I've started testing on Win XP SP2 and it now has something called local
machine lockdown activated by default. It means that active content,
such as JavaScript, is prevented from running.
I thought that the solution was simply - to enable the testing of files
locally - to just add what M$ calls the "mark of the web". So I added
this line to the tops of my HTML pages:
<!-- saved from url=(0013)about:internet -->
However, the local links in the files, such as to external JavaScript
files, do not work because (I believe) the HTML files are now treated as
an internet zone and not a local zone file.
Without deactivating the lockdown is there a way to get a bunch of
inter-linked files to work locally, or is it just my lack of
understanding of what's going on that's at fault?
Andrew Poulos 16 2988
Andrew Poulos wrote: I've started testing on Win XP SP2 and it now has something called local machine lockdown activated by default. It means that active content, such as JavaScript, is prevented from running.
I thought that the solution was simply - to enable the testing of files locally - to just add what M$ calls the "mark of the web". So I added this line to the tops of my HTML pages: <!-- saved from url=(0013)about:internet -->
However, the local links in the files, such as to external JavaScript files, do not work because (I believe) the HTML files are now treated as an internet zone and not a local zone file.
Without deactivating the lockdown is there a way to get a bunch of inter-linked files to work locally, or is it just my lack of understanding of what's going on that's at fault?
Andrew Poulos
Jeeez,
Why don't you use an OS to develop your websites?
An OS comes in really handy when using a computer.
Everytime I read about confusing stuff sold by M$ I am sooo happy I switched
to Linux.
I know this doesn't help you with your current problem, but really, install
some nice Linux-distro and within a week you can laugh about your
M$-introduced problems.
Good luck,
Erwin Moller
Andrew Poulos <ap*****@hotmail.com> wrote in message news:<41***********************@per-qv1-newsreader-01.iinet.net.au>... Without deactivating the lockdown is there a way to get a bunch of inter-linked files to work locally, or is it just my lack of understanding of what's going on that's at fault?
Here is a web site that talks about Windows SP2 and web development. http://www.phdcc.com/xpsp2.htm
Try a gecko based browser like firefox.
Robert
Robert wrote: Andrew Poulos <ap*****@hotmail.com> wrote in message news:<41***********************@per-qv1-newsreader-01.iinet.net.au>...
Without deactivating the lockdown is there a way to get a bunch of inter-linked files to work locally, or is it just my lack of understanding of what's going on that's at fault?
Here is a web site that talks about Windows SP2 and web development.
http://www.phdcc.com/xpsp2.htm
Try a gecko based browser like firefox.
I deliver to clients who run the stuff locally on XP using IE. So this
means as more of them upgrade to SP2 more of my work will fail. I have
no control of the OS, it's settings, or the browser of my client so it
looks like I'm sunk :-(
Andrew Poulos
"Erwin Moller" <si******************************************@spam yourself.com> wrote in message news:41***********************@news.xs4all.nl... Andrew Poulos wrote: I've started testing on Win XP SP2 and it now has something called local machine lockdown activated by default. It means that active content, such as JavaScript, is prevented from running. I thought that the solution was simply - to enable the testing of files locally - to just add what M$ calls the "mark of the web". So I added this line to the tops of my HTML pages: <!-- saved from url=(0013)about:internet --> However, the local links in the files, such as to external JavaScript files, do not work because (I believe) the HTML files are now treated as an internet zone and not a local zone file. Without deactivating the lockdown is there a way to get a bunch of inter-linked files to work locally, or is it just my lack of understanding of what's going on that's at fault? Andrew Poulos Jeeez, Why don't you use an OS to develop your websites? An OS comes in really handy when using a computer. Everytime I read about confusing stuff sold by M$ I am sooo happy I switched to Linux. I know this doesn't help you with your current problem, but really, install some nice Linux-distro and within a week you can laugh about your M$-introduced problems. Good luck, Erwin Moller
I think I hear the Siren birds calling. MS is NOT making me a happy camper with what they are doing.
