Application Security Testing: An Integral Part of DevOps
An Editor friend and some of my co-workers have taken occasion to remind me that some people don't like Internet Explorer or don't see why anyone would ever develop Web applications just for Internet Explorer. Some of these same smart people have expressed the opinion that they don't like ActiveX in Web applications much either. I respect their opinions. Everyone is entitled to an opinion.
I understand. I have read The Cathedral and the Bazaar by Eric Raymond. I have even exchanged a couple of emails with him. I understand that some people think open source software and uniform standards are the way to go. However, I think about these kinds of issues (open source versus proprietary solutions, and IE-only development versus multi-browser platform development) differently, from my own perspective.
Enabling and Disabling Script Debugging in IE8
Visual Studio 2008 automatically enables script debugging for Internet Explorer 8 sessions started from Visual Studio. You no longer have to uncheck this option (Disable script debugging (Internet Explorer)) in IE under Tools|Options on the Advanced tab. In fact, regardless of the debugging settings, script debugging will be enabled for IE8 sessions started from Visual Studio.
There exists a potential for performance problems associated with script debugging always being on. For a registry hack that disables script debugging refer to my DevExpress blog entry here.
Enabling ActiveX in IE8
Internet Explorer security is established by zone. There are five zones: Internet, Local Intranet, Trusted Sites, Restricted Sites, and My Computer. The Internet zone is represented by Web sites on your computer that haven't been assigned to another zone. The Local Intranet zone is represented by network connections established using a UNC path, Web sites that bypass the proxy server, or sites that have not been assigned to the Restricted or Trusted zone. Also, if you use a fully qualified domain name (FQDN) or IP address, then the site is considered part of the Internet zone. The Trusted Sites zone is for adding Web sites that you trust, like FedEx.com, Dell.com, Amazon.com, and the Restricted Sites zone is for Web sites that you don't trust. My Computer is exactly what it sounds like.
If you want to enable ActiveX support for desktop development then you want to adjust the Local Intranet zone. If you add ActiveX controls to your public web site then your users will need to adjust the Internet zone.
- In Internet Explorer 8 select Tools|Options
- Change to the Security tab and click Local intranet in the zones section
- Click Custom level
- In the Security Settings dialog scroll to the ActiveX controls and plug-ins section
- Change the "Initialize and script ActiveX controls not marked as safe for scripting" from Disable to Enable or Prompt. (If you want to remember that you have turned on ActiveX support then select Prompt)
- Click OK to close the Security Settings dialog
- Click OK to close the Internet options dialog
Figure 1: If you see this dialog then you need to enable ActiveX objects for the Local Intranet zone.
Figure 2: To let ActiveX objects that you create in script run on your workstation's browser set "Initialize and script ActiveX controls not marked as safe" to Enable or Prompt.
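To see which zones currently have this option relaxed after following the steps above, the setting can be read back from the registry. This is an added example, not code from the original article. It assumes the standard Internet Explorer layout, in which the option is URL action 1201, zones are numbered 0 to 4, and the values 0, 1 and 3 mean Enable, Prompt and Disable; the function name is hypothetical.

```powershell
# Added example: report "Initialize and script ActiveX controls not marked
# as safe for scripting" (URL action 1201) for every IE security zone.
# String keys so the ordered dictionary is indexed by name, not position.
$ZoneNames = [ordered]@{
    '0' = 'My Computer'
    '1' = 'Local Intranet'
    '2' = 'Trusted Sites'
    '3' = 'Internet'
    '4' = 'Restricted Sites'
}
$Actions = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-UnsafeActiveXZoneSetting {   # hypothetical helper name
    param(
        # Per-user settings first, then machine-wide policy if one is set.
        [string[]]$Roots = @(
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
            'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
        )
    )
    foreach ($root in $Roots) {
        foreach ($zone in $ZoneNames.Keys) {
            $key  = Join-Path $root $zone
            $item = Get-ItemProperty -Path $key -Name '1201' -ErrorAction SilentlyContinue
            if ($null -eq $item) { continue }   # value not set under this root

            $value   = [int]$item.'1201'
            $setting = if ($Actions.ContainsKey($value)) { $Actions[$value] }
                       else { "Unknown ($value)" }

            [pscustomobject]@{
                Source   = $root.Substring(0, 4)   # HKCU or HKLM
                Zone     = $ZoneNames[$zone]
                Setting  = $setting
                # True when unsafe controls run without asking the user.
                NoPrompt = ($value -eq 0)
            }
        }
    }
}

Get-UnsafeActiveXZoneSetting | Format-Table -AutoSize
```

A row with NoPrompt set to True for the Internet zone means any public site can initialize such controls silently, which is a broader change than the Local Intranet adjustment described in the steps.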