SP2 blocking the same code on one page but not another

Discussion in 'Javascript' started by bissatch@yahoo.co.uk, Apr 8, 2005.

  1. Guest

    Hi,

    I have been trying to run free dhtml code from a web page. The web page
    is:

    http://dynamicdrive.com/dynamicindex14/pixelate.htm

    When I load the page above it opens as normal and the slide show
    automatically runs but when I open my own page that I have saved on my
    desktop, created from code from the above url, SP2 bar kicks in at the
    top of the page window and warns me 'To help protect your security,
    Internet Explorer has restricted active content that could access your
    computer'.

    I know that this can be configured to not display but I want to use it
    for a web page and not have it appear. Why does it not appear on the
    above url?

    Bizt
    , Apr 8, 2005
    #1

  2. Dag Sunde Guest

    <> wrote in message
    news:...
    > Hi,
    >
    > I have been trying to run free dhtml code from a web page. The web page
    > is:
    >
    > http://dynamicdrive.com/dynamicindex14/pixelate.htm
    >
    > When I load the page above it opens as normal and the slide show
    > automatically runs but when I open my own page that I have saved on my
    > desktop, created from code from the above url, SP2 bar kicks in at the
    > top of the page window and warns me 'To help protect your security,
    > Internet Explorer has restricted active content that could access your
    > computer'.
    >
    > I know that this can be configured to not display but I want to use it
    > for a web page and not have it appear. Why does it not appear on the
    > above url?


    Because that one is loaded from the web.

    Pages loaded from local disk will have JS blocked. To remedy this, Google
    for "Mark of the web".

    --
    Dag.
    Dag Sunde, Apr 8, 2005
    #2

  3. Csaba Gabor Guest

    Some details on IE Disinformation Bar woes are described here:
    http://groups-beta.google.com/group/comp.lang.javascript/msg/b31bd2b25f2a2948

    Csaba Gabor from Vienna

    wrote:
    > Hi,
    >
    > I have been trying to run free dhtml code from a web page. The web page
    > is:
    >
    > http://dynamicdrive.com/dynamicindex14/pixelate.htm
    >
    > When I load the page above it opens as normal and the slide show
    > automatically runs but when I open my own page that I have saved on my
    > desktop, created from code from the above url, SP2 bar kicks in at the
    > top of the page window and warns me 'To help protect your security,
    > Internet Explorer has restricted active content that could access your
    > computer'.
    >
    > I know that this can be configured to not display but I want to use it
    > for a web page and not have it appear. Why does it not appear on the
    > above url?
    >
    > Bizt
    >
    Csaba Gabor, Apr 8, 2005
    #3
  4. Grant Wagner Guest

    The specific "problem" he is having can be "fixed" using a Mark of the
    Web to place the local document in the Internet zone:

    <url: http://msdn.microsoft.com/workshop/author/dhtml/overview/motw.asp />

    <!-- saved from url=(0014)about:internet -->

    No code that can access the local file system can run when a Mark of the
    Web is used, but if there were code that could access the local file
    system and it is allowed to run, then the information bar is entirely
    correct, there would be script that could be potentially harmful and so
    it should require explicit user action to execute.

    ....Grant

    "Csaba Gabor" <> wrote in message
    news:HKD5e.38217$...
    > Some details on IE Disinformation Bar woes are described here:
    > http://groups-beta.google.com/group/comp.lang.javascript/msg/b31bd2b25f2a2948
    >
    > Csaba Gabor from Vienna
    >
    > wrote:
    >> Hi,
    >>
    >> I have been trying to run free dhtml code from a web
    >> page
    >> is:
    >>
    >> http://dynamicdrive.com/dynamicindex14/pixelate.htm
    >>
    >> When I load the page above it opens as normal and the slide show
    >> automatically runs but when I open my own page that I have saved on
    >> my
    >> desktop, created from code from the above url, SP2 bar kicks in at
    >> the
    >> top of the page window and warns me 'To help protect your security,
    >> Internet Explorer has restricted active content that could access
    >> your
    >> computer'.
    >>
    >> I know that this can be configured to not display but I want to use
    >> it
    >> for a web page and not have it appear. Why does it not appear on the
    >> above url?
    >>
    >> Bizt
    Grant Wagner, Apr 11, 2005
    #4
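
The Mark of the Web comment discussed in this thread, as an added example that is not part of any poster's message: a small JavaScript (Node.js) checker that finds the comment in a saved page and compares the four-digit number with the actual length of the URL that follows it. The function names and the sample pages are constructed for illustration.

```javascript
// Added example (not from the thread): audit saved HTML for a Mark of the Web.
// Comment format as quoted in the thread:
//   <!-- saved from url=(0014)about:internet -->
// The four digits in parentheses give the length of the URL that follows.
const MOTW_RE = /<!--\s*saved from url=\((\d{4})\)(\S+?)\s*-->/i;

// Return what the first MOTW comment declares, or null if there is none.
function parseMotw(html) {
  const m = MOTW_RE.exec(html);
  if (!m) return null;
  const declaredLength = parseInt(m[1], 10);
  const url = m[2];
  return {
    url,
    declaredLength,
    actualLength: url.length,
    lengthMatches: declaredLength === url.length,
    offset: m.index, // character position of the comment in the file
  };
}

// Classify each page so files that claim a zone can be reviewed.
function auditSavedPages(pages) {
  return pages.map(({ name, html }) => {
    const motw = parseMotw(html);
    if (!motw) return { name, status: "no-motw" };
    const status = motw.lengthMatches ? "motw" : "motw-length-mismatch";
    return { name, status, url: motw.url };
  });
}

// Constructed sample pages (hypothetical file names and contents).
const SAMPLES = [
  { name: "slideshow.htm",
    html: "<!-- saved from url=(0014)about:internet -->\n<html><body><script>var i = 0;</script></body></html>" },
  { name: "plain.htm",
    html: "<html><body><script>var i = 0;</script></body></html>" },
  { name: "pasted.htm",
    html: "<html>\n<!-- saved from url=(0009)http://example.com/page.htm -->\n<body></body></html>" },
];

for (const row of auditSavedPages(SAMPLES)) {
  console.log(row.name, row.status, row.url || "");
}
```
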
  5. Csaba Gabor Guest

    In this case the OP does not seem to be appealing to this
    group as a developer so that should be the end of it.
    However, as I discussed in my posts, referenced below, this
    "security mechanism" really isn't. Any author who wants to
    have that mechanism bypassed is simply going to add that
    into hir original web page, you don't even need to get the
    size right - Zero security has been gained, and I argue
    that some has been lost.

    If you are only concerned about a handful of pages, I suppose
    it's OK to expect a completely HTML illiterate person to figure
    out that they should add that construct to their web page.
    Oops. I mean scaring and confusing hir by that 'content bar'
    (I call it a content bar because it bars content) that comes
    up and having them click a few extra times. But it is
    unbelievably burdensome to the web developer, not to
    mention imposing another cavalier unstandard when there is
    already a mechanism for the same thing, <base href=...>

    As a result, a developer might lose a day to figure out how to,
    and then turn off mechanisms that are supposedly protecting hir,
    but are in reality hindering hir efficiency. The point is that
    if a protection mechanism is made to hinder a user's efficiency,
    that mechanism can expect to be turned off resulting in a more
    exposed condition. This is something the designers of such
    programs should consider.

    Csaba Gabor from Vienna


    Grant Wagner wrote:
    > The specific "problem" he is having can be "fixed" using a Mark of the
    > Web to place the local document in the Internet zone:
    >
    > <url: http://msdn.microsoft.com/workshop/author/dhtml/overview/motw.asp />
    >
    > <!-- saved from url=(0014)about:internet -->
    >
    > No code that can access the local file system can run when a Mark of the
    > Web is used, but if there were code that could access the local file
    > system and it is allowed to run, then the information bar is entirely
    > correct, there would be script that could be potentially harmful and so
    > it should require explicit user action to execute.
    >
    > ...Grant
    >
    > "Csaba Gabor" <> wrote in message
    > news:HKD5e.38217$...
    >
    >>Some details on IE Disinformation Bar woes are described here:
    >>http://groups-beta.google.com/group/comp.lang.javascript/msg/b31bd2b25f2a2948
    >>
    >>Csaba Gabor from Vienna
    >>
    >> wrote:
    >>
    >>>Hi,
    >>>
    >>>I have been trying to run free dhtml code from a web
    >>>page
    >>>is:
    >>>
    >>>http://dynamicdrive.com/dynamicindex14/pixelate.htm
    >>>
    >>>When I load the page above it opens as normal and the slide show
    >>>automatically runs but when I open my own page that I have saved on
    >>>my
    >>>desktop, created from code from the above url, SP2 bar kicks in at
    >>>the
    >>>top of the page window and warns me 'To help protect your security,
    >>>Internet Explorer has restricted active content that could access
    >>>your
    >>>computer'.
    Csaba Gabor, Apr 11, 2005
    #5
  6. Grant Wagner Guest

    "Csaba Gabor" <> wrote in message
    news:TRz6e.296$...
    > In this case the OP does not seem to be appealing to this
    > group as a developer so that should be the end of it.
    > However, as I discussed in my posts, referenced below, this
    > "security mechanism" really isn't. Any author who wants to
    > have that mechanism bypassed is simply going to add that
    > into hir original web page, you don't even need to get the
    > size right - Zero security has been gained, and I argue
    > that some has been lost.


    You seem to misunderstand what Mark of the Web does, and what it means.

    A script loaded from a local hard disk has unlimited security (it can
    access the local file system for example). This is why any HTML document
    that is loaded into the Web browser from the local disk requires the
    user agree to not one, but two warnings that the script can take
    malicious actions.

    A script loaded from a local hard disk with the Mark of the Web has the
    same permissions as an HTML document loaded from the Internet zone (as a
    result, it can _not_ access the local file system for example). This is
    why a page loaded from the local hard disk with the Mark of the Web does
    not result in a prompt, the script can not do anything that a script
    loaded from the Internet can not do (barring any unpredicted security
    vulnerabilities).

    > If you are only concerned about a handful of pages, I suppose
    > it's OK to expect a completely HTML illiterate person to figure
    > out that they should add that construct to their web page.
    > Oops. I mean scaring and confusing hir by that 'content bar'
    > (I call it a content bar because it bars content) that comes
    > up and having them click a few extra times. But it is
    > unbelievably burdensome to the web developer, not to
    > mention imposing another cavalier unstandard when there is
    > already a mechanism for the same thing, <base href=...>


    <base href=...> does not do the same thing.

    As outlined above, the Mark of the Web actually changes the security
    zone in which the script executes.

    > As a result, a developer might lose a day to figure out how to,
    > and then turn off mechanisms that are supposedly protecting hir,
    > but are in reality hindering hir efficiency. The point is that
    > if a protection mechanism is made to hinder a user's efficiency,
    > that mechanism can expect to be turned off resulting in a more
    > exposed condition. This is something the designers of such
    > programs should consider.


    The developer would not lose a day if they have familiarized themselves
    with the changes to Service Pack 2 made to Internet Explorer.

    However, the security mechanism is not intended to protect just the Web
    developer, it is intended to protect all users of Internet Explorer. It
    is simple enough (using provided Microsoft documentation) to write and
    test scripts from the local hard disk in Internet Explorer without being
    prompted. And I would argue that you should not be testing your Web
    pages loaded from a local hard disk anyway, you should be running your
    own Web server to most closely mimic the environment in which your pages
    will be loading.

    --
    Grant Wagner <>
    comp.lang.javascript FAQ - http://jibbering.com/faq
    Grant Wagner, Apr 11, 2005
    #6
  7. Csaba Gabor Guest

    Grant Wagner wrote:
    > "Csaba Gabor" <> wrote in message
    > news:TRz6e.296$...


    First of all, I just want to be clear that my vent was not in the
    slightest way directed towards you. I just happened to recollect
    the frustrations I experienced upon installing service pack 2.

    > You seem to misunderstand what Mark of the Web does, and what it means.


    Evidently. And glad you took the time to write. I always like to
    get my misunderstandings cleared up.

    > A script loaded from a local hard disk has unlimited security (it can
    > access the local file system for example). This is why any HTML document
    > that is loaded into the Web browser from the local disk requires the
    > user agree to not one, but two warnings that the script can take
    > malicious actions.


    > A script loaded from a local hard disk with the Mark of the Web has the
    > same permissions as an HTML document loaded from the Internet zone (as a
    > result, it can _not_ access the local file system for example). This is
    > why a page loaded from the local hard disk with the Mark of the Web does
    > not result in a prompt, the script can not do anything that a script
    > loaded from the Internet can not do (barring any unpredicted security
    > vulnerabilities).


    I thought that .hta files were the ones that had unlimited access
    and that is why they had a different suffix so that there should
    be no mixup between pages that had limited vs. unlimited access.
    If .htm pages have a priori (that is until SP2) unlimited access
    then what is the effective distinction between .hta and .htm
    (pre service pack 2)?

    >>If you are only concerned about a handful of pages, I suppose
    >>it's OK to expect a completely HTML illiterate person to figure
    >>out that they should add that construct to their web page.
    >>Oops. I mean scaring and confusing hir by that 'content bar'
    >>(I call it a content bar because it bars content) that comes
    >>up and having them click a few extra times. But it is
    >>unbelievably burdensome to the web developer, not to
    >>mention imposing another cavalier unstandard when there is
    >>already a mechanism for the same thing, <base href=...>

    >
    > <base href=...> does not do the same thing.
    >
    > As outlined above, the Mark of the Web actually changes the security
    > zone in which the script executes.
    >

    I agree it doesn't, and though it's a moot point, I would
    rather have seen <base href=...> adapted.

    >>As a result, a developer might lose a day to figure out how to,
    >>and then turn off mechanisms that are supposedly protecting hir,
    >>but are in reality hindering hir efficiency. The point is that
    >>if a protection mechanism is made to hinder a user's efficiency,
    >>that mechanism can expect to be turned off resulting in a more
    >>exposed condition. This is something the designers of such
    >>programs should consider.

    >
    >
    > The developer would not lose a day if they have familiarized themselves
    > with the changes to Service Pack 2 made to Internet Explorer.


    Touche. But actually, I did take pains (and it was painful) to
    familiarize myself with it - I tried to find the docs, and then to
    understand them. And perhaps I am not very good at understanding
    things (such as how this Mark of Microsoft works) but (at the
    time, anyway), the documentation was scant and confusing on
    the nitty gritty details that I was after, plus wrong on
    certain points.

    > However, the security mechanism is not intended to protect just the Web
    > developer, it is intended to protect all users of Internet Explorer. It


    Fair enough. And as the developer, I can expect to have to take
    extra time to configure my system to be optimal for me.

    > is simple enough (using provided Microsoft documentation) to write and
    > test scripts from the local hard disk in Internet Explorer without being


    Sorry if I'm missing something here. Microsoft DID spell out what
    I could do (to insert a Mark of the Web for each web page I want to
    diddle with locally), but that is massively burdensome for someone
    who is going to be doing it frequently.

    > prompted. And I would argue that you should not be testing your Web
    > pages loaded from a local hard disk anyway, you should be running your
    > own Web server to most closely mimic the environment in which your pages
    > will be loading.


    Yes, when I am making real pages I agree. But often, I have to
    investigate how page fragments are working (in conjunction with javascript).
    Although most of the time I run these through a specialized server setup
    I have, in some cases I just want to click on the .htm

    Regards,
    Csaba
    Csaba Gabor, Apr 11, 2005
    #7