Fine-tune your web site to accommodate Windows XP Service Pack 2 (translation) --- Windows XP SP 2 - Security Information for We

xiaoxiao2021-03-06  108

Fine-tune your web site to adapt to Windows XP Service Pack 2. Microsoft Corporation, July 2004


Translator: AMOM 2004 August 2004

Original link:

http://msdn.microsoft.com/security/productinfo/xpsp2/default.aspx?pull=/library/en-us/dnwxp/html/xpsp2web.asp

Applies to:

Microsoft ActiveX controls

Microsoft Internet Explorer

Microsoft Outlook

Microsoft Windows XP SP2

Summary: Make sure your site works well under the new security features of Windows XP Service Pack 2, which affect many areas such as ActiveX controls, file downloads and pop-up windows.

Contents:

Does your site use Microsoft ActiveX controls?

Does your site allow users to download files?

Does your site use pop-up windows?

Does your site depend on Microsoft's Java virtual machine?

Browser window restrictions

General tips

Does your Web site use Microsoft ActiveX controls?

In Windows XP Service Pack 2, ActiveX control installation prompts are blocked by default by the Information Bar. An exception is made when you upgrade an already installed ActiveX control, if the following conditions are met:

The ActiveX control registered on the computer must be signed with trusted-code (Authenticode) technology. (This is the file referenced by HKEY_CLASSES_ROOT\CLSID\{Control_clsid}\InprocServer32, where Control_clsid is the CLSID named in the OBJECT tag.)

The publisher name on the signature of the new control must match the publisher name of the digital signature on the existing control.

If the ActiveX control is packaged in a CAB file, it must be signed. The DLL or OCX must also be signed to ensure that subsequent upgrades are not blocked by the Information Bar.

If the Information Bar blocks an ActiveX control, Internet Explorer displays an inline icon and text in place of the control, indicating that the control needs to be installed. Users can click this area or the Information Bar to install the ActiveX control.

Is the ActiveX control distributed in a CAB file?

If so, note that the installation prompt is also blocked by the Information Bar when the control is upgraded later, unless the ActiveX control you register is a signed DLL or OCX.

Is there special handling when an ActiveX control is installed? (For example, automatic redirection or special handling on refresh)

Some web pages redirect or refresh automatically when the user makes a choice about the ActiveX control. In some cases, this is how your site lets users install controls while avoiding a bad user experience.

When the user declines the installation, or the control is blocked by the Information Bar, the recommended practice is to instantiate the control on a separate page that explains the purpose of installing it. Similarly, use a block inside the tag to dynamically display help text when the installation fails.

Does your web site display images of the trusted-code prompts?

To avoid confusion, you can update these images to reflect the user interface (UI) of the new trusted-code prompts. You can use the user agent string to determine the browser version. (For more information on detecting SP2, see General Tips.)

Does the ActiveX installation dialog prevent the control from being installed?

If the dialog offers no option to install, the file is not correctly signed. Make sure the file is signed and the signature is valid. When the signature is invalid, SP2 blocks installation of the control by default.

ActiveX best practices

Do not use a pop-up or modal dialog to install the control.

Do not recommend that users lower the security settings of their system in order to install the ActiveX control.

Instantiate the control on a separate page that describes what the control is for and its ultimate effect on the user.

Does your Web site allow users to download files?

In SP2, the Information Bar blocks automatically launched file download prompts.

Compared with SP1, in SP2 the prompts for file downloads, e-mail attachments, the shell and program installation have been made more stable and clearer. When you download a file of a type that can be flagged, SP2 displays the file's publisher information. (The file types usually flagged as potentially harmful to the user's computer are .exe, .dll, .ocx and .msi.)

Does your web site automatically launch a download prompt?

If the web site tries to display the file download dialog by linking to a download resource, the Information Bar blocks the download prompt when it was not initiated by the user through the mouse or keyboard.

If you don't want downloads to be blocked, make sure the user initiates the download directly.

Does your web site serve files whose extension does not match their content type?

If the files on your server are handled by MIME handlers, the extensions of those files should be consistent with the MIME handlers. If a file's content type does not match the ProgID of its extension, Internet Explorer under SP2 takes the following two measures: 1) the user is prompted to download the file; 2) if the MIME handler fails to run, the extension handler is not run either.

You can correct these mismatches by changing the content type to match the extension, provided you have made sure the change is right for your web site. Exception: in some cases this change has no effect. This is the case when the "Content-Disposition: attachment" header is sent; the file name or extension is then determined by the server rather than by the MIME type.
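One way to look for the mismatch described above before users hit it, as an added example that is not part of the original article: the script classifies captured response headers and sets aside responses sent with Content-Disposition: attachment, where changing the content type has no effect. The extension table, function names and sample responses are constructed assumptions; replace the table with the types your server is meant to send.

```javascript
// Added example: the extension table, names and sample data are constructed.
var EXPECTED_TYPES = {
  ".htm": "text/html", ".html": "text/html", ".txt": "text/plain",
  ".pdf": "application/pdf", ".doc": "application/msword"
};
// Case-insensitive header lookup; returns "" when the header is absent.
function headerValue(headers, wanted) {
  for (var key in headers) {
    if (key.toLowerCase() === wanted) { return String(headers[key]); }
  }
  return "";
}

// Lower-cased extension of the last path segment, ignoring query and fragment.
function extensionOf(url) {
  var file = url.split(/[?#]/)[0].split("/").pop();
  var dot = file.lastIndexOf(".");
  return dot > 0 ? file.slice(dot).toLowerCase() : "";
}

// Classify one response as "attachment", "unknown", "ok" or "mismatch".
function auditResponse(resp) {
  var disposition = headerValue(resp.headers, "content-disposition");
  if (/^\s*attachment\b/i.test(disposition)) {
    // The server-supplied file name decides here; fixing the type would not help.
    return { url: resp.url, status: "attachment" };
  }
  var expected = EXPECTED_TYPES[extensionOf(resp.url)];
  if (!expected) { return { url: resp.url, status: "unknown" }; }
  var actual = headerValue(resp.headers, "content-type")
    .split(";")[0].trim().toLowerCase();
  return { url: resp.url, status: actual === expected ? "ok" : "mismatch",
           expected: expected, actual: actual };
}

function findMismatches(responses) {
  return responses.map(auditResponse).filter(function (r) {
    return r.status === "mismatch";
  });
}

// Constructed sample of captured response headers.
var SAMPLE = [
  { url: "/docs/guide.pdf", headers: { "Content-Type": "application/pdf" } },
  { url: "/docs/notes.txt?v=2", headers: { "content-type": "text/html; charset=utf-8" } },
  { url: "/get/report.doc", headers: { "Content-Type": "text/plain",
      "Content-Disposition": "attachment; filename=report.doc" } },
  { url: "/index.html", headers: { "Content-Type": "Text/HTML; charset=utf-8" } }
];
```

Calling findMismatches(SAMPLE) returns only the notes.txt entry, with the expected and actual types side by side.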

Does your web site show an image of the download modal dialog, or display an image or text telling the user to click in order to install a control?

If the customer uses SP2, make sure you update anything that refers to the download prompt so that it reflects the new download dialog. In IE, you can use the user agent string to determine which version of the image to display. (For more information on detecting SP2, see General Tips.)

Does your web site offer digitally signed downloads?

SP2 now checks the digital signatures of files that require digital verification. The most common examples are files with the following extensions: .exe, .dll, .ocx, .msi. If you have released a file that needs to be signed with trusted-code technology, customers can now verify the file you created. This applies to Internet Explorer and Outlook Express.

Does your web site use the pop-up window?

IE in SP2 now includes a pop-up blocker that is turned on by default. The blocker can interfere with sites that open windows automatically through script. It also includes a trust list of sites that the user allows to open new windows. By default, the pop-up blocker does not attempt to block pop-up windows from the intranet and trusted sites zones.

Internet Explorer

IE blocks any window opened automatically from script, other than createPopup(). Some common functions affected by this are: window.open(), showModelessDialog(), showModalDialog(), and showHelp(). (Note: Because of the pop-up restrictions, the automatic search pane is also blocked.)

A window opened directly by a user action is not blocked. By default, pop-up blocking does not apply to the intranet and trusted sites zones.

How do I know that IE has blocked my pop-up window?

If the window is blocked, the function returns null instead of a window object. Make sure you check the return value of window.open() to avoid a script error when the pop-up window is blocked.

Does your site redirect or close a page when a pop-up window is blocked?

Wherever possible, do not redirect or close the window when a pop-up window is blocked. If you redirect to another site when the pop-up is blocked, it may be more difficult to display the blocked content. In this case, the site redirected to will not display the Information Bar that gives the user convenient access to the pop-up content.

Similarly, if the window is closed, the Information Bar indicating that the pop-up window was blocked is not displayed.
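The two recommendations above (check the return value of window.open(), and stay on the page when the pop-up is blocked) combined in one handler, as an added example that is not code from the original article. The names openFromUserAction, wireLink and showInlineNotice, the window name and the feature string are hypothetical; the window object is passed in as a parameter so the logic can be exercised outside a browser.

```javascript
// Added example; all function names and the feature string are hypothetical.

// Call window.open() and report whether the pop-up blocker let it through.
// `win` is the browser's window object.
function openFromUserAction(win, url, name, features) {
  var popup = null;
  try {
    popup = win.open(url, name, features);
  } catch (e) {
    popup = null; // treat a failed call the same as a blocked one
  }
  if (popup === null || typeof popup === "undefined") {
    return { opened: false, popup: null };
  }
  return { opened: true, popup: popup };
}

// Attach the pop-up to a click so it is opened directly by a user action.
// When it is blocked, show help text on the same page; never redirect or
// close, so the Information Bar stays available to the user.
function wireLink(link, win, showInlineNotice) {
  link.onclick = function () {
    var result = openFromUserAction(win, link.href, "details",
                                    "width=400,height=300,status=yes");
    if (result.opened) {
      result.popup.focus();
    } else {
      showInlineNotice("The window was blocked. Use the Information Bar " +
                       "to allow pop-ups, then click the link again.");
    }
    return false; // stay on the current page in both cases
  };
}
```

In a page this would be wired up as wireLink(document.getElementById("detailsLink"), window, showNotice), where the element id and showNotice are the site's own.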

Does your site load another pop-up window from a pop-up window?

Wherever possible, do not automatically launch another pop-up window from a pop-up window; the pop-up blocker does not treat this as a user action and will block it.

Do you automatically launch the setHomePage() modal dialog box?

In SP2, the setHomePage() function only shows its prompt in response to a user action. An automatically launched setHomePage() prompt is blocked.

Does your web site open a new window after an asynchronous request?

IE may block a window that the site opens after an asynchronous request, even if the user clicked a link to open the window. Windows does not block a window opened directly by a user action (a mouse click) before the asynchronous request. The initial user-initiated action is not preserved.

Does your web site load the pop-up window via an ActiveX control or some other page pair?

As with other pop-up windows, if a window is not opened through a user action, the blocker will block it. One window is allowed to open in response to a direct user action.

General recommendations for pop-up windows:

Do not redirect when a pop-up window fails.

If a pop-up window, download, or ActiveX control is blocked, do not close the window or redirect it automatically. If you do, the user will not be able to click the Information Bar to accept the pop-up window, download, or ActiveX control.

Do not automatically launch another pop-up window from a pop-up window.

Do not launch multiple pop-up windows from one user action.

Do not launch automatic pop-up windows from showModelessDialog() or showModalDialog().

Does your web site depend on Microsoft's Java virtual machine?

See Microsoft Java Virtual Machine Support on Microsoft Website.

Browser window restrictions

Does your web site position windows so that the title bar or address bar is above the top of the visible display area, or the status bar is below the bottom of the visible display area?

Review your code to check that you correctly understand the restrictions on windows created by the window.open() or window.createPopup() methods. For a bordered IE browser window (using the window.open() method) or a borderless IE window (using the window.createPopup() method), script can call the same methods as before. However, you need to make sure that the pop-up window is designed so that it suits displaying information to the user or the status bar.

Below are guidelines for script-initiated windows when the Windows security restrictions feature is running.

For windows that use window.open():

Expect the status bar to be present and code for it. The status bar is turned on by default, and its height is 20-25 pixels.

Adjust your window size and content so that they look good for the size of the whole window.

Don't let the window cover the taskbar: leave 40 pixels so that the status bar and taskbar are displayed normally.

In the vertical direction, the window is not more than 30 pixels.

Do not open windows off-screen; otherwise the x, y parameters of the window are adjusted so that it is displayed completely on the screen.

The display theme and font size affect how the window is displayed, so when you design the window you may also need to consider their effect on the user interface.

Note: window.open() with fullscreen=yes opens a maximized window instead of a kiosk-mode window.

For windows that use window.createPopup():

Adjust your window size and content so that they look good for the size of the whole window.

Under this new feature, the window cannot cover the title bar or status bar of its parent window, so you may have to leave 40 pixels for the title bar or status bar.

The vertical size of the window cannot be greater than the visible area of the current page.

Do not open a borderless window that floats outside the area where IE displays HTML; otherwise the x, y parameters are adjusted so that the window is displayed completely inside the client area. There is one exception: half of the window may be displayed beyond the left or right edge of the IE browser.

The display theme and font size affect how the window is displayed, so when you design the window you may also need to consider their effect on the user interface.

General tips

Detecting Internet Explorer in SP2

In SP2 you can detect whether the browser connected to your site is IE via window.navigator.userAgent.

    var g_fIsSP2 = false;

    function browserVersion()
    {
        // The user agent string of Internet Explorer in SP2 contains "SV1".
        g_fIsSP2 = (window.navigator.userAgent.indexOf("SV1") != -1);
        if (g_fIsSP2)
        {
            // This browser is Internet Explorer in SP2.
        }
        else
        {
            // This browser is not Internet Explorer in SP2.
        }
    }

If the user agent string contains "SV1", the browser is definitely IE.

Does your site use showModelessDialog() or showModalDialog() calls?

Do not instantiate ActiveX controls, automatically download files or automatically open pop-up windows from within these two kinds of dialog. In this case the Information Bar is not displayed when the content is blocked, and the user has no convenient way to allow the content. It is recommended that these actions be initiated through IE.

When content is blocked, does your site redirect to another page?

When an ActiveX control, file download or pop-up window is blocked, do not attempt to redirect to another page. In that case the browser may not display the Information Bar on the page redirected to, and the user will not be able to see the content.
