Microsoft KB Archive/875345

= A security update is available that increases the enforcement of the cross-domain security model that is used by Internet Explorer =

Article ID: 875345

Article Last Modified on 11/30/2007

-

APPLIES TO


 * Microsoft Internet Explorer 6.0
 * Microsoft Internet Explorer 5.0
 * Microsoft Internet Explorer (Programming) 6.0
 * Microsoft Internet Explorer 5.5
 * Microsoft Internet Explorer 5.01

-





INTRODUCTION
A security update is available that increases the enforcement of the cross-domain security model in Internet Explorer. This article is intended to notify developers of these changes and to provide information about possible workarounds that developers can use if their code is affected by these changes.



MORE INFORMATION
Security bulletin MS04-025 increases the enforcement of the cross-domain security model in Internet Explorer. For additional information about security bulletin MS04-025, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS04-025.mspx

For additional information about the cross-domain security model, visit the following Microsoft Web site:

http://msdn2.microsoft.com/en-us/library/ms533028.aspx

Changes to Internet Explorer-based code
If your Internet Explorer-based code is affected by these changes, we recommended that you examine the security implications of your product and explore the following changes to your Internet Explorer-based code.

DHTML script access is removed during navigation
Script access to the Internet Explorer object model is removed immediately when the security context changes during navigation. This behavior prevents script in one security context from accessing the object model in another security context. To work around this new behavior, update your DHTML script so that it does not rely on access to objects after navigation.

Enforcement of context for script URLs that are executed from binary code
The context to execute a script URL from binary code that uses the IDispatch interface and the IDispatchEx interface is now enforced. For example, if a binary object such as an ActiveX control tries to use the JavaScript protocol to execute script, this execution will now fail. To work around this new behavior, use the execScript method or the setTimeout method to execute script from your binary code.

For additional information, visit the following Microsoft Web sites:

javascript Protocol

http://msdn2.microsoft.com/en-us/library/Aa767736.aspx

IHTMLWindow2::execScript Method

http://msdn2.microsoft.com/en-us/library/Aa741364.aspx

IHTMLWindow2::setTimeout Method

http://msdn2.microsoft.com/en-us/library/Aa741500.aspx

Additional query words: access denied permission denied script error KB867801 cross-frame

Keywords: kbbug kbpending kbinfo KB875345

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.