



IE 5.0 Review, Part V: HTML Applications (HTAs) (5)


Trusting HTAs

One of the main advantages of HTAs over regular Web pages is that they are fully trusted. As such, HTAs are allowed actions that Internet Explorer would never permit for a Web page. The bottom line is that HTAs do not bother the user with security questions and interruptions: no trust decision is left to the user at run time, because the HTA is treated as an installed, fully trusted application.

Being a trusted application has several implications. HTAs have read/write access to the system registry on the client machine. HTAs run embedded ActiveX controls and Java applets without any warning. Zone security is turned off for HTAs, so every operation that a security zone setting would normally restrict or prompt for is simply permitted.

The immediate question is what happens to content from other domains that the HTA window communicates with. HTAs extend their trusted privileges to such content: for example, script access between window objects and to cookies is allowed across domains. Things get stickier when you use FRAMEs and IFRAMEs. The new APPLICATION attribute signals whether a FRAME or IFRAME is trusted. Unless APPLICATION is set to yes, the FRAME or IFRAME has no script access to the HTA containing it. Several further rules are imposed on untrusted FRAMEs and IFRAMEs. A top-level untrusted frame behaves like a top window: you cannot navigate from it to the window that contains it, and for such a FRAME window.top and window.self are identical. Also, untrusted FRAMEs and IFRAMEs receive neither a referrer nor an opener URL from the parent HTA. This is how untrusted data is kept away from the trusted window: content the author did not explicitly mark as part of the application is handled as ordinary Web content, and nothing about the hosting HTA leaks into it.

If all content is safe, the APPLICATION attribute can be set to "yes" for all FRAMEs and IFRAMEs of the application:

<IFRAME SRC="filename.htm" APPLICATION="yes">

The above IFRAME is permitted to pass information back to its parent window, while the following one is not:

<IFRAME SRC="filename.htm" APPLICATION="no">

The second IFRAME is treated as regular HTML rather than as part of the application: it cannot script its parent and it is subject to the security settings of its zone. This is also how a FRAME or IFRAME behaves when the attribute is omitted, so content is untrusted unless you say otherwise.
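The two files below are an added example, not code from the original column, that exercises both of the points above: the parent HTA uses its full trust to write, read back and delete a registry value, and it loads the same child document into two IFRAMEs that differ only in their APPLICATION attribute, so the child can report which trust level it received. The file names trust-demo.hta and child.htm, the registry key HKCU\Software\HtaTrustDemo and the use of the WScript.Shell object for registry access are assumptions for this example; the column itself only states that HTAs may read and write the registry. Save both files in the same directory and open trust-demo.hta.

```html
<!-- ===== trust-demo.hta (hypothetical file name; must carry the .hta extension) ===== -->
<html>
<head>
<title>HTA trust demo</title>
<HTA:APPLICATION ID="trustDemo" APPLICATIONNAME="TrustDemo" BORDER="thin" SCROLL="no">
<script language="JScript">
// Full trust at work: a registry write, read and delete with no prompt.
// WScript.Shell is an assumed route to the registry, not one named by the column.
var TEST_KEY = "HKCU\\Software\\HtaTrustDemo\\";   // hypothetical test key

function registryRoundTrip() {
  var sh = new ActiveXObject("WScript.Shell");      // no ActiveX warning inside an HTA
  sh.RegWrite(TEST_KEY + "Marker", "written by HTA", "REG_SZ");
  var back = sh.RegRead(TEST_KEY + "Marker");
  sh.RegDelete(TEST_KEY + "Marker");                 // remove the value ...
  sh.RegDelete(TEST_KEY);                            // ... then the key (trailing backslash)
  return back;
}

// Only a frame with APPLICATION="yes" can reach this function through parent.
function report(who, msg) {
  var li = document.createElement("li");
  li.innerText = who + ": " + msg;
  document.getElementById("log").appendChild(li);
}

window.onload = function () {
  report("parent", "registry round trip -> " + registryRoundTrip());
};
</script>
</head>
<body>
<ul id="log"></ul>
<!-- Same child document in both frames; only the APPLICATION attribute differs. -->
<iframe src="child.htm" application="yes" name="trusted" width="100%" height="60"></iframe>
<iframe src="child.htm" application="no"  name="untrusted" width="100%" height="60"></iframe>
</body>
</html>

<!-- ===== child.htm (hypothetical file name) ===== -->
<html>
<body>
<script language="JScript">
// Probe the rules from the text: in an untrusted frame window.top == window.self,
// the parent HTA is unreachable, and no referrer arrives from it.
function probe() {
  var isolated = (window.top == window.self);
  var referrer = document.referrer ? document.referrer : "(none)";
  var msg;
  if (isolated) {
    msg = "untrusted: top == self, parent not reachable, referrer " + referrer;
  } else {
    msg = "trusted: parent reachable, referrer " + referrer;
    try {
      parent.report(window.name, msg);               // allowed only with APPLICATION="yes"
    } catch (e) {
      msg = "parent.report() refused: " + e.message; // would indicate an untrusted frame
    }
  }
  document.body.innerText = msg;
}
probe();
</script>
</body>
</html>
```

The trusted frame appends a line to the parent's log, while the untrusted frame can only write into its own body; if you open child.htm directly in the browser rather than through the HTA, it reports the same untrusted state, which is exactly the point of APPLICATION="no".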

When you run HTAs, take the same precautions as with any executable: an HTA runs with the full privileges of the user who launches it, and none of the browser's zone restrictions apply. Only install HTAs produced by reliable sources such as your intranet at work, an established software vendor, and, of course, Doc JavaScript.


Produced by Yehuda Shiran and Tomer Shiran



Created: May 10, 1999
Revised: May 10, 1999

URL: http://www.webreference.com/js/column39/trust.html