Internet Explorer Window Restrictions
Posted by Webmaster (Keymaster), September 8, 2017 at 3:41 pm, #2209
Applies To: Windows Server 2003 with SP1
Note
The Microsoft Windows Server 2003 Internet Explorer Enhanced Security Configuration component (also known as Microsoft Internet Explorer hardening) reduces a server’s vulnerability to attacks from Web content by applying more restrictive Internet Explorer security settings that disable scripts, ActiveX components, and file downloads for resources in the Internet security zone. As a result, many of the security enhancements included in the latest release of Internet Explorer will not be as noticeable in Windows Server 2003 Service Pack 1. For example, the new Internet Explorer Information Bar and Pop-up Blocker features will not be used unless the site is in a zone whose security setting allows scripting. If you are not using the enhanced security configuration on your server, these features will function as they do in Windows XP Service Pack 2.
What does Window Restrictions do?
Internet Explorer provides the capability for scripts to programmatically open additional windows of various types, and to resize and reposition existing windows. The Window Restrictions security feature, formerly called UI Spoofing Mitigation, restricts two types of script-initiated windows that have been used by malicious persons to deceive users:
HTML pop-up windows created by the window.createPopup() method; the appearance of these HTML pop-ups is determined completely by the caller.
New Internet Explorer frame windows (also referred to as “pop-up windows”) created by the window.open() method. These new frame windows can either show or not show interface elements (such as a title bar, status bar, address bar, and so on) depending on the sFeatures parameter of the window.open() call.
The Window Restrictions feature also constrains script-initiated movement of the frame window to prevent repositioning or resizing the frame window in such a manner that key elements are outside the visible display area. This affects the following methods:
moveTo
moveBy
resizeTo
resizeBy
and the following properties:
Left
Top
Width
Height
The Window Restrictions feature also forces the status bar to be displayed on all windows created by the window.open() method.
Who does this feature apply to?
Web developers should be aware of these new restrictions to plan changes or workarounds for any possible impact to their Web site.
Application developers should review this feature to plan to adopt changes in their applications. This feature is only enabled by default for Internet Explorer processes. Developers must register non-Internet Explorer applications to take advantage of the changes.
What existing functionality is changing in Windows Server 2003 Service Pack 1?
Script positioning of Internet Explorer windows
Detailed description
Script-initiated placement of new Internet Explorer frame windows and script-initiated positioning of existing frame windows are constrained to ensure that key security-related interface components (the title and status bars, and the address bar if displayed) remain visible after the operation completes.
Scripts cannot position windows so that the title bar or address bar are above the visible top of the display.
Scripts cannot position windows such that the status bar is below the visible bottom of the display.
Why is this change important?
Without this change, existing-window movement using the moveTo and moveBy methods and the Left and Top properties, and new windows that are created by the window.open() method, can be called by scripts and used to spoof a user interface or desktop or to hide malicious information or activity by one of the three following methods:
Positioning the window such that the title bar, status bar, or address bar are off-screen.
Positioning the window to hide important elements of the user interface from the user.
Positioning the window so that it is entirely off-screen.
The visible security features of Internet Explorer windows provide information to the user to help the user ascertain the source of the Web page and the security of the communication that uses that page. When these elements are hidden from view, users might think they are on a more trusted page or interacting with a system process when they are actually interfacing with a malicious host. Malicious use of window relocation can present false information to the user, obscure important information, or otherwise “spoof” important elements of the user interface in an attempt to motivate the user to take unsafe actions or to divulge sensitive information.
What works differently?
This change places constraints on script-initiated positioning of existing Internet Explorer frame windows and of new frame windows created using the window.open() method, to ensure that the title bar and status bar in these windows are always visible to the user. Scripts cannot move a window off-screen, although the user can still move a window off-screen. If you maintain a script that creates off-screen windows in Internet Explorer, you need to change your code.
How do I resolve these issues?
If your script creates or moves a window off-screen, you should examine this requirement and alternate ways to accomplish your goal.
Script sizing of Internet Explorer windows
Detailed description
Script-initiated resize operations on Internet Explorer frame windows are constrained to ensure that the title bar and status bar remain visible after the operation completes.
Scripts cannot resize existing frame windows or create new frame windows in such a manner that the title bar, address bar, or status bar cannot be seen.
When creating a window, the definition of the fullscreen=yes specification is changed to mean “show the window as maximized,” which will keep the title bar, address bar, and status bar visible.
Why is this change important?
Without this change, existing Internet Explorer frame windows can be resized or new frame windows can be created using the window.open() method and used to spoof a user interface or desktop or to hide malicious information or activity by sizing the window so that the status bar is not visible.
Internet Explorer windows provide visible security information to the user to help them ascertain the source of the Web page and the security of the communication with that page. When these elements are not in view, the user might think they are on a more trusted page or interacting with a system process when they are actually interacting with a malicious host. Malicious uses of window sizing can obscure important security-related information, and otherwise spoof important elements of the user interface in an attempt to motivate the user to take unsafe actions or to divulge sensitive information.
What works differently?
With this change, there are constraints on script-initiated resizing operations on existing Internet Explorer frame windows and on the size of the new frame windows created using the window.open() method, to ensure that the title bar and status bar of these windows are always visible to the user. The result is that a script cannot open a window in kiosk mode, a mode that does not display the title bar, address bar, and status bar, which present important security information to the user.
The user can still choose to display a window in kiosk mode, and that choice is still persisted.
How do I resolve these issues?
Script-initiated windows will be displayed fully, with the Internet Explorer title bar and status bar. The user or the site administrator can manually change this state.
Script management of Internet Explorer status bar
Detailed description
Internet Explorer has been modified to always display the status bar in Internet Explorer frame windows created using the window.open() method.
Why is this change important?
Without this change, windows that are created using the window.open() method can be called by scripts and used to spoof a user interface or desktop or to hide malicious information or activity by hiding important elements of the user interface from the user.
The status bar is a security feature of Internet Explorer windows that provides Internet Explorer security zone information to the user. This zone cannot be spoofed, and lets the user know exactly what security zone the displayed content is in. When the status bar is hidden from view, the user might think they are on a more trusted page when they are actually interacting with a malicious host.
What works differently?
On all windows created by the window.open() method, the status bar will be displayed so that the security zone is visible to the user. The ‘status=no’ or ‘status=0’ specifications in the sFeatures parameter of the window.open() method are ignored.
Application impact depends on the operation carried out on the window as follows:
window.open() method calls will not need to be modified, because the optional width and height values passed in the sFeatures parameter specify the size of the content area of the window and do not include the title bar, status bar, and other window attributes.
resizeTo() method calls might need to be modified because the size parameters of the resizeTo() method are for the entire Internet Explorer frame window. Applications that have been creating new frame windows with no status bar using the window.open() method and subsequently resizing them using the resizeTo() method will need to be modified to account for the fact that the windows now have a status bar.
Internet Explorer HTML pop-up window placement
Detailed description
HTML pop-up windows are now constrained so that they:
Do not extend above the top or below the bottom of the content window from which they are created. The “content window” is the top-level DOM window object for the page; visually it is the area where the HTML content is displayed, and extends from the bottom of the lowest displayed interface component at the top of the Internet Explorer frame window (the title bar, menu, tool bar, or address bar) to the top of the status bar.
Are not taller in height than the content window.
Overlap the content window horizontally.
Appear immediately above the content window, so that other windows (such as a dialog box) cannot be hidden.
Are automatically repositioned to satisfy the constraints above if the content window moves.
Why is this change important?
Pop-up windows are created by the window.createPopup() method and are also called chromeless windows because they do not have the border “chrome” components, such as the address bar, title bar, status bar, and toolbars. Without the constraints previously described, these windows:
Can be opened on top of a dialog box and obscure or replace important elements.
Can be used to overlay the address bar with a different address.
Can simulate a full-screen Windows desktop with a password dialog box.
Unrestricted chromeless windows can deceive the user in several ways:
A chromeless pop-up window that is opened on top of a dialog box can obscure or replace important elements of the dialog box, such as warning text and selection or action controls. (These include check boxes, option buttons, and so on.) This might lead the user to a response that might be inappropriate or harmful.
A chromeless pop-up window can overlay the address bar with an address that is different from the actual address of the page, which gives the user a false sense of security. In the same way, it can overlay the status notification area, so it might indicate that Internet Explorer is displaying a secure Web page (which displays a URL beginning with https://). Because of this, the user might think that security is in effect for the page when no such security exists.
A chromeless pop-up can use the entire display. With this method, a malicious user can simulate a full-screen Windows desktop with a password dialog box, with a malicious script that captures the user’s private authentication information.
What works differently?
HTML pop-up windows are constrained horizontally, vertically, and in order of placement on top of other windows.
An HTML pop-up window must appear between the top and bottom of its parent window’s chrome, so it does not overlap the Internet Explorer address bar, title bar, status bar, or toolbars.
Horizontally, an HTML pop-up window must always overlap some area of its parent window.
An HTML pop-up window must stay immediately on top of its parent, so it cannot be placed over other windows.
These constraints might affect the appearance of an HTML pop-up window if it has been designed to display in an area that is larger or separate from its parent window. The HTML pop-up windows might be repositioned and might also be truncated, which might obscure some of the information displayed in that window.
How do I resolve these issues?
Redesign the HTML pop-up window to fit into the constraints of this mitigation.
What settings are added or changed in Windows Server 2003 Service Pack 1?
There is only one setting for this feature. This setting either enables the Window Restrictions or does not enable them. For application compatibility, this feature is not enabled by default for non-Internet Explorer processes.
Internet Explorer Window Restrictions Settings
Setting name: IExplore.exe, Explorer.exe, Msimn.exe, WMPlayer.exe (one value per process executable name)
Location: HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\
Previous default value: Not applicable
Default value: 1
Possible values: 0 - Off, 1 - On
Do I need to change my code to work with Windows Server 2003 Service Pack 1?
The script will call the same methods for the creation of an Internet Explorer window with chrome (using the window.open() method) or an Internet Explorer chromeless pop-up window (using the window.createPopup() method). However, the design might need to be reviewed to ensure that pop-up windows are appropriately visible to the user and that the status bar contains accurate information.
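As an added example (not code from the original post, and not Microsoft's implementation), the following Node.js model walks the three spoofing moves the post describes (title bar pushed above the top, status bar pushed below the bottom, window pushed entirely off-screen) and the chromeless-overlay case through the clamping rules the post states, so a developer can see what a restricted browser will do to a given window.open() feature string, moveTo/resizeTo rectangle, or createPopup() rectangle without a browser. The chrome heights in CHROME, the MIN_VISIBLE_WIDTH strip, the 1 px horizontal overlap for pop-ups, and all function names are assumptions for illustration; the post gives the rules, not the pixel values.

```javascript
// Added example: a Node.js model of the Window Restrictions rules described
// above. Not code from the original post or from Microsoft. Chrome heights,
// the minimum on-screen strip and the 1px overlap are assumed values.

const CHROME = { title: 30, address: 28, status: 22 }; // assumed heights in px
const MIN_VISIBLE_WIDTH = 100;                          // assumed: must stay on-screen

// Interpret a window.open() sFeatures string the way the restricted browser
// does: "status=no"/"status=0" is ignored (status bar always shown) and
// "fullscreen=yes" now means "maximized", so title, address and status bars
// stay visible. width/height remain the content-area size, so they are kept.
function parseFeatures(sFeatures) {
  const f = {};
  for (const part of String(sFeatures || "").split(",")) {
    const [k, v = "yes"] = part.split("=").map((s) => s.trim().toLowerCase());
    if (k) f[k] = v;
  }
  const yes = (v) => v === "yes" || v === "1" || v === "true";
  return {
    width: f.width === undefined ? undefined : Number(f.width),
    height: f.height === undefined ? undefined : Number(f.height),
    status: true,                                // requested status=no is ignored
    maximized: f.fullscreen !== undefined && yes(f.fullscreen),
    kiosk: false,                                // scripts can no longer open kiosk mode
  };
}

// Clamp a frame-window rectangle (outer size, as moveTo/resizeTo use it) so the
// title bar is not above the visible top, the status bar is not below the
// visible bottom, the window is tall enough to show its chrome, and it can
// never be pushed entirely off-screen horizontally.
function constrainFrameWindow(rect, screen, showAddressBar = true) {
  const minHeight = CHROME.title + (showAddressBar ? CHROME.address : 0) + CHROME.status;
  let { left, top, width, height } = rect;
  height = Math.min(Math.max(height, minHeight), screen.height);
  width = Math.max(width, MIN_VISIBLE_WIDTH);
  top = Math.max(0, Math.min(top, screen.height - height));
  left = Math.max(MIN_VISIBLE_WIDTH - width, Math.min(left, screen.width - MIN_VISIBLE_WIDTH));
  return { left, top, width, height };
}

// The "content window" of a frame: everything between the lowest top-chrome
// element and the status bar. createPopup() windows are confined to it.
function contentAreaOf(frame, showAddressBar = true) {
  const topChrome = CHROME.title + (showAddressBar ? CHROME.address : 0);
  return {
    left: frame.left,
    top: frame.top + topChrome,
    width: frame.width,
    height: frame.height - topChrome - CHROME.status,
  };
}

// Clamp a window.createPopup() rectangle: no taller than the content window,
// fully inside it vertically, overlapping it horizontally (assumed 1px minimum),
// and stacked immediately above its parent. Call again whenever the parent moves.
function constrainPopup(popup, content) {
  let { left, top, width, height } = popup;
  height = Math.min(height, content.height);
  top = Math.max(content.top, Math.min(top, content.top + content.height - height));
  const minLeft = content.left - width + 1;
  const maxLeft = content.left + content.width - 1;
  left = Math.max(minLeft, Math.min(left, maxLeft));
  return { left, top, width, height, zOrder: "immediately above parent" };
}

// Walk the spoofing moves from the text through the model on a 1024x768 screen.
function demo() {
  const screen = { width: 1024, height: 768 };
  const frame = constrainFrameWindow({ left: 0, top: 0, width: 1024, height: 768 }, screen);
  return {
    titleBarPushedOffTop: constrainFrameWindow({ left: 200, top: -300, width: 400, height: 300 }, screen),
    statusBarPushedOffBottom: constrainFrameWindow({ left: 200, top: 700, width: 400, height: 300 }, screen),
    entirelyOffScreen: constrainFrameWindow({ left: -5000, top: 100, width: 400, height: 300 }, screen),
    fakeLoginOverlay: constrainPopup({ left: 0, top: -100, width: 1024, height: 2000 }, contentAreaOf(frame)),
    statusNoIgnored: parseFeatures("width=300,height=200,status=no,toolbar=no"),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
if (typeof module !== "undefined") {
  module.exports = { CHROME, MIN_VISIBLE_WIDTH, parseFeatures, constrainFrameWindow, contentAreaOf, constrainPopup, demo };
}
```

The useful reading is in the demo output: the off-top window lands at top 0, the off-bottom window is pulled up so its status bar ends at the screen edge, the off-screen window keeps a MIN_VISIBLE_WIDTH strip on-screen, and the full-screen "login" overlay is cut down to the parent's content area, which is why it can no longer cover the address bar or the status bar.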