SP2 blocking the same code on one page but not another

[bissatch]

Hi,

I have been tryin to run free dhtml code from a web page. The web page
is:

http://dynamicdrive.com/dynamicindex14/pixelate.htm

When I load the page above it opens as normal and the slide show
automatically runs but when I open my own page that I have saved on my
desktop, created from code from the above url, SP2 bar kicks in at the
top of the page window and warns me 'To help protect your security,
Internet Explorer has restricted active content that could access your
computer'.

I know that this can be configured to not display but I want to use it
for a web page and not have it appear. Why does it not appear on the
above url?

Bizt

 

[Dag Sunde]

Hi,

I have been tryin to run free dhtml code from a web page. The web page
is:

http://dynamicdrive.com/dynamicindex14/pixelate.htm

When I load the page above it opens as normal and the slide show
automatically runs but when I open my own page that I have saved on my
desktop, created from code from the above url, SP2 bar kicks in at the
top of the page window and warns me 'To help protect your security,
Internet Explorer has restricted active content that could access your
computer'.

I know that this can be configured to not display but I want to use it
for a web page and not have it appear. Why does it not appear on the
above url?

Because thatone is loaded from the web.

Pages loaded from local disk will have JS blocked. To remedy this, Google
for "Mark of the web".

 

[Csaba Gabor]

Some details on IE Disinformation Bar woes are described here:
http://groups-beta.google.com/group/comp.lang.javascript/msg/b31bd2b25f2a2948

Csaba Gabor from Vienna

 

[Grant Wagner]

The specific "problem" he is having can be "fixed" using a Mark of the
Web to place the local document in the Internet zone:

<url: http://msdn.microsoft.com/workshop/author/dhtml/overview/motw.asp
/>

<-- saved from url=(0014)about:internet -->

No code that can access the local file system can run when a Mark of the
Web is used, but if there were code that could access the local file
system and it is allowed to run, then the information bar is entirely
correct, there would be script that could be potentially harmful and so
it should require explicit user action to execute.

....Grant

 

[Csaba Gabor]

In this case the OP does not seem to be appealing to this
group as a developer so that should be the end of it.
However, as I discussed in my posts, referenced below, this
"security mechanism" really isn't. Any author who wants to
have that mechanism bypassed is simply going to add that
into hir original web page, you don't even need to get the
size right - Zero security has been gained, and I argue
that some has been lost.

If you are only concerned about a handful of pages, I suppose
it's OK to expect a completely HTML illiterate person to figure
out that they should add that construct to their web page.
Oops. I mean scaring and confusing hir by that 'content bar'
(I call it a content bar because it bars content) that comes
up and having them click a few extra times. But it is
unbelievably burdensome to the web developer, not to
mention imposing another cavalier unstandard when there is
already a mechanism for the same thing, <base href=...>

As a result, a developer might lose a day to figure out how to,
and then turn off mechanisms that are supposedly protecting hir,
but are in reality hindering hir efficiency. The point is that
if a protection mechanism is made to hinder a user's efficiency,
that mechanism can expect to be turned off resulting in a more
exposed condition. This is something the designers of such
programs should consider.

Csaba Gabor from Vienna

 

[Grant Wagner]

In this case the OP does not seem to be appealing to this
group as a developer so that should be the end of it.
However, as I discussed in my posts, referenced below, this
"security mechanism" really isn't. Any author who wants to
have that mechanism bypassed is simply going to add that
into hir original web page, you don't even need to get the
size right - Zero security has been gained, and I argue
that some has been lost.

You seem to misunderstand what Mark of the Web does, and what it means.

A script loaded from a local hard disk has unlimited security (it can
access the local file system for example). This is why any HTML document
that is loaded into the Web browser from the local disk requires the
user agree to not one, but two warnings that the script can take
malicious actions.

A script loaded from a local hard disk with the Mark of the Web has the
same permissions as an HTML document loaded from the Internet zone (as a
result, it can _not_ access the local file system for example). This is
why a page loaded from the local hard disk with the Mark of the Web does
not result in a prompt, the script can not do anything that a script
loaded from the Internet can not do (barring any unpredicted security
vulnerabilities).

