The WRSF security feature in Windows XP SP2 prevents status=no in IE's window.open and window.showModalDialog from hiding the status bar
Navicy · 2006-05-15 · via 博客园 - Navicy

Internet Explorer Using Feature Control Registry Settings with Security Zone Settings

What do Feature Control Registry Settings and Security Zone Settings do?

Feature Control registry settings are provided in Windows XP SP 2 so that a specific process can be configured to opt-in to a particular security feature. In the following example, Internet Explorer has been configured to use the Windows Restrictions security feature (WRSF):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOWS_RESTRICTIONS]
iexplore.exe=1

Once a process has been configured to use a security feature, the security feature is running and security zone settings can be applied for more precision, if implemented for that feature. In the Security Settings tab of Internet Options, the user can adjust these settings for many of the new Windows XP SP2 feature controls. If you select Enable, it lowers the security settings and allows the behavior to run less securely, or in the same manner as it did in Windows XP Service Pack 1. For example, if Windows Restriction is set to Enable in the Intranet zone, Windows Restrictions will not be applied — script-initiated windows can be opened as freely as in Windows XP SP1. The Windows XP SP2 restrictions can be applied again by setting the security zone setting to Disable, which blocks the less-secure behavior while the feature control is enabled for that process.

For example, if the feature is turned on for Windows Restrictions, this feature:

Forces the status bar to be present in script-initiated Internet Explorer windows with the title bar [those that were created with window.open()].

Constrains the size and positioning of script-initiated Internet Explorer windows that have title and status bars to ensure that the title bar and the status bar in these windows is always visible to the user.

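I deliberately marked the key sentences in bold red. It turns out this is a new security feature in Windows XP SP2, the Windows Restrictions security feature (WRSF). For security reasons, SP2 forces the title bar and the status bar of pop-up windows to be displayed, so that visitors know which address and which page they are visiting and cannot be maliciously deceived. The feature applies to the Internet zone but not to the Local intranet zone, which means that under XP SP2 using status=no to open a window without a status bar no longer works. Besides the approach above of changing the client's registry value to turn off the WRSF feature, another solution is to add the system's site address to the "Local intranet" zone on the "Security" tab of IE's Internet Options on the client. However, that seems to give up the biggest advantage of a B/S system: with so many clients, it is impossible to require everyone who uses the system to configure this, so the only option is to let the status bar keep showing.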
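A read-only check of the two settings discussed above, added here as an example (it is not from the original post or from the Microsoft text it quotes). The per-user zone key path, the numeric zone IDs, and URL action 2102 with values 0 = Enable and 3 = Disable are assumptions taken from Microsoft's general security-zone registry documentation, not from this page.

```powershell
# Added example: report whether Windows Restrictions (WRSF) is in effect per zone.
# Only the FeatureControl key below comes from the page; everything else is assumed.
$featureKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOWS_RESTRICTIONS'
$zonesRoot  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'  # assumed path
$action     = '2102'  # assumed URL action: script-initiated windows without size/position constraints
$zones      = @{ '1' = 'Local intranet'; '2' = 'Trusted sites'; '3' = 'Internet'; '4' = 'Restricted sites' }

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the named value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    $prop = $item.PSObject.Properties[$Name]
    if ($prop -eq $null) { return $null }
    return $prop.Value
}

# Step 1: has the process opted in to the feature (iexplore.exe=1)?
$optIn     = Get-RegValue $featureKey 'iexplore.exe'
$featureOn = ($optIn -eq 1)
if ($optIn -eq $null) { $shown = 'not set' } else { $shown = $optIn }
Write-Output ("FEATURE_WINDOWS_RESTRICTIONS iexplore.exe = {0}" -f $shown)

# Step 2: the zone setting only matters once the feature is on for the process.
foreach ($id in ($zones.Keys | Sort-Object)) {
    $setting = Get-RegValue (Join-Path $zonesRoot $id) $action
    if (-not $featureOn) {
        $state = 'feature not on for iexplore.exe, zone setting has no effect'
    } elseif ($setting -eq 0) {
        $state = 'Enable: restrictions NOT applied (SP1 behavior, status=no honored)'
    } elseif ($setting -eq 3) {
        $state = 'Disable: restrictions applied (status bar forced)'
    } elseif ($setting -eq $null) {
        $state = 'no per-user value for this zone'
    } else {
        $state = "other value ($setting)"
    }
    Write-Output ("{0,-16} (zone {1}): {2}" -f $zones[$id], $id, $state)
}
```

A zone that reports Enable, or a missing opt-in value, identifies the clients where script-opened windows can still hide the status bar.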