Bug Tracker

Ticket #4017 (closed bug: fixed)

Opened 6 years ago

Last modified 2 years ago

IE7 wants to run ActiveX add-on

Reported by: tcrowe Owned by:
Priority: critical Milestone: 1.4
Component: core Version: 1.3.2
Keywords: Cc:
Blocking: Blocked by:

Description

I just started using 1.3.1. When I do and I load my site in IE7 (on XP SP3) I get the following security message:

This website wants to run the following add-on: 'DirectShow/VFW Extension property page' from 'Creative Technology Ltd.'. If you trust the website and the add-on and want to allow it to run, click here...

My site operates properly even if I don't permit the add-on to run. If I drop back to 1.2.6 I don't get the warning.

I'm not sure that this constitutes a bona fide bug, but it is a "trust" problem for me. I want to use 1.3.1 with a client site, but I don't feel comfortable with this showing up.

I ran this problem by the #jquery irc chat. One other person on also noted that they saw this notice all the time. Another stated they did not.

Attachments

jquery-1.3.1-patched-4017-text-plain.js Download (114.6 KB) - added by zepag 5 years ago.
Patched by adding type="text/plain" to the <object> tag used in jQuery.support

Change History

comment:1 Changed 6 years ago by dz

Can you link to your site or a test case where you see this happening?

I went to several pages using 1.3.1 with IE7, and did not see the message.

comment:2 Changed 6 years ago by tcrowe

Take a look at the home page this on website: dev.pcnvchamber.org I have it set up to use jQuery 1.3.1. It's identical to www.pcnvchamber.org except that the production site is using 1.2.6.

One of the people on IRC suggested this warning might have something to do with my IE preferences. I generally try to avoid using IE, though, so my settings should be pretty close to factory default. I only ran into the problem because I was testing to make sure IE worked fine.

comment:3 Changed 6 years ago by dmethvin

I can't repro this in IE7. Can you whittle all the content down to a simple test case, and make sure it works on more than one IE7 setup in your own dev environment?

comment:4 Changed 6 years ago by tcrowe

Sure, I will try to simplify this.

comment:5 Changed 6 years ago by tcrowe

I narrowed this problem down as far as I could. First, I reset all of my IE security levels to default and cleared my cache and cookies. I also disabled ALL of my add-ons. I have IE version 7.0.5730.11, BTW. Next, I stripped down my HTML file until all I had was a bare bones HTML file with an include of jquery-1.3.1.js. Then, I started going through jquery and ripping out code until I hit the following line:

div.innerHTML = ' <link/><table></table><a href="/a" style="color:red;float:left;opacity:.5;">a</a><select><option>text</option></select><object><param/></object>';

If I take that line out, in particular if I take out the "<object><param/></object>" part at the end, then the warning message goes away.

So, finally, I brought up regedit and did a search for "VFW". Sure enough there were numerous references to DLLs with "vfw" in the name and a "vfw" file extension type. These all related to MPEG codecs, Microsoft Video, Quicktime, a video camera I have, etc. Why the object tag and IE7 are picking on VFW, I don't know. Anyway, that's the problem. I don't understand what the point of that code in jQuery is, but maybe it can be removed or recoded.

comment:6 Changed 6 years ago by dmethvin

  • Component changed from unfilled to core

Thanks for doing the extra investigation on this.

The code that you mention is part of the new jQuery.support code for 1.3 I am not sure why it is only happening for your setup and not reported (yet) by anyone else. Have you tried any other systems with IE7 to see if they show the problem?

Also, is this a local intranet site, for example a localhost? Or is it a public Internet site?

comment:7 Changed 6 years ago by tcrowe

Both of the sites mentioned previously (dev.pcnvchamber.org and www.pcnvchamber.org) are public.

I have not tried this against another machine with ie7. Almost all of the computers I have either run linux or Mac OS. I suspect this is an edge case related to software I have installed. In particular, I suspect it may have something to do with a Creative Labs computer video camera I have installed. I will try uninstalling the software for this to see if the problem goes away.

comment:8 Changed 6 years ago by tcrowe

FYI, I removed all of the software for my video camera. I no longer get the warning from IE, so it definitely seems to be related. The particular camera that I have is a:

Creative Live! Cam Video IM Pro Webcam - USB

comment:9 Changed 6 years ago by dmethvin

Okay, now the only question left is why <object><param/></object> would try to open that property page. It seems like it must be a bug in the Creative webcam driver, most likely the entries it puts into the registry. I tried installing that driver here on my system, but it was insisting that I actually have the webcam or it would abort the installation.

comment:10 Changed 5 years ago by liam.jones

I'm getting a similar thing with 1.3.1 on our organisation's work PCs.

