Good Practices for ActiveX Updates

re: Good Practices for ActiveX Updates

Charles — Mon, 13 Aug 2007 21:13:21 GMT

Thanks for the chatter folks, I'll check in again in 6 months to see if issue tracking is online.

goodbye!

check in again in 6 months

SickOfCharles — Mon, 13 Aug 2007 23:05:18 GMT

Hey Charles make it 12 months so we can miss you less. Quitchurbitchin

re: Good Practices for ActiveX Updates

Sam — Mon, 13 Aug 2007 23:25:02 GMT

I remember when having ActiveX controls "phone home" was considered a security/privacy risk.

And its odd that calling WinVerifyTrust before executing your upgrade binary isn't on the list.

re: Good Practices for ActiveX Updates

Brent — Mon, 13 Aug 2007 23:56:53 GMT

Just found another bug in IE7.

When an element has the :hover pseudo class applied (where the background image changes), mousing over the element (or several if close together (e.g. a menu/list)) causes the favicon in the tab to flicker.

Im guessing that for a split second IE thinks it needs to load a resource, switches to the toilet bowl flushing icon, then realizes it has the resource loaded already, and displays the page's favicon again.

I can partially understand this on the 'very' first mouseover of an un-cahced image, but every flicker after that appears to be a bug.

Im not sure why but if the item has a z-index applied, the effect is even more prevelant.

Dare I ask where the bug tracking site is so I can enter this?

Brent

re: Good Practices for ActiveX Updates

sam — Tue, 14 Aug 2007 02:52:56 GMT

@charles you won't likely see this reply but i'm with you. I've had enough.

sam

re: Good Practices for ActiveX Updates

EricLaw [MSFT] — Tue, 14 Aug 2007 03:16:10 GMT

@Brent: What cache-related headers were returned on your background image?

re: Good Practices for ActiveX Updates

ash — Tue, 14 Aug 2007 06:22:13 GMT

@Brent

Presumably you have checked your server log to ensure the image is not being downloaded repeatedly.

re: Good Practices for ActiveX Updates

Anonymous — Tue, 14 Aug 2007 07:23:40 GMT

So a javascript popup says that "Microsoft Silverlight needs to update, do you wish to continue" and a download for a completly different (malicious) activex control happens, the user gets asked if they want to give admin priveledge to the activex control and then it runs amock on the system.

The best update to ActiveX is turning it off.

re: Good Practices for ActiveX Updates

IE8 — Tue, 14 Aug 2007 09:52:15 GMT

"After much discussion on the team, we've decided that people are right and that we should have a public way for people to give us feedback or make product suggestions."

http://blogs.msdn.com/ie/archive/2006/03/24/560095.aspx

re: Good Practices for ActiveX Updates

trevor — Tue, 14 Aug 2007 15:47:54 GMT

@IE8 Re: "After much discussion on the team, we've decided that people are right and that we should have a public way for people to give us feedback or make product suggestions. http://blogs.msdn.com/ie/archive/2006/03/24/560095.aspx "

Are you pointing out to the community that follows this blog that there is a feedback site? If so, this was torn down almost a year ago.

Or are pointing out that Microsoft realized the extreme importance of such a system, implemented it, then went back on their words and the community by taking the feedback site down?

Either way it is a sad reality.

===================================

1.17 Billion people use the Internet (http://www.internetworldstats.com/stats.htm)

58.5% Are using Internet Explorer

(http://www.w3schools.com/browsers/browsers_stats.asp)

Do 684 Million people not deserve the right to be able to submit a bug report? Do the developers that make applications and sites that run in IE not deserve to have a central repository of bug workarounds so they can fix what is broken in IE?

Its the dawn of another new day, lets sit down and hammer out a plan to get this up and running ASAP.

re: Good Practices for ActiveX Updates

Gareth — Tue, 14 Aug 2007 18:20:59 GMT

In the last paragraph you mention that if the check for the newest version times out, to fail the install. Why?

I should have my product fail to install when;

a) Users internet not connected (an offline install)

b) My website breaks (hopefully only temporarily).

c) User has a proxy server (or similar) which my DLL can't use (eg HTTP Auth).

This sounds like a good way to ensure my product doesn't get installed a lot! It appears to make more sense if the DLL cannot confirm that it is old to install... doesn't it?

re: Good Practices for ActiveX Updates

Brent — Tue, 14 Aug 2007 22:04:43 GMT

@EricLaw[MSFT]

Its not related to caching AFAIK.

Here are the _relevant_ headers

HTTP/1.1 200 OK

Date: Tue, 14 Aug 2007 13:05:05 GMT

Server: Apache/2.0.52 (Win32)

Last-Modified: Mon, 13 Aug 2007 20:49:17 GMT

Content-Length: 693

Cache-Control: max-age=2592000

Expires: Thu, 13 Sep 2007 13:05:05 GMT

Content-Type: image/gif

@ash, no the image only gets downloaded once, firebug headers/fiddler headers and server logs confirm.

I think the toilet bowl spinner kicks in whenever the browser is 'working' on an image, regardless of whether it is cached or not.

An easy test is to set a div, with a class, with a background image that is BIG! (like a 1280x1024 desktop image (GIF/JPG/PNG (it doesn't matter))

then on :hover, swap it for another (any format) of the same BIG size.

hover once, to load the second image. then rollover/off the div several times while watching the spinner.

Reproducable:

IE6: Never (doesn't support :hover)

IE7: Always

Safari: Never

Firefox: Never

Opera 9: Sometimes

thanks

kawaguti's chronical record — Tue, 14 Aug 2007 22:09:30 GMT

IEBlogで、ActiveXコントロールのダウンロードはどうあるべきか、という...

re: Good Practices for ActiveX Updates

Aaron Margosis — Wed, 15 Aug 2007 00:54:37 GMT

Enterprise users should never be able to install ActiveX controls through IE, *except* via the ActiveX Installer Service on Vista. Enterprise users should be running as Standard User, not as admins with the option to elevate. Barring AxIS, ActiveX installation and updating has to be through another mechanism.

re: Good Practices for ActiveX Updates

Forex Blog — Thu, 16 Aug 2007 16:07:58 GMT

In my view activeX updates must be turned on. When they want to be updated allow them to update.Microsoft is the number one company and in case they have decided to make update it is better for all of us (the end users) to download and install the update. Microsoft will not try to harm our computers so I believe them about everything. Every time I get asked about an update I do it. This is my view and I am not asking you to update too, only telling what I think. Big thanks to all microsoft developers that work hard everyday!

re: Good Practices for ActiveX Updates

Json — Thu, 16 Aug 2007 19:06:55 GMT

This is great advice - but can you please give some concrete examples?

I am developing in .Net 2.0, and created an ActiveX component:

1) what is the best practice to create it: Object tag or call new()?

2) How do I attach events to ActiveX controls in cross browser

3) What about marking it safe for scripting?

A complete project shell would be favorite!

re: Good Practices for ActiveX Updates

webkatalog eintragen — Thu, 16 Aug 2007 22:22:39 GMT

"it’s not a good idea to automatically install updates or even give the user this option. Automatically installing updates doesn’t give the user control and doesn’t give them context for the UAC prompt as mentioned above."

Bingo! Give the user the control back!

... I waited years to hear such a statement. Thank your! It is great to hear this out of your mouth ;P

re: Good Practices for ActiveX Updates

Christian — Fri, 17 Aug 2007 11:42:18 GMT

This suggestions are completely unacceptable!

"add a timeout to the server check and fail the install if no response is received before the timeout"

I work in an corporate environment and the very last thing I want is that an installation of a PC or software failes if prerequisites just decide that they need to phone home.

the way to reliable systems is to NOT depend on ANY online service and have stable versions.

Yet you suggest so balantly offensive things like mandatory update checks, not possible to turn off, additional admin-executables, and failed und unreliable, unpredictable magic installations!

That is really disgusting!

re: Good Practices for ActiveX Updates

hAl — Fri, 17 Aug 2007 13:03:31 GMT

Is there sample code availabe for these methods ?

re: Good Practices for ActiveX Updates

Fliesen — Wed, 22 Aug 2007 16:32:11 GMT

I specially agree with the third point. The user always must have the chance to decide if he really want to update or not. Using vista for serveral month now and all the unasked updates installing themselves really go on my nerves!

re: Good Practices for ActiveX Updates

Kamine — Wed, 22 Aug 2007 16:40:23 GMT

I can totally agree with Fliesen. Getting an update in the wrong moment without wanting it is like an illness.

re: Good Practices for ActiveX Updates

文学诗词情感 — Thu, 23 Aug 2007 10:37:40 GMT

看过了,谢谢

http://www.solarain.cn 文学诗词情感

http://www.suilu.com 网站建设及推广

Developing Safer ActiveX Controls Using the Sitelock Template

IEBlog — Tue, 18 Sep 2007 20:23:15 GMT

Last Friday, Microsoft released a new version of the SiteLock Template for ActiveX Controls . The SiteLock

Securing ActiveX Controls

codesecurely.org — Wed, 17 Oct 2007 07:20:14 GMT

I was reading my buddy Alex Smolen's post the other day on Java Applet Security and figured I would see

Good Practices for ActiveX Updates

CSV -> DHTML — Sat, 15 Dec 2007 10:46:52 GMT

http://blogs.msdn.com/ie/archive/2007/08/13/good-practices-for-activex-updates.aspx

Add-on Management Improvements in Internet Explorer 8

IEBlog — Thu, 20 Mar 2008 22:20:42 GMT

One of our goals with Internet Explorer 8 was to improve the experience of managing add-ons by bringing

IE8 Security Part II: ActiveX Improvements

IEBlog — Wed, 07 May 2008 21:30:34 GMT

Hi, I’m Matt Crowley, Program Manager for Extensibility with Internet Explorer. The team was very excited

Internet Explorer 8 의 애드온 관리 개선(Internet Explorer 8)

IE8 팀 블로그 — Thu, 05 Mar 2009 09:51:05 GMT

이 글은 Internet Explorer 개발 팀 블로그 (영어)의 번역 문서입니다. 이 글에 포함된 정보는 Internet Explorer 개발 팀 블로그 (영어)가 생성된 시점의

IE8 보안 2부 : ActiveX 보안 개선

IE8 팀 블로그 — Tue, 17 Mar 2009 11:48:41 GMT

    아래 글은 IEBlog에 올라온 IE 8 보안 관련 글 중 두번째 글을 번역한 것입니다. 현재 파트 5까지 나와있는데 시리즈로 번역할 예정입니다. 이 글 뿐