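The WRSF security feature in Windows XP SP2 prevents IE from hiding the status bar with status=no in window.open and window.showModalDialog
A while ago I was busy with an ASP.NET item-management system that used window.showModalDialog() to pop up modal dialogs, with status=no so that the dialogs would not show the ugly status bar. I found that this worked fine in the Intranet zone, i.e. the local network (http://localhost), but in the Internet zone the status bar showed up again. No matter how I changed the code it made no difference; status=no seemed to have stopped working. Later I found the following material on the Microsoft website:
Source: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2brows.mspx#E6SAE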
Internet Explorer Using Feature Control Registry Settings with Security Zone Settings
What do Feature Control Registry Settings and Security Zone Settings do?
Feature Control registry settings are provided in Windows XP SP 2 so that a specific process can be configured to opt-in to a particular security feature. In the following example, Internet Explorer has been configured to use the Windows Restrictions security feature (WRSF):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOWS_RESTRICTIONS]
iexplore.exe=1
Once a process has been configured to use a security feature, the security feature is running and security zone settings can be applied for more precision, if implemented for that feature. In the Security Settings tab of Internet Options, the user can adjust these settings for many of the new Windows XP SP2 feature controls. If you select Enable, it lowers the security settings and allows the behavior to run less securely, or in the same manner as it did in Windows XP Service Pack 1. For example, if Windows Restriction is set to Enable in the Intranet zone, Windows Restrictions will not be applied — script-initiated windows can be opened as freely as in Windows XP SP1. The Windows XP SP2 restrictions can be applied again by setting the security zone setting to Disable, which blocks the less-secure behavior while the feature control is enabled for that process.
For example, if the feature is turned on for Windows Restrictions, this feature:
• Forces the status bar to be present in script-initiated Internet Explorer windows with the title bar [those that were created with window.open()].
• Constrains the size and positioning of script-initiated Internet Explorer windows that have title and status bars to ensure that the title bar and the status bar in these windows are always visible to the user.
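I deliberately made the key sentences bold and red. It turns out this is a new security feature in Windows XP SP2, the Windows Restrictions security feature (WRSF). For security, SP2 forces both the title bar and the status bar to be shown in pop-up windows, so that visitors know which address and which page they are visiting, to prevent malicious spoofing. This feature takes effect in the Internet zone but not in the Local intranet zone, which means that under XP SP2 using status=no to hide a window's status bar no longer works. Apart from changing the client registry value described above to turn off the WRSF feature, another solution is to add the system's site address to the "Local intranet" zone on the Security tab of IE's Internet Options on the client. But this seems to lose the biggest advantage of a B/S (browser/server) system: with so many clients, it is impossible to ask everyone who uses the system to make this setting, so the only option is to keep letting the status bar show.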
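To see which of the two settings described above is in effect on a given client, the following read-only PowerShell check reports the feature control opt-in and the per-zone setting. It is an added example, not part of the original post or of Microsoft's documentation. The feature key name is copied as quoted above; the per-user Zones path, the value name 2102, and the meanings 0 = Enable and 3 = Disable are assumptions that the page does not state.

```powershell
# Added example: report whether Windows Restrictions is in effect for IE, per zone.
# Key name copied exactly as quoted on this page; confirm it on the target system.
$featureKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOWS_RESTRICTIONS'
# Assumptions (not on the page): per-user zone settings live under this key, and
# value 2102 is the zone setting paired with Windows Restrictions (0 = Enable, 3 = Disable).
$zonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$actionId  = '2102'
$zoneNames = @{ '0' = 'My Computer'; '1' = 'Local intranet'; '2' = 'Trusted sites'
                '3' = 'Internet';    '4' = 'Restricted sites' }

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    $p = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($p) { $p.$Name } else { $null }
}

# Step 1: has the iexplore.exe process opted in to the feature?
$optIn     = Get-RegValue $featureKey 'iexplore.exe'
$featureOn = ($optIn -eq 1)
"Feature control opt-in for iexplore.exe: $(if ($featureOn) {'on'} else {'off or not set'})"

# Step 2: the zone setting only matters once the process has opted in.
foreach ($zone in ($zoneNames.Keys | Sort-Object)) {
    $value = Get-RegValue (Join-Path $zonesRoot $zone) $actionId
    if (-not $featureOn) {
        $effect = 'not restricted (process has not opted in)'
    } elseif ($value -eq 0) {
        $effect = 'Enable: restrictions NOT applied, status=no is honoured'
    } elseif ($value -eq 3) {
        $effect = 'Disable: restrictions applied, status bar forced'
    } elseif ($null -eq $value) {
        $effect = 'not set for this user (default or policy applies)'
    } else {
        $effect = "other value ($value)"
    }
    '{0,-17} {1}' -f $zoneNames[$zone], $effect
}
```

The script only reads the current user's zone values, so settings pushed through machine-wide policy will not appear in its output.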