Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Is it possible to detect Internet Explorer Enhanced Security Configuration in javascript?

Is there any method to tell from javascript if the browser has "enhanced security configuration" enabled?

I keep running into problems with certain controls not working from within dynamically loaded content. This only happens with browsers running on Windows Server 2003/2008 systems - even when I add the server to the "trusted" zone.

Maybe somebody has already develoepd a method for accomplishing this task?

Thanks in advance

like image 418
Hanno Bunjes Avatar asked Jun 22 '10 08:06

Hanno Bunjes


3 Answers

Instead of testing for IE ESC directly, we can test for its effects.

I found that with ESC enabled the onclick events of dynamically added content would not fire. So I am testing those events directly.

var IEESCEnabled = true;
var testButton = $("<button style=\"display: none;\" onclick=\"IEESCEnabled = false; alert('No problems here.');\">Test IE ESC</button>");
testButton.click();
if (IEESCEnabled) {
    alert("We have a problem.");
}
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js"></script>

In my application a test like this forwards the user to a page explaining their issue. It is accompanied by a noscript element to check that they have JavaScript running at all.

like image 158
Rob Powell Avatar answered Sep 27 '22 19:09

Rob Powell


I don't think it's possible, and if it still is, than that's a bug that might sooner or later be fixed.

One of the main points of this "extra security" was for the client to have it but not to be detected by the servers, thus leaving them no way to know when to try to circumvent it and when not.

like image 27
Adrian A. Avatar answered Sep 27 '22 20:09

Adrian A.


Isn't javascript disabled when using enhanced security configuration?

Then if you only want to display a message to the user, simply display a message in normal html and hide it with javascript so only users without javascript will see it. If you need to handle it on the server side (e.g. outputting a differerent version of your website) simply include javascript to redirect users to your javascript enabled version. Users without javascript will remain on the non-js page.

If only scriptable activex are disabled, the same method applies, simply insert a activeX and try to "script" it, if it fails you can redirect, show a message etc.

The above of course doesn't detect enhanced security configuration per se, but the symptons that occur when it is enabled. So it probably wouldn't be able to distinguish between users with using enhanced security configuration and users that simply have JS/ActiveX disabled or use a Browser that doesn't support scripting in the first place.

like image 23
Ben Schwehn Avatar answered Sep 27 '22 20:09

Ben Schwehn