Event 1034 - Cross-Domain Barrier and Script URL Mitigation

  • Logged Message
  • What Is It?
  • When Is This Event Logged?
  • Example
  • Remediation
  • Related topics

Logged Message

Windows Internet Explorer 8 and Windows Internet Explorer 7 block redirected navigation in Document Object Model (DOM) objects if there is a potential threat of cross-domain exploitation. Internet Explorer 8 and Internet Explorer 7 also block any script URLs requiring cross-domain access that could be a potential threat.

What Is It?

Script URL mitigation was introduced in Internet Explorer 7 and continues in Internet Explorer 8. It protects against cