windows xp sp2 rc2

re: windows xp sp2 rc2

Cameron Watters — Mon, 21 Jun 2004 22:46:00 GMT

Back in March, there was some back-and-forth in the comments of this post:

http://blogs.msdn.com/jeffdav/archive/2004/03/22/94080.aspx

regarding the behavior of the popup blocker WRT Macromedia Flash content, etc. The crux of the issue then (and now) is whether or not the popup blocker would block popups launched from within MM Flash content by default. Back then the answer was yes.

I have not yet had a chance to try out Win XP SP2 RC2. Has that behavior changed at all? Is the appropriate solution still (as you indicated in the aforementioned post from March) for the plugin developer (in this case Macromedia) to modify the plugin to support the new interface that notifies the browser of the proper context for requests (user initiated or otherwise)?

re: windows xp sp2 rc2

jeffdav — Mon, 21 Jun 2004 22:50:00 GMT

Cameron--

That would be the point of the UseHooks key described in the post. By default we do hook messages going to Flash, to allow user initiated windows to open from Flash.

ActiveX controls can still initiate the user initiated context by Exec()'ing the correct command to mshtml.dll.

-jmd

re: windows xp sp2 rc2

Cameron Watters — Mon, 21 Jun 2004 22:54:00 GMT

Update to my previous comment:

A more careful reading suggests that, by default, popups initiated from the Flash plugin (which I'm hoping falls into the designation of an ActiveX control?) will not be blocked? Is that a correct reading of the rules for the "Medium" (later described as the default) level?

Sorry, I failed to put it all together the first time through.

re: windows xp sp2 rc2

jeffdav — Mon, 21 Jun 2004 22:59:00 GMT

That is correct.

windows xp sp2 rc2 (from: jeffdav)

Test .Text Blog — Tue, 22 Jun 2004 03:41:00 GMT

re: windows xp sp2 rc2

Peter Torr — Tue, 22 Jun 2004 01:24:00 GMT

One thing I really dislike is "negative" options like "BlockUserInit."

It's intuitively difficult for people to deal with double negatives, and it makes the configuration overly complicated and ugly. Just looking at the settings for High and Low, wouldn't it be nicer if High was F,F,F,F and Low was T,T,T,T?

Then you could just say "High turns it all off" and "Low turns it all on" and customers could easily keep up with it. As it is, having negative options makes it easy for bugs (either bona fide "code defects" or end user "configuration errors") to creep in. We're only human, after all :-)

I would rename it "AllowUserInit" or something along those lines.

re: windows xp sp2 rc2

jeffdav — Tue, 22 Jun 2004 01:31:00 GMT

Peter--

I agree. Keep in mind these are registry thingies that most people never need to see. When I started writing this, "BlockUserInit" and "PlaySound" were the only keys. As I learned more and more about the numerous ways to navigate IE, more options were added. I would have liked to have rationalized all these settings in the end, but I waited too long and now we are too close to RTM.

One of my dreams is to someday rewrite the Internet Control Panel and rationalize all these random IE registry keys... but think of all the apps I would break!

Configure the pop-up blocker in XP SP2 RC2

KC on Exchange and Outlook — Tue, 22 Jun 2004 07:29:00 GMT

XP SP2 change?

JD on MX — Tue, 22 Jun 2004 07:56:00 GMT

XP SP2 change? My thanks to Cameron Watters for posting this... he cites a post today from "jeffdav" of Microsoft's Internet Explorer team, and in the followup, it seems like Jeff says that the behavior of blocking windows requested from...

Flash & Windows XP SP2

h2os :: blog — Tue, 22 Jun 2004 16:51:00 GMT

I'll post more on this later once I've had a chance to install Windows XP SP2 RC2 and poke around...

