Release Date: 8/18/2004 | Update Date: 8/18/2004
Microsoft Corporation
Applicable to:
Microsoft ActiveX Controls
Microsoft Internet Explorer
Microsoft Outlook Express
Microsoft Windows XP Service Pack 2 (SP2)
Summary: Make your Web site work well with the new security features in Windows XP SP2, which may affect ActiveX controls, file downloads, pop-up windows, and more.
Do you use Microsoft ActiveX controls?
In Windows XP Service Pack 2 (SP2), the modal installation prompt for ActiveX controls is initially blocked by the Information Bar. An exception is made for upgrades to controls that are already installed on the computer, provided the following conditions are met:
■ The file registered as the ActiveX control must be signed using Authenticode technology. (This file is referenced from HKEY_CLASSES_ROOT\CLSID\{Control_CLSID}\InprocServer32, where Control_CLSID is the CLSID specified by the OBJECT tag.)
■ The publisher name in the digital signature of the new control matches the publisher name in the digital signature of the existing control.
■ If the ActiveX control is packaged as a CAB file, the CAB file must be signed. The DLL or OCX to be installed should also be signed so that subsequent upgrades can skip the Information Bar.
If the Information Bar blocks an ActiveX control that would occupy an area on the page, Internet Explorer displays an embedded icon and text in place of the control, indicating that an ActiveX control is required. End users can click that area or the Information Bar to install the ActiveX control.
Is the ActiveX control distributed as a CAB file?
If so, note that future installation prompts for upgrades to the control will also be blocked by the Information Bar unless you sign the DLL or OCX that is registered as the ActiveX control.
Does your Web site behave differently depending on whether an ActiveX control is installed (for example, by redirecting or refreshing)?
Some web pages automatically redirect, refresh, or behave differently if the control is not installed. In some cases, building a site this way may prevent the user from installing the control, resulting in a bad user experience.
Because a web page cannot distinguish between the user declining to install the ActiveX control and the Information Bar blocking the control, the recommended practice for installing an ActiveX control is to create the instance of the control on a separate web page that explains the control. In addition, the section between the opening and closing OBJECT tags should be used to dynamically provide "Help" text to the user about failed installations.
Does your Web site show images of the Authenticode dialog box?
To avoid confusing users, you can update these images to reflect the new Authenticode user interface (UI). You can use the user agent string to determine the correct version of the browser. (For more information on detecting SP2, see General tips.)
Does the ActiveX installation dialog box prevent the control from being installed?
If the dialog box does not offer an option to install the ActiveX control, the file may not be properly signed. Make sure your file is signed and that the signature is still valid. By default, SP2 blocks installation of an ActiveX control whose signature is invalid.
ActiveX best practices
■ Do not use the pop-up or HTML dialog box to install the ActiveX control.
■ Do not recommend that users reduce their security settings to install ActiveX controls.
■ Create the instance of the ActiveX control on a separate page that describes the purpose of the control and its impact on the end user.
Does your Web site allow users to download files?
In SP2, the Information Bar blocks file download prompts that are started automatically.
In SP2, the prompts for file downloads, e-mail attachments, shell process execution, and program installation have been modified to be more consistent and clearer than in Windows XP Service Pack 1 (SP1). In SP2, publisher information is displayed after downloading file types that are signed and could potentially harm the user's computer. (Common file types that are signed and could harm the user's computer include .exe, .dll, .ocx, and .msi.)
Does your Web site automatically start download prompts?
If a web site tries to navigate to a resource that produces a file download dialog box, and the user did not start the navigation with a mouse click or a key press, the file download prompt is blocked by the Information Bar.
To make sure downloads are not blocked, start every download as the direct result of a user action.
Does your Web site contain files whose file extensions do not match their content type?
If your site serves files that are handled by a MIME handler, the extension of those files should map to the same ProgID as the MIME handler. If the ProgID for a file's content type does not match the ProgID for its file extension, Internet Explorer in XP SP2 may do the following: 1) it may prompt the user to download the file; 2) if the file cannot be handled by the MIME handler, it will not be handled by the extension handler either.
You can correct these mismatches by changing the content type to match the file extension. Check whether this applies to your web pages.
Exception: This change does not affect cases where the "Content-Disposition=attachment" header is sent. In those cases, the file name or extension proposed by the server is treated as final and is not changed by Multipurpose Internet Mail Extensions (MIME) sniffing.
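The following script is an added example, not part of the original article: it audits a list of responses for the extension and content type mismatch described above and skips responses sent as attachments. The EXPECTED_TYPES table, the function names and the sample URLs are assumptions made for illustration.

```javascript
// Added example. EXPECTED_TYPES is an assumed, partial mapping; Internet
// Explorer itself compares the ProgIDs registered for the content type and
// for the extension, which this table only approximates.
var EXPECTED_TYPES = {
    pdf: ["application/pdf"], doc: ["application/msword"],
    txt: ["text/plain"], htm: ["text/html"], html: ["text/html"]
};

// Extension of the URL path, lowercased, ignoring query string and fragment.
function extensionOf(url) {
    var path = url.split("#")[0].split("?")[0];
    var name = path.substring(path.lastIndexOf("/") + 1);
    var dot = name.lastIndexOf(".");
    return dot === -1 ? "" : name.substring(dot + 1).toLowerCase();
}

// Media type without parameters such as "; charset=utf-8".
function mediaTypeOf(contentType) {
    return (contentType || "").split(";")[0].replace(/^\s+|\s+$/g, "").toLowerCase();
}

// responses: [{ url, contentType, contentDisposition }]; returns mismatches.
function findMismatches(responses) {
    var out = [];
    for (var i = 0; i < responses.length; i++) {
        var r = responses[i];
        // Exception from the text: attachments keep the server's file name.
        if (/^\s*attachment/i.test(r.contentDisposition || "")) { continue; }
        var ext = extensionOf(r.url);
        var known = Object.prototype.hasOwnProperty.call(EXPECTED_TYPES, ext);
        var actual = mediaTypeOf(r.contentType);
        if (known && EXPECTED_TYPES[ext].indexOf(actual) === -1) {
            out.push({ url: r.url, extension: ext, contentType: actual });
        }
    }
    return out;
}

// Constructed sample responses (not taken from a real site).
var SAMPLE = [
    { url: "http://example.test/docs/report.pdf", contentType: "text/plain" },
    { url: "http://example.test/docs/guide.doc?v=2", contentType: "application/msword" },
    { url: "http://example.test/get/notes.txt", contentType: "application/octet-stream",
      contentDisposition: "attachment; filename=notes.txt" },
    { url: "http://example.test/index.html", contentType: "Text/HTML; charset=utf-8" }
];
```

Only report.pdf is reported for the sample: it is served as text/plain, while notes.txt is exempt because it is sent as an attachment.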
Does your Web site show images of the download dialog box, or images or text that describe how to accept the control?
If your customers use Windows XP Service Pack 2, make sure you update all images of the download prompt to reflect the new download dialog box. To determine which version to display, you can use the user agent string in Internet Explorer (for details on detecting SP2, see General tips).
Does your Web site have downloads that should be digitally signed?
SP2 now checks the digital signatures of files that can be digitally signed. The most common examples are files with the following extensions: .exe, .dll, .cab, .ocx, and .msi. If you publish files that can be signed with Authenticode technology, customers will now be able to verify the files you created. This applies to Internet Explorer and Outlook Express.
Does your Web site use pop-ups?
In SP2, Internet Explorer includes a pop-up blocker that is turned on by default. The pop-up blocker may interfere with new windows that are generated automatically from script. The pop-up blocker includes an "Allow" list of sites for automatic pop-ups. By default, the pop-up blocker does not attempt to block pop-ups from the intranet or Trusted Sites zones.
How does Internet Explorer treat pop-up windows?
Internet Explorer will try to block any window opened automatically from script, with the exception of createPopup(). Commonly affected functions include window.open(), showModelessDialog(), showModalDialog(), and showHelp(). (Note: Automatic opening of the search pane is also blocked by the pop-up blocker.)
Pop-up windows opened as the direct result of a user action, such as clicking a page element, are not blocked. By default, the pop-up blocker is not applied to the intranet or Trusted Sites zones.
How do I determine whether Internet Explorer blocked my pop-up window?
If a window is blocked, the function that would return the window object returns null. Always check the return value of window.open() before using it, to avoid script errors when a pop-up is blocked.
Does your site redirect or close the page when a pop-up is blocked?
Whenever possible, do not redirect or close the window because content was blocked. If your site redirects to another site when a pop-up is blocked, it may be difficult for the customer to display the blocked pop-up. In this case, the redirected site does not display the Information Bar that would normally appear, and the user cannot easily access the pop-up content.
Similarly, if a window is closed because a pop-up was blocked, the Information Bar entry point for the blocked content disappears with the window.
Does your site open pop-ups from pop-ups?
Whenever possible, do not open another automatic pop-up window from a pop-up window. The pop-up blocker does not treat the second launch as a user action, so it will be blocked.
Do you automatically launch the setHomePage() dialog box?
In Windows XP Service Pack 2, the setHomePage() function can only be started by a user action, similar to pop-up windows. Automatically started setHomePage() prompts are blocked.
Does your Web site open a new window after requesting information?
If the site opens a window after requesting information asynchronously, Internet Explorer may block the window even if the user clicked a link to open it. If the window is opened directly from the user action (the mouse click) before the asynchronous request is made, it will not be blocked. A user-initiated action is not preserved across navigations.
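The following script is an added example, not part of the original article: it combines the null check on window.open() with opening the window directly from the click, before the asynchronous request is made. The names openReportOnClick, fetchReportUrl, showInlineLink and runDemo, the "report" window name and the sample URL are hypothetical.

```javascript
// Added example. fetchReportUrl, showInlineLink and the "report" window
// name are hypothetical; `win` is the browser window object, passed in so
// the logic can also be exercised outside a browser.
function openReportOnClick(win, fetchReportUrl, showInlineLink) {
    // Open the window first, while the call is still the direct result of
    // the user's click. A window.open() issued later, from the asynchronous
    // callback, is treated as automatic and blocked.
    var popup = win.open("about:blank", "report", "width=400,height=300");
    var opened = !!popup; // window.open() returns null when blocked

    fetchReportUrl(function (url) {
        if (!opened || popup.closed) {
            // Stay on the current page (no redirect, no close) so the
            // Information Bar remains available, and offer a link whose
            // click is a fresh direct user action.
            showInlineLink(url);
            return;
        }
        popup.location.href = url; // fill the window that is already open
    });
    return opened;
}

// Constructed stand-ins for a browser window and an asynchronous request.
function runDemo(blocked) {
    var popup = { closed: false, location: { href: "about:blank" } };
    var win = { open: function () { return blocked ? null : popup; } };
    var linked = [];
    var opened = openReportOnClick(win,
        function (done) { done("http://example.test/report/42"); },
        function (url) { linked.push(url); });
    return { opened: opened, popupUrl: popup.location.href, linked: linked };
}
```

In a page, openReportOnClick(window, ...) would be called from an onclick handler so that the window.open() call counts as a direct user action.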
Does your Web site open pop-up windows through an ActiveX control or through other objects on the page?
As with other pop-up windows, the pop-up blocker blocks the window if it was not started by the user. A window must be opened in response to a direct user action.
General pop-up suggestions
■ Do not redirect when the pop-up window fails.
■ If a pop-up window, download, or ActiveX control is blocked, do not close or automatically redirect the browser window. If you close or redirect the browser window, the user will not be able to click the Information Bar to accept the pop-up window, download, or ActiveX control.
■ Do not start a pop-up window from a pop-up window.
■ Do not start multiple pop-up windows from one user action.
■ Do not start automatic pop-up windows from showModelessDialog() or showModalDialog() calls.
Does your Web site depend on Microsoft Java Virtual Machine (MSJVM)?
See Microsoft Java Virtual Machine Support on the Microsoft Web site.
Browser window restriction
Does your Web site position windows so that the title bar or address bar is above the top of the visible display, or so that the status bar is below the bottom of the visible display?
Check your code to make sure you understand the restrictions that the window.open() and window.createPopup() methods now place on windows launched by script. Script can still call the same methods to create Internet Explorer windows with chrome (using the window.open() method) or chromeless Internet Explorer pop-up windows (using the window.createPopup() method). However, you may need to check your design to make sure that pop-up windows are visible to the user when appropriate and that the information contained in the status bar is correct.
The following guidelines describe how to work with script-initiated windows when the Window Restrictions security feature is in effect.
For windows opened using window.open():
■ Expect the status bar to be present, and write code for it. By default, the status bar is on and is 20-25 pixels high.
■ Size the window and its content so that the content fits visually within the overall size of the window. The window cannot cover the taskbar, so it may lose 40 pixels if the status bar is on. The vertical size beyond the taskbar cannot exceed 30 pixels.
■ Do not open windows off-screen; they will be moved by the minimum X and Y coordinate offset needed to display the window completely on the screen.
■ As before, the appearance of the window is affected by the display theme, font size, and resolution, so you may need to consider the effect of these UI settings when you design the window.
■ Note: fullscreen=yes in window.open() now results in a maximized window, not a kiosk-mode window.
For windows opened using window.createPopup():
■ Size the window and its content so that the content fits visually within the overall size of the window. With this new feature, the window will not cover the title bar or status bar of its parent window, so it may lose 40 pixels if you do not take the title bar or status bar into account. Adjust the vertical size of the window so that it does not exceed the currently visible area of the page.
■ Do not open chromeless windows outside the HTML area of Internet Explorer; they will be moved by the minimum X and Y coordinate offset needed to display the window completely within the client area. There is one exception: up to half of the window can extend beyond the left or right edge of the Internet Explorer client area.
■ As before, the appearance of the window is affected by the display theme, font size, and resolution, so you may need to consider the effect of these UI settings when you design the window.
General tips
Detecting Internet Explorer in SP2
To detect whether the browser connecting to your site is Internet Explorer in SP2, you can use window.navigator.userAgent.
var g_fIsSP2 = false;
function browserVersion()
{
    // The user agent string of Internet Explorer in SP2 contains "SV1".
    g_fIsSP2 = (window.navigator.userAgent.indexOf("SV1") != -1);
    if (g_fIsSP2)
    {
        // This browser is Internet Explorer in SP2.
    }
    else
    {
        // This browser is not Internet Explorer in SP2.
    }
}
If the user agent string contains "SV1", the browser connected to your site is Internet Explorer in SP2.
Does your site use showModelessDialog() or showModalDialog() calls?
If possible, do not try to create new instances of ActiveX controls, automatically start file downloads, or automatically start pop-up windows from these dialog boxes. In this scenario, the Information Bar is not displayed when content is blocked, so the user cannot easily allow the content. The suggested solution is to start these actions from an Internet Explorer window.
Does your site redirect to another page when content is blocked?
If possible, do not redirect to another web page when the browser blocks content (such as ActiveX controls, download prompts, or pop-ups). When content is blocked, the Information Bar may not appear on the redirected page, so the user may not be able to view the content easily.
Msdn.microsoft.com/security/productinfo/xpsp2/default.aspx?pull=/library/en-us/dnwxp/html/xpsp2web.asp