[thelist] Response.Redirect (ASP)

Ken Schaefer ken.schaefer at gmail.com
Sun Jan 16 02:33:57 CST 2005


I don't believe you are so locked in. It all depends on the security
zone of the current page, and where you are linking to.

As for the iFrame type worries that you allude to - probably a third
of all the IE vulnerabilities we always complain about are related to
these types of cross-domain handling issues. Somehow, we use code to
"trick" IE into thinking that it's safe for the parent page to access
content in the child page. That's fine if the parent page is trusted
to do so (e.g. it's also in the "trusted sites" or "my computer" zone),
but not OK if it's in the "internet" zone.

As for links from one page in the internet zone to another, I think
that'll work just fine, won't it? Doesn't
<a href="file://c:\boot.ini">click</a> work?

Cheers
Ken


On Fri, 7 Jan 2005 10:51:52 -0500, Joshua Olson <joshua at waetech.com> wrote:
> > -----Original Message-----
> > From: Rob Smith
> > Sent: Friday, January 07, 2005 10:29 AM
> >
> > Ken,
> >
> > I'm connecting from an https:// to an excel file located on another
> > server via the \\Network protocol. Now, obviously it works when the
> > files are located on the web server itself. It's worked before. Maybe
> > I just need to walk my happy rear over the guy's desk and recopy what
> > I think the path is.
> 
> Rob,
> 
> It is possible to access network resources using the UNC (such as
> \\server\folder\etc) through Internet Explorer.  However, that necessitates
> that you can somehow get the browser to have in its address bar the UNC for
> the file.  When you are using the HTTP protocol (or HTTPS) through IE you
> are, effectively, locked into the web-centric protocols (http, https, ftp,
> mail, etc).  That means going from http://www.domain.com to \\server\folder\
> is NOT going to work without the user typing in the address themselves.
> 
> Imagine, if you would, the security risk that would open up if you could
> click on a link on a bad webpage which opens the following within a hidden
> frame: \\localhost\c$\somefile !!  I don't think even MS is that careless.
> 
> <><><><><><><><><><>
> Joshua Olson
> Web Application Engineer
> WAE Tech Inc.
> http://www.waetech.com/service_areas/
> 706.210.0168 
> 
> 