I have a site, from which you can download an HTML file. This HTML file contains a form with hidden fields, which is right away posted back to the site using JavaScript. This is a way of allowing users to download to their own machine data that they edit on the site.

On some machines, you get an IE "yellow bar" when trying to open the file you saved. The "yellow bar" in IE is warning that the HTML is trying to run an ActiveX (which it is not, there is only JavaScript doing a submit() on a form). However, if you receive the exact same HTML file by email, save it, and open it, you don't have this problem. (It looks like IE is putting some more constraints on what can be done in an HTML file you saved from a web site.)

My question is: where can I find documentation on this IE security mechanism, and possibly how can I get around it?

Alex

A: 

I don't 100% follow what your JavaScript is submitting to, but if you're submitting back to the original site from the downloaded copy you'll have a problem using JavaScript as all browsers treat cross-domain JavaScript as a security violation.

JavaScript isn't allowed to read or write to any site not on the current domain

Slace
I don't have a problem with that on my Windows box. The script is just submitting form data to "another" site, but you are not on a site to start with since you loaded the HTML file from disk.
Alessandro Vernet
+4  A: 

The yellow bar is because your page is executing in the Local Machine security zone in IE. On different machines, the Local Machine security zone might be configured in different ways, so you can see the yellow bar on some machines and not see it on other machines.

To learn more about IE's URL Security Zones, you can start reading here: http://msdn.microsoft.com/en-us/library/ms537183.aspx

Franci Penov
Thank you for the answer! I guess that must be a difference in the way the Local Security zone is configured on different machines. It is not clear to me how this is configured, but since doing this configuration on client machines is not an option, I guess in the end it doesn't matter :).
Alessandro Vernet
I can only mark one answer as accepted, but please see this comment from mattlant about unblocking the file: http://stackoverflow.com/questions/142573/looking-for-doc-on-why-ie-yellow-bar-shows-when-opening-a-html-file-that-contai#142594
Alessandro Vernet
+1  A: 

I am not sure about any specific document, but if you open the properties for the file in Windows Explorer, on the General tab, is the file blocked? If so, click Unblock and try again and see if you get the same issue. This is typical security for files downloaded from the internet.

Other than that, I am afraid I don't know what else to suggest.

mattlant
Yes, most likely this is part of the problem and explains the difference between files downloaded from the web and saved from an email. Thank you for the answer!
Alessandro Vernet
A: 

As Franci had said, it is because you are in the local machine security context, and this allows scripts to create objects and execute code that could do harm to your PC. For example, you can create a File System Object and perform tasks that an untrusted page shouldn't perform generally because it could be malicious in nature.

Quintin Robinson
A: 

Have you tried changing the file name from yourname.html to yourname.hta to see if the security problem goes away?

More on HTML Applications (.HTA files): http://msdn.microsoft.com/en-us/library/ms536496%28VS.85%29.aspx

BoltBait
+3  A: 

Look here for details on the MOTW - Mark Of The Web

If you add this to your locally served pages, IE will not show the yellow bar.

http://msdn.microsoft.com/en-us/library/ms537628(VS.85).aspx

scunliffe
Interesting; I didn't know such a thing existed. But I don't see any <!-- saved from url=... in the HTML file I save (see point 1 under "Adding the Mark of the Web to HTML Documents"). So I am wondering if this is an IE4-specific thing, even if the article doesn't seem to indicate that.
Alessandro Vernet
scunliffe
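
The Mark of the Web comment discussed in the last answer, as an added example that is not part of the original thread: the mark tells IE to run the saved file in the zone of the named URL instead of the Local Machine zone, and its `(NNNN)` prefix must equal the URL's length. The function names, the `www.example.com` URL and the sample form are constructed for illustration.

```javascript
// Added example (not from the thread). Mark of the Web format:
//   <!-- saved from url=(NNNN)URL -->   NNNN = URL length, zero-padded to 4 digits
function motwComment(url) {
  // "--" and line breaks would break the HTML comment; 4 digits cap the length.
  if (/[\r\n]/.test(url) || url.includes("--") || url.length > 9999) {
    throw new Error("URL cannot be embedded in a MOTW comment");
  }
  return `<!-- saved from url=(${String(url.length).padStart(4, "0")})${url} -->`;
}

// Find an existing mark and check that its declared length matches the URL.
function parseMotw(html) {
  const m = /<!--\s*saved from url=\((\d{4})\)(\S+)\s*-->/.exec(html);
  if (!m) return null;
  return { url: m[2], declared: Number(m[1]), valid: Number(m[1]) === m[2].length };
}

// Insert the mark after the DOCTYPE (or at the top if there is none),
// ending the line with CR LF.
function addMotw(html, url) {
  if (parseMotw(html)) return html; // already marked; leave untouched
  const mark = motwComment(url) + "\r\n";
  const doctype = /^\s*<!DOCTYPE[^>]*>\s*/i.exec(html);
  const at = doctype ? doctype[0].length : 0;
  return html.slice(0, at) + mark + html.slice(at);
}

// Constructed sample of the downloadable page described in the question.
const SAMPLE = [
  "<!DOCTYPE html>",
  "<html><body onload=\"document.forms[0].submit()\">",
  "<form method=\"post\" action=\"http://www.example.com/upload\">",
  "<input type=\"hidden\" name=\"data\" value=\"...\">",
  "</form></body></html>",
].join("\r\n");

const marked = addMotw(SAMPLE, "http://www.example.com/");
console.log(marked);
console.log(parseMotw(marked));
```

Passing `about:internet` instead of a site URL produces the generic mark `(0014)about:internet`, which places the file in the Internet zone without naming a specific site.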