I got a web site using jQuery, jQuery Tools and some handcrafted JS running performing graphical enhancements. While it's running smooth on FF, Safari and Chrome, IE blocks the script execution :
There is nothing particularly more dangerous on this code than, let's say, on Netvibes.
Why is even talking about activeX ? I'm using JS.
And how can I prevent that ? I don't want my user to click on "I allow this website" to work. It would be like putting a big red absolute DIV reading "Live quick and never e back".
I got a web site using jQuery, jQuery Tools and some handcrafted JS running performing graphical enhancements. While it's running smooth on FF, Safari and Chrome, IE blocks the script execution :
There is nothing particularly more dangerous on this code than, let's say, on Netvibes.
Why is even talking about activeX ? I'm using JS.
And how can I prevent that ? I don't want my user to click on "I allow this website" to work. It would be like putting a big red absolute DIV reading "Live quick and never e back".
Share Improve this question edited Jun 20, 2015 at 18:26 Spooky 2,9938 gold badges29 silver badges42 bronze badges asked Oct 7, 2009 at 16:58 Bite codeBite code 597k117 gold badges309 silver badges335 bronze badges 4-
4
The yellow bar visible in the screen shot is expected if you access the page via the filesystem (e.g.
file:///C:/example.html) instead of a web server (e.g.http://server/example.html). Can you rule that out as a possibility? – Ken Browning Commented Oct 7, 2009 at 17:02 - God, write that as an answer. I test it. If it's that, that would be the quickest accepted answser in SO history. – Bite code Commented Oct 7, 2009 at 17:03
- He's not even written it as an answer :P he's right though. – jakeisonline Commented Oct 7, 2009 at 17:06
- this is the right anwser but it bugs me : js can't access the filesystem, so what's so point ? – Bite code Commented Oct 7, 2009 at 17:11
2 Answers
Reset to default 8js can't access the filesystem, so what's so point ?
Actually JS can traditionally do some bad stuff running from the My Computer Zone, like install ActiveX objects. A lot of past IE exploits used this to leverage filesystem access into arbitrary-code access.
So faced with this problem Microsoft decided to solve the problem, not by simply removing the My Computer zone — oh no, that would be far too easy — but by adding an extra layer of plexity. So Internet Explorer gained an option, on by default, to lock down content from the filesystem, whilst allowing other applications that used embedded WebBrowser controls to continue as before, on the grounds that maybe some applications were relying on the loose settings in their internal HTML interfaces.
(They weren't, really, in the consumer space, but then we never know what shades of foulness may exist in the bespoke Enterprise app world.)
After the embarrassment of IE getting hacked all the time, MS overpensated by making the lockdown settings for filesystem pages considerably more restrictive than even normal web pages from the Intenet. So you can't run JavaScript from files off the filesystem, for no particularly good reason.
At this point web authors whinged, so MS responded not by removing the excessive lockdown — oh no, that would be far too easy — but by adding an extra layer of plexity. So now you can get out of the My Computer Zone simply by placing at the top of your file:
<!-- saved from url=(0014)about:internet -->
This cryptic incantation is known as the Mark of the Web. The newline at the end of it has to be a Windows CRLF, which nicely shafts you if you're using plain LF line-endings. Including this string puts you in the normal Internet Zone where JScript works but you get no other special privileges.
The amusing thing is that since then, the normal security settings in the My Computer Zone have been tightened up so that it's pretty much the same as the default Internet Zone. So the net result is the same as if they'd just got rid of the bloody My Computer Zone in the first place, only with lots of extra plication for the user and annoyance to the web author.
Thank you so very much Microsoft.
As Ken Browning said in a ment to your question, this alert happens with javascript when on a High Security Zone, where local pages are.
If someone has the Internet as a High Security Zone, then the warning will pop up.
You can add localhost to the Trusted Sites Zone.