What is XMLHTTP? How to use security zones in Internet Explorer
2014-03-13 02:48
591 查看
Types of Security Zones
Internet Zone
This zone contains Web sites that are not on your computer or on your local intranet, or that are not already assigned to another zone. The default security level is Medium.Local Intranet Zone
By default, the Local Intranet zone contains all network connections that were established by using a Universal Naming Convention (UNC) path, and Web sites that bypass the proxy server or have names that do not include periods (for example, http://local), as long as they are not assigned to either the Restricted Sites or Trusted Sites zone. The default security level for the Local Intranet zone is set to Medium (Internet Explorer 4) or Medium-low (Internet Explorer 5 and 6). Be aware that when you access a local area network (LAN) or an intranet share, or an intranet Web site by using an Internet Protocol (IP) address or by using a fully qualified domain name (FQDN), the share or Web site is identified as being in the Internet zone instead of in the Local intranet zone. For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:303650 Intranet site is identified as an Internet site when you use an FQDN or an IP address
Trusted Sites Zone
This zone contains Web sites that you trust as safe (such as Web sites that are on your organization's intranet or that come from established companies in whom you have confidence). When you add a Web site to the Trusted Sites zone, you believe that files you download or that you run from the Web site will not damage your computer or data. By default, there are no Web sites that are assigned to the Trusted Sites zone, and the security level is set to Low.Restricted Sites Zone
This zone contains Web sites that you do not trust. When you add a Web site to the Restricted Sites zone, you believe that files that you download or run from the Web site may damage your computer or your data. By default, there are no Web sites that are assigned to the Restricted Sites zone, and the security level is set to High.The Restricted Sites zone contains Web sites that are not on your computer or on your local intranet, or that are not already assigned to another zone. The default security level is Medium.
Note Security settings are applied only to files on your computer that are in the Temporary Internet Files folder. These settings use the security level of the Web site from which the files came. All other files are assumed to be safe.
What is XMLHTTP?
XMLHTTP was first introduced as a Microsoft ActiveX control in Microsoft Internet Explorer 5. Over time, this object has been implemented by other browsing platforms and is the cornerstone of Web applications based on Asynchronous JavaScript and XML (AJAX) and Simple Object Access Protocol (SOAP). The XMLHTTP object enables the browser to send and receive asynchronous, out-of-band HTTP requests to the Web server, which responds with XML. The response can be manipulated with client-side script or transformed with Extensible Stylesheet Language Transformations (XSLT). XMLHTTP makes it possible to create responsive Web applications that do not have to refresh the entire page to display new data.Charting the Changes
In Microsoft Internet Explorer 6 and earlier, XMLHTTP was implemented as an ActiveX object provided by Microsoft XML (MSXML). Beginning with Internet Explorer 7, XMLHTTP is also exposed as a native scripting object.XMLHTTP in IE7 vs. IE6
The native implementation of the XMLHTTP object is designed with cross-browser compatibility in mind. With just a bit of script, it is easy to build a function that works with either version of Windows Internet Explorer, or any browser that supports XMLHTTP. See XMLHttpRequest for complete documentation and examples.var xmlHttp = null;
if (window.XMLHttpRequest) {
// If IE7, Mozilla, Safari, and so on: Use native object.
xmlHttp = new XMLHttpRequest();
}
else
{
if (window.ActiveXObject) {
// ...otherwise, use the ActiveX control for IE5.x and IE6.
xmlHttp = new ActiveXObject('MSXML2.XMLHTTP.3.0');
}
}Internet Explorer 7 supports the legacy implementation of XMLHTTP in addition to the new native object, so pages currently using the ActiveX control do not have to be rewritten. However, it is more efficient to create a native scriptable object than to create an ActiveX object. This is especially beneficial to those AJAX applications that create a new XMLHTTP object for each request.
The native object also supports the use of expandos (custom properties), and properly recognizes the 'this' notation of JavaScript.
ActiveX vs. XMLHTTP
Users and organizations that choose to disallow ActiveX controls can still use XMLHTTP-based Web applications in Internet Explorer 7. However, native XMLHTTP support can be disabled from theAdvanced settings tab of the Internet Options dialog box, as shown in the following screen shot.