More info on the popup blocker in XP sp2

E-Bitz - SBS MVP the Official Blog of the SBS — Wed, 23 Jun 2004 03:31:00 GMT

Excellent information on the new IE pop up blocker from JeffDav of the IE Core team

Jerry's Security Weblog — Wed, 23 Jun 2004 05:13:00 GMT

re: windows xp sp2 rc2

A.R. — Fri, 25 Jun 2004 09:41:00 GMT

You might consider focusing more on security holes than on "UI bugs"..
A list of some of them can be found here: http://iebug.com/

re: windows xp sp2 rc2

jeffdav — Fri, 25 Jun 2004 16:03:00 GMT

Many of the UI Bugs I have fixed were security bugs. Web sites that use poorly desgined UI to trick users are just as dangerous as ones that use more sophisticated attacks. There is a team of developers who work to secure IE at a lower level; I work on the Browser UI team.

createPopup() windows rendered useless by XP SP2

Ian Paterson — Sun, 27 Jun 2004 21:49:00 GMT

I'm afraid that with Windows XP SP2, chromeless popup windows (created with createPopup()) have so many restrictions that they are rendered useless. The only significant functionality offered by a popup that cannot be achieved with an ordinary HTML DIV element is that it may be positioned slightly outside (to the right or left of) the window border.

Most importantly, popups no longer appear in front of all windows. It is now impossible for a window underneath the top window to alert the user that it needs the user's attention (e.g. when a message arrives in Outlook Web Access) WHILE still allowing the user to continue working in the top window (e.g. if the user is busy typing a sentence in the top window then their text is not lost when a standard window gains focus).

Would there not be enough security if popup windows were limited in size/position AND also forced to have chrome (title and status bars) when the programmer wants them to appear on top of all windows?

Do you know how OWA and other similar applications running on SP2 will inform users that new messages have arrived?

explorer bar - discuss

Shaffer — Thu, 08 Jul 2004 06:11:00 GMT

we have developed software and i believe a user is having problems because the 'discuss' feature may be checked. The user claims she has no discuss option in her explorer bar. Is this possible? She says she is using Windows XP Professional and IE 6.0. I'm using the same OS and browser and have 'discuss' in my explorer bar.

Please advice.

explorer bar - discuss

Shaffer — Thu, 08 Jul 2004 06:12:00 GMT

re: windows xp sp2 rc2

jeffdav — Thu, 08 Jul 2004 06:51:00 GMT

I think discuss comes with office, yes? I never use it, so I am not 100% sure. :)

re: Internet Explorer in XP SP2 RC2

Tony Schreiner's WebLog — Tue, 13 Jul 2004 07:55:00 GMT

re: windows xp sp2 rc2

HK — Sat, 24 Jul 2004 01:11:00 GMT

BlockUserInit - Whether or not to block windows deemed to be the result of a user initiated action. When on, pop-up blocking is hardcore. Default is off.
UseTimerMethod - Whether or not to use a timer to detect user initiated actions. Some sites do things asynchronously to mouse clicks... mostly sites where you submit data which results in a popup.
UseHooks - Whether or not to hook messages going to ActiveX controls. If this is false, then the control may not be able to open a new window.
AllowHTTPS - Whether or not to blindly allow pop-ups from sites using https.

The default values are High: T,F,F,F; Med: F,F,T,F; Low: F,T,T,T.
If you go change one setting by hand and it does not match the template for any of those levels, the level will show as “Custom” in the settings dialog.

You don't actually SUPPORT the stuff you're programming, right? You see, if you were Mr. "I-don't-know-much-about-my-computer-but-I-heard
-theInternet-is-so-dangerous" and you hear of a strange new virus that's spreading via websites or anything like this or you are annoyed by popupwindows that still came through the popupblockers, you would tend to disable anything.

Many banks use popups to initiate a secure connection to the user. It's also used to look up for the browser they're using and presenting the right javascript-code to let the user do their banking-stuff. They have verified their identity by a trusted root certification authority.

If they're clever, they ordered the more expensive special certificate that's neccessary to enable strong in enryption mode in MSIEs that fell under the old export-restrinctions concerning strong encryption:
http://www.verisign.com/products/popInfo/encryption.html

On behalf of all my collegues trying to support the various types of MSIE, please do the following on the default high settings:

Enable to pop up windows which are encrypted, provided they have a certificate that's issued by a trusted root certification authority. Call this setting: "Enable Popups from trusted, encrypted sites (e.g. Webshops, Online-banking-applications). Note: By disabling this setting, some Webshops or Online Banking might stop working correctly.