Bundling their assinine security fixes with enhancement fixes is really steaming me up. Grrrrrrrrrrr!!!
It doesn't effect me because I have quit with their fixes until this bundling disease they have STOPS.
--
George Hester
__________________________________
Andrew Poulos <ap*****@hotmail.com> wrote in message news:<41***********************@per-qv1-newsreader-01.iinet.net.au>... <!-- saved from url=(0013)about:internet -->
Try putting this line in the .js file.
While not encouraged, poeple have gotten away with the <!-- -->
comments in javascript. Best to try:
//<!-- saved from url=(0013)about :internet -->
/*<!-- saved from url=(0013)about :internet -->*/
This is just a guess because I do not have access to sp2.
I'd let your customers know that IE isn't secure.
This is an anti-competitive more on M$ part.
Robert
Robert wrote: Andrew Poulos <ap*****@hotmail.com> wrote in message news:<41***********************@per-qv1-newsreader-01.iinet.net.au>...
<!-- saved from url=(0013)about:internet --> Try putting this line in the .js file.
While not encouraged, poeple have gotten away with the <!-- --> comments in javascript. Best to try: //<!-- saved from url=(0013)about:internet --> /*<!-- saved from url=(0013)about:internet -->*/
I just did a test here:
test.htm--
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Untitled</title>
<script type="text/javascript" src="test.js"></script>
</head>
<body>
<!-- saved from url=(0013)about:internet -->
</body>
</html>
test.js--
document.write('Hello, world!');
Loaded into IE 6.0.2900 (Windows XP Service Pack 2), it seems to work. -htm\test.htm- and -js\test.js- with <script
type="text/javascript" src="../js/test.js"></script> also works fine.
As long as the HTML file has the "mark of the web" it seems to work okay. Perhaps the OP could provide a small test-case we
could evaluate and test to determine the cause of his failure.
I'd let your customers know that IE isn't secure.
While doing so might be a great public service, it's more likely he's tasked with making a Web interface that works in all (or
most) Web browsers, including, but not limited to, the one used by (depending on what statistics you believe) 70 - 90% of the
general public. Adding "the mark of the web" seems to resolve the problem. I'd rather find the OP a solution than to tell him
to abandon some of his customers.
This is an anti-competitive more on M$ part.
Please explain that. How is it anti-competitive? It makes IE _less well-suited_ to be used as an interface for slide-show CDs
and other locally loaded HTML content (if in fact this is a problem, which it appears not to be). These limitations might drive
more users to alternative browsers (if in fact this is a problem, which it appears not to be). Microsoft has provided security
at the expense of market share for the first time (if in fact this is a problem, which it appears not to be), possibly in
history, and yet people _still_ complain that Microsoft is the ultimate evil, out to destroy the world.
The locking down of the Local Computer zone is a _security_ related change, intended to make IE a more secure application.
Amazing. Microsoft ignores security implications, or produces products with security problems, and are attacked. They take
security seriously and make positive changes to secure their products and they are attacked.
--
Grant Wagner <gw*****@agricoreunited.com>
comp.lang.javascript FAQ - http://jibbering.com/faq
> Amazing. Microsoft ignores security implications, or produces
products with security problems, and are attacked. They take security seriously and make positive changes to secure their products
and they are attacked.
Grant -
I think the problem here is that Microsoft has dealt with the security
issue in a way that causes at least as many problems as it fixes.
Instead of detecting actual pernicious activity in ActiveX content that
is running locally, they simply disallow all ActiveX. This means that
perfectly innocent things like Flash animations generate scary warnings
when run from CDs.
I'm working with a client now whose business may be harmed because of
this. We submitted a CD version of his web site to a professional
association so that he could get their seal of approval for the
content. Because the chairman of the committe got a warning message he
didn't understand simply because the site uses Flash, my client will
now, most likely, not receive their seal.
Seems that Microsoft does deserve criticism for first creating security
problems, then making belated and clumsy attempts to fix them.