Clients can configure their own policy and simultaneously retain functionality across key AJAX scenarios. By default, the native implementation of XMLHTTP is enabled for all MSHTML hosts; however, individual host applications can choose to disable XMLHTTP with the FEATURE_XMLHTTP feature control key. An organization can use Group Policy to disable XMLHTTP for all users of its network.
If native XMLHTTP has been disabled, developers can override the XMLHttpRequest property of the window object with the MSXML-XMLHTTP control, unless ActiveX has also been disabled, as in the following example.
if (!window.XMLHttpRequest) {
window.XMLHttpRequest = function() {
try {
return new ActiveXObject('MSXML2.XMLHTTP.3.0');
}
catch (ex) {
return null;
}
}
}Security: Cross-Domain and Zone Policy
Before an XMLHTTP request is sent, the URL of the hosting page is compared to the URL in the open method to determine if the URLs are in the same domain. If not, the request is handled according to the policy of the security zone in which the request originates. The native XMLHTTP object uses logic inherited from MSXML-XMLHTTP to determine how to handle cross-domain data requests, based on the following rules:Cross-domain requests are allowed within the same zone if the Internet Explorer security manager has allowed "Access data sources across domains" (URLACTION_CROSS_DOMAIN_DATA) either implicitly or by prompting the user.
If the request is from a more trusted security zone to a less trusted one, the security settings of the originating zone apply. (The security zones, in order of trust, are as follows: Local Machine, Trusted Sites, Local Intranet, Internet.)
All cross-domain requests to or within the Restricted Sites zone are disallowed, regardless of selected security zone policy.
Note In Internet Explorer 7, the default settings for cross-domain data access are set to "deny" for all security zones. Site developers might want to allow cross-site domain access for the Trusted Sites zone, and then add sites to this zone to test software under development. However, this architecture is intended only as a temporary workaround, and is not recommended for fully developed software.
Because the MSXML-XMLHTTP component is used to determine the policy for cross-domain access across zones, a trusted site can access data from a site in the Intranet zone, while the reverse is always denied. Wherever "Query Policy" appears in the following table, the security manager is consulted for the appropriate action: to allow, to deny, or to prompt the user.
| From / To | Local | Trusted | Intranet | Internet | Restricted |
|---|---|---|---|---|---|
| Local | Disallowed | Query Policy | Query Policy | Query Policy | Deny |
| Trusted | Deny | Query Policy | Query Policy | Query Policy | Deny |
| Intranet | Deny | Deny | Query Policy | Query Policy | Deny |
| Internet | Deny | Deny | Deny | Query Policy | Deny |
| Restricted | Deny | Deny | Deny | Deny | Deny |
Internet Explorer only permits the following HTTP methods: "GET", "POST", "HEAD", "PUT", "DELETE", "MOVE", "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "LOCK", "UNLOCK", and "OPTIONS".
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- How to run a user control assembly that is hosted on Internet Information Services (IIS) in Internet Explorer
- What is reflection and how to use it in CSharp ?
- How to use Security Policies in WebLogic SCA Web Service Binding
- How to use SSH Via HTTP Proxy using Corkscrew in Ubuntu
- How To Use Proxy Server To Access Internet at Shell Prompt With http_proxy Variable. [reprint]
- How to use GET and POST methods in HTTP from a MIDlet
- Internet Information Services is not installed. You must have Internet Information Services installed in order to use the SharePoint Products and Technologies Configuration Wizard
- Windows,Introduction to COM - What It Is and How to Use It.
- Introduction to COM - What It Is and How to Use It.(ZT)
- How to use HttpWebRequest to post data to another page which is on another server
- How to disable Internet Explorer Enhanced Security Configuration on a Windows 2008 Server? 如何禁用IE增强安全配置?
- How to use $http and $resource in Angular JS
- How to figure out what package something is in without resorting to Google
- What is UMASK and how to set UMASK in Linux/Unix?
- HOW TO: Change the Owner of a User-Defined Data Type That Is in Use in SQL Server 2000
- MySpace Unraveled: What it is and how to use it safely
- How to use HttpWebRequest and HttpWebResponse in .NET
- http://url is already routed to the Default zone of another application. Remove that mapping or use a different URL
- How to Enable 64-bit Processes for Enhanced Protected Mode in Internet Explorer 11 (IE11)
- HOW-TO: Debug JavaScript in Internet Explorer(step by step)