You may have encountered a warning similar to the following when browsing web sites with IE7:
This website wants to run the following add-on: ‘MSXML 5.0’ from ‘Microsoft Corporation’. If you trust this website and the add-on and want to allow it to run, click here…
The same warning may appear for some other common add-ons:
- This website wants to run the following add-on: ‘QuickTime’ from ‘Apple Computer, Inc.’.
- This website wants to run the following add-on: ‘Windows Media 6.4 Player Shim’ from ‘Microsoft Corporation’
- This website wants to run the following add-on: ‘Windows Media Player Core’ from ‘Microsoft Corporation’
- This website wants to run the following add-on: ‘Windows Media Player Extension’ from ‘Microsoft Corporation’
If you are seeing any of these warnings, you probably wonder if it is safe to allow the control to run. And if you are a web developer, you probably wonder why your web page is triggering this warning.
Why the Warning?
This warning occurs whenever a web page attempts to execute code on your machine that has not been used previously and is not on the local pre-approved list. This is usually caused by the website trying to use older code. Web Developers often copy-and-paste samples to do things like statistics tracking and media player detection. Some samples that are several years old were written to use old versions of the controls. If the web page is written to look for the most recent versions of QuickTime or Media Player, no warning is shown. You can see which controls are pre-approved on your machine by looking in Tools>Manage Add-ons>Enable or Disable Add-ons.
It’s important to note that the “Run” approval in the Information Bar is different from “Install” approval. “Run” is for code already on your PC. “Install” is for new code that the website would like you to download and install. As has been our guidance for many years, you should only install code from websites and vendors that you trust. IE7 provides a series of dialogs with information to help make this trust decision.
Should you Allow?
Once you approve a control, any site on the Internet will be able to script that control without prompting you again. You should NOT approve the control unless you have strong reason to believe that the control is safe. Site authors should not be using these older Microsoft controls, and approving them exposes you to increased risk. You should encourage site owners to change their web sites to check for the newer, safer versions of the controls.
How to Avoid the Warning?
If you are a web developer, you should use the safer versions of these controls. Please do not encourage your users to approve controls when safer options are pre-approved. If you are getting these warnings, you are probably using some very old sample code:
- Windows Media Player: Do not use MediaPlayer.MediaPlayer.1, or other older techniques. Use wmplayer.ocx.
- QuickTime: Do not use QuickTimeCheckObject.QuickTimeCheck.1. Instead, use QuickTime.QuickTime.
- MSXML: Do not use MSXML 5.0. See this sample code to detect the right version of MSXML in IE7.