XP SP2: Do's & Don'ts for Web Sites Microsoft Pushes Code Mods for Web Sites Ryan Naraine
If you manage a web site that utilizes ActiveX controls, file downloads, pop-up windows, or the Microsoft Java Virtual Machine (MSJVM), chances are you will need to tweak your code to deal with the new security features in Windows XP Service Pack 2 (SP2).
As part of preparations for the final release of the service pack, Microsoft is again urging web developers to closely examine the XP changes and make the necessary code modifications to minimize disruptions.
For instance, web sites using ActiveX controls will run into problems because of the changes made to the Internet Explorer (IE) browser to block those controls in some cases. Microsoft recommends that site owners make sure that all ActiveX controls distributed through a web site are signed and have up-to-date signatures.
"These signatures must be on the .cab files as well as the .dll files. If these are not signed with valid signatures, Internet Explorer will block them from installing," Microsoft warned in the report.
For sites that automatically redirect a page based on whether an ActiveX control was instantiated, Microsoft recommends the placement of a span within object tags detailing that the page could not load.
"If your site does not do this, the user will be moved to the new page after the Information Bar blocks your control, and will not be given a chance to
install the control."
For sites that automatically launch file downloads that are not initiated by the user, Microsoft reports XP SP2 will block these downloads or display a
dialog box asking for user initiation. The company is urging web site owners to make all downloads the result of user-initiated action.
The company also says web sites that contain file types with mismatched Content-Type and/or file extensions must be corrected.
"Both the Content-Type and the file extension must match the type of the file for a download prompt to appear. Be sure this is true for your web pages as well. If the Content-Type is plain/text, then they will not render as HTML," the company explains.
Because SP2 has been fitted with a default pop-up blocker, Microsoft says sites that use the window.createPopup() method will encounter disruptions.
For web sites that depend on the Microsoft Java Virtual Machine (MSJVM), the company is recommending that developers review their code to deal with changes in the service pack. Microsoft also released tutorials for the required code changes.
Earlier this year, Microsoft warned that SP2 will break and disrupt existing applications unless specific code rewrites are made at the developer end.
Windows XP SP2 will make significant changes to deal with increased network protection, memory protection, improved e-mail security, and enhanced browsing security, but these changes will lead to major disruption unless developers tweak their applications.
Enterprise developers are urged to pay attention to the changes in network protection. Specifically, Windows Firewall, the RPC Interface, and DCOM Security enhancements have been modified in SP2.
The XP overhaul will be issued as a "critical" update when it is released to manufacturers in July.
