mark of the web woes

I've started testing on Win XP SP2 and it now has something called local
machine lockdown activated by default. It means that active content,
such as JavaScript, is prevented from running.

I thought that the solution was simply - to enable the testing of files
locally - to just add what M$ calls the "mark of the web". So I added
this line to the tops of my HTML pages:
<!-- saved from url=(0013)about:internet -->

However, the local links in the files, such as to external JavaScript
files, do not work because (I believe) the HTML files are now treated as
an internet zone and not a local zone file.

Without deactivating the lockdown is there a way to get a bunch of
inter-linked files to work locally, or is it just my lack of
understanding of what's going on that's at fault?
Andrew Poulos
Jul 23 '05 #1
Andrew Poulos wrote:
> I've started testing on Win XP SP2 and it now has something called local
> machine lockdown activated by default. It means that active content,
> such as JavaScript, is prevented from running.
>
> I thought that the solution was simply - to enable the testing of files
> locally - to just add what M$ calls the "mark of the web". So I added
> this line to the tops of my HTML pages:
> <!-- saved from url=(0013)about:internet -->
>
> However, the local links in the files, such as to external JavaScript
> files, do not work because (I believe) the HTML files are now treated as
> an internet zone and not a local zone file.
>
> Without deactivating the lockdown is there a way to get a bunch of
> inter-linked files to work locally, or is it just my lack of
> understanding of what's going on that's at fault?
> Andrew Poulos


Jeeez,

Why don't you use an OS to develop your websites?
An OS comes in really handy when using a computer.

Every time I read about confusing stuff sold by M$ I am sooo happy I switched
to Linux.

I know this doesn't help you with your current problem, but really, install
some nice Linux-distro and within a week you can laugh about your
M$-introduced problems.

Good luck,
Erwin Moller

Jul 23 '05 #2
Andrew Poulos <ap*****@hotmail.com> wrote in message news:<41***********************@per-qv1-newsreader-01.iinet.net.au>...
> Without deactivating the lockdown is there a way to get a bunch of
> inter-linked files to work locally, or is it just my lack of
> understanding of what's going on that's at fault?

Here is a web site that talks about Windows SP2 and web development.

http://www.phdcc.com/xpsp2.htm

Try a gecko based browser like firefox.

Robert
Jul 23 '05 #3
Robert wrote:
> Andrew Poulos <ap*****@hotmail.com> wrote in message news:<41***********************@per-qv1-newsreader-01.iinet.net.au>...
>
>> Without deactivating the lockdown is there a way to get a bunch of
>> inter-linked files to work locally, or is it just my lack of
>> understanding of what's going on that's at fault?
>
> Here is a web site that talks about Windows SP2 and web development.
>
> http://www.phdcc.com/xpsp2.htm
>
> Try a gecko based browser like firefox.

I deliver to clients who run the stuff locally on XP using IE. So this
means as more of them upgrade to SP2 more of my work will fail. I have
no control of the OS, its settings, or the browser of my client so it
looks like I'm sunk :-(

Andrew Poulos
Jul 23 '05 #4
"Erwin Moller" <si******************************************@spam yourself.com> wrote in message news:41***********************@news.xs4all.nl...
> Andrew Poulos wrote:
>> I've started testing on Win XP SP2 and it now has something called local
>> machine lockdown activated by default. It means that active content,
>> such as JavaScript, is prevented from running.
>>
>> I thought that the solution was simply - to enable the testing of files
>> locally - to just add what M$ calls the "mark of the web". So I added
>> this line to the tops of my HTML pages:
>> <!-- saved from url=(0013)about:internet -->
>>
>> However, the local links in the files, such as to external JavaScript
>> files, do not work because (I believe) the HTML files are now treated as
>> an internet zone and not a local zone file.
>>
>> Without deactivating the lockdown is there a way to get a bunch of
>> inter-linked files to work locally, or is it just my lack of
>> understanding of what's going on that's at fault?
>>
>> Andrew Poulos
>
> Jeeez,
>
> Why don't you use an OS to develop your websites?
> An OS comes in really handy when using a computer.
>
> Everytime I read about confusing stuff sold by M$ I am sooo happy I switched
> to Linux.
>
> I know this doesn't help you with your current problem, but really, install
> some nice Linux-distro and within a week you can laugh about your
> M$-introduced problems.
>
> Good luck,
> Erwin Moller


I think I hear the Siren birds calling. MS is NOT making me a happy camper with what they are doing.
Bundling their asinine security fixes with enhancement fixes is really steaming me up. Grrrrrrrrrrr!!!

It doesn't affect me because I have quit with their fixes until this bundling disease they have STOPS.

--
George Hester
__________________________________
Jul 23 '05 #5
Andrew Poulos <ap*****@hotmail.com> wrote in message news:<41***********************@per-qv1-newsreader-01.iinet.net.au>...

> <!-- saved from url=(0013)about:internet -->

Try putting this line in the .js file.

While not encouraged, people have gotten away with the <!-- -->
comments in javascript. Best to try:
//<!-- saved from url=(0013)about:internet -->
/*<!-- saved from url=(0013)about:internet -->*/

This is just a guess because I do not have access to sp2.

I'd let your customers know that IE isn't secure.

This is an anti-competitive move on M$'s part.

Robert
Jul 23 '05 #6
Robert wrote:
> Andrew Poulos <ap*****@hotmail.com> wrote in message news:<41***********************@per-qv1-newsreader-01.iinet.net.au>...
>> <!-- saved from url=(0013)about:internet -->
>
> Try putting this line in the .js file.
>
> While not encouraged, people have gotten away with the <!-- -->
> comments in javascript. Best to try:
> //<!-- saved from url=(0013)about:internet -->
> /*<!-- saved from url=(0013)about:internet -->*/


I just did a test here:

test.htm--
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title>Untitled</title>
<script type="text/javascript" src="test.js"></script>
</head>

<body>
<!-- saved from url=(0013)about:internet -->
</body>
</html>
test.js--
document.write('Hello, world!');

Loaded into IE 6.0.2900 (Windows XP Service Pack 2), it seems to work. -htm\test.htm- and -js\test.js- with <script
type="text/javascript" src="../js/test.js"></script> also works fine.

As long as the HTML file has the "mark of the web" it seems to work okay. Perhaps the OP could provide a small test-case we
could evaluate and test to determine the cause of his failure.

> I'd let your customers know that IE isn't secure.

While doing so might be a great public service, it's more likely he's tasked with making a Web interface that works in all (or
most) Web browsers, including, but not limited to, the one used by (depending on what statistics you believe) 70 - 90% of the
general public. Adding "the mark of the web" seems to resolve the problem. I'd rather find the OP a solution than to tell him
to abandon some of his customers.

> This is an anti-competitive move on M$'s part.


Please explain that. How is it anti-competitive? It makes IE _less well-suited_ to be used as an interface for slide-show CDs
and other locally loaded HTML content (if in fact this is a problem, which it appears not to be). These limitations might drive
more users to alternative browsers (if in fact this is a problem, which it appears not to be). Microsoft has provided security
at the expense of market share for the first time (if in fact this is a problem, which it appears not to be), possibly in
history, and yet people _still_ complain that Microsoft is the ultimate evil, out to destroy the world.

The locking down of the Local Computer zone is a _security_ related change, intended to make IE a more secure application.

Amazing. Microsoft ignores security implications, or produces products with security problems, and are attacked. They take
security seriously and make positive changes to secure their products and they are attacked.

--
Grant Wagner <gw*****@agricoreunited.com>
comp.lang.javascript FAQ - http://jibbering.com/faq

Jul 23 '05 #7
> Amazing. Microsoft ignores security implications, or produces
> products with security problems, and are attacked. They take
> security seriously and make positive changes to secure their products and they are attacked.


Grant -

I think the problem here is that Microsoft has dealt with the security
issue in a way that causes at least as many problems as it fixes.
Instead of detecting actual pernicious activity in ActiveX content that
is running locally, they simply disallow all ActiveX. This means that
perfectly innocent things like Flash animations generate scary warnings
when run from CDs.

I'm working with a client now whose business may be harmed because of
this. We submitted a CD version of his web site to a professional
association so that he could get their seal of approval for the
content. Because the chairman of the committee got a warning message he
didn't understand simply because the site uses Flash, my client will
now, most likely, not receive their seal.

Seems that Microsoft does deserve criticism for first creating security
problems, then making belated and clumsy attempts to fix them.

It also seems strange to me that it should be considered OK to run this
kind of content from a web site, but not from a local CD!

- Allen

Jul 23 '05 #8
In article <11*********************@c13g2000cwb.googlegroups. com>,
mu*****@clamco.com wrote:
> I think the problem here is that Microsoft has dealt with the security
> issue in a way that causes at least as many problems as it fixes.
> Instead of detecting actual pernicious activity in ActiveX content that
> is running locally, they simply disallow all ActiveX. This means that
> perfectly innocent things like Flash animations generate scary warnings
> when run from CDs.


Microsoft pollutes Javascript by adding ActiveX controls. Microsoft
finds that ActiveX is a problem.

My understanding is that Microsoft gives a warning when it sees
javascript. It should give a warning the first time it sees ActiveX
content or implement Javascript per standard thus disallowing ActiveX
controls.

It's anti-competitive because they are labeling Javascript as the
problem when it is the Microsoft ActiveX additions that are the problem.
Firefox works fine on the same html file.

Robert
Jul 23 '05 #9
<mu*****@clamco.com> wrote in message
news:11*********************@c13g2000cwb.googlegro ups.com...
>> Amazing. Microsoft ignores security implications, or produces products
>> with security problems, and are attacked. They take security seriously
>> and make positive changes to secure their products and they are attacked.
>
> Grant -
>
> I think the problem here is that Microsoft has dealt with the security
> issue in a way that causes at least as many problems as it fixes.
> Instead of detecting actual pernicious activity in ActiveX content
> that is running locally, they simply disallow all ActiveX. This means that
> perfectly innocent things like Flash animations generate scary warnings
> when run from CDs.

I'm not sure what "scary warning" you refer to, but if it is the "active
content" warning you receive when attempting to run script locally, I've
already explained how to avoid that, by using the Mark of the Web. Your
script will run in the Internet zone, and as a result will not have
access to harmful ActiveX controls, but it will run without a warning.

It only requires including <!-- saved from url=(0014)about:internet -->
somewhere on your page.

This is explained at
<url: http://msdn.microsoft.com/workshop/a...compat.asp#lmz /> and
<url: http://support.microsoft.com/default...b;en-us;873156 /> and
<url: http://support.microsoft.com/default...b;EN-US;883866 />

> I'm working with a client now whose business may be harmed because of
> this. We submitted a CD version of his web site to a professional
> association so that he could get their seal of approval for the
> content. Because the chairman of the committee got a warning message he
> didn't understand simply because the site uses Flash, my client will
> now, most likely, not receive their seal.

Again, you obviously failed to give your document the Mark of the Web;
doing so will restore functionality without a warning.

> Seems that Microsoft does deserve criticism for first creating security
> problems, then making belated and clumsy attempts to fix them.

So your solution is to not make any attempt to protect users from
locally executed malicious scripts because the solution has been late in
coming?

As I've said, Microsoft locked down the Local Computer zone and required
the user to explicitly allow such content to be run. If you wish to add
JavaScript to a file that will be loaded from the Local Computer zone,
then add the Mark of the Web. This will make the script execute in the
Internet zone, with the restrictions that zone imposes.

> It also seems strange to me that it should be considered OK to run this
> kind of content from a web site, but not from a local CD!


This is because the JavaScript run from a local CD would run in the
Local Computer zone, where it has abilities (such as creating a
FileSystemObject) not available to it when run from a Web site (the
Internet zone).

As a result, the user needs to grant permission to scripts which execute
in a zone where they could do harmful things to the user's computer, or
_you_ need to give your page the Mark of the Web, which forces the
locally executed page to run in the Internet zone.

--
Grant Wagner <gw*****@agricoreunited.com>
comp.lang.javascript FAQ - http://jibbering.com/faq

Jul 23 '05 #10
"Robert" <rc*******@my-deja.com> wrote in message
news:rc*****************************@individual.ne t...
> In article <11*********************@c13g2000cwb.googlegroups. com>,
> mu*****@clamco.com wrote:
>> I think the problem here is that Microsoft has dealt with the security
>> issue in a way that causes at least as many problems as it fixes.
>> Instead of detecting actual pernicious activity in ActiveX content that
>> is running locally, they simply disallow all ActiveX. This means that
>> perfectly innocent things like Flash animations generate scary warnings
>> when run from CDs.
>
> Microsoft pollutes Javascript by adding ActiveX controls. Microsoft
> finds that ActiveX is a problem.

This is not a "pollution" of JavaScript, it is an extension of the
browser DOM to manipulate ActiveX controls hosted by the OS or the
browser.

> My understanding is that Microsoft gives a warning when it sees
> javascript. It should give a warning the first time it sees ActiveX
> content or implement Javascript per standard thus disallowing ActiveX
> controls.

The mechanisms for making ActiveX objects available to JavaScript are
simply too complex to monitor that condition. For example, an <object>
tag can be created using createElement(), appended to the document using
appendChild(), then scripted. Trying to detect these sorts of things
would be very complicated and error prone (which has resulted in many of
the security vulnerabilities discovered in the past).

Most of JScript is implemented per the ECMAScript standard. Disallowing
(or not) ActiveX controls has nothing to do with ECMAScript.
ActiveXObject() is there to facilitate communication with the DOM, it is
not part of the language.

> It's anti-competitive because they are labeling Javascript as the
> problem when it is the Microsoft ActiveX additions that are the problem.
> Firefox works fine on the same html file.


No, they are labelling "active content" as the problem, which it is.
Scripts run in IE in the Local Computer zone have access to do things
not available when run in the Internet zone.

I still fail to see how this is anti-competitive. First you argue that
Microsoft is hurting the ability for companies and individuals to
accomplish their design goals, then you argue that this somehow
_benefits_ Microsoft.

Anyway, all this is completely moot. You can make your scripts run
without warning in the Local Computer zone by including the Mark of the
Web.

<url:
http://msdn.microsoft.com/workshop/a...psp2compat.asp
/>
<url: http://support.microsoft.com/default...b;en-us;873156 />
<url: http://support.microsoft.com/default...b;EN-US;883866 />
<url:
http://www.microsoft.com/technet/pro...rows.mspx#EHAA
/>

Also note that in addition to simply running in the Internet zone (using
<!-- saved from url=(0014)about:internet -->), you can also give your
script more permissions by using <!-- saved from
url=(0022)http://www.yoururl.com --> and adding yoururl.com to the list
of Trusted Sites (this could be done corporate-wide using Group
Policies, a change to each and every workstation is not required).

--
Grant Wagner <gw*****@agricoreunited.com>
comp.lang.javascript FAQ - http://jibbering.com/faq
Jul 23 '05 #11
Grant -

I appreciate your sincerity, and the time you have taken in responding.
I now see why they are more worried about locally run scripts than
those running from web sites. That was counterintuitive to me, but I
do get it.

Yes, the "scary message" I referred to was the active content warning.
It's not scary to me, because I understand what it means, and can
easily deal with it. It's scary to the unsophisticated computer users
who make up the majority of the viewers of the content my client is
trying to provide to them.

My problem is simply this:

I am trying to put an entire web site onto a CD for distribution.

In fact the "Mark of the Web" solution does NOT work for me. It does
allow the first page to run without a warning, yes. But it also
disables all links to the other files on the CD! You can view the home
page, but nothing else!

The "Mark of the Web" was apparently designed to allow a developer to
view a single page locally.

I also tried changing the file extensions to .hta, but that doesn't
work for anything beyond the first page, either. As soon as you click
any link, you get a dialog box

Yes, I could include some material with the CD to explain to users how
to deal with the situation. However, my client is trying to get that
CD certified as an instructional tool by a professional association.

The professional association is now refusing to certify it, because
they have read (and only partially understood) the Microsoft warnings
about active content being potentially harmful. They have taken that
to mean that ANY active content could damage a computer. My client and
I are trying to explain to them that it is possible to create "active
content" that is perfectly safe. We'll see if that flies.

I appreciate the fact that Microsoft is trying to make their operating
system more secure. I also believe that it might be possible to allow
some kinds of benign active content (like the simple Flash animation
used in my project), but to detect and disallow potentially harmful
activities (like reading files that are outside the directory that
contains the content, or writing files anywhere), instead of just
locking everything down and displaying messages that most users don't
understand.

Here's a question for you, since you seem like quite a knowledgeable
fellow. Microsoft says:

"An alternative is to create a separate application that hosts the
HTML content Internet Explorer Web Object Control (WebOC). The HTML is
then no longer bound by the same rules that apply to content run in
Internet Explorer. When the HTML content runs in that other process,
it can have full rights as defined by the developer or zone policy for
that process."

I'm not a programmer, so I don't know how to do this. Do you have any
idea how involved creating such an application would be? Could it be
done with Visual Basic?

Thanks.

- Allen

Jul 23 '05 #12
>> Anyway, all this is completely moot. You can make your scripts run
>> without warning in the Local Computer zone by including the Mark of the Web.


Grant -

As discussed in my previous message, this is definitely not moot, since
it works only for individual files.

By the way, I wanted to gripe just a little bit about the MOTW
documentation from Microsoft. First, they say you should add that line
to your file. But they don't say where it should go, and that turns
out to be critical.

Then they provide two different versions of the generic form of the
line, in different knowledgebase articles:

<!-- saved from url=(0014)about:internet -->
and
<!-- saved from url=(0013)about:internet -->

The former will work, and the latter won't. Moreover, I discovered
through painful trial and error that if you add this text to a file
that you create on a Mac running OS X, the MOTW will not work! You
have to edit the file and save it on a Windows machine. As I normally
develop my sites on the Mac, it didn't occur to me.

I didn't think of trying that until I'd spent quite a while trying
different combinations of placement and numbering. It wasn't until I
saw that Macromedia had created a Dreamweaver extension to add the
MOTW, but that it only supported the Windows version of DW, that I
decided to try that. I downloaded the DW extension and installed it on
my XP machine, et voila!

Jul 23 '05 #13
Sorry. In the middle of one message I said, "I also tried changing the
file extensions to .hta, but that doesn't
work for anything beyond the first page, either. As soon as you click
any link, you get a dialog box" and didn't finish the thought.
You get a dialog box asking if you want to download the file.

- Allen

Jul 23 '05 #14
Aha!

My problem is solved. I looked further into the .hta solution, and
discovered that there are several custom parameters that can be
controlled in a file that uses the .hta extension. This is documented
here:
http://msdn.microsoft.com/workshop/a...taoverview.asp

One of the parameters is "Navigable", which by default is set to "no".
When set to "yes" by including the following code in the <head> section
of an HTA file, it allows one to link to other local files.

<HTA:APPLICATION NAME="Whatever"
NAVIGABLE="yes">

There are a number of other parameters that control such things as
whether the window opens maximized, whether scroll bars appear or not,
etc. All the parameters are documented here:
http://msdn.microsoft.com/workshop/a..._ref_entry.asp

I have yet to test this on a non-Windows machine, and I think there's
every chance it won't work. I will just have to include two different
versions of the content on the CD. In one, the index file will have
the .hta extension, and all files that refer to it will link back to
index.hta. In the other, I'll just use the standard .htm extension.

It's a bit klugey, but it will do.

I hope this post helps someone else who is having the same problem.
- Allen

Jul 23 '05 #15
> The former will work, and the latter won't. Moreover, I discovered
> through painful trial and error that if you add this text to a file
> that you create on a Mac running OS X, the MOTW will not work! You
> have to edit the file and save it on a Windows machine. As I normally
> develop my sites on the Mac, it didn't occur to me.

BBEdit on MacOS lets you select what line end character or characters
you want to use. Dos, MacOS, and Unix use different line end
characters.

Normally, web browsers accept all three line end characters.

Good that you found a solution.
Did you try putting mark of the web in all the html files?

Robert

Jul 23 '05 #16
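
Posts #13 and #16 above turn on two properties of the MOTW line: the four-digit count and the line ending. The check below is an added example, not code from any poster or from Microsoft; it assumes the count must equal the URL's character length and that the comment line must end in CR LF, and `makeMotw`, `checkMotw` and the sample strings are constructed for illustration.

```javascript
// Added example: validate a Mark of the Web (MOTW) comment in an HTML string.
// Assumptions (labelled): the 4-digit count must equal the URL's length, and
// the comment line must be terminated by CR LF.

// Captures: 1 = declared count, 2 = URL, 3 = line break right after "-->".
const MOTW_RE = /<!-- saved from url=\((\d{4})\)(.*?) -->(\r\n|\r|\n)?/;

// Build a correctly counted MOTW line for a URL, terminated with CR LF.
function makeMotw(url) {
  const count = String(url.length).padStart(4, "0");
  return `<!-- saved from url=(${count})${url} -->\r\n`;
}

// Inspect the first MOTW comment in `html` and list every problem found.
function checkMotw(html) {
  const m = MOTW_RE.exec(html);
  if (!m) {
    return { found: false, problems: ["no MOTW comment found"] };
  }
  const declared = parseInt(m[1], 10);
  const url = m[2];
  const eol = m[3];
  const problems = [];

  if (declared !== url.length) {
    problems.push(
      `declared length ${declared} but "${url}" has ${url.length} characters`
    );
  }
  if (eol !== "\r\n") {
    const seen =
      eol === "\n" ? "LF only" :
      eol === "\r" ? "CR only" :
      "no line break after the comment";
    problems.push(`line ending is ${seen}, expected CR LF`);
  }
  return { found: true, declared, url, problems };
}

// Constructed sample inputs (not taken from any real site).
const samples = {
  "count 0014, CR LF": "<!-- saved from url=(0014)about:internet -->\r\n<html></html>",
  "count 0013, CR LF": "<!-- saved from url=(0013)about:internet -->\r\n<html></html>",
  "count 0014, LF only": "<!-- saved from url=(0014)about:internet -->\n<html></html>",
  "trusted-site form": makeMotw("http://www.yoururl.com") + "<html></html>",
};

for (const [name, html] of Object.entries(samples)) {
  const result = checkMotw(html);
  const verdict = result.problems.length ? result.problems.join("; ") : "ok";
  console.log(`${name}: ${verdict}`);
}
```

Run over the two variants quoted in post #13, the check passes the 0014 form and flags the 0013 form for a count mismatch; a file saved with LF-only line endings is flagged separately.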
> The mechanisms for making ActiveX objects available to JavaScript are
> simply too complex to monitor that condition.

Isn't activex disallowed in the internet zone? So Microsoft disallows
activex in the internet zone and allows javascript without the warning
message. Seems just the thing to allow in the local zone.

> Most of JScript is implemented per the ECMAScript standard. Disallowing
> (or not) ActiveX controls has nothing to do with ECMAScript.

Except activex isn't defined in ecmascript. Adding things not in the
standard is called polluting the standard. So, faithfully implementing
ecmascript would mean improved security and less hassle for the
javascript writer.

A simple solution would have been to add a new file type of activex.
Thus:
htm - run in the internet zone so disallowing activex
activex - run with a warning message
hta - as before

Why didn't Microsoft run html in the internet zone? If they did this,
you could not have run activex in the html files on the local machine
without changing settings. Instead, they are making it hard for people to
run html files from CD-ROM. And a lot less secure when you change to
hta.

Robert

Jul 23 '05 #17
