Braindump: Feature Control Keys and URLActions

Note: The “brain dump” series is akin to what the support.microsoft.com team calls “Fast Publish” articles—namely, things that are published quickly, without the usual level of polish, triple-checking, etc. I expect that these posts will contain errors, but I also expect them to be mostly correct. I’m writing these up this way now because they’ve…

Enhanced Protected Mode and Local Files

Ordinarily, Internet Explorer loads local HTML files in the Local Machine Zone. Locally-loaded HTML files are subject to the Local Machine Lockdown feature, which prevents pages from running active content like JavaScript or ActiveX controls and shows a notification. In order to avoid this lockdown, many local HTML pages will contain a Mark-of-the-Web (MOTW) which…

Brain Dump: Random Tidbits

This post contains random IE-related tidbits for which there’s either not enough material or time to write a full post. I expect to revisit and expand this list from time to time. Case-Sensitivity in Cross-Frame Scripting of File URIs: Same-Origin-Policy controls how script running in web pages may interact with other pages. Normally, in IE,…

Same Origin Policy Part 2: Limited Write

In Part 1 of this series, I described how Same Origin Policy prevents web content delivered from one origin from reading content from another origin. (If you haven’t read that post yet, please do start there.) In today’s post, we’ll look at what restrictions are placed on writing between origins. What is a “Write”? For…

Sharpen the Saw

Gather round, young’ins, Grandpa Eric is going to tell you a story. Back in the old days, when I started writing software, programmers’ utilities were sold in boxes in retail stores. You’d plunk down your 149 bucks or whatever (in cash, kids, this was before credit cards got popular) and you’d get your cardboard box…

Internet Explorer 9.0.2 Update

Tuesday’s Update for Internet Explorer updates the IE9 Help > About dialog’s version number to v9.0.2. The update includes a number of security and functionality fixes; many of these fixes are described in the More Information section of KB2559049. One fix enables the IE9 Download Manager to properly save files on network drives where the…

A Security Prompt that makes you go “Huh?”…

Every few months, a Microsoft employee will send me an email complaining that Internet Explorer showed them the following dialog: “This page is accessing information that is not under its control. This poses a security risk. Do you want to continue?” …and they don’t understand the question or how to answer. This prompt is called…

Controlling ActiveX in Internet Explorer

In today’s post, I’ll provide a high-level overview of features in Internet Explorer that impact the loading of ActiveX controls. Internet Explorer 6 and later allow the user to enable or disable ActiveX controls on an individual basis using the Manage Add-ons screen. Internet Explorer 7 introduced the ActiveX Opt-In feature. This feature showed the…

Understanding Local Machine Zone Lockdown

Recently, a colleague sent me an email which provided a flashback into my own past: “Hey, Eric– Why do we show this when opening HTML locally? What are we protecting the user from? -Ben” I myself had sent an email with almost the same text nearly seven years ago, and the surprisingly complicated answer is…

XDomainRequest – Restrictions, Limitations and Workarounds

Update: Internet Explorer 10+ supports CORS using XMLHttpRequest. IE11 deprecates the XDomainRequest object and it is not available in IE11 Edge mode. In Internet Explorer 8, the XDomainRequest object was introduced. This object allows AJAX applications to make safe cross-origin requests directly by ensuring that HTTP Responses can only be read by the current page if…
