Grant said:

First of all, I just want to be clear that my vent was not in the
slightest way directed towards you. I just happened to recollect
the frustrations I experienced upon installing service pack 2.

> You seem to misunderstand what Mark of the Web does, and what it means.

Evidently. And glad you took the time to write. I always like to
get my misunderstandings cleared up.

> A script loaded from a local hard disk has unlimited security (it can
> access the local file system for example). This is why any HTML document
> that is loaded into the Web browser from the local disk requires the
> user agree to not one, but two warnings that the script can take
> malicious actions.
>
> A script loaded from a local hard disk with the Mark of the Web has the
> same permissions as an HTML document loaded from the Internet zone (as a
> result, it can _not_ access the local file system for example). This is
> why a page loaded from the local hard disk with the Mark of the Web does
> not result in a prompt; the script can not do anything that a script
> loaded from the Internet can not do (barring any unpredicted security
> vulnerabilities).

I thought that .hta files were the ones that had unlimited access
and that is why they had a different suffix so that there should
be no mixup between pages that had limited vs. unlimited access.
If .htm pages have a priori (that is until SP2) unlimited access
then what is the effective distinction between .hta and .htm
(pre service pack 2)?

> <base href=...> does not do the same thing.
> As outlined above, the Mark of the Web actually changes the security
> zone in which the script executes.

I agree it doesn't, and though it's a moot point, I would
rather have seen said:

> The developer would not lose a day if they have familiarized themselves
> with the changes to Service Pack 2 made to Internet Explorer.

Touché. But actually, I did take pains (and it was painful) to
familiarize myself with it - I tried to find the docs, and then to
understand them. And perhaps I am not very good at understanding
things (such as how this Mark of Microsoft works) but (at the
time, anyway), the documentation was scant and confusing on
the nitty gritty details that I was after, plus wrong on
certain points.

> However, the security mechanism is not intended to protect just the Web
> developer, it is intended to protect all users of Internet Explorer. It

Fair enough. And as the developer, I can expect to have to take
extra time to configure my system to be optimal for me.

> is simple enough (using provided Microsoft documentation) to write and
> test scripts from the local hard disk in Internet Explorer without being

Sorry if I'm missing something here. Microsoft DID spell out what
I could do (to insert a Mark of the Web for each web page I want to
diddle with locally), but that is massively burdensome for someone
who is going to be doing it frequently.

> prompted. And I would argue that you should not be testing your Web
> pages loaded from a local hard disk anyway, you should be running your
> own Web server to most closely mimic the environment in which your pages
> will be loading.

Yes, when I am making real pages I agree. But often, I have to
investigate how page fragments are working (in conjunction with javascript).
Although most of the time I run these through a specialized server setup
I have, in some cases I just want to click on the .htm

Regards,
Csaba
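
The chore discussed in this thread, adding the Mark of the Web comment to local test pages and checking that an existing one is well formed, can be scripted. The following is an added example, not code from either poster or from Microsoft; the function names and sample pages are made up here, and treating a length mismatch as an unusable mark is this example's own assumption.

```python
import re

# Mark of the Web comment: <!-- saved from url=(NNNN)URL -->
# NNNN is the decimal length of URL, zero-padded to four digits.
MOTW_RE = re.compile(r"<!--\s*saved from url=\((\d{4})\)(\S+?)\s*-->", re.IGNORECASE)

# Constructed sample pages (not taken from the thread).
SAMPLE_OK = ('<!DOCTYPE html>\r\n'
             '<!-- saved from url=(0023)http://www.contoso.com/ -->\r\n'
             '<html><body><script>/* test */</script></body></html>')
SAMPLE_BAD_LEN = SAMPLE_OK.replace("(0023)", "(0014)")
SAMPLE_UNMARKED = "<!DOCTYPE html>\r\n<html><body></body></html>"


def make_motw(url="about:internet"):
    """Build the comment for a URL; about:internet selects the Internet zone."""
    if len(url) > 9999:
        raise ValueError("URL too long for the four-digit length field")
    return "<!-- saved from url=(%04d)%s -->" % (len(url), url)


def read_motw(html):
    """Return (url, problem); url is None when no usable mark is present."""
    m = MOTW_RE.search(html)
    if m is None:
        return None, "no Mark of the Web comment"
    declared, url = int(m.group(1)), m.group(2)
    if declared != len(url):
        # Assumption of this example: a mismatched length means "do not trust it".
        return None, "length field %d does not match URL length %d" % (declared, len(url))
    return url, None


def add_motw(html, url="about:internet"):
    """Insert a mark after the doctype (or at the top) unless a valid one exists."""
    existing, _ = read_motw(html)
    if existing is not None:
        return html
    mark = make_motw(url) + "\r\n"
    doctype = re.match(r"\s*<!DOCTYPE[^>]*>\s*", html, re.IGNORECASE)
    pos = doctype.end() if doctype else 0
    return html[:pos] + mark + html[pos:]


if __name__ == "__main__":
    for name, page in [("ok", SAMPLE_OK), ("bad", SAMPLE_BAD_LEN), ("none", SAMPLE_UNMARKED)]:
        print(name, read_motw(page))
```
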