Bug Tracker

#4017 closed bug (fixed)

Opened January 28, 2009 08:29PM UTC

Closed February 28, 2009 08:29PM UTC

Last modified March 09, 2012 09:28AM UTC

IE7 wants to run ActiveX add-on

Reported by: tcrowe
Owned by:
Priority: critical
Milestone: 1.4
Component: core
Version: 1.3.2
Keywords:
Cc:
Blocked by:
Blocking:

Description

I just started using 1.3.1. When I do and I load my site in IE7 (on XP SP3) I get the following security message:

This website wants to run the following add-on: 'DirectShow/VFW Extension property page' from 'Creative Technology Ltd.'. If you trust the website and the add-on and want to allow it to run, click here...

My site operates properly even if I don't permit the add-on to run. If I drop back to 1.2.6 I don't get the warning.

I'm not sure that this constitutes a bona fide bug, but it is a "trust" problem for me. I want to use 1.3.1 with a client site, but I don't feel comfortable with this showing up.

I ran this problem by the #jquery irc chat. One other person on also noted that they saw this notice all the time. Another stated they did not.

Attachments (1)
Change History (18)

Changed January 28, 2009 09:46PM UTC by dz comment:1

Can you link to your site or a test case where you see this happening?

I went to several pages using 1.3.1 with IE7, and did not see the message.

Changed January 28, 2009 10:48PM UTC by tcrowe comment:2

Take a look at the home page on this website: dev.pcnvchamber.org

I have it set up to use jQuery 1.3.1. It's identical to www.pcnvchamber.org except that the production site is using 1.2.6.

One of the people on IRC suggested this warning might have something to do with my IE preferences. I generally try to avoid using IE, though, so my settings should be pretty close to factory default. I only ran into the problem because I was testing to make sure IE worked fine.

Changed January 29, 2009 12:14AM UTC by dmethvin comment:3

I can't repro this in IE7. Can you whittle all the content down to a simple test case, and make sure it works on more than one IE7 setup in your own dev environment?

Changed January 29, 2009 01:00AM UTC by tcrowe comment:4

Sure, I will try to simplify this.

Changed January 29, 2009 04:22AM UTC by tcrowe comment:5

I narrowed this problem down as far as I could. First, I reset all of my IE security levels to default and cleared my cache and cookies. I also disabled ALL of my add-ons. I have IE version 7.0.5730.11, BTW. Next, I stripped down my HTML file until all I had was a bare bones HTML file with an include of jquery-1.3.1.js. Then, I started going through jquery and ripping out code until I hit the following line:

div.innerHTML = ' <link/><table></table><a href="/a" style="color:red;float:left;opacity:.5;">a</a><select><option>text</option></select><object><param/></object>';

If I take that line out, in particular if I take out the "<object><param/></object>" part at the end, then the warning message goes away.

So, finally, I brought up regedit and did a search for "VFW". Sure enough there were numerous references to DLLs with "vfw" in the name and a "vfw" file extension type. These all related to MPEG codecs, Microsoft Video, Quicktime, a video camera I have, etc. Why the object tag and IE7 are picking on VFW, I don't know. Anyway, that's the problem. I don't understand what the point of that code in jQuery is, but maybe it can be removed or recoded.

Changed January 30, 2009 01:27AM UTC by dmethvin comment:6

component: unfilled → core

Thanks for doing the extra investigation on this.

The code that you mention is part of the new jQuery.support code for 1.3. I am not sure why it is only happening for your setup and not reported (yet) by anyone else. Have you tried any other systems with IE7 to see if they show the problem?

Also, is this a local intranet site, for example a localhost? Or is it a public Internet site?

Changed January 30, 2009 03:25PM UTC by tcrowe comment:7

Both of the sites mentioned previously (dev.pcnvchamber.org and www.pcnvchamber.org) are public.

I have not tried this against another machine with ie7. Almost all of the computers I have either run linux or Mac OS. I suspect this is an edge case related to software I have installed. In particular, I suspect it may have something to do with a Creative Labs computer video camera I have installed. I will try uninstalling the software for this to see if the problem goes away.

Changed January 30, 2009 04:19PM UTC by tcrowe comment:8

FYI, I removed all of the software for my video camera. I no longer get the warning from IE, so it definitely seems to be related. The particular camera that I have is a:

Creative Live! Cam Video IM Pro Webcam - USB

Changed January 31, 2009 03:48AM UTC by dmethvin comment:9

Okay, now the only question left is why

<object><param/></object>

would try to open that property page. It seems like it must be a bug in the Creative webcam driver, most likely the entries it puts into the registry. I tried installing that driver here on my system, but it was insisting that I actually have the webcam or it would abort the installation.

Changed February 04, 2009 12:40PM UTC by liam.jones comment:10

I'm getting a similar thing with 1.3.1 on our organisation's work PCs.

If I swap out 1.2.6 for 1.3.1 on an internal site it starts displaying the info bar in IE6 and 7 stating "Your security settings do not allow websites to use ActiveX controls installed on your computer.".

The same happens if I visit pages on jquery.com too (in fact it's displaying at the top of this page right now).

The really strange thing is if I refresh my internal site's page a handful of times it sometimes displays the information bar and sometimes it doesn't.

I've not yet worked out which addon is causing this behaviour and the information bar message offers no clues... I don't have a Creative webcam though.

Changed February 17, 2009 03:53PM UTC by jods comment:11

I can confirm this is an issue. I'm trying to run an intranet application inside a very restrictive environment.

Upgrading jQuery from 1.2.6 to 1.3.1 made the Internet Explorer 6 "Run ActiveX..." yellow toolbar appear.

I can't publish my application to production because of this.

Changed February 20, 2009 12:02PM UTC by jods comment:12

This is an important issue for me, so I did a bit of research.

Repro is easy: deactivate ActiveX in IE options and include jQuery 1.3.* (tested with 1.3.1 and 1.3.2) on your page. Yellow blocking bar appears.

dmethvin has spotted the issue right on. The jQuery.support code testing browser features includes a "<object><param /></object>" part, which is what makes IE tickle.

I had to find a workaround, so I removed that <object> part, and set the corresponding support feature (objectAll) to false. Bug solved on my site.

This is probably not a good fix for everyone since I don't really understand the consequences of doing so, though. Although I searched for references to objectAll but didn't find any... My application doesn't use any object tag, so I don't really care about this.

Changed February 20, 2009 06:36PM UTC by zepag comment:13

It seems that this is linked to the fact that a non-signed ActiveX cannot be loaded with a secured setup.

It appears that the problem is solved in my local setup by replacing the incriminated line with:

div.innerHTML = ' <link/><table></table><a href="/a" style="color:red;float:left;opacity:.5;">a</a><select><option>text</option></select><object type="text/plain"><param/></object>';

Probably because the object of type text/plain is almost always properly registered/signed in IE.

Can anyone try the attached patched jQuery and tell me if it solves the issue?

Changed February 25, 2009 05:15PM UTC by henkgroenen comment:14

I did try the change in ie6, but I still got the security alert.

Changed February 26, 2009 03:16PM UTC by smarkwal comment:15

I had the same issue on 3 different systems: IE 6 on Windows Server 2003, IE 7 on Windows XP and Windows Vista. Common to all installations is that the Security Setting "Run ActiveX controls and plug-ins" is set to "Disabled". Interestingly this setting doesn't affect the ActiveX component used to make Ajax calls.

The reason for the problem is the same as mentioned by tcrowe. If I remove

<object><param/></object>

from the jquery.js file, the warning doesn't appear anymore.

There are no non-standard add-ons installed (at least not on the server).

I have downgraded my project back to jQuery 1.2.6, because there are a lot of people out there that do not have permissions to modify the browser's security settings (especially in large companies).

Changed February 28, 2009 08:29PM UTC by john comment:16

milestone: 1.3.2 → 1.3.3
priority: minor → critical
resolution: → fixed
status: new → closed
version: 1.3.1 → 1.3.2

Ok, this check is causing more problems than it's worth so I've removed it from jQuery (apparently we weren't using the check either, so we must've resolved it elsewhere).

Fixed in SVN rev [6268].

Changed May 14, 2009 12:22AM UTC by dmethvin comment:17

See also #4651 if this code is ever resurrected; the <param> tag should always have a name attribute.
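
For auditing vendored or bundled scripts for the markup this ticket traces the prompt to, the following added example (not part of the ticket and not jQuery's code) scans a script's string literals for `<object>` tags and counts `<param>` tags without a `name` attribute, following comments 5, 13 and 17. The function names and the sample input are assumptions made for the illustration.

```javascript
// Added example (not jQuery code): list each <object> tag found inside a
// single-line string literal, with its source line and type attribute.
// Simplification: comments and regex literals are not skipped.
function stringLiterals(source) {
  const out = [];
  let line = 1;
  for (let i = 0; i < source.length; i++) {
    const quote = source[i];
    if (quote === '\n') { line++; continue; }
    if (quote !== '"' && quote !== "'") continue;
    let text = '', j = i + 1;
    while (j < source.length && source[j] !== quote && source[j] !== '\n') {
      if (source[j] === '\\') j++;          // drop the backslash of an escape
      text += source[j] || '';
      j++;
    }
    out.push({ line, text });
    i = source[j] === quote ? j : j - 1;    // leave a newline for the counter
  }
  return out;
}

function attrs(tag) {
  const re = /([\w:-]+)\s*=\s*("[^"]*"|'[^']*'|[^\s"'>\/]+)/g;
  const found = {};
  for (const m of tag.matchAll(re)) found[m[1].toLowerCase()] = m[2].replace(/^["']|["']$/g, '');
  return found;
}

function auditObjectProbes(source) {
  const findings = [];
  for (const { line, text } of stringLiterals(source)) {
    const params = text.match(/<param\b[^>]*>/gi) || [];
    // <param> tags without a name attribute (the point raised in comment 17)
    const unnamedParams = params.filter((p) => !('name' in attrs(p))).length;
    for (const tag of text.match(/<object\b[^>]*>/gi) || []) {
      findings.push({ line, tag, type: attrs(tag).type || null, unnamedParams });
    }
  }
  return findings;
}
// Constructed sample: line 2 is the line quoted in comment 5, line 3 is a
// shortened form of the variant from comment 13, line 4 has the tag removed.
const SAMPLE = [
  'var div = document.createElement("div");',
  `div.innerHTML = ' <link/><table></table><a href="/a" style="color:red;float:left;opacity:.5;">a</a><select><option>text</option></select><object><param/></object>';`,
  `div.innerHTML = ' <link/><select><option>text</option></select><object type="text/plain"><param/></object>';`,
  `div.innerHTML = ' <link/><table></table><select><option>text</option></select>';`,
].join('\n');
console.log(auditObjectProbes(SAMPLE));
```

Every `<object>` tag is reported whether or not it carries a `type`, since comment 14 reports the alert persisting in IE6 with the `type="text/plain"` variant.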

Changed November 05, 2009 06:36PM UTC by kmalone75 comment:18

I just downloaded the latest version of JQuery (1.3.2), and it appears this is still an issue in IE7 on Windows Server 2008, Service Pack 1. I realize there cannot be many people who actually run their computers on Windows Server 2008, but I thought I would add a comment here anyway.