IE 5.0 Review, Part V: HTML Applications (HTAs) (5)
One of the main advantages of HTAs over regular Web pages is that they are fully trusted. As such, HTAs are allowed actions that Internet Explorer would never approve of for Web pages. The bottom line is that HTAs do not bother the user with questions and interruptions. They are fully trusted.
There are several implications of being a trusted application. HTAs have read/write access to the system registry on the client machine. HTAs run embedded ActiveX controls and Java applets without any warning. Zone security is off for HTAs, so all operations subject to security zone options are nevertheless permitted for HTAs.
The immediate question one may ask is what happens to content in other domains that the HTA window communicates with. Luckily, HTAs extend their trusted privileges to content in other domains. For example, HTAs allow script access between window objects and cookies. Things get stickier when you use IFRAMEs. The new APPLICATION attribute should be used to signal whether the IFRAME is trusted or not. Unless the APPLICATION attribute is set to yes, the IFRAMEs have no script access to the HTA containing them. In addition, several rules are imposed on the untrusted IFRAMEs. The top-level frames of the window behave like the top window. You cannot go from a top-level FRAME to the window containing it. For such a FRAME, window.top and window.self are identical. Also, IFRAMEs permit neither a referrer nor an opener URL from the parent HTA. This is the way to keep insecure data away from a trusted window.
If all content is safe, the APPLICATION attribute can be set to "yes" for all IFRAMEs of the application:
<IFRAME SRC="filename.htm" APPLICATION="yes">
The IFRAME above is permitted to pass information back to its parent window, while the following one is not:
<IFRAME SRC="filename.htm" APPLICATION="no">
This IFRAME should be implemented as regular HTML. It is also subject to the security setting for its zone.
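An added example, not part of the original article: a small Python audit that lists every FRAME and IFRAME in an HTA and reports how the APPLICATION attribute classifies it, flagging trusted frames whose SRC is not local. The sample HTA, the verdict labels and the rule that http/https/ftp, protocol-relative and UNC sources count as remote are assumptions made for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: these schemes mean the frame content is not local.
REMOTE_SCHEMES = {"http", "https", "ftp"}

class FrameAudit(HTMLParser):
    """Record each FRAME/IFRAME and the trust its APPLICATION attribute grants."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, src, verdict)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag not in ("frame", "iframe"):
            return
        a = {name: (value or "") for name, value in attrs}
        src = a.get("src", "").strip()
        # Per the article: only APPLICATION="yes" makes the frame trusted.
        trusted = a.get("application", "").strip().lower() == "yes"
        remote = (src.startswith(("//", "\\\\"))
                  or urlparse(src).scheme.lower() in REMOTE_SCHEMES)
        if trusted and remote:
            verdict = "REVIEW"         # remote content with HTA privileges
        elif trusted:
            verdict = "trusted-local"
        else:
            verdict = "untrusted"      # stays under zone security
        self.findings.append((self.getpos()[0], tag, src, verdict))

def audit_hta(text):
    parser = FrameAudit()
    parser.feed(text)
    parser.close()
    return parser.findings

# Constructed sample HTA (not from the article).
SAMPLE_HTA = """<HTML>
<HEAD><HTA:APPLICATION ID="oHTA" APPLICATIONNAME="demo"></HEAD>
<BODY>
<IFRAME SRC="filename.htm" APPLICATION="yes"></IFRAME>
<IFRAME SRC="filename.htm" APPLICATION="no"></IFRAME>
<IFRAME SRC="http://example.com/news.htm" APPLICATION="yes"></IFRAME>
<IFRAME SRC="http://example.com/ads.htm"></IFRAME>
</BODY>
</HTML>
"""

if __name__ == "__main__":
    for line, tag, src, verdict in audit_hta(SAMPLE_HTA):
        print(f"line {line}: <{tag}> src={src!r} -> {verdict}")
```

Frames reported as REVIEW are the ones to check first, since their content runs with the HTA's full trust rather than under the security settings of its zone.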
Produced by Yehuda Shiran and Tomer Shiran
Created: May 10, 1999
Revised: May 10, 1999