
Re: [www-vrml] SP2 vs. The Plugins



> Oh BTW the missing status bar in SP1 or later version of XP
> is actually a bug, the bar comes and goes at will. Which is
> not a good thing when that is where the security "padlock"
> icon is displayed.

it's available from View menu of IE, but maybe if a page writes to the
status bar via JavaScript, IE shows the statusbar automatically if it's
hidden (haven't tried it). BTW, a page can hide the statusbar when they open
a new HTML window (these are called "window decorations" in Netscape
terminology I think). I agree the "padlock" and other status/feedback icons
are a problem, but web browsers were designed like that originally cause
Netscape envisioned them as an application platform that would replace
classic desktop OS GUIs, like Windows. Few custom app GUI designers would
like to have that bar at the bottom of their window

> > That was already a case and so is with signed applets
> > etc. You can't split
> > that in two prompts, one before downloading the resource
> > and one after (once
> > the OS checked the file downloaded OK, is signed with a
> > valid certificate,
> > has not been tampered with etc.). You can't split that in
> > two files either,
> > you have to prompt the user ONCE before installing. The
> > activeX control is
> > thus considered an integral part of the page
> > functionality and the whole
> > page isn't considered yet downloaded till that downloads
>
> But this is exactly what happens when you download an .exe
> program off a website or CD !
> Firstly it asks if you wish to 'run' or 'save' the file. If
> you then choose 'run' it downloads the file and then
> presents the install wizard etc.

In the case you mention (download a file), you're in fact prompted only once
if you select to "run" the file, not twice. The executable you run may not
show any GUI etc. and just run. There's no install wizard, it just happens
that most stuff you download, AFTER THEY RUN, show a GUI since they're
self-extractable archives that contain an installation GUI (much friendlier
than unix tarballs, but it's executable code that before you run you don't
know what it is).

BTW, it seems XP SP2 now marks executables downloaded from the internet
somehow in your system (maybe in metainfo at the filesystem, don't suppose
it modifies the .EXE cause it would break some installers if it did so
[they'd think the EXE was cracked]). Whenever you run those executables in
the future, it shows a dialog saying this was downloaded from the net, it
checks if they're digitally signed or not, if the signature is valid (file
not tampered with) and asks if you're sure you want to run them (plus has
option to not prompt for that specific file again in the future). Much
better for new users in security means. In previous Windows versions (e.g.
on a Win2000), I had reported to MS that it wasn't even checking if a file
was signed and tampered with (invalid signature) to warn you before you run
that file (you had to right click the file yourself before running it and
see its property pages to check if there was a signature and if it was valid
which was too much for everyday use)

> > (place the site in
> > non-trusted zone to avoid the download in the first place
> > if you care about
> > speed, or change the settings for the "Internet zone" and
> > make it NEVER
> > download ActiveX controls if you want speedup and are
> > sure you won't need
> > and will not want to use ActiveX controls ever)
>
> Try writing a step by step tutorial on the process of doing
> this and you will realize that this is not exactly a user
> friendly task.

very easy:

1) click on the address bar (if not visible, select menu option
View/Toolbars/Address bar)
2) click at the first character of the host part of the URL address (e.g.
the first "w" char of www.someserver.com)
3) shift+click at the last character of the host part of the URL address
(e.g. the last "m" char of www.someserver.com) to select that part
4) right click on the selected URL address part and select "Copy" from the
popup menu
5) go to "Tools/Internet Options..." menu
6) click on the "Security" tab
7) click on "Restricted sites"
8) press the "Default Level" button so that you see the reading "High" at
the "Security level" scrollbar
9) press the "Sites..." button (a new dialog will open)
10) right click in the textbox labeled "Add this website to the zone:" and
select "Paste" from the popup menu
11) press the "Add" button
12) press OK to close the "Restricted sites" dialog
13) press OK to close the "Internet Options" dialog

btw, you can also access that same "Internet Options" dialog from the menus
of various other programs, Microsoft and non-Microsoft ones (they all use
the same settings)

> I think you have missed my point here which is simply...
> ... why is it so hard to actually stop certain ActiveX
> controls from downloading.
>
> And by this I mean for the average computer user, who
> firstly may not know just which website the control was
> downloaded from, and be willing to dig through the
> numerous places of Internet Option to figure out what
> changes what. This is supposed to be as simple as possible,
> it's not rocket science.

Because the user should never know what the page needs in order to show,
they care just to see the page! If the page author says it needs an ActiveX
control, the author knows better if their page will or won't show without
that ActiveX control (e.g. Flux VRML/X3D browser). The user should ONLY be
warned and made aware of the usage of a potentially hazardous item in that
page, if there's a security issue involved. That is they should never see
any warnings, prompts etc. if they have that site in their "Trusted sites"
zone, or if that control is digitally signed by a publisher that they have
already selected to "always trust" at a previous time they had been asked
about some content from that publisher (those publishers are in the
"Content" page of the "Internet Options" dialog, at the "Publishers..."
button and you can add/remove such too manually from there).

The problem of an unsigned control eating up bandwidth to first download and
then having you reply you don't trust it is unsolvable, since the browser
HAS to download the full archive of the control to unpack it and see if it's
signed or not and if the content hasn't been tampered with (say infected by
a virus or some trojan injected in the CAB archive etc.) after it had been
signed. So unless you disable ActiveX controls permanently in your internet
zone (good only if you don't use Flash, VRML/X3D etc.), or per web host or
site (say add them in the "Restricted sites" zone), you'll suffer that time
penalty of getting the controls downloaded first and you getting prompted
after (prompting you twice would be a usability nightmare, plus a page can
contain several such items)

> Let's just say for example CompanyZ brings out an ActiveX
> control which contains a bug that causes problems for
> certain computers, do you think the media will be able to
> explain just how to prevent this ActiveX control from
> being downloaded.

by being downloaded it doesn't mean it RUNS!
so it can't cause absolutely ANY problem if the user doesn't decide to trust
and install it when prompted

in fact with XP SP2, the user's space isn't intruded by some popup dialog
that asks if they trust an ActiveX control, the default setting is to block
them and a sound is played, plus a security bar shown at the top of the
window (under the menubar if that's visible) that prompts you some item was
blocked and to right click there to see more info and be prompted to unblock
that item if you wish. Then the user from there can select to trust a
publisher (say Macromedia) or a website so that they don't get that default
ActiveX control blocking behaviour. That's a bit more problematic for
website designers, but much better for the users who would just press "Yes"
in any popup dialog they saw when they were trying to visit a webpage

> > I do agree though that while a page downloads one
> > shouldn't see a blank
> > window but something better INSIDE the window (not at
> > some status bar or at
> > some rotating browser icon)
>
> well this area would be a good place to put information
> about the plugin itself, perhaps a jpg the content author
> supplies to be shown until the plugin is ready.

the problem is the control might be invisible or 0x0 sized in the page, or
many controls might be there, so it wouldn't always help (although I agree
that showing an optional placeholder with ActiveX control download info
[similar to the optional show-placeholder setting for images IE has] would
be nice [to define in the OBJECT parameters in the HTML]). I was thinking of
the whole page showing something (some progress icon) instead of a blank
screen till some of its content gets ready to render. Cause as it is now
users (esp. on modems) think the browser just "crashed" (cause the window
remains blank for some time and if there's no status bar, you just rely on
the rotating "e" icon to understand it's still working and not "crashed")

cheers,
George

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
George Birbilis <birbilis@kagi.com> [Microsoft MVP for 2004-J#]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ QuickTime VCL and ActiveX controls (for PowerPoint/VB/Delphi etc.)
+ Plugs VCL and ActiveX controls (InterProcess/Internet communication)
+ TransFormations, VB6 forms to ASP.net WebForms conversion
http://www.kagi.com/birbilis
+ Robotics
http://www.mech.upatras.gr/~robgroup
........................................................................
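
The "Sites..." list that the thirteen dialog steps in the message above fill in is stored per user under the ZoneMap\Domains registry key, so the same entry can be written by script. This is an added example, not part of the original message: it uses PowerShell (which postdates the thread), the function name is hypothetical, and www.someserver.com is the message's own placeholder host.

```powershell
# Added example (not from the original message): place a host in the
# "Restricted sites" zone for the current user, as steps 5-13 do in the dialog.
# Step 8 (resetting the zone to its default "High" level) is not scripted here.
$ZoneMapDomains = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$RestrictedZone = 4   # 0 My Computer, 1 Local intranet, 2 Trusted, 3 Internet, 4 Restricted

function Add-RestrictedSite {
    param(
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9.-]+$')]
        [string]$Domain,                            # e.g. someserver.com
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9.-]+$')]
        [string]$SubDomain,                         # e.g. www
        [ValidateSet('*', 'http', 'https', 'ftp')]
        [string]$Scheme = '*'                       # '*' covers every protocol
    )
    # Layout: ...\ZoneMap\Domains\<domain>\<subdomain>, value <scheme> = <zone number>.
    # The .NET registry API is used because a value literally named '*' would be
    # treated as a wildcard by the *-ItemProperty cmdlets.
    $path = "$ZoneMapDomains\$Domain\$SubDomain"
    $key  = [Microsoft.Win32.Registry]::CurrentUser.CreateSubKey($path)   # opens or creates
    try {
        $previous = $key.GetValue($Scheme)          # $null if the host was not mapped before
        $key.SetValue($Scheme, $RestrictedZone, [Microsoft.Win32.RegistryValueKind]::DWord)
        [pscustomobject]@{
            HostName     = "$SubDomain.$Domain"
            Scheme       = $Scheme
            PreviousZone = $previous
            Zone         = $key.GetValue($Scheme)   # read back to confirm the write
        }
    }
    finally {
        $key.Close()
    }
}

# The host used as the example in steps 2 and 3 of the message
Add-RestrictedSite -Domain 'someserver.com' -SubDomain 'www'
```

The entry then appears in the "Restricted sites" list of the same "Internet Options" dialog, where it can be removed again.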
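
On how XP SP2 "marks" a downloaded executable, which the message above leaves open: on NTFS the origin zone is written to an alternate data stream named Zone.Identifier attached to the file, so the .EXE bytes and any signature over them are not modified. The following is an added example, not part of the original message; the function name is hypothetical, the path in the last line is a constructed placeholder, and the cmdlets used require PowerShell 3.0 or later.

```powershell
# Added example: show the two things the "downloaded from the net" dialog
# described above looks at, the zone mark and the Authenticode signature.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';    4 = 'Restricted sites' }

function Get-DownloadMark {
    param([Parameter(Mandatory)][string]$Path)

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop

    # The mark is a small INI-style text stream stored beside the main data:
    #   [ZoneTransfer]
    #   ZoneId=3
    # Files created locally, or copied through a non-NTFS volume, have no such stream.
    $stream = Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier' `
                          -ErrorAction SilentlyContinue
    $zoneId = $null
    foreach ($line in $stream) {
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)\s*$') { $zoneId = [int]$Matches[1] }
    }

    # Status is 'Valid' for an intact signed file, 'NotSigned' when there is no
    # signature, and 'HashMismatch' when the file changed after it was signed.
    $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName

    [pscustomobject]@{
        File              = $file.Name
        Marked            = $null -ne $zoneId
        Zone              = if ($null -ne $zoneId) { $ZoneNames[$zoneId] } else { 'no mark' }
        FromUntrustedZone = ($null -ne $zoneId) -and ($zoneId -ge 3)
        SignatureStatus   = $sig.Status
        Signer            = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }
    }
}

# Constructed placeholder path; point it at any downloaded executable.
Get-DownloadMark -Path "$env:USERPROFILE\Downloads\setup.exe"
```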