If you are only concerned about a handful of pages, I suppose
it's OK to expect a completely HTML illiterate person to figure
out that they should add that construct to their web page.
Oops. I mean scaring and confusing hir by that 'content bar'
(I call it a content bar because it bars content) that comes
up and having them click a few extra times. But it is
unbelievably burdensome to the web developer, not to
mention imposing another cavalier unstandard when there is
already a mechanism for the same thing, <base href=...>

<base href=...> does not do the same thing.

As outlined above, the Mark of the Web actually changes the security
zone in which the script executes.

As a result, a developer might lose a day to figure out how to,
and then turn off mechanisms that are supposedly protecting hir,
but are in reality hindering hir efficiency. The point is that
if a protection mechanism is made to hinder a user's efficiency,
that mechanism can expect to be turned off resulting in a more
exposed condition. This is something the designers of such
programs should consider.

The developer would not lose a day if they have familiarized themselves
with the changes to Service Pack 2 made to Internet Explorer.

However, the security mechanism is not intended to protect just the Web
developer, it is intended to protect all users of Internet Explorer. It
is simple enough (using provided Microsoft documentation) to write and
test scripts from the local hard disk in Internet Explorer without being
prompted. And I would argue that you should not be testing your Web
pages loaded from a local hard disk anyway, you should be running your
own Web server to most closely mimic the environment in which your pages
will be loading.

 

[Csaba Gabor]

news:[email protected]...

First of all, I just want to be clear that my vent was not in the
slightest way directed towards you. I just happened to recollect
the frustrations I experienced upon installing service pack 2.

You seem to misunderstand what Mark of the Web does, and what it means.

Evidently. And glad you took the time to write. I always like to
get my misunderstandings cleared up.

A script loaded from a local hard disk has unlimited security (it can
access the local file system for example). This is why any HTML document
that is loaded into the Web browser from the local disk requires the
user agree to not one, but two warnings that the script can take
malicious actions.

A script loaded from a local hard disk with the Mark of the Web has the
same permissions as an HTML document loaded from the Internet zone (as a
result, it can _not_ access the local file system for example). This is
why a page loaded from the local hard disk with the Mark of the Web does
not result in a prompt, the script can not do anything that a script
loaded from the Internet can not do (barring any unpredicted security
vulnerabilities).

I thought that .hta files were the ones that had unlimited access
and that is why they had a different suffix so that there should
be no mixup between pages that had limited vs. unlimited access.
If .htm pages have apriori (that is until SP2) unlimited access
then what is the effective distinction between .hta and .htm
(pre service pack 2)?

<base href=...> does not do the same thing.

As outlined above, the Mark of the Web actually changes the security
zone in which the script executes.

I agree it doesn't, and though it's a moot point, I would

The developer would not lose a day if they have familiarized themselves
with the changes to Service Pack 2 made to Internet Explorer.

Touche. But actually, I did take pains (and it was painful) to
familiarize myself with it - I tried to find the docs, and then to
understand them. And perhaps I am not very good at understanding
things (such as how this Mark of Microsoft works) but (at the
time, anyway), the documentation was scant and confusing on
the nitty gritty details that I was after, plus wrong on
certain points.

However, the security mechanism is not intended to protect just the Web
developer, it is intended to protect all users of Internet Explorer. It

Fair enough. And as the developer, I can expect to have to take
extra time to configure my system to be optimal for me.

is simple enough (using provided Microsoft documentation) to write and
test scripts from the local hard disk in Internet Explorer without being

Sorry if I'm missing something here. Microsoft DID spell out what
I could do (to insert a Mark of the Web for each web page I want do
diddle with locally), but that is massively burdensome for someone
who is going to be doing it frequently.

prompted. And I would argue that you should not be testing your Web
pages loaded from a local hard disk anyway, you should be running your
own Web server to most closely mimic the environment in which your pages
will be loading.

Yes, when I am making real pages I agree. But often, I have to
investigate how page fragments are working (in conjunction with javascript).
Although most of the time I run these through a specialized server setup
I have, in some cases I just want to click on the .htm

Regards,
Csaba