It also seems strange to me that it should be considered OK to run this
kind of content from a web site, but not from a local CD!
- Allen
In article <11*********************@c13g2000cwb.googlegroups. com>, mu*****@clamco.com wrote: I think the problem here is that Microsoft has dealt with the security issue in a way that causes at least as many problems as it fixes. Instead of detecting actual pernicious activity in ActiveX content that is running locally, they simply disallow all ActiveX. This means that perfectly innocent things like Flash animations generate scary warnings when run from CDs.
Microsoft pollutes Javascript by adding ActiveX controls. Microsoft
finds that ActiveX is a problem.
My understanding is that Microsoft gives a warning when it see
javascript. It should give a warning the first time it see ActiveX
content or implement Javacript per standard thus disallowing ActiveX
controls.
It's anti-competitive because they are labeling Javascript as the
problem when it is the Microsoft ActiveX additions that are the problem.
Firefox works fine one the same html file.
Robert
<mu*****@clamco.com> wrote in message
news:11*********************@c13g2000cwb.googlegro ups.com... Amazing. Microsoft ignores security implications, or produces products with security problems, and are attacked. They take security seriously and make positive changes to secure their
products and they are attacked. Grant -
I think the problem here is that Microsoft has dealt with the security issue in a way that causes at least as many problems as it fixes. Instead of detecting actual pernicious activity in ActiveX content
that is running locally, they simply disallow all ActiveX. This means that perfectly innocent things like Flash animations generate scary
warnings when run from CDs.
I'm not sure what "scary warning" you refer to, but if it is the "active
content" warning you receive when attempting to run script locally, I've
already explained how to avoid that, by using the Mark of the Web. You
script will run in the Internet zone, and as a result will not have
access to harmful ActiveX controls, but it will run without a warning.
It only requires including <!-- saved from url=(0014)about:internet -->
somewhere on your page.
This is explained at <url: http://msdn.microsoft.com/workshop/a...compat.asp#lmz
/> and <url: http://support.microsoft.com/default...b;en-us;873156 /> and
<url: http://support.microsoft.com/default...b;EN-US;883866 />
I'm working with a client now whose business may be harmed because of this. We submitted a CD version of his web site to a professional association so that he could get their seal of approval for the content. Because the chairman of the committe got a warning message
he didn't understand simply because the site uses Flash, my client will now, most likely, not receive their seal.
Again, you obviously failed to give your document the Mark of the Web,
doing so will restore functionality without a warning.
Seems that Microsoft does deserve criticism for first creating
security problems, then making belated and clumsy attempts to fix them.
So your solution is to not make any attempt to protect users from
locally executed malicious scripts because the solution has been late in
coming?
As I've said, Microsoft locked down the Local Computer zone and required
the user to explicitly allow such content to be run. If you wish to add
JavaScript to a file that will be loaded from the Local Computer zone,
then add the Mark of the Web. This will make the script execute in the
Internet zone, with the restrictions that zone imposes.
It also seems strange to me that it should be considered OK to run
this kind of content from a web site, but not from a local CD!
This is because the JavaScript run from a local CD would run in the
Local Computer zone, where it has abilities (such as creating a
FileSystemObject) not available to it when run from a Web site (the
Internet zone).
As a result, the user needs to grant permission to scripts which execute
in a zone where they could do harmful things to the user's computer, or
_you_ need to give your page the Mark of the Web, which forces the
locally executed page to run in the Internet zone.
--
Grant Wagner <gw*****@agricoreunited.com>
comp.lang.javascript FAQ - http://jibbering.com/faq
"Robert" <rc*******@my-deja.com> wrote in message
news:rc*****************************@individual.ne t... In article <11*********************@c13g2000cwb.googlegroups. com>, mu*****@clamco.com wrote:
I think the problem here is that Microsoft has dealt with the
security issue in a way that causes at least as many problems as it fixes. Instead of detecting actual pernicious activity in ActiveX content
that is running locally, they simply disallow all ActiveX. This means
that perfectly innocent things like Flash animations generate scary
warnings when run from CDs. Microsoft pollutes Javascript by adding ActiveX controls. Microsoft finds that ActiveX is a problem.
