Microsoft KB Archive/884698

= Custom values that are saved to the navigator object are not persisted after you refresh the Web page in Windows XP Service Pack 2 =

Article ID: 884698

Article Last Modified on 8/13/2007

-

APPLIES TO


 * Microsoft Windows XP Service Pack 2
 * Microsoft Windows XP Service Pack 2

-





Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

Important This article contains information that shows you how to help lower security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect your system.



SUMMARY
''Microsoft Windows XP Service Pack 2 (SP2) uses a new security context on all scriptable objects. In this new security context, access to all cached objects is blocked. This behavior occurs regardless of whether you are navigating across Fully Qualified Domain Names (FQDNs) or within the same FQDN. After you change the context by viewing a different page or by refreshing the current page, the reference to an object is no longer accessible.''



SYMPTOMS
Custom values that are saved to the navigator object are not persisted after you refresh a Web page. Additionally, these custom values are not persisted if you leave the Web page and then return to it.



CAUSE
If an object provides access to the contents of a Web page from another domain, and this object can be cached, a cross-domain security vulnerability exists. To help protect against this vulnerability in Windows XP SP2, the new security context on all scriptable objects blocks access to all cached objects.



RESOLUTION
To change this behavior, use one of the following methods:  Use cookies.

For more information about how to use cookies, visit the following Microsoft Developer Network (MSDN) Web sites:

Cookie theory

http://msdn2.microsoft.com/en-us/library/ms970178.aspx

JavaScript and cookies

http://msdn2.microsoft.com/en-us/library/ms970259.aspx

 Change the userData behavior.

Warning This workaround may make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.

For more information about the userData behavior, visit the following Microsoft Developer Network (MSDN) Web sites:

userData behavior

http://msdn2.microsoft.com/en-us/library/ms531424.aspx

Introduction to persistence

http://msdn2.microsoft.com/en-us/library/ms533007.aspx

Important If you use these behaviors incorrectly, you can compromise the security of your application. The saveFavorite behavior, the saveSnapshot behavior, and the userData behavior persist data as plain text in a saved Web page. This text is not encrypted. Therefore, any application that has access to the drive where the page is saved also has access to the data and can tamper with it. We recommend that you do not persist sensitive data like credit card numbers. Change the registry setting.

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

Use one of the following registry settings to revert the object caching to pre-SP2 behavior. If you use this method, you must do this on every client computer.

Important We do not recommend that you do this.

Value: IExplore.exe

Setting: 0 (Off), 1 (On)

Value: IExplore.exe

Setting: 0 (Off), 1 (On)





STATUS
This behavior is by design.



Steps to reproduce the behavior
<ol>  Save the following code in an .html file, and then open the file in Microsoft Internet Explorer.

<script language=&quot;javascript&quot;>

if (navigator.CustomTag == null) {   document.write(&quot;No value present&quot; + &quot;<BR>&quot;) navigator.CustomTag = 200 document.write(&quot;Value has been set to: &quot; + navigator.CustomTag + &quot;<BR>&quot;) } else {   document.write(&quot;Value present&quot; + &quot;<BR>&quot;) document.write(&quot;Value is: &quot;+ navigator.CustomTag) }

</li> Press F5.</li></ol>

On a computer that is running Microsoft Windows XP with SP2, the value is not set. On a computer that is running Windows XP without SP2, the value is persisted.

<div class="references_section">