If I swap out 1.2.6 for 1.3.1 on an internal site it starts displaying the info bar in IE6 and 7 stating "Your security settings do not allow websites to use ActiveX controls installed on your computer.".

The same happens if I visit pages on jquery.com too (in fact it's displaying at the top of this page right now).

The really strange thing is if I refresh my internal site's page a handful of times it sometimes displays the information bar and sometimes it doesn't.

I've not yet worked out which addon is causing this behaviour and the information bar message offers no clues... I don't have a Creative webcam though.

comment:11 Changed 5 years ago by jods

I can confirm this is an issue. I'm trying to run an intranet application inside a very restrictive environment.

Upgrading jQuery from 1.2.6 to 1.3.1 made the Internet Explorer 6 "Run ActiveX..." yellow toolbar appear.

I can't publish my application to production because of this.

comment:12 Changed 5 years ago by jods

This is an important issue for me, so I did a bit of research.

Repro is easy: deactivate ActiveX in IE options and include jQuery 1.3.* (tested with 1.3.1 and 1.3.2) on your page. Yellow blocking bar appears.

dmethvin has spoted the issue right on. The jQuery.support code testing browser features include a "<object><param /></object>" part, which is what makes IE tickle.

I had to find a workaround, so I removed that <object> part, and set the correponding support feature (objectAll) to false. Bug solved on my site.

This is probably not a good fix for everyone since I don't really understand the consequences of doing so, though. Although I searched for references to objectAll but didn't find any... My application doesn't use any object tag, so I don't really care about this.

comment:13 Changed 5 years ago by zepag

It seems that this is linked to the fact that a non-signed ActiveX cannot be loaded with a secured setup.

It appears that problem is solved in my local setup by replacing the incriminated line with: div.innerHTML = ' <link/><table></table><a href="/a" style="color:red;float:left;opacity:.5;">a</a><select><option>text</option></select><object type="text/plain"><param/></object>';

Probably because the object of type text/plain is almost always properly registered/signed in IE.

Can anyone try the attached patched jQuery and tell me if it solves the issue?

Changed 5 years ago by zepag

Patched by adding type="text/plain" to the <object> tag used in jQuery.support

comment:14 Changed 5 years ago by henkgroenen

I did try the change in ie6, but I still got the security alert.

comment:15 Changed 5 years ago by smarkwal

I had the same issue on 3 different systems: IE 6 on Windows Server 2003, IE 7 on Windows XP and Windows Vista. Common to all installations is that the Security Setting "Run ActiveX controls and plug-ins" is set to "Disabled". Interestingly this setting doesn't affect the ActiveX component used to make Ajax calls.

The reason for the problem is the same as mentioned by tcrowe. If I remove

<object><param/></object>

from the jquery.js file, the warning doesn't appear anymore.

There are no non-standard add-ons installed (at least not on the server).

I have downgraded my project back to jQuery 1.2.6, because there are a lot of people out there that do not have permissions to modify the browser's security settings (especially in large companies).

comment:16 Changed 5 years ago by john

  • Priority changed from minor to critical
  • Status changed from new to closed
  • Version changed from 1.3.1 to 1.3.2
  • Resolution set to fixed
  • Milestone changed from 1.3.2 to 1.3.3

Ok, this check is causing more problems than it's worth so I've removed it from jQuery (apparently we weren't using the check either, so we must've resolved it elsewhere).

Fixed in SVN rev [6268].

comment:17 Changed 5 years ago by dmethvin

See also #4651 if this code is ever resurrected; the <param> tag should always have a name attribute.

comment:18 Changed 5 years ago by kmalone75

I just downloaded the latest version of JQuery (1.3.2), and it appears this is still an issue in IE7 on Windows Server 2008, Service Pack 1. I realize there cannot be many people who actually run their computers on Windows Server 2008, but I thought I would add a comment here anyway.

Note: See TracTickets for help on using tickets.