Thursday, April 28, 2011

How to tell IE a HTML file on my disk is not a security risk?

Our build script creates a HTML log with some embedded javascript. When I open that in Internet Explorer, I get the yellow warning bar that IE has blocked running "scripts or activex controls".

Since it is a local file, I cannot add it to trusted sites (IE expects a domain here).

I do not want to change security settings for the default zone.

Any idea how to permanently unblock it?

IE version is 7.0.5730.13 on XP Pro.

From stackoverflow

  • Probably not what you want to hear but I'm not sure you can. Does Firefox/Opera/Safari complain when you run it in any of those? If it works then that seems like the simplest solution to me.

    peterchen : That would mean either changing the build script to look for whereever firefox is installed, or changing the default browser. Not simple, or to many side effects.

  • You could set up a local server and save such files in a domain you can now add to the trusted sites, but opening the file in any other browser than IE is easier.

  • Embed the Mark of the Web:

    <!-- saved from url=(0016)http://localhost -->
    Simon Lieschke : See http://msdn.microsoft.com/en-us/library/ms537628(VS.85).aspx for more information on this.
    peterchen : Works perfectly! :D

  • Due to a world of virus, trojans, worms etc on the internet. I believe this is something you cannot get rid of, (or it will require a lot of messing) due to the extra security provided by Microsoft in later version of IE.

    Is there a chance you could use something else to load your HTML logs into. e.g Notepad

  • You can add Local Machine Zone and configure security for it:

    http://www.microsoft.com/windows/IE/community/columns/improvements.mspx

    Simon Lieschke : That's only something that should be done temporarily. If you leave it configured then you run the risk of a saved web page you open down the track running with elevated privileges on your machine. Using the Mark of the Web feature would be safer.
    Arvo : I agree, at least for this situation. I've used relaxed Local Machine Zone security to test IE handling of javascript on web pages locally - in that case MOTW was not a good option.

  • You could add The Mark of the Web to the document so that IE will act as if it's from a certain security zone.

  • Another option, if it's only IE you need to view it in is to save it as a .hta file.

    This makes it a HTML application.

    It's as simple as changing the suffix to .hta. Although there are other options you can specify.

    For more info:

    http://msdn.microsoft.com/en-us/library/ms536496(VS.85).aspx

Posted by Ku XI at 8:02 PM

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)