ie8 weirdness...
-
doesn't it ask you to allow only for that page?
---------------------------------------------------------- this is a sig++
I think the point being made is that "all that is being opened is a bit of html and some css" so where does ActiveX come into that?
My new favourite phrase - "misdirected leisure activity"
-
so i open a page on my local hard drive just to check some css stuff and IE8 tells me it has "blocked some active content or scripts on the page for my safety yada yada..." and i get the yellow bar along the top saying "allow active content..." etc etc ... which includes activex controls and all that good stuff. the page i was trying to load? a simple div and some css. so... allowing that means i also have to allow activex controls and the rest of "active content"?? and that is security, ladies and gentlemen ... no wonder most installs of IE are so vulnerable to attack *shakes head*
"mostly watching the human race is like watching dogs watch tv ... they see the pictures move but the meaning escapes them"
I was reading something about html pages that are opened from local drives being moved 'automatically' to a high security internet zone. Something that happened in a recent IE patch. There were some notes about putting the 'Mark of the Web' on your page to let IE know what zone it should be opened in: http://msdn.microsoft.com/en-us/library/ms537628(VS.85).aspx
-
interesting, thanks, but i don't think it applies. i created the page from scratch so it was never "saved" from anywhere other than ultraedit. weird
"mostly watching the human race is like watching dogs watch tv ... they see the pictures move but the meaning escapes them"
-
l a u r e n wrote:
i created the page from scratch so it was never "saved" from anywhere other than ultraedit
I think that's what Paddy's talking about - if you'd saved it from the web, IE wouldn't be bugging you (or loading locally-referenced resources...), but since it's been created locally (and is referencing local resources...) IE gives you all manner of crap.
-
I am totally looking forward to that stuff :~
-
Perhaps IE8 doesn't have the ability to determine "where" a page was saved from. It is probably just detecting a locally accessed page, thus the need for the "Mark of the Web". I have the same problem with html help documents I create from a program called FLARE. If I don't include the "Mark" then I get the warning when viewing them from the hard drive... that goes for IE7 too. ---- Well shoot! I'm just para-parrotting. Anyway, the consensus will more than likely end up being not so much a "bug" with IE8, though it may be bugging you. ( :sigh: sorry for the pun, couldn't resist )
S.Nowlin ----------------------- I'm a Techwriter Monkey -- handy, just less useful than the Bathroom Monkey.
-
Paddy Boyd wrote:
http://msdn.microsoft.com/en-us/library/ms537628(VS.85).aspx
WHAT THE FUCK. Bad Engineering - Why require a string length as literal? And why reject lines that don't end in CR LF? The latter could be a lazy parser. But the first? Design by Committee? What's the Point? - How do you stop an attacker from using an elevating MOTW? The only hurdle I can think of is that the attacker does not know your security configuration - but then, that's not helping at all against "typical configuration" attacks against many targets. Or am I missing something here?
-
Shouldn't it be the opposite? Pretty much like "It works there, it works everywhere"?
I'm waiting for Windows Feng Shui, where you have to re-arrange your icons in a manner which best enables your application to run. Richard Jones www.immo-brasseurs.com
-
peterchen wrote:
Or am I missing something here?
Yeah. IE has this concept of security "zones", where a page in the local zone can do things like open local files while a page in the "internet" zone can't. So opening a local file is a security risk, produces the alert and gets slapped down, unless it has the special comment indicating it was saved from a different zone - in which case, it is prevented from doing things that aren't allowed in that zone but doesn't produce an alert. Of course, you could argue that it would have made more sense to just open local files in a more restrictive zone by default... but then we wouldn't get to see that alert when viewing locally installed MSDN help.
-
So, local security zone = allows everything but has the warning, Internet security zone allows less but without the warning? OK, that would make sense from a security expert's POV. However, is it practical? Well, as an example from today: A colleague is tasked with exporting some data in XML. I showed him that he can open the XML file in IE so it looks good, and he can even collapse sections (which is good for checking things are ok). Of course you do get that funny warning. His response, after clicking it twice? "Looks like I need to change my security settings". If he has to do it a lot, he'll fiddle with the security settings until he can do. Now we - as the guys trying to protect him - can make him fail, e.g. I could force zone settings through group policy. But that makes IE useless (or much less useful) for this task. If he succeeds, he'll use the first setting he succeeds at - even if that's the internet equivalent of "intrude me". Now we can blame IE for requiring "dangerous stuff" to show some XML. But that, in turn, means for the IE team they can't use a plugin to improve their XML display. We can say "you don't need that collapse really, just ignore the information bar". But that waters down the meaning of the warning: it is a text file he creates, on his computer, he can look at it with notepad and there's nothing evil to be seen, yet IE tells him "You should be afraid of this". Next time he sees the information bar "stopping" him from seeing something he wants to see, he'll happily open the gates. We can say "Use a better tool". Now, there's not much to say against that, except that this universal tool is available, and any other generic tool with that popularity will sooner or later run into the same problem. I doubt "many specialized tools" is the solution. And that's just one annoyance out of many I have again and again with all that browser security.
I think I didn't quite follow the paradigm shift: from "don't let the evil stuff on your computer" to "we can't stop you from letting that evil stuff on your computer, so we have to protect you from stuff on your computer". But it doesn't solve the core problem: we can't tell "evil" from "not evil". Maybe I am taking this much too serious. Maybe I just had a stressful day. :shrug: it's just a yellow bar up there.
-
peterchen wrote:
However, is it practical?
No. It's asinine. ;)
peterchen wrote:
Maybe I am taking this much too serious.
I agree with you. MS has a really nasty tendency to build good tools and then use them badly. If the warning bar always meant, "Thar be dragons", we could safely tell users to avoid ever, ever clicking that "allow" button* - but trying to teach them the subtleties needed to differentiate between real danger and paranoia is doomed to fail. See also: UAC... *let's just pretend we're not involved in organizations that rely on ActiveX controls for the proper operation of internal apps without sufficient processes in place for deploying said controls, 'k?
-
Shog9 wrote:
*let's just pretend we're not involved in organizations that rely on ActiveX controls for the proper operation of internal apps without sufficient processes in place for deploying said controls, 'k?
Is there a way to do so that doesn't result in the warning bar coming up every time?
Today's lesson is brought to you by the word "niggardly". Remember kids, don't attribute to racism what can be explained by Scandinavian language roots. -- Robert Royall
-
As was mentioned in another post, to bypass that issue, you add a "mark of the web" to your source: http://msdn.microsoft.com/en-us/library/ms537628.aspx But, if you are like me and do not care for that feature and figure you will take control over your own security on your local machine, you can turn that feature off by going to Tools/Internet Options/Advanced/Security and check the "Allow active content to run in files on My Computer" option and restart the browser. With all the issues Microsoft has to deal with, I guess they decided to use the "swatting a fly with a bazooka" method :)
Rocky <>< Recent Blog Post: Doughboy – R.I.P. Thinking about Silverlight? www.SilverlightCity.com
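
Added example (not part of any post in this thread, and not Microsoft's code): a Python check for the two formatting rules of the "saved from url" comment that the thread raises, the literal length in parentheses and the CR LF line ending. The sample pages are constructed, and `about:internet` and `http://www.contoso.com/` are illustrative URLs.

```python
import re

CRLF = b"\r\n"
# "saved from url" comment: 4-digit decimal length in parentheses, then the URL.
MOTW_RE = re.compile(rb"<!-- saved from url=\((\d{4})\)(\S+) -->")


def make_motw(url: str) -> bytes:
    """Build the comment line, deriving the length literal from the URL."""
    raw = url.encode("ascii")
    if len(raw) > 9999:
        raise ValueError("URL does not fit a 4-digit length field")
    return b"<!-- saved from url=(%04d)%s -->" % (len(raw), raw) + CRLF


def check_motw(page: bytes) -> list[str]:
    """Return the problems found with the mark in `page` (empty list = well-formed)."""
    m = MOTW_RE.search(page)
    if m is None:
        return ["no 'saved from url' comment found"]
    problems = []
    declared, url = int(m.group(1)), m.group(2)
    if declared != len(url):
        problems.append(f"length literal {declared:04d} but URL has {len(url)} characters")
    if page[m.end():m.end() + 2] != CRLF:
        problems.append("comment line does not end in CR LF")
    return problems


# Constructed sample pages (not taken from the thread).
BODY = b"<html><body><div>css test</div></body></html>\r\n"
GOOD = make_motw("about:internet") + BODY
# Same mark, but written by an editor that saves LF-only line endings.
LF_ONLY = GOOD.replace(CRLF, b"\n")
# URL edited by hand without updating the length literal.
STALE_LEN = GOOD.replace(b"about:internet", b"http://www.contoso.com/")

if __name__ == "__main__":
    for name, page in [("good", GOOD), ("lf-only", LF_ONLY), ("stale-length", STALE_LEN)]:
        print(name, check_motw(page) or "ok")
```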