Slightly more secure RSS-to-local-HTML

RSS aggregators which work by generating an HTML page which they save on the local machine, and then instruct the user’s browser to display that page, have a security problem: Internet Explorer loves HTML from the local machine too much. Pages loaded off your hard drive in IE run in what they call “an implicit zone” which “is treated with a high level of trust.” That means that bad things, like downloading unsigned ActiveX components, don’t happen based on what you have said you want for the various zones you control (Trusted Sites, Internet, Restricted Sites), they happen will ye, nil ye. And that means that aggregators written to behave that way have a special responsibility to remove absolutely everything that might be even remotely risky from the HTML they generate.

However, a bit farther down that page, there’s an interesting safety valve that’s been added to Windows XP Service Pack 2: not only does iexplore.exe run with a special “Local Machine Lockdown zone” where the most insane features aren’t wide open, it also adds a feature, intended to prevent security from flying out the window as soon as a user uses File/Save As..., which displays anything containing a comment like

<!-- saved from url=(0025) -->

in the Internet zone. So to provide a little extra margin of safety, all an aggregator needs to do is throw a fake “saved from url=” comment into its generated HTML, and IE will display it in a zone where things are no more risky than they are for any web page. Sweet!

(This brief break from “why don’t you just download Firefox and make it your default browser?” brought to you by the thrill of seeing Redmond get something right.)


Comment by Michel Valdrighi #
2004-04-05 07:24:11

If I understand this correctly, even using Firefox as default browser wouldn’t protect you from content rendered by the IE component in aggregators that use it.

Such aggregators are numerous on Windows…

How long until we see new versions of these aggregators including ”protection from rogue feeds?” ;)

Comment by Phil Ringnalda #
2004-04-05 08:22:23