This is not a "pollution" of JavaScript, it is an extension of the
browser DOM to manipulate ActiveX controls hosted by the OS or the
browser.
My understanding is that Microsoft gives a warning when it see javascript. It should give a warning the first time it see ActiveX content or implement Javacript per standard thus disallowing ActiveX controls.
The mechanisms for making ActiveX objects available to JavaScript are
simply too complex to monitor that condition. For example, an <object>
tag can be created using createElement(), appended to the document using
appendChild(), then scripted. Trying to detect these sorts of things
would be very complicated and error prone (which has resulted in many of
the security vulnerabilities discovered in the past).
Most of JScript is implemented per the ECMAScript standard. Disallowing
(or not) ActiveX controls has nothing to do with ECMAScript.
ActiveXObject() is there to facilitate communication with the DOM, it is
not part of the language.
It's anti-competitive because they are labeling Javascript as the problem when it is the Microsoft ActiveX additions that are the
problem. Firefox works fine one the same html file.
No, they are labelling "active content" as the problem, which it is.
Scripts run in IE in the Local Computer zone have access to do things
not available when run in the Internet zone.
I still fail to see how this is anti-competitive. First you argue that
Microsoft is hurting the ability for companies and individuals to
accomplish their design goals, then you argue that this somehow
_benefits_ Microsoft.
Anyway, all this is completely moot. You can make your scripts run
without warning in the Local Computer zone by including the Mark of the
Web.
<url: http://msdn.microsoft.com/workshop/a...psp2compat.asp
/>
<url: http://support.microsoft.com/default...b;en-us;873156 />
<url: http://support.microsoft.com/default...b;EN-US;883866 />
<url: http://www.microsoft.com/technet/pro...rows.mspx#EHAA
/>
Also note that in addition to simply running in the Internet zone (using
<!-- saved from url=(0014)about :internet -->), you can also give your
script more permissions by using <!-- saved from
url=(0022) http://www.yoururl.com --> and adding yoururl.com to the list
of Trusted Sites (this could be done corporate-wide using Group
Policies, a change to each and every workstation is not required).
--
Grant Wagner <gw*****@agricoreunited.com>
comp.lang.javascript FAQ - http://jibbering.com/faq
Grant -
I appreciate your sincerity, and the time you have taken in responding.
I now see why they are more worried about locally run scripts than
those running from web sites. That was counterintuitive to me, but I
do get it.
Yes, the "scary message" I referred to was the active content warning.
It's not scary to me, because I understand what it means, and can
easily deal with it. It's scary to the unsophisticated computer users
who make up the majority of the viewers of the content my client is
trying to provide to them.
My problem is simply this:
I am trying to put an entire web site onto a CD for distribution.
In fact the "Mark of the Web" solution does NOT work for me. It does
allow the first page to run without a warning, yes. But it also
disables all links to the other files on the CD! You can view the home
page, but nothing else!
The "Mark of the Web" was apparently designed to allow a developer to
view a single page locally.
I also tried changing the file extensions to .hta, but that doesn't
work for anything beyond the first page, either. As soon as you click
any link, you get a dialog box
Yes, I could include some material with the CD to explain to users how
to deal with the situation. However, my client is trying to get that
CD certified as an instructional tool by a professional association.
The professional association is now refusing to certify it, because
they have read (and only partially understood) the Microsoft warnings
about active content being potentially harmful. They have taken that
to mean that ANY active content could damage a computer. My client and
I are trying to explain to them that it is possible to create "active
content" that is perfectly safe. We'll see if that flies.
