+3  A: 

As Ken Browning said in a comment to your question, this alert happens with JavaScript when in a High Security Zone, which is where local pages are.

If someone has the Internet as a High Security Zone, then the warning will pop up.

You can add localhost to the Trusted Sites Zone.

voyager
To clarify: IE defaults local files as 'High Security' because it's easy to get someone to download a file and then open it locally on their machine, thus making viruses and phishing much easier. By default, 'The Internet' is not a High Security Zone and thus JS isn't normally blocked. If the user sets 'The Internet' as a High Security Zone, any page with JS will always display that message and block JS/ActiveX.
jakeisonline
That's it! I'm waiting a little bit in case Ken wants to answer, since he should have the "accepted".
e-satis
It's OK, I was going to say the same thing anyway, he just beat me to it :)
voyager
Good answer. If I had the knowledge that @jakeisonline shared with us, I would have posted an answer.
Ken Browning
+4  A: 

js can't access the filesystem, so what's the point?

Actually JS can traditionally do some bad stuff running from the My Computer Zone, like install ActiveX objects. A lot of past IE exploits used this to leverage filesystem access into arbitrary-code access.

So faced with this problem Microsoft decided to solve the problem, not by simply removing the My Computer zone — oh no, that would be far too easy — but by adding an extra layer of complexity. So Internet Explorer gained an option, on by default, to lock down content from the filesystem, whilst allowing other applications that used embedded WebBrowser controls to continue as before, on the grounds that maybe some applications were relying on the loose settings in their internal HTML interfaces.

(They weren't, really, in the consumer space, but then we never know what shades of foulness may exist in the bespoke Enterprise app world.)

After the embarrassment of IE getting hacked all the time, MS overcompensated by making the lockdown settings for filesystem pages considerably more restrictive than even normal web pages from the Internet. So you can't run JavaScript from files off the filesystem, for no particularly good reason.

At this point web authors whinged, so MS responded not by removing the excessive lockdown — oh no, that would be far too easy — but by adding an extra layer of complexity. So now you can get out of the My Computer Zone simply by placing at the top of your file:

<!-- saved from url=(0014)about:internet -->

This cryptic incantation is known as the Mark of the Web. The newline at the end of it has to be a Windows CRLF, which nicely shafts you if you're using plain LF line-endings. Including this string puts you in the normal Internet Zone where JScript works but you get no other special privileges.

The amusing thing is that since then, the normal security settings in the My Computer Zone have been tightened up so that it's pretty much the same as the default Internet Zone. So the net result is the same as if they'd just got rid of the bloody My Computer Zone in the first place, only with lots of extra complication for the user and annoyance to the web author.

Thank you so very much Microsoft.

bobince
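The Mark of the Web line from the answer above, as an added example that is not part of any post on this page: a checker and fixer for the two things that make the comment fail, the CRLF terminator and the four-digit field, which is the character count of the URL that follows (0014 for `about:internet`). The function names and the sample page are constructed for illustration, and a missing mark is prepended at the top of the file as the answer describes.

```python
import re

# The comment form quoted in the answer: group 1 = 4-digit length, group 2 = URL.
MOTW_RE = re.compile(rb"<!--\s*saved from url=\((\d{4})\)(\S+)\s*-->")

# Constructed sample: a correct mark saved with LF line endings.
SAMPLE_LF = b"<!-- saved from url=(0014)about:internet -->\n<html></html>\n"


def make_motw(url: bytes = b"about:internet") -> bytes:
    """Build the comment: zero-padded URL length in parentheses, CRLF at the end."""
    if len(url) > 9999:
        raise ValueError("URL too long for a 4-digit length field")
    return b"<!-- saved from url=(%04d)%s -->\r\n" % (len(url), url)


def check_motw(html: bytes) -> list:
    """Return the problems found with the mark in html (empty list = well formed)."""
    m = MOTW_RE.search(html)
    if m is None:
        return ["no 'saved from url' comment found"]
    problems = []
    declared, url = int(m.group(1)), m.group(2)
    if declared != len(url):
        problems.append(f"length field says {declared} but URL is {len(url)} characters")
    if html[m.end():m.end() + 2] != b"\r\n":
        problems.append("comment is not followed by CRLF")
    return problems


def add_motw(html: bytes, url: bytes = b"about:internet") -> bytes:
    """Return html with a well-formed mark: unchanged, repaired in place, or prepended."""
    if not check_motw(html):
        return html
    m = MOTW_RE.search(html)
    if m is None:
        return make_motw(url) + html
    # Rewrite the malformed mark where it stands, keeping its URL and
    # dropping whatever line ending followed the old comment.
    rest = re.sub(rb"\A(?:\r\n|\r|\n)", b"", html[m.end():])
    return html[:m.start()] + make_motw(m.group(2)) + rest


if __name__ == "__main__":
    print(check_motw(SAMPLE_LF))
    print(add_motw(SAMPLE_LF))
```

Read and write the file in binary mode when using this; text mode may translate line endings and hide or undo the CRLF.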
A: 

Is this available in IE8? It seems not.

owen