Brain Dump: Random Tidbits

This post contains random IE-related tidbits for which there’s either not enough material or time to write a full post. I expect to revisit and expand this list from time to time.

Case-Sensitivity in Cross-Frame Scripting of File URIs

The Same-Origin Policy controls how script running in one web page may interact with other pages. Normally, in IE, an origin consists of the protocol scheme, the hostname, and the zone number; hostnames are canonicalized to lowercase. The origin of a file URI, however, consists of the protocol scheme, the first component of the path, and the zone number. That’s because file shares are named, and different shares may have different access lists: file://server/Accounting and file://server/Dev/ are treated as different origins. Making matters more interesting, on some file systems paths and share names are case-sensitive, so the origin of a file URI is case-sensitive too. You will find that file://server/Dev/Page1.htm can interact with file://server/Dev/Page2.htm but not with file://server/dev/Page3.htm, because the origin of the first two pages is FILE:server/Dev while the origin of the third is FILE:server/dev.

Blocking ActiveX controls in the Web Browser Control

Hosts of the Web Browser control can govern how it behaves by implementing IOleClientSite and responding to DISPID_AMBIENT_DLCONTROL with a set of desired behavior flags. One important caveat: the DLCTL_NO_RUNACTIVEXCTLS flag only blocks OBJECT tags within the document itself. It does nothing to stop script from instantiating controls via new ActiveXObject(“…”) unless DLCTL_NO_SCRIPTS is also set. To reliably prevent ActiveX execution in a Web Browser host, supply an IInternetSecurityManager and have your ProcessURLAction implementation return S_FALSE with a policy of URLPOLICY_DISALLOW when it is called with URLACTION_ACTIVEX_RUN. To permit only a specified “allow list” of controls to run, the ProcessURLAction implementation can examine the CLSID of the requested control, which is passed in via the pContext parameter.
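As an added example (not code from this post or from IE itself), here is the allow-list decision a host's ProcessURLAction would make, factored into a plain C++ function so it can be tested; the placeholder CLSID and the locally declared Windows types and constants are assumptions so the snippet builds off Windows too.

```cpp
// Added example, not code from the original post. Windows types and
// constants are declared locally when not building on Windows; on
// Windows <urlmon.h> supplies them.
#include <cstdint>
#include <cstring>
#ifdef _WIN32
#include <windows.h>
#include <urlmon.h>
#else
typedef long HRESULT;
typedef uint32_t DWORD;
typedef unsigned char BYTE;
struct GUID { uint32_t Data1; uint16_t Data2; uint16_t Data3; uint8_t Data4[8]; };
#define S_OK                  ((HRESULT)0L)
#define S_FALSE               ((HRESULT)1L)
#define E_INVALIDARG          ((HRESULT)0x80070057L)
#define INET_E_DEFAULT_ACTION ((HRESULT)0x800C0011L)
#define URLACTION_ACTIVEX_RUN 0x00001200
#define URLPOLICY_ALLOW       0x00
#define URLPOLICY_DISALLOW    0x03
#endif
// Allow list of controls the host permits to run. The CLSID below is a
// constructed placeholder, not the identifier of any real control.
static const GUID kAllowedControls[] = {
    { 0x11111111, 0x2222, 0x3333, { 0x44, 0x44, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55 } },
};
static bool IsAllowedClsid(const GUID& clsid) {
    for (const GUID& g : kAllowedControls)
        if (std::memcmp(&g, &clsid, sizeof(GUID)) == 0) return true;
    return false;
}
// The decision IInternetSecurityManager::ProcessURLAction(pwszUrl, dwAction,
// pPolicy, cbPolicy, pContext, cbContext, dwFlags, dwReserved) should make,
// factored out so it can be tested. For URLACTION_ACTIVEX_RUN the control's
// CLSID arrives in pContext; a missing CLSID or one not on the allow list is
// refused with URLPOLICY_DISALLOW and S_FALSE. Other actions go back to the
// default security manager via INET_E_DEFAULT_ACTION.
HRESULT DecideUrlAction(DWORD dwAction, BYTE* pPolicy, DWORD cbPolicy,
                        BYTE* pContext, DWORD cbContext) {
    if (dwAction != URLACTION_ACTIVEX_RUN) return INET_E_DEFAULT_ACTION;
    if (pPolicy == nullptr || cbPolicy < sizeof(DWORD)) return E_INVALIDARG;
    DWORD policy = URLPOLICY_DISALLOW;  // fail closed
    if (pContext != nullptr && cbContext >= sizeof(GUID)) {
        GUID clsid;
        std::memcpy(&clsid, pContext, sizeof(GUID));
        if (IsAllowedClsid(clsid)) policy = URLPOLICY_ALLOW;
    }
    std::memcpy(pPolicy, &policy, sizeof(DWORD));
    return policy == URLPOLICY_ALLOW ? S_OK : S_FALSE;
}
```

Your real ProcessURLAction would forward its dwAction, pPolicy, cbPolicy, pContext and cbContext arguments to this function and return its result unchanged.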

FavIcons in the Windows 8 "Metro" Start Screen

If you pin a site to the Windows 8 Start Screen, it will only show the site's FavIcon if the site supplied a 32x32 image in its .ico file. Learn more here.

ActiveX Filtering and Zones

In IE10, the ActiveX Filtering feature was changed to permit a small list of controls that are deemed part of the web platform. This change was undertaken both to improve the user-experience and to provide developers with a means of emulating Metro-style Internet Explorer's ActiveX restrictions in the desktop, where the F12 Developer Tools are available for debugging purposes.

Unfortunately, this debugging strategy doesn't always work, because ActiveX Filtering is disabled by default in the Local Intranet Zone. For instance, if you load your development site from https://localhost, it runs in the Local Intranet Zone and ActiveX Filtering is therefore not applied. To enable ActiveX Filtering for the Intranet zone, set Tools > Internet Options > Security > Local intranet > Custom Level > Allow ActiveX Filtering to Enable.

To be continued…