I appreciate the fact that Microsoft is trying to make their operating
system more secure. I also believe that it might be possible to allow
some kinds of benign active content (like the simple Flash animation
used in my project), but to detect and disallow potentially harmful
activities (like reading files that are outside the directory that
contains the content, or writing files anywhere), instead of just
locking everything down and displaying messages that most users don't
understand.
Here's a question for you, since you seem like quite a knowledgable
fellow. Microsoft says:
"An alternative is to create a separate application that hosts the
HTML content Internet Explorer Web Object Control (WebOC). The HTML is
then no longer bound by the same rules that apply to content run in
Internet Explorer. When the HTML content runs in that other process,
it can have full rights as defined by the developer or zone policy for
that process."
I'm not a programmer, so I don't know how to do this. Do you have any
idea how involved creating such an application would be? Could it be
done with Visual Basic?
Thanks.
- Allen
>>Anyway, all this is completely moot. You can make your scripts run without warning in the Local Computer zone by including the Mark of
theWeb.
Grant -
As discussed in my previous message, this is definitely not moot, since
it works only for individual files.
By the way, I wanted to gripe just a little bit about the MOTW
documentation from Microsoft. First, they say you should add that line
to your file. But they don't say where it should go, and that turns
out to be critical.
Then they provide two different versions of the generic form of the
line, in different knowledgebase articles:
<!-- saved from url=(0014)about :internet -->
and
<!-- saved from url=(0013)about :internet -->
The former will work, and the latter won't. Moreover, I discovered
through painful trial and error that if you add this text to a file
that you create on a Mac running OS X, the MOTW will not work! You
have to edit the file and save it on a Windows machine. As I normally
develop my sites on the Mac, it didn't occur to me.
I didn't think of trying that until I'd spent quite a while trying
different combinations of placement and numbering. It wasn't until I
saw that Macromedia had created a Dreamweaver extension to add the
MOTW, but that it only supported the Windows version of DW, that I
decided to try that. I downloaded the DW extension and installed it on
my XP machine, et voila!
Sorry. In the middle of one message I said, "I also tried changing the
file extensions to .hta, but that doesn't
work for anything beyond the first page, either. As soon as you click
any link, you get a dialog box" and didn't finish the though.
You get a dialog box asking if you want to download the file.
- Allen
Aha!
My problem is solved. I looked further into the .hta solution, and
discovered that there are several custom parameters that can be
controlled in a file that uses the .hta extension. This is documented
here: http://msdn.microsoft.com/workshop/a...taoverview.asp
One of the parameters is "Navigable", which by default is set to "no".
When set to "yes" by including the following code in the <head> section
of an HTA file, it allows one to link to other local files.
<HTA:APPLICATION NAME="Whatever"
NAVIGABLE="yes">
There are a number of other parameters that control such things as
whether the window opens maximized, whether scroll bars appear or not,
etc. All the parameters are documented here: http://msdn.microsoft.com/workshop/a..._ref_entry.asp
I have yet to test this on a non-windows machine, and I think there's
every chance it won't work. I will just have to include two different
versions of the content on the CD. In one, the index file will have
the .hta extension, and all files that refer to it will link back to
index.hta. In the other, I'll just use the standard .htm extension.
It's a bit klugey, but it will do.
I hope this post helps someone else who is having the same problem.
- Allen
> The former will work, and the latter won't. Moreover, I discovered through painful trial and error that if you add this text to a file that you create on a Mac running OS X, the MOTW will not work! You have to edit the file and save it on a Windows machine. As I normally develop my sites on the Mac, it didn't occur to me.
Bbedit on MacOS lets you select what line end character or characters
you want to use. Dos, MacOS, and Unix use different line end
characters.
Normally, web browser accept all three line end characters.
Good that you found a solution.
Did you try putting mark of the web in all the html files?
Robert>
> The mechanisms for making ActiveX objects available to JavaScript are simply too complex to monitor that condition.
Isn't activex disallowed in the internet zone? So Microsost disallows
activex in the internet zone and allows javascript without the warning
message. Seems just the thing to allow in the local zone.
