shuizhongyueming / ie7-js

Automatically exported from code.google.com/p/ie7-js
0 stars 0 forks source link

Security Error #237

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Visit http://wdsdev.semo.edu/virtual_tour/ in IE, which includes IE9.js
2. Click to a couple different pages
3. At random times, observe the security error that pops up.

What is the expected output? What do you see instead?
I expect no security error, but I see "This page is accessing information 
that is not under its control. This poses a security risk. Do you want to 
continue?" instead.

What version of the product are you using? On what operating system?
I am using the latest version, on XP (but have tested on other OS's and 
gotten similar results) with IE8, and with IE6/7 in IETester.

Please provide any additional information below.
I've tried hosting IE9.js and the blank.gif on our own server, but it still 
throws the security error.

Original issue reported on code.google.com by MrKerric...@gmail.com on 23 Mar 2010 at 4:51

GoogleCodeExporter commented 9 years ago
I'm not getting a security error.

You seem to be including a lot of scripts in that page. Are you that it is 
caused by 
the IE7 script?

Original comment by dean.edw...@gmail.com on 25 Mar 2010 at 7:43

GoogleCodeExporter commented 9 years ago
I'm pretty sure, because when we added this script, it started happening. When 
we 
removed it, it stopped. However, I just tested it on my home machine, and I got 
no 
error... Makes me think it may have something to do with security policies on 
the 
university computers. Does the script in some way access any files other than 
itself? I 
put blank.gif into the same folder as the script on our server, just in case.

Original comment by MrKerric...@gmail.com on 25 Mar 2010 at 9:21

GoogleCodeExporter commented 9 years ago
You need blank.gif if you use the PNG solution. Otherwise there are no other 
dependencies.

Original comment by dean.edw...@gmail.com on 26 Mar 2010 at 12:06

GoogleCodeExporter commented 9 years ago
I have been able to reproduce this issue. It only occurs when this script is on 
a page in combination with certain remote resources.

For example, the Google Fonts API uses a link to a remote css file, like so:
<html>
  <head>
    <link rel="stylesheet" type="text/css" href="http://fonts.googleapis.com/css?family=Tangerine">
    <style>
      body {
        font-family: 'Tangerine', serif;
        font-size: 48px;
      }
    </style>
  </head>
  <body>
    <h1>Making the Web Beautiful!</h1>
  </body>
</html>

If this script is placed on a page utilizing Google Fonts in this way, the 
error appears. I have tested this in IE 7 and IE 8 and it occurs in both. I 
have also tested with both IE9.js and IE8.js. The problem does not occur unless 
the IE script is loaded.

Original comment by jsim...@gmail.com on 16 Feb 2011 at 5:47

GoogleCodeExporter commented 9 years ago
Re-opened by request (issue #306).

Original comment by dean.edw...@gmail.com on 25 Mar 2011 at 7:36

GoogleCodeExporter commented 9 years ago
Hi 
I'm experiencing the same problem. I used the IE9.js file (windows xp, native 
ie7) and I got the error, even though if I have all the scripts in a local 
folder (no google api etc links). I tried the ie8.js and I got no security 
pop-up anymore.
I think I will stick with the ie8.js version (was using it to make the :focus 
behaviour) but it would be great if a solution was found for ie9.js too

Original comment by walterst...@gmail.com on 13 Apr 2011 at 11:29

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
I can confirm that the conflict is with Google Fonts being loaded either before 
or after the script using the <link.. /> tag. Using IE8.js or IE9.js, the 
results are the same. The security dialog pops up in IE7 and IE8.

The workaround I use so far is to NOT declare the Google font specifically for 
IE6-8. I use a body class to specify the browser if it's IE6, IE7 or IE8 and I 
can target specific elements and in the case of these browsers, use a standard 
web font instead of the Google one.

Original comment by joomlaworks on 4 Jul 2011 at 5:00

GoogleCodeExporter commented 9 years ago
I have tested using IE9.js (I know this is the IE7.js board... but it might 
help) and found that when I comment out:

try{var V=new ActiveXObject("Microsoft.XMLHTTP")}catch(ex){}

the prompt goes away.  OBVIOUSLY, the script may not perform as intended - 
however, the formatting issue specific to my issue continues to be resolved 
with the V object object above commented out, and a new V object created with a 
value of 0.

...
//try{var V=new ActiveXObject("Microsoft.XMLHTTP")}catch(ex){}
var V=0;
...

Hope this helps identify the issue.

Original comment by rwcatal...@gmail.com on 25 Sep 2011 at 10:32

GoogleCodeExporter commented 9 years ago
Same issue over here with the IE9.js...

