The WRSF security feature in Windows XP SP2 prevents status=no in window.open and window.showModalDialog from hiding the IE status bar
Navicy · 2006-05-15 · via 博客园 - Navicy

Internet Explorer Using Feature Control Registry Settings with Security Zone Settings

What do Feature Control Registry Settings and Security Zone Settings do?

Feature Control registry settings are provided in Windows XP SP 2 so that a specific process can be configured to opt-in to a particular security feature. In the following example, Internet Explorer has been configured to use the Windows Restrictions security feature (WRSF):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOWS_RESTRICTIONS]
iexplore.exe=1

Once a process has been configured to use a security feature, the security feature is running and security zone settings can be applied for more precision, if implemented for that feature. In the Security Settings tab of Internet Options, the user can adjust these settings for many of the new Windows XP SP2 feature controls. If you select Enable, it lowers the security settings and allows the behavior to run less securely, or in the same manner as it did in Windows XP Service Pack 1. For example, if Windows Restriction is set to Enable in the Intranet zone, Windows Restrictions will not be applied — script-initiated windows can be opened as freely as in Windows XP SP1. The Windows XP SP2 restrictions can be applied again by setting the security zone setting to Disable, which blocks the less-secure behavior while the feature control is enabled for that process.

For example, if the feature is turned on for Windows Restrictions, this feature:

Forces the status bar to be present in script-initiated Internet Explorer windows with the title bar [those that were created with window.open()].

Constrains the size and positioning of script-initiated Internet Explorer windows that have title and status bars to ensure that the title bar and the status bar in these windows are always visible to the user.

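I deliberately marked the key sentences in bold red. It turns out this is a new security feature in Windows XP SP2, the Windows Restrictions security feature (WRSF). For security, SP2 forces both the title bar and the status bar to be displayed in pop-up windows, so that visitors know which address and which page they are visiting and cannot be maliciously deceived. The feature takes effect in the Internet zone but not in the Local intranet zone, which means that under XP SP2, using status=no in code to open a window without a status bar no longer works. Besides modifying the client registry value described above to turn off WRSF, another solution is to add the system's site address to the "Local intranet" zone on the "Security" tab of IE's Internet Options on the client. However, this seems to throw away the biggest advantage of a B/S system: with so many clients, it is impossible to require every user of the system to configure this, so the only option is to let the status bar keep showing.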
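The two-layer logic described above (per-process opt-in, then the per-zone setting) can be audited from a registry export. The following is an added example, not code from the original post or from Microsoft. The zone action ID 2102 and the values 0 (Enable) and 3 (Disable) are assumptions that do not appear on the page, and the sample export is constructed.

```python
import re

# Constructed sample in .reg export syntax (not taken from a real machine).
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOWS_RESTRICTIONS]
"iexplore.exe"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"2102"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"2102"=dword:00000003
'''

FEATURE_KEY = (r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer'
               r'\Main\FeatureControl\FEATURE_WINDOWS_RESTRICTIONS')
ZONES_KEY = (r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion'
             r'\Internet Settings\Zones')
ACTION = '2102'  # assumed URL action ID for this feature; not stated on the page
ZONES = {'1': 'Local intranet', '2': 'Trusted sites', '3': 'Internet', '4': 'Restricted sites'}

def parse_reg(text):
    """Return {key path (lowercased): {value name (lowercased): int}} for DWORD values."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
            if m:
                current[m.group(1).lower()] = int(m.group(2), 16)
    return keys

def window_restrictions_by_zone(text, process='iexplore.exe'):
    """Combine the per-process opt-in with each zone's setting into one verdict per zone."""
    keys = parse_reg(text)
    opted_in = keys.get(FEATURE_KEY.lower(), {}).get(process.lower()) == 1
    report = {}
    for zone, name in ZONES.items():
        setting = keys.get((ZONES_KEY + '\\' + zone).lower(), {}).get(ACTION)
        if not opted_in:
            report[name] = 'not enforced: process has not opted in'
        elif setting == 0:   # assumed: 0 = Enable, SP1 behaviour allowed
            report[name] = 'not enforced: zone setting is Enable'
        elif setting == 3:   # assumed: 3 = Disable, SP2 restrictions apply
            report[name] = 'enforced: zone setting is Disable'
        else:
            report[name] = 'unknown: zone value absent from export'
    return report
```

Calling `window_restrictions_by_zone(SAMPLE_REG)` on the constructed export reports the restrictions as enforced in the Internet zone and not enforced in the Local intranet zone, matching the behaviour the post observed.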