is
not part of the language.
QUOTE |
It's anti-competitive because they are labeling Javascript as the problem when it is the Microsoft ActiveX additions that are the problem. Firefox works fine one the same html file.
|
No, they are labelling "active content" as the problem, which it is.
Scripts run in IE in the Local Computer zone have access to do things
not available when run in the Internet zone.
I still fail to see how this is anti-competitive. First you argue that
Microsoft is hurting the ability for companies and individuals to
accomplish their design goals, then you argue that this somehow
_benefits_ Microsoft.
Anyway, all this is completely moot. You can make your scripts run
without warning in the Local Computer zone by including the Mark of the
Web.
<url:
http://msdn.microsoft.com/workshop/author/...xpsp2compat.asp/>
<url:
http://support.microsoft.com/default.aspx?...kb;en-us;873156 />
<url:
http://support.microsoft.com/default.aspx?...kb;EN-US;883866 />
<url:
http://www.microsoft.com/technet/prodtechn...brows.mspx#EHAA/>
Also note that in addition to simply running in the Internet zone (using
<!-- saved from url=(0014)about:internet -->), you can also give your
script more permissions by using <!-- saved from
url=(0022)http://www.yoururl.com --> and adding yoururl.com to the list
of Trusted Sites (this could be done corporate-wide using Group
Policies, a change to each and every workstation is not required).
--
Grant Wagner <[Email Removed]>
comp.lang.javascript FAQ -
http://jibbering.com/faq