Posted by Joe Barta on 01/19/06 20:01

Jose wrote:

>> http://www.google.com/search?q=hta
>>
>> Ain't Google a wonderful thing?
>>
>> </cranky>
>>
>> HTA == HTML Application. A twist on a html document. You can make
>> one easily by changing the extension from .html to .hta It then
>> becomes an "application" that uses IE components. It's kinda neat
>> but kinda limited. For more, visit Microsoft's documentation
>> above.
>
> Hmmm. From the docs:
>
>> The power to build HTML Applications (HTAs) brings Microsoft
>> Internet Explorer 5 to the fore as a viable Microsoft Windows
>> development platform. HTAs are full-fledged applications. These
>> applications are trusted and display only the menus, icons,
>> toolbars, and title information that the Web developer creates.
>> In short, HTAs pack all the power of Internet Explorer�its object
>> model, performance, rendering power, protocol support, and
>> channel-download technology�without enforcing the strict security
>> model and user interface of the browser.
>
> This doesn't sound like something I ever want on my machine.

Why not? You download and run executables all the time right?

>> This added functionality provides control over user interface
>> design and access to the client system. Moreover, run as trusted
>> applications, HTAs are not subject to the same security
>> constraints as Web pages. ...if saved to the client machine, it
>> simply runs on demand thereafter. The end result is that HTAs
>> runs like any executable (.exe) written in C++ or Visual Basic.
>
> This definately doesn't sound like something I want on my machine.
> It sounds like a sneaky way to get by security, while restricting
> the normal abilities of the user to interact with the page on the
> user's terms. What am I missing?

I could bypass the hta altogether and use a htm2exe type wrapper...
then it would be a simple exe file that you're used to. Would that
make you feel safer?

> And while I'm at it... what is "trusted"?

Not entirely sure, but I don't think it has the dire connotations you
seem to be attributing to it. It has more to do with the ability to
interact with itself. I ran into a trust issue if I recall in getting
a form to behave the way I wanted it to. I don't remember offhand what
it was, but there was nothing diabolical about it.

> I've run into pages
> that claim that they are "trusted" by someone or other. Why
> should I believe those messages? How can I make my pages say the
> same thing?

The big issue here I think is a psychological one. Plus, we're
naturally afraid of things we're unfamiliar with. The potential harm
of installing and running an hta is actually LESS than installing and
running a typical application... which folks do every day without
batting an eye. What makes you believe that a rogue hta application
could cause you any more grief than that rogue mp3 splitter you
downloaded? Actually, if one is looking to cause grief, an hta is a
pretty impotent way to go about it.

I think as of late we've been conditioned to think of the web as a
dangerous place. And unfortunately, to a degree that's true. Now tell
people they can turn a web page into an application and distribute
it... oh no! But think about it... it's no more dangerous than any
other application. And, if you think about it, because of the many
limitations of hta's, it's profoundly safer.

Joe Barta

• Next in forum: Re: Live clock and associated links
• Prev in forum: Gap in IE, no gap in FF
• Thread view: Re: Trust (was CSS Button Designer)

[Reply to this message]