Taskpane security problem

R

Roland

hi all

the InfoPath forms i'm developing use a custom taskpane which provides
navigational and other editing features.

the taskpane accesses the InfoPath script domain via the Extension
property, and conversely my InfoPath script accesses the taskpane's
script domain using the HTMLDocument property. all DOM manipulation
is performed within the InfoPath script domain. i have also
successfully implemented IE's drag-and-drop functionality within the
taskpane itself.

i've now noticed a problem running the form (URN-based, fully trusted)
on a test machine that differs from my development machine:

dev: InfoPath SP1 on Windows 2000 SP3 running IE 6.0.2800.1106.
test: InfoPath SP1 on Windows XP Tablet PC Edition having recently
been upgraded to XP SP2, running IE
6.0.2900.2096.xpsp_sp2_rtm.040803-2158.

the problem is that my drag-and-drop features no longer work on the
Tablet PC. i think i have isolated it to being a change in Internet
Explorer's security model in XS SP2.

to test this, i opened my taskpane.htm file in IE directly from
windows explorer. apart from the obvious error of not being able to
access the XDocument property, the taskpane loads and renders just
fine on my dev machine. all my drag-and-drop features work ok too.
the page runs in the "My Computer" domain, based on the icon in the
status bar.

however, trying the same thing on the Tablet PC, the new "Information
Bar" appears with the message "To help protect your security, Internet
Explorer has restricted this file from showing active content that
could access your computer." Goddammit!

After a bit of research, i found some info on the new security
"features" of IE in XP SP2. one of these is the "LMZ Lockdown" which
(defaults to enabled) limits all active content in the Local Machine
Zone, and instead displays the Information Bar allowing the user to
determine whether the page should load any active content.

So i tried to disable this through the Tools -> Internet Options ->
Advanced -> Security -> "Allow active content to run in files on My
Computer" option. restarting IE and reloading my taskpane.htm file
this time runs the script without the Info Bar warning, and my
drag-and-drop features spring back into life.

great, or so i thought: opening my fully-trusted InfoPath form still
has no drag-and-drop ability, regardless of the above setting. the
taskpane area within InfoPath doesn't display the Info Bar, and even
if it did, requiring the user to select "Allow Blocked COntent" each
time the form opens would be kinda dumb, as well as directly
contradicting IP's security guidelines and best practices.

so, what security zone does script in the taskpane run within, ie. is
it "Internet" or "Intranet" ? i don't see a "Local Machine" or "My
Computer" zone in IE's security settings...

i have tried twiddling with both the Internet and Intranet zone's
security settings for active content, but nothing seems to affect the
behaviour. i can't add the form to the Trusted Sites zone because
it's already local (ie. runs directly from the cache on My Computer).

because my form is fully trusted, i would expect it to run in the "My
Computer" domain, and this seems to be confimed by the "Security
Levels, E-Mail Deployment, and Mobile Form Templates" and "Form
Security Model" chapters of the InfoPath SDK.

however this appear not to be consistent with my test: although my
taskpane operates fine when opened directly from My Computer, it still
fails when hosted by InfoPath. does InfoPath somehow change the
security zone for the taskpane area?

i don't want to have the user change their IE security settings, not
that i've found any that make it work, but clearly something in IE 6
XPSP2 has changed such that this feature no longer works within
InfoPath.

nothing i've tried seems to recover my functionality, and i would be
very grateful for more info on the InfoPath <-> IE security
relationship, and specifically, why this particular version
combination (IP SP1 and IE 6 XPSP2) means a loss of functionality.

thanks
roland
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top