Something like this. Or at least tell the user after enabling the deafault high setting that some webshops or their Online Banking might not work anymore. Explain the User how to add sites to the white-list. Note: The secured Window opened by many sites originates from an unsecured site.

Explorer has to check wheter the Window which is attempting to open originates from one of the trusted sites. Otherwise, User has to add both the unsecured and the secured URL to it's trusted sites. This is a very annoying behaviour of the MSIE since the beginning of MSIE using the zone-model. It would be sufficient to allow any site to open a secured Window from a site that's in the white list as long as every single item is from the same secured trustworty domain (disallowing cross-frame-attacs from an unsecured frame).

To sum up:

1. Why just the option to allow *every* secured site to open a Popup even thogh User has no confirmation that the issuer of that certificate is trustworthy? Why not allowing only identified Companies to open a Popupwindow/Use Java Script and stuff even on high settings? Make it adjustable, so that the user could diallow this option on purpose, OK.

2. Is there a way to explain to Users what to do to get the requested Webshop- or bankingfunctions?

Sorry for writing so long, but Norton Internet Security already gives us enough headache. But this is going to be a major problem to us. We don't spam, we don't do anything bad. We're just trying to keep our customers happy.
;(

You wouldn't believe what some Users do to their system without any idea what hey are doing. Now try to give them the service they deserve in our opinion and figure out what they need to do to get out of this mess. But as far as I see it, this is going to be a major problem to us and many, many more.

Sincerely

HK (full name disclosed upon every mail originating from microsoft.com for now I'm saying that I am from Germany).

PS: Please send some greetings to "Sven Freitag", he should be in america working @microsoft right now. Working email-address, no need to edit anything: nospam001@gmx.net

Configure the pop-up blocker in XP SP2 RC2

KC on Exchange and Outlook — Sat, 31 Jul 2004 01:39:00 GMT

Excellent information on the new IE pop up blocker from JeffDav of the IE Core team

Jerry's Security Weblog — Thu, 16 Dec 2004 16:49:00 GMT

h2os.org :: The Life and Times of Cameron Watters :: Flash & Windows XP SP2

h2os.org :: The Life and Times of Cameron Watters :: Flash & Windows XP SP2 — Thu, 27 Apr 2006 01:52:17 GMT

PingBack from http://www.h2os.org/archives/bydate/2004/06/22/flash_windows_xp_sp2

jeff s WebLog windows xp sp2 rc2 | Paid Surveys

jeff s WebLog windows xp sp2 rc2 | Paid Surveys — Sat, 30 May 2009 08:17:40 GMT

PingBack from http://paidsurveyshub.info/story.php?title=jeff-s-weblog-windows-xp-sp2-rc2

jeff s WebLog windows xp sp2 rc2 | Insomnia Cure

jeff s WebLog windows xp sp2 rc2 | Insomnia Cure — Tue, 09 Jun 2009 01:29:22 GMT

PingBack from http://insomniacuresite.info/story.php?id=3782

jeff s WebLog windows xp sp2 rc2 | fix my credit

jeff s WebLog windows xp sp2 rc2 | fix my credit — Wed, 17 Jun 2009 04:46:41 GMT

PingBack from http://fixmycrediteasily.info/story.php?id=17780

jeff s WebLog windows xp sp2 rc2 | low cost car insurance

jeff s WebLog windows xp sp2 rc2 | low cost car insurance — Wed, 17 Jun 2009 07:20:17 GMT

PingBack from http://lowcostcarinsurances.info/story.php?id=3246

jeff s WebLog windows xp sp2 rc2 | bar stools

jeff s WebLog windows xp sp2 rc2 | bar stools — Fri, 19 Jun 2009 09:37:46 GMT

PingBack from http://barstoolsite.info/story.php?id=3777