Documente online.
Zona de administrare documente. Fisierele tale
Am uitat parola x Creaza cont nou
 HomeExploreaza
upload
Upload




Internet Explorer Object Caching

windows en


Internet Explorer Object Caching

What does Object Caching do?

In previous versions of Windows with Internet Explorer, some Web pages could access objects cached from another Web site. In Windows XP Service Pack 2, a reference to an object is no longer accessible when the user navigates to a new domain.



Who does this feature apply to?

Web developers should review this feature and plan to adopt changes to their Web site.

Application developers should review this feature and plan to adopt changes in their applications.

What new functionality is added to this feature in Windows XP Service Pack 2?

None. Existing functionality has been extended.

What existing functionality is changing in Windows XP Service Pack 2?

Security context is invalidated upon navigation to a different domain

Detailed description

For Windows XP Service Pack 2, there is now a new security context on all scriptable objects so that access to all cached objects is blocked. In addition to blocking access when navigating across domains, access is also blocked when navigating within the same domain. (In this context, a domain is defined as a fully qualified domain name, or FQDN.) A reference to an object is no longer accessible after the context has changed due to navigation.

Why is this change important? What threats does it help mitigate?

Prior to Internet Explorer 5.5, navigations across HTML pages (or to sub-frames) purged instances of MSHTML, which is the Microsoft HTML parsing and rendering engine. With the Internet Explorer 5.5 Native Frames architecture, an instance of MSHTML lives across navigations. This introduced a new class of vulnerabilities, because objects could be cached across navigations. If an object can be cached and provide access to the contents of a Web page from another domain, there is a cross-domain hole.

Once you can get to properties on the inner document, script outside of a page's domain can access the contents of an inner page. This is a violation of the Internet Explorer cross-domain security model.

For example, you can use this method to create scripts that listen to events or content in another frame, such as credit card numbers or other sensitive data that is typed in the other frame.

What works differently? Are there any dependencies?

In those few classes that don't already have them, four more bytes are added for the cached markup. There should be no noticeable impact on speed.

How do I resolve these issues?

For most of these classes of vulnerabilities, Internet Explorer 5 would have crashed, so the application compatibility risk of resolving the exploit should be small. Other applications might need to be addressed on a case by case basis.

What settings are added or changed in Windows XP Service Pack 2?

Setting name

Location

Previous default value (if applicable)

Default value

Possible values

IExplore.exe

Explorer.exe

HKEY_LOCAL_MACHINE (or Current User)\Software \Microsoft \Internet Explorer\Main \FeatureControl \FEATURE_OBJECT_CACHING

None

0 (Off)

1 (On)

Do I need to change my code to work with Windows XP Service Pack 2?

If your application gets Access Denied errors, you must recache the object before you access it using a script. In the following example, the security context is invalidated when the designMode property is set on a document object:

Broken script example

var d = myFrame.document;

d.designMode = "On";

d.open(); <----- ----- ----- ----- -----causes permission denied error

Fixed script example

var d = myFrame.document;

d.designMode = "On";

d = myFrame.document; // re-establish pointer to document object.

d.open();


Document Info


Accesari: 1180
Apreciat: hand-up

Comenteaza documentul:

Nu esti inregistrat
Trebuie sa fii utilizator inregistrat pentru a putea comenta


Creaza cont nou

A fost util?

Daca documentul a fost util si crezi ca merita
sa adaugi un link catre el la tine in site


in pagina web a site-ului tau.




eCoduri.com - coduri postale, contabile, CAEN sau bancare

Politica de confidentialitate | Termenii si conditii de utilizare




Copyright © Contact (SCRIGROUP Int. 2024 )