Sign in with
Sign up | Sign in
Your question

MS Security update 891781 - Microsoft Security Bulletin MS..

Last response: in Windows XP
Share
February 28, 2005 11:59:04 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Concerning MS Security update 891781 - Microsoft Security Bulletin MS05-013,
there appears to be no technical documentation on what was done. I now have
scripts that no longer function. What are the workarounds with this update,
is there any technical information on what was done?

My specific problem works when this security update is removed, and doesn't
work when installed... Javascript code is similar to follows:

two servers:

document.domain = 'mydomain.com';
// code here
document.domain='myserver.mydoomain.com';
showModalDialog(calledPage, window, "dialogWidth:" + width +
"px;dialogHeight:" + height + "px;help:no;scroll:no;status:no");

and then the called page on myserver:

var oDOM = dialogArguments.objContent.DOM;

with this, access is denied, when it was working fine before. I don't see a
way around this issue, with this security update, short of asking everyone to
remove the security update.

Thanks
Anonymous
a b 8 Security
March 3, 2005 6:25:01 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

I've had this problem too, except that I'm using the control in a win32
application.

Have you found a workaround, or is there one forthcoming from MS?

Ta, Steve.

"Grover" wrote:

> Concerning MS Security update 891781 - Microsoft Security Bulletin MS05-013,
> there appears to be no technical documentation on what was done. I now have
> scripts that no longer function. What are the workarounds with this update,
> is there any technical information on what was done?
>
> My specific problem works when this security update is removed, and doesn't
> work when installed... Javascript code is similar to follows:
>
> two servers:
>
> document.domain = 'mydomain.com';
> // code here
> document.domain='myserver.mydoomain.com';
> showModalDialog(calledPage, window, "dialogWidth:" + width +
> "px;dialogHeight:" + height + "px;help:no;scroll:no;status:no");
>
> and then the called page on myserver:
>
> var oDOM = dialogArguments.objContent.DOM;
>
> with this, access is denied, when it was working fine before. I don't see a
> way around this issue, with this security update, short of asking everyone to
> remove the security update.
>
> Thanks
March 3, 2005 7:33:02 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

There is virtually no documentation on this from Microsoft, (only consumer
info, and not technical)- All of microsoft's documentation say that if you
change both pages to a second-level domain for the document.domain, then it
should function. There is one exception, which was another past security
update that stated the showModalWindow and dialogArguments needed to be in a
local variable and then change the document.domain, before passing. I was
able to workaround some of this by creating a local variable with a pointer
to the other object in the other domain (my second-level one), however, the
new MS "fix" seems to break that, as I get null objects back then. -No access
denied, no Permission denied, just Null objects. This was the same code as I
had working for a year.

Instead, what I have done is simply avoided the issue... I have taken any
cross-domain functionality that used to be in the dialog box page I created,
and moved it to it's calling page, that could deal with cross-domains. So, I
set the returnValue of the dialog page to an object with properties that I
wanted passed back for example, and do my code work there on the page after I
called showModalWindow(). I know it's not as pretty, but it's a workaround,
and it seems to work... well, almost...

now, randomly, it seems when I update the DOM object, when in the second
level domain, the calling page doesn't pass its updated contents(from a form)
from time to time. I am going to try again updating it using the
3rdlevel.2ndlvlDomain.com when the form is submitted, so maybe that will give
back the callingpage the rights to see it and pass it on. Like I said, it
seems to be a random thing, there's no consistency to when it happens. But,
for the most part, it's a workaround.

If you recall the code I had before from a past post, this is basically what
i've done to make that work...

> > document.domain = 'mydomain.com';
> > // code here
> > document.domain='myserver.mydoomain.com';
> > showModalDialog(calledPage, window, "dialogWidth:" + width +
> > "px;dialogHeight:" + height + "px;help:no;scroll:no;status:no");

document.domain = 'mydomain.com';
var oDOM = dialogArguments.objContent.DOM;

//get all of my properties from oDOM for dialog
var properties = new Object();
properties.value1=oDOM.whateverValueINeedInDialog;
properties.value2=oDOM.whateverValueINeedInDialog;

document.domain='myserver.mydoomain.com';

var returnValue = showModalDialog(calledPage, window, "dialogWidth:" + width
+ "px;dialogHeight:" + height + "px;help:no;scroll:no;status:no");

if (returnValue ) {
// Put code that takes returnValue and processes what I need done.
}


in dialog page:
var properties = new Object();
properties.value1 = txtForm1.value;
properties.value2 = txtForm2.value;
window.returnValue = properties;
window.close();


Good luck....
!