Is it possible for a trusted site to serve up an untrusted page?

I am building a server application which I expect to run on servers that are in the Trusted Sites zone for many of my users. However, I will be serving up content that, in some cases, comes from third parties and it is theoretically possible that some of that content might contain malicious script, components, external links, etc. Is it possible for my server to flag certain pages (or better, parts of pages) as "untrusted", thus triggering IE's defense mechanisms for that portion of content? Is there an HTTP or HTML standard for doing that?

I will also be looking at filtering out any suspicious content while rendering. Any pointers in that area would also be appreciated.

-Steve

If what you pass down for rendering only gives the browser the URL to load in that area, then it should know how to categorize that URL. If you are getting the content on the server side and sending it down integral with your provided content then it is your responsibility to make sure it is appropriate (for your clients' zone classification of your site).

"Stephen Walch" <swalch@online.nospam> wrote in message news:OzsuOdVvGHA.3912@TK2MSFTNGP03.phx.gbl...
> I am building a server application which I expect to run on servers that
> are in the Trusted Sites zone for many of my users. However, I will be
> serving up content that, in some cases, comes from third parties and it is
> theoretically possible that some of that content might contain malicious
> script, components, external links, etc. Is it possible for my server to
> flag certain pages (or better, parts of pages) as "untrusted", thus
> triggering IE's defense mechanisms for that portion of content? Is there
> an HTTP or HTML standard for doing that?
>
> I will also be looking at filtering out any suspicious content while
> rendering. Any pointers in that area would also be appreciated.
>
> -Steve

Hi Stephen,

Your question is about whether there are any server-side flags/mechanisms to let the IE browser estimate whether a particular page should be TRUSTED or NOT, right? If so, as far as I know this is not achievable currently.

First, IE's security zone setting is domain based. We can only specify something like whether http://www.microsoft.com is a trusted site/intranet site/internet site, etc. The trust level setting doesn't apply at the URL level, like: http://www.microsoft.com/windowsserver2003/iis/ .

Second, there shouldn't be an approach for web or server-side scripting to interact with the IE client's security zone setting. Otherwise it would bring a huge security risk.

Since this is mainly an issue about Internet Explorer security, you may get some additional information from our IE newsgroup:

microsoft.public.internetexplorer.general

Thanks.

Best Regards,

WenJun Zhang
Microsoft Online Community Support

==================================================
Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues where an initial response from the community or a Microsoft Support Engineer within 1 business day is acceptable. Please note that each follow up response may take approximately 2 business days as the support professional working with you may need further investigation to reach the most efficient resolution. The offering is not appropriate for situations that require urgent, real-time or phone-based interactions or complex project analysis and dump analysis issues. Issues of this nature are best handled working with a dedicated Microsoft Support Engineer by contacting Microsoft Customer Support Services (CSS) at:
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
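Since the zone is assigned per site and the server cannot mark part of a page as untrusted, third-party markup that is sent down as part of the trusted page has to be filtered on the server before rendering. The following allow-list filter is an added example, not code from any participant in this thread; the tag and attribute lists and the names `sanitize`, `safe_url` and `AllowListSanitizer` are assumptions chosen for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allow-list for illustration; narrow it to what the application must render.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "blockquote", "pre", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}
# Elements removed together with everything inside them (an unclosed one drops the rest).
DROP_WITH_CONTENT = {"script", "style", "object", "applet", "iframe"}

def safe_url(value):
    # Browsers ignore whitespace/control characters inside a scheme, so strip them first.
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    scheme, sep, _ = cleaned.partition(":")
    return bool(sep) and scheme.lower() in SAFE_SCHEMES  # absolute URLs only

class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.skip_depth = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tags are dropped; their text is kept, escaped
        kept = [(n, v or "") for n, v in attrs if n in ALLOWED_ATTRS.get(tag, ())]
        kept = [(n, v) for n, v in kept if n != "href" or safe_url(v)]
        attr_text = "".join(f' {n}="{escape(v, quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in self.open_tags:
            closed = None
            while closed != tag:  # also close tags left open inside this one
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))  # comments and declarations are dropped by default

def sanitize(fragment):
    parser = AllowListSanitizer()
    parser.feed(fragment)
    parser.close()
    # Close anything still open so the fragment cannot swallow the host page's markup.
    return "".join(parser.out) + "".join(f"</{t}>" for t in reversed(parser.open_tags))
```

Everything not on the allow-list is removed, including event-handler attributes, HTML comments and relative or scheme-less links, so the filter fails closed when it meets markup it does not recognise.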