Event 1034 - Cross-Domain Barrier and Script URL Mitigation

  • Article

Applies To: Windows 7, Windows Vista

Windows® Internet Explorer® provides script URL mitigation for cross-domain exploits, in which a Web page from one domain can either read or manipulate the contents of a Web page located on a different domain. A script URL is a URL that starts with script protocols like JavaScript or VBScript (for example, javascript:doFormPost()). Since script URLs typically run scripts on an Internet Explorer window, they become easy targets for cross-domain exploits.

In earlier versions of Internet Explorer, before Windows Internet Explorer 7, script URLs were treated like any other URL, allowing navigation to occur. This navigation also allowed the script source to have access and run in the current window. In Windows Internet Explorer 8 and Internet Explorer 7, script URL mitigation removes the script from the script URL, effectively stopping navigation from places that are considered unsafe. Internet Explorer then runs the script in the domain context of the Web page from where it came instead of navigating to the page.

How This Issue Appears to the User

If the script URL navigation occurs from a questionable location or Internet Explorer is unable to retrieve the domain context, the navigation is blocked and the user receives a script error message in the Status Bar. If the Web page relies on this blocked navigation, it might become partially unusable, so that when the user clicks a link or button, nothing happens.

What are the Possible Causes of This Issue?

The form element’s submit() or onclick handler provides a reference for two common functionalities blocked by Internet Explorer due to a JavaScript URL:

  • Location.href

  • Window.Open

When Is This Event Logged?

This event is logged when a Web page attempts to run a script URL across a domain.

Note

For more information and examples, see the Event 1034-Cross-Domain Barrier and Script URL Mitigation topic from Internet Explorer Application Compatibility.

Remediation

To enable the script URL to redirect the navigation to a Web site, you can change the way the script runs by using an event handler, an inline script, or provide a call to the execScript method.

Using an Event Handler

You can change the <a href="javascript:alert('hi')" > </a> script URL to include an event handler, such as <a onclick="javascript:alert('hi')" > </a>.

Using an Inline Script

You can run the script URL code, by using an inline script tag. For example:

<script>
  doSomething()
</script>

Using the execScript Method

You can call the execScript method to run your script URL code. For example, you can change window.location = javascript:doSomething() to window.execScript("javascript:doSomething()").

How Can I Work Around This Issue?

You can work around the script URL mitigation security feature by turning off the following registry key:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\ FEATURE_SCRIPTURL_MITIGATION]"iexplore.exe"=dword:00000000

What Happens If I Disable This Security Feature?

If you disable this security feature, you will be more prone to cross-domain attacks. Disabling this feature should only be used as a temporary measure during troubleshooting, to compare the behavior of the application when the feature is enabled and when it is disabled. It is not recommended that this feature be left disabled on an ongoing basis.

See Also

Concepts

Known Internet Explorer Security Feature Issues