Internet Explorer Window Restrictions

Applies To: Windows Server 2003 with SP1

Note

The Microsoft Windows Server 2003 Internet Explorer Enhanced Security Configuration component (also known as Microsoft Internet Explorer hardening) reduces a server’s vulnerability to attacks from Web content by applying more restrictive Internet Explorer security settings that disable scripts, ActiveX components, and file downloads for resources in the Internet security zone. As a result, many of the security enhancements included in the latest release of Internet Explorer will not be as noticeable in Windows Server 2003 Service Pack 1. For example, the new Internet Explorer Information Bar and Pop-up Blocker features will not be used unless the site is in a zone whose security setting allows scripting. If you are not using the enhanced security configuration on your server, these features will function as they do in Windows XP Service Pack 2.

What does Window Restrictions do?

Internet Explorer provides the capability for scripts to programmatically open additional windows of various types, and to resize and reposition existing windows. The Window Restrictions security feature, formerly called UI Spoofing Mitigation, restricts two types of script-initiated windows that have been used by malicious persons to deceive users:

  • HTML popup windows created by the window.createPopup() method; the appearance of these HTML pop-ups is determined completely by the caller.

  • New Internet Explorer frame windows (also referred to as "pop-up windows") created by the window.open() method. These new frame windows can either show or not show interface elements (such as a title bar, status bar, address bar, and so on) depending on the sFeatures parameter of the window.open() call.

The Window Restrictions feature also constrains script-initiated movement of the frame window to prevent repositioning or resizing the frame window in such a manner that key elements are outside the visible display area. This affects the following methods:

  • moveTo

  • moveBy

  • resizeTo

  • resizeBy

and the following properties:

  • Left

  • Top

  • Width

  • Height

The Window Restrictions feature also forces the status bar to be displayed on all windows created by the window.open() method.

Who does this feature apply to?

Web developers should be aware of these new restrictions to plan changes or workarounds for any possible impact to their Web site.

Application developers should review this feature to plan to adopt changes in their applications. This feature is only enabled by default for Internet Explorer processes. Developers must register non-Internet Explorer applications to take advantage of the changes.

What existing functionality is changing in Windows Server 2003 Service Pack 1?

Script positioning of Internet Explorer windows

Detailed description

Script-initiated placement of new Internet Explorer frame windows and script-initiated positioning of existing frame windows are constrained to ensure that key security-related interface components (the title and status bars, and address bar if displayed) remain visible after the operation completes.

Scripts cannot position windows so that the title bar or address bar is above the visible top of the display.

Scripts cannot position windows such that the status bar is below the visible bottom of the display.

Why is this change important?

Without this change, existing-window movement using the moveTo and moveBy methods and the Left and Top properties, and new windows that are created by the window.open() method can be called by scripts and used to spoof a user interface or desktop or to hide malicious information or activity by one of the three following methods:

  • Positioning the window such that the title bar, status bar, or address bar is off-screen.

  • Positioning the window to hide important elements of the user interface from the user.

  • Positioning the window so that it is entirely off-screen.

The visible security features of Internet Explorer windows provide information to the user to help the user ascertain the source of the Web page and the security of the communication that uses that page. When these elements are hidden from view, users might think they are on a more trusted page or interacting with a system process when they are actually interfacing with a malicious host. Malicious use of window relocation can present false information to the user, obscure important information, or otherwise "spoof" important elements of the user interface in an attempt to motivate the user to take unsafe actions or to divulge sensitive information.

What works differently?

This change places constraints on script-initiated positioning of existing Internet Explorer frame windows and of new frame windows created using the window.open() method, to ensure that the title bar and status bar in these windows are always visible to the user. Scripts cannot move a window off-screen, although the user can still move a window off-screen. If you maintain a script that creates off-screen windows in Internet Explorer, you need to change your code.

How do I resolve these issues?

If your script creates or moves a window off-screen, you should examine this requirement and alternate ways to accomplish your goal.

Script sizing of Internet Explorer windows

Detailed description

Script-initiated resize operations on Internet Explorer frame windows are constrained to ensure that the title bar and status bar remain visible after the operation completes.

Scripts cannot resize existing frame windows or create new frame windows in such a manner that the title bar, address bar, or status bar cannot be seen.

When creating a window, the definition of the fullscreen=yes specification is changed to mean "show the window as maximized," which will keep the title bar, address bar, and status bar visible.

Why is this change important?

Without this change, existing Internet Explorer frame windows can be resized or new frame windows can be created using the window.open() method and used to spoof a user interface or desktop or to hide malicious information or activity by sizing the window so that the status bar is not visible.

Internet Explorer windows provide visible security information to the user to help them ascertain the source of the Web page and the security of the communication with that page. When these elements are not in view, the user might think they are on a more trusted page or interacting with a system process when they are actually interacting with a malicious host. Malicious uses of window sizing can obscure important security-related information, and otherwise spoof important elements of the user interface in an attempt to motivate the user to take unsafe actions or to divulge sensitive information.

What works differently?

With this change, there are constraints on script-initiated resizing operations on existing Internet Explorer frame windows and on the size of the new frame windows created using the window.open() method, to ensure that the title bar and status bar of these windows are always visible to the user. The result is that a script cannot open a window in kiosk mode, a mode that does not display the title bar, address bar, and status bar, which present important security information to the user.

The user can choose to display a window in kiosk mode. This election is still persistent.

How do I resolve these issues?

Script-initiated windows will be displayed fully, with the Internet Explorer title bar and status bar. The user or the site administrator can manually change this state.

Script management of Internet Explorer status bar

Detailed description

Internet Explorer has been modified to always display the status bar in Internet Explorer frame windows created using the window.open() method.

Why is this change important?

Without this change, windows that are created using the window.open() method can be called by scripts and spoof a user interface or desktop or hide malicious information or activity by hiding important elements of the user interface from the user.

The status bar is a security feature of Internet Explorer windows that provides Internet Explorer security zone information to the user. This zone cannot be spoofed, and lets the user know exactly what security zone the displayed content is in. When the status bar is hidden from view, the user might think they are on a more trusted page when they are actually interacting with a malicious host.

What works differently?

On all windows created by the window.open() method, the status bar will be displayed so that the security zone is visible to the user. The 'status=no' or 'status=0' specifications in the sFeatures parameter of the window.open() method are ignored. Application impact depends on the operation carried out on the window as follows:

  • window.open() method calls will not need to be modified, because the optional width and height values passed in the sFeatures parameter specify the size of the content area of the windows and do not include the title bar, status bar, and other window attributes.

  • resizeTo() method calls might need to be modified because the size parameters of the resizeTo() method are for the entire Internet Explorer frame window. Applications that have been creating new frame windows with no status bar using the window.open() method and subsequently resizing them using the resizeTo() method will need to be modified to account for the fact that the windows now have a status bar.
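One way to make a resizeTo() call independent of whether the status bar is present is to measure the chrome instead of hard-coding it. This is an added example, not code from the original page or from Microsoft; resizeContentTo, contentSize, the 400 x 400 probe size and the fake window are hypothetical, and it assumes the client size is already updated when it is read after resizeTo().

```javascript
// Added example: size a script-opened frame window by its content area.
// `win` is a window object such as the one returned by window.open().

function contentSize(win) {
  const doc = win.document;
  const root = doc.documentElement;
  // Standards mode reports the viewport on documentElement, quirks mode on body.
  const el = root && root.clientWidth ? root : doc.body;
  return { width: el.clientWidth, height: el.clientHeight };
}

function resizeContentTo(win, width, height) {
  // resizeTo() takes the size of the entire frame window, so apply a known
  // frame size first and measure how much of it the chrome consumes
  // (title bar, borders and the status bar that is now always displayed).
  const probe = { width: 400, height: 400 };
  win.resizeTo(probe.width, probe.height);
  const inner = contentSize(win);
  const chrome = {
    width: probe.width - inner.width,
    height: probe.height - inner.height
  };
  // Ask for the wanted content size plus the measured chrome.
  win.resizeTo(width + chrome.width, height + chrome.height);
  return chrome;
}

// Constructed stand-in for a frame window so the example runs outside a browser.
function fakeFrameWindow(chromeWidth, chromeHeight) {
  const el = { clientWidth: 0, clientHeight: 0 };
  return {
    document: { documentElement: el, body: el },
    resizeTo(w, h) {
      el.clientWidth = w - chromeWidth;
      el.clientHeight = h - chromeHeight;
    }
  };
}

// The same call yields a 300 x 200 content area with or without a status bar.
const withoutStatusBar = fakeFrameWindow(8, 52);
const withStatusBar = fakeFrameWindow(8, 74);
resizeContentTo(withoutStatusBar, 300, 200);
resizeContentTo(withStatusBar, 300, 200);
console.log(contentSize(withoutStatusBar), contentSize(withStatusBar));
```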

Internet Explorer HTML pop-up window placement

Detailed description

HTML pop-up windows are now constrained so that they:

  • Do not extend above the top or below the bottom of the content window from which they are created. The "content window" is the top-level DOM window object for the page; visually it is the area where the HTML content is displayed, and extends from the bottom of the lowest displayed interface component at the top of the Internet Explorer frame window (the title bar, menu, tool bar, or address bar) to the top of the status bar.

  • Are not taller in height than the content window.

  • Overlap the content window horizontally.

  • Appear immediately above the content window, so that other windows (such as a dialog box) cannot be hidden.

  • Are automatically repositioned to satisfy the constraints above if the content window moves.

Why is this change important?

Pop-up windows are created by the window.createPopup() method and are also called chromeless windows because they do not have the border "chrome" components, such as the address bar, title bar, status bar, and toolbars. Without the constraints previously described, these windows:

  • Can be opened on top of a dialog box and obscure or replace important elements.

  • Can be used to overlay the address bar with a different address.

  • Can simulate a full-screen Windows desktop with a password dialog box.

Unrestricted chromeless windows can deceive the user in several ways:

  • A chromeless pop-up window that is opened on top of a dialog box can obscure or replace important elements of the dialog box, such as warning text and selection or action controls. (These include check boxes, option buttons, and so on.) This might lead the user to a response that might be inappropriate or harmful.

  • A chromeless pop-up window can overlay the address bar with an address that is different from the actual address of the page, which gives the user a false sense of security. In the same way, it can overlay the status notification area, so it might indicate that Internet Explorer is displaying a secure Web page (which displays a URL beginning with https://). Because of this, the user might think that security is in effect for the page when no such security exists.

  • A chromeless pop-up can use the entire display. With this method, a malicious user can simulate a full-screen Windows desktop with a password dialog box, with a malicious script that captures the user’s private authentication information.

What works differently?

HTML pop-up windows are constrained horizontally, vertically, and in order of placement on top of other windows.

An HTML pop-up window must appear between the top and bottom of its parent window’s chrome, so it does not overlap the Internet Explorer address bar, title bar, status bar, or toolbars.

Horizontally, an HTML pop-up window must always overlap some area of its parent window.

An HTML pop-up window must stay immediately on top of its parent, so it cannot be placed over other windows.

These constraints might affect the appearance of an HTML pop-up window if it has been designed to display in an area that is larger or separate from its parent window. The HTML pop-up windows might be repositioned and might also be truncated, which might obscure some of the information displayed in that window.

How do I resolve these issues?

Redesign the HTML pop-up window to fit into the constraints of this mitigation.

What settings are added or changed in Windows Server 2003 Service Pack 1?

There is only one setting for this feature. This setting either enables Window Restrictions or does not enable it. For application compatibility, this feature is not enabled by default for non-Internet Explorer processes.

Internet Explorer Window Restrictions Settings

Setting name: IExplore.exe, Explorer.exe, Msimn.exe, WMPlayer.exe

Location: HKEY_LOCAL_MACHINE (or Current User)\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\

Previous default value: Not applicable

Default value: 1

Possible values: 0 - Off, 1 - On

Do I need to change my code to work with Windows Server 2003 Service Pack 1?

The script will call the same methods for the creation of an Internet Explorer window with chrome (using the window.open() method) or an Internet Explorer chromeless pop-up window (using the window.createPopup() method). However, the design might need to be reviewed to ensure that pop-up windows are appropriately visible to the user and that the status bar contains accurate information.
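As an aid to that review, the following added example (not part of the original page and not Microsoft's code) parses an sFeatures string and reports which specifications Window Restrictions ignores, reinterprets, or constrains as described above. The names parseFeatures and reviewFeatures, the finding labels and the screen argument are hypothetical, and the off-screen checks are approximations against the full display size.

```javascript
// Added example: review a window.open() sFeatures string against the
// Window Restrictions behaviour this page describes.

function parseFeatures(sFeatures) {
  const features = {};
  for (const part of String(sFeatures || "").split(",")) {
    const [rawName, rawValue] = part.split("=");
    const name = rawName.trim().toLowerCase();
    if (!name) continue;
    // Assumption: a bare name such as "fullscreen" counts as "yes".
    features[name] = rawValue === undefined ? "yes" : rawValue.trim().toLowerCase();
  }
  return features;
}

const isOn = (v) => v === "yes" || v === "1";
const isOff = (v) => v === "no" || v === "0";

function reviewFeatures(sFeatures, screen) {
  const f = parseFeatures(sFeatures);
  const left = parseInt(f.left, 10);
  const top = parseInt(f.top, 10);
  const width = parseInt(f.width, 10);
  const height = parseInt(f.height, 10);
  const findings = [];
  // status=no / status=0 is ignored: the status bar is always displayed.
  if (isOff(f.status)) findings.push("status-ignored");
  // fullscreen=yes now means "show the window as maximized", chrome visible.
  if (isOn(f.fullscreen)) findings.push("fullscreen-maximized");
  // Title bar or address bar would be above the visible top of the display.
  if (top < 0) findings.push("top-above-display");
  // width/height give the content area, so if the content already runs past
  // the bottom of the display, the status bar below it would as well.
  if (top + height > screen.height) findings.push("status-bar-below-display");
  // Approximate test for a window requested entirely off-screen.
  if (left >= screen.width || left + width <= 0 || top >= screen.height) {
    findings.push("entirely-off-screen");
  }
  return findings;
}

// Constructed sample call for a 1024 x 768 display.
console.log(reviewFeatures("width=300,height=200,status=no,top=-50",
                           { width: 1024, height: 768 }));
```

An empty result means the string requests nothing that this feature changes; any finding marks a call whose visible result will differ from what the script asked for.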