Coffeehouse Thread

79 posts

David finally took down Goliath

  • W3bbo

    AndyC said:
    W3bbo said:
    *snip*

    I'm no web expert, I merely hear the swears from across the office. A quick perusal of Twitter feeds apparently reveals that "setting text-decoration on buttons doesn't work" was the latest. Whatever that means?

    text-decoration:; works fine on <button /> but I don't know about <input type="button/submit" />. But that's a very minor thing, why would you want underlined or strike-through on text on a button anyway?

    Little tidbit: <button type="submit" /> isn't correctly implemented in IE6 so you can't use it in ASP.NET without some hackery. Also PocketIE doesn't support it at all, despite being finalised over 10 years ago.

  • SlackmasterK

    W3bbo said:
    AndyC said:
    *snip*

    text-decoration:; works fine on <button /> but I don't know about <input type="button/submit" />. But that's a very minor thing, why would you want underlined or strike-through on text on a button anyway?

    Little tidbit: <button type="submit" /> isn't correctly implemented in IE6 so you can't use it in ASP.NET without some hackery. Also PocketIE doesn't support it at all, despite being finalised over 10 years ago.

    W3bbo said:
    you can't use it in ASP.NET without some hackery.

    How so? I've run and used ASP.NET with IE6, even including AJAX, with no problems. Care to clarify?

  • magicalclick

    fknight said:
    magicalclick said:
    *snip*

    Short of pushing out an update disabling ActiveX under IE and XP, which would make loads of business software and numerous websites all of a sudden non-functional, what else should they do (other than patch whatever needs to be patched, of course)?

    Seeing as the latest vulnerability is mitigated completely in Windows Vista and Windows 7 due to its improved security, I would say they've done what they needed to do as far as ActiveX without breaking existing applications that depend on it.

    If a seven year old operating system and web browser is as much a security problem as it's perceived to be and there's evidence that Vista and Windows 7 solve those, I'm pretty confident as to what the logical answer is.

     

    While that Vista and Win7 is protected someone, that doesn't change the fact that ActiveX is open to other attacks. To cover all the possibilities is hard. I think it is more important to move to a new design with security in mind. ActiveX is simply a dirty man's trick to make something happen, but just like C++, too much freedom comes with a price, and in our current computer era, this is not something we should cheat as old days.

    As for backward compatibility, I am sure you can reenable the old style dirty ActiveX.

     

    Leaving WM on 5/2018 if no apps, no dedicated billboards where I drive, no Store name.
  • AndyC

    magicalclick said:
    fknight said:
    *snip*

    While that Vista and Win7 is protected someone, that doesn't change the fact that ActiveX is open to other attacks. To cover all the possibilities is hard. I think it is more important to move to a new design with security in mind. ActiveX is simply a dirty man's trick to make something happen, but just like C++, too much freedom comes with a price, and in our current computer era, this is not something we should cheat as old days.

    As for backward compatibility, I am sure you can reenable the old style dirty ActiveX.

     

    All binary extensions are susceptible to such problems and they really aren't going to go away. You can put more barriers in the way, but you can't really get total mitigation without crippling the whole purpose of extensions in the first place. Ultimately browser plugins need to be developed with security as their #1 priority. And sadly few are.

  • CreamFilling512

    magicalclick said:
    CreamFilling512 said:
    *snip*

    I didn't think about NSAPI. This is not about comparing who is worse, but to think about a safer way to do the same stuff as ActiveX. Something like ReadOnly ActiveX, and then, you have special user granted WriteToMyDocumentOnly ActiveX, and then, finally, the Admin granted nasty ActiveX. I think it is better to kill ActiveX and think of something with security in mind.

     

    The whole IE process with ActiveX controls is running with Vista's super-low privilege mode and doesn't have write access even to the user profile.

  • W3bbo

    SlackmasterK said:
    W3bbo said:
    *snip*

    How so? I've run and used ASP.NET with IE6, even including AJAX, with no problems. Care to clarify?

    The <button /> element is incompatible with the HtmlButton control class and you cannot respond to server-side events for it.

    So you can use it, but you can't take full advantage of WebForms with it.

  • magicalclick

    CreamFilling512 said:
    magicalclick said:
    *snip*

    The whole IE process with ActiveX controls is running with Vista's super-low privilege mode and doesn't have write access even to the user profile.

    Sounds great. What does that exactly do? Does that mean when I unlock the ActiveX control on IE8, the virus still can't attack my machine while using my Admin account?

    Leaving WM on 5/2018 if no apps, no dedicated billboards where I drive, no Store name.