
Re: Crossframe and XP SP2

  • Foteos Macrides
    Message 1 of 2 , Sep 2, 2004
      ----- Original Message -----
      Subject: Re: Crossframe and XP SP2

      Object Caching

      In previous versions of Windows, some Web pages could access objects cached from another Web site. In Internet Explorer 6 for Windows XP SP2, a reference to an object is no longer accessible when the user browses to a new domain.

      For Windows XP SP2, there is a new security context on all scriptable objects so that access to all cached objects is blocked. In addition to blocking access when browsing across domains, access is also blocked when browsing within the same domain (fully qualified domain name). A reference to an object is no longer accessible after the context has changed due to navigation.

      Prior to Internet Explorer 5.5, navigations across HTML pages (or across frames) purged instances of MSHTML, which is the Microsoft HTML parsing and rendering engine. With the Internet Explorer 5.5 native frames architecture, an instance of MSHTML remains across navigations. This introduced a new class of vulnerabilities, because objects could be cached across navigations. If an object can be cached and provide access to the contents of a Web page from another domain, there is a cross-domain security hole.

      If your application receives Access Denied errors, you must recache the object before you access it using a script.
      -------------------------------------------------------------------

      Does this mean that preloads (invoked on the home page for "instant access" in popups on subsequent pages) are now obsolete ??

      Dennis
       
      Dennis,
       
      The passage you cite from the msdn documentation:
       
      http://msdn.microsoft.com/library/default.asp?url=/workshop/author/dhtml/overview/XpSp2Compat.asp
       
      states clearly (IMHO) that the XP SP2 object caching restriction to documents as well as domains applies for all navigation, not only for framesets.  So it indeed would be expected to influence the common "trick" involving image preloads via a site's splash (entry) page.  The script block for preloading the images should be placed in every document at that site which uses the images, to ensure that the cached images can be accessed.  This would be expected to increase the network chatter associated with If-Modified-Since queries, but should not require that the images keep being downloaded again and again with navigation to different documents in the same domain.  Plus, it is unwise to rely solely on the splash page, anyway, because that might not always be a user's entry document for the site.
       
      Has anyone with XP SP2 installed actually tried this?
       
      XP SP2 also is reported to support a popup blocker for IE with lots of configuration settings.  Can that block DHTML popups, and if so, does the default configuration do so?
       
      Fote
      --
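
The approach discussed in the message above (run the preload in every document that uses the images, and recache a reference that has become inaccessible) can be sketched as follows. This is an added example, not code from the thread or from overlibmws; `createPreloader`, `FakeImage` and the simulated "Access is denied" error are assumptions made for illustration.

```javascript
// Added example: per-document image preload that recaches a stale reference.
// FakeImage is a constructed stand-in for the DOM Image object so the logic
// can run outside a browser; its "Access is denied" error is simulated.
class FakeImage {
  constructor() { this._src = ''; this.stale = false; }
  set src(value) { this._src = value; }
  get src() {
    if (this.stale) throw new Error('Access is denied');
    return this._src;
  }
}

// Preload every URL now, in the current document, and hand back an accessor
// that replaces any reference that is missing or throws when touched.
function createPreloader(urls, ImageCtor) {
  const Ctor = ImageCtor || Image; // in a page, the DOM Image constructor
  const cache = Object.create(null);
  let loads = 0;

  function load(url) {
    const img = new Ctor();
    img.src = url; // starts the fetch; the browser's HTTP cache may satisfy it
    cache[url] = img;
    loads += 1;
    return img;
  }

  urls.forEach(load);

  return {
    get(url) {
      const held = cache[url];
      try {
        if (held && held.src) return held; // reference still usable
      } catch (err) {
        // Reference is no longer accessible: fall through and recache.
      }
      return load(url);
    },
    loadCount() { return loads; }
  };
}
```

In a page, call `createPreloader([...])` from a script block in each document that displays the images, rather than only on the entry page.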
    • Robert E Boughner
      Message 2 of 2 , Sep 2, 2004
        --- In overlibmws@yahoogroups.com, "Foteos Macrides" <fote@m...> wrote:
        > ----- Original Message -----
        > From: Dennis Sandow
        > Subject: Re: Crossframe and XP SP2
        > Object Caching
        > In previous versions of Windows, some Web pages could access
        objects cached from another Web site. In Internet Explorer 6 for
        Windows XP SP2, a reference to an object is no longer accessible when
        the user browses to a new domain.
        >
        > For Windows XP SP2, there is a new security context on all
        scriptable objects so that access to all cached objects is blocked. In
        addition to blocking access when browsing across domains, access is
        also blocked when browsing within the same domain (fully qualified
        domain name). A reference to an object is no longer accessible after
        the context has changed due to navigation.
        >
        > Prior to Internet Explorer 5.5, navigations across HTML pages
        (or across frames) purged instances of MSHTML, which is the Microsoft
        HTML parsing and rendering engine. With the Internet Explorer 5.5
        native frames architecture, an instance of MSHTML remains across
        navigations. This introduced a new class of vulnerabilities, because
        objects could be cached across navigations. If an object can be cached
        and provide access to the contents of a Web page from another domain,
        there is a cross-domain security hole.
        >
        > If your application receives Access Denied errors, you must
        recache the object before you access it using a script.
        > -------------------------------------------------------------------
        >
        >
        > Does this mean that preloads (invoked on the home page for
        "instant access" in popups on subsequent pages) are now obsolete ??
        >
        > Dennis
        >
        > Dennis,
        >
        > The passage you cite from the msdn documentation:
        >
        >
        http://msdn.microsoft.com/library/default.asp?url=/workshop/author/dhtml/overview/XpSp2Compat.asp
        >
        > states clearly (IMHO) that the XP SP2 object caching restriction to
        documents as well as domains applies for all navigation, not only for
        framesets. So it indeed would be expected to influence the common
        "trick" involving image preloads via a site's splash (entry) page.
        The script block for preloading the images should be placed in every
        document at that site which uses the images, to ensure that the cached
        images can be accessed. This would be expected to increase the
        network chatter associated with If-Modified-Since queries, but should
        not require that the images keep being downloaded again and again with
        navigation to different documents in the same domain. Plus, it is
        unwise to rely solely on the splash page, anyway, because that might
        not always be a user's entry document for the site.
        >
        > Has anyone with XP SP2 installed actually tried this?
        >
        > XP SP2 also is reported to support a popup blocker for IE with lots
        of configuration settings. Can that block DHTML popups, and if so,
        does the default configuration do so?
        >
        See this post on the overlib group --
        http://groups.yahoo.com/group/overlib/message/8240 which indicates
        that it does indeed block DHTML popups.