Original comment by k.vander...@gmail.com on 19 Jan 2012 at 5:23

GoogleCodeExporter commented 9 years ago
Getting the same issue with IE9.js in IE8 and IE9 but I'm using fonts loaded 
from fonts.com instead of Google. The problem seems to be fairly random in that 
some people don't get it all and others do. In some cases, it's actually 
causing a completely blank page.

Original comment by ad...@tyssendesign.com.au on 20 Feb 2012 at 9:51

GoogleCodeExporter commented 9 years ago
In order to reproduce: it only happens when your security settings are 
unusually high, and you reference external CSS files on other servers (e.g. 
AddThis widget). Here are the security settings that produce it:

1. Go to Tools->Internet Options.
2. Security tab.
3. Under "Internet", click "Custom level..." 
4. Under "Misc.", change "Access data sources across domains" to "Prompt".

I may have fixed it in the file attached by disabling downloading of external 
CSS files. Having trouble testing because now IE won't show the error either 
way! Try it if you want!

Original comment by phreakh...@gmail.com on 24 Feb 2012 at 2:43

GoogleCodeExporter commented 9 years ago
So very sorry, last attachment had some errors. This one should be better.

Original comment by phreakh...@gmail.com on 24 Feb 2012 at 3:20

Attachments:

GoogleCodeExporter commented 9 years ago
I have built a webpage which has sliding images in a loop..Something similar to 
this:
http://www.pixedelic.com/plugins/diapo/  
My webpage is working perfectly in all other browser: Chrome, Safari, Firefox 
but not with IE8...I am getting the dreaded error message on top of the 
browser: "To help protect your security, Internet Explorer has restricted this 
webpage from running scripts or ActiveX controls that could access your 
computer.Click here for options..."  and then I click on Allow blocked content 
and everything is working fine...Before clicking on "Allow blocked content" the 
slideshow is not displaying anything..all my script and css files gets blocked 
I guess...All my script , jquery, css, image files are in separate folders but 
all folders and the main html file are in same folder...I tried using IE8.js as 
well as IE9.js by including it in the main html file but that didn't fix the 
issue...I don't know what to do because I want to bypass this error message 
whenever I open the webpage in IE and not click on "Allow blocked content" 
everytime I open it in IE. Any help, will be much appreciated...

Original comment by ntiwari1...@gmail.com on 1 Mar 2012 at 5:53

GoogleCodeExporter commented 9 years ago
I found a simple solution to the problem I mentioned above. There is something 
called Mark of the web and requires us to include a single line of code: 
<!-- saved from url=(0023)http://www.contoso.com/ --> 
Here is the link :http://msdn.microsoft.com/en-us/library/ms537628.aspx

But I am facing a new problem now: all my script files have been slowing down. 
The looping of the images in the slideshow is slower now after I added the mark 
of web code. 

Original comment by ntiwari1...@gmail.com on 1 Mar 2012 at 6:56

GoogleCodeExporter commented 9 years ago
I too just started having this issue -- IE8 browser (in Win 7) plus IE9.js 
script plus google web fonts. 

the problem lies with an interaction between IE9.js and the google web fonts 
call.
I confirmed this by removed IE9.js and the alert goes away.

Original comment by pgur...@gmail.com on 2 Aug 2012 at 5:57

GoogleCodeExporter commented 9 years ago
This bug is a real pain. Is this being actively worked on or not?

Original comment by p...@mcilreavy.com on 21 Mar 2013 at 10:08

GoogleCodeExporter commented 9 years ago
I came across this same frustrating issue recently when looking for a way to 
get :before to work in IE7. To be clear, phreakh...@gmail.com did post the best 
solution - stop the library from pulling external CSS by modifying the 
loadFile() function at the top of the file.

I did it slightly differently - I only reassign href to the returned makePath() 
when the original href string matches some desired conditions for CSS 
references I'm looking for:

    function loadFile(href, path) {
      try {
          if (href.match("my-css-i-want-updated.css") != null) { // or could even be something like (href.substring(0,2) != "//")
            href = makePath(href, path);
          } else {
            throw "Chris's fix";
          }
          if (!fileCache[href]) {
            ...
          }
      } catch (e) {
        // ignore errors
        fileCache[href] = "";
      }
      return fileCache[href] || "";
    };

Of course, then, your external CSS from things like widgets won't be affected 
by this library.

[To be honest though, we're deciding against using this library because while 
the idea of what it does (grabs all your CSS, then creates its own new CSS to 
better serve old IE and places it on the page, then trashes your CSS, then 
reconstructs the page markup to fit its created CSS) is great, it isn't 
practical for a site that is inherently extremely heavy.]

Original comment by christop...@driversed.com on 13 Sep 2013 at 12:58