- From: David Woolley <david@djwhome.demon.co.uk>
- Date: Sun, 26 Oct 2003 19:28:02 +0000 (GMT)
- To: w3c-wai-ig@w3.org
> I am certain that the web site is fine. The reason the control is flagged
> as unsafe is most likely a caution more than anything else.

That is how one gets compromised by internet worms.

An Active-X control that is unsafe for scripting means that a script from a web site can make permanent changes to your system, or retrieve private data, by using that control. It means you must trust the people running the web site and trust that it really is the web site you intended; a minimum requirement for the latter is using SSL (https), but most people don't actually know how to use that securely (but this use of SSL is why the trusted zone in IE can be restricted to SSL sites).

A significant proportion of Microsoft security vulnerabilities are the result of Active-X scripts that should have been marked unsafe for scripting but were not. In fact, the main security reason for disabling scripting these days is because you can't run a control that should have been marked unsafe, if you don't use scripting at all.

A most fundamental rule of security is never disable a security measure just because someone tells you to; if you are unlucky they are attempting a social engineering attack, but, otherwise, they may well not understand the implications of what they are doing and be doing it because it is convenient.
Received on Sunday, 26 October 2003 14:40:14 UTC
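
The following audit script is an added example and is not part of the original message. It assumes the security measure under discussion is the Internet Explorer zone setting "Initialize and script ActiveX controls not marked as safe for scripting" (URL action 1201), and it also reports whether each zone requires https, the restriction the message mentions for the trusted zone. The function name and the review rule are illustrative choices.

```powershell
# Added example: report, per IE security zone, whether scripts may drive
# ActiveX controls that are NOT marked safe for scripting (URL action 1201).
$zoneNames    = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                   3 = 'Internet';    4 = 'Restricted sites' }
$actionText   = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }
$requireHttps = 0x4   # ZAFLAGS_REQUIRE_VERIFICATION bit in the zone's Flags value

function Get-ActiveXOverrideAudit {   # hypothetical name
    param([string[]]$Hives = @('HKCU:', 'HKLM:'))

    foreach ($hive in $Hives) {
        foreach ($zone in 0..4) {
            $key   = "$hive\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if (-not $props) { continue }          # zone key absent in this hive

            $action    = $props.'1201'             # $null when the value is not set
            $httpsOnly = [bool]($props.Flags -band $requireHttps)
            $state     = if ($null -eq $action) { 'Not set' } else { $actionText[[int]$action] }

            # Illustrative review rule (an assumption, not a vendor baseline):
            #  - any remote zone where the override is fully Enabled, or
            #  - Trusted sites where it is not Disabled and https is not required.
            $review = ($zone -ge 1 -and $state -eq 'Enabled') -or
                      ($zone -eq 2 -and $state -in 'Enabled', 'Prompt' -and -not $httpsOnly)

            [pscustomobject]@{
                Hive      = $hive
                Zone      = $zoneNames[$zone]
                Override  = $state
                HttpsOnly = $httpsOnly
                Review    = $review
            }
        }
    }
}

Get-ActiveXOverrideAudit | Sort-Object Hive, Zone | Format-Table -AutoSize
```

Settings enforced through Group Policy live under the corresponding `Software\Policies` key and are not read here.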