Most of JScript is implemented per the ECMAScript standard.
Disallowing (or not) ActiveX controls has nothing to do with ECMAScript.
Accept activex isn't defined in ecmascript. Adding things not in the
standard is call polluting the standard. So, faithfully implementing
ecmascript would meant improved security and less hassle for the
javascript writer.
A simple solution would have been to add a new file type of activex.
Thus:
htm - run in the internat zone so disallowing activex
activix - run with a warning message
hta - as before
Why didn't Microsoft run html in the internet zone? If they did this,
you could not of run activex in the html files on the local machine
without change setting. Instead, they are making it hard for people to
run html files form cd-rom. And a lot less secure when you change to
hta.
Robert This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: Cedric |
last post by:
This is a 3 weeks old problem, but having found a solution (and having
looked for one here, finding only this message), I'm replying now.
From: Jive (someone@microsoft.com)
Subject: Upgrade...
|
by: Angel Cat |
last post by:
Trying to get my jobs to send mail when job fails. Should be easy but
it's giving me headache
Had a whole slew of issues. Outlook is installed with a n outlook
mail profile set up that can...
|
by: Andrew Thompson |
last post by:
- NN 4.78 rendering woes, links at far left -
I am trying to rework an old site, make it valid html
and css, improving the x-browser and 'older browser'
compatibility. My efforts so far, have...
|
by: Arun Bhalla |
last post by:
I'm having some inconsistency problems with my deployment project ("Setup")
and its custom actions ("Installer"). I'm using Visual Studio .NET 2003
(.NET 1.1, no service pack) on Windows XPSP1.
...
|
by: p175 |
last post by:
Express C v9.1
I'm having a hell of a job trying to reduce the highwater mark for
various tablespaces in Express C. DB2MART advises to reorg several
tables with LONGLOBDATA and to disconnect,...
|
by: Mark Rae |
last post by:
Hi,
This time, I'm looking for a regular expression which says "the string must
contain exactly seven or exactly eight digits" e.g.
123456 fails
1234567 passes
12345678 passes
123456789...
|
by: hdogg |
last post by:
Scope Woes - IF statement nested in WHILE statement -PHP
I have an array $actuals_sum.
<?php
while(conditions)
{
if($i == '24)
{
|
by: =?Utf-8?B?VkIgSm9ubmll?= |
last post by:
I am at my witless end here, please help!
I have an ASP.Net aspx web page, hosted on Windows Server 2003, that
receives a query string with the path to an autocad drawing file selected
from a...
|
by: Mike Howarth |
last post by:
I've been having a few problems with connecting to SQL Server, initially I
was using dblib however found some problems with returning text fields
whereby all text fields were ignored and it bawked...
|
by: DolphinDB |
last post by:
Tired of spending countless mintues downsampling your data? Look no further!
In this article, you’ll learn how to efficiently downsample 6.48 billion high-frequency records to 61 million...
|
by: isladogs |
last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM).
In this month's session, we are pleased to welcome back...
|
by: isladogs |
last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM).
In this month's session, we are pleased to welcome back...
|
by: Vimpel783 |
last post by:
Hello!
Guys, I found this code on the Internet, but I need to modify it a little. It works well, the problem is this: Data is sent from only one cell, in this case B5, but it is necessary that data...
|
by: Defcon1945 |
last post by:
I'm trying to learn Python using Pycharm but import shutil doesn't work
|
by: Shællîpôpï 09 |
last post by:
If u are using a keypad phone, how do u turn on JavaScript, to access features like WhatsApp, Facebook, Instagram....
|
by: af34tf |
last post by:
Hi Guys, I have a domain whose name is BytesLimited.com, and I want to sell it. Does anyone know about platforms that allow me to list my domain in auction for free. Thank you
|
by: Faith0G |
last post by:
I am starting a new it consulting business and it's been a while since I setup a new website. Is wordpress still the best web based software for hosting a 5 page website? The webpages will be...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 3 Apr 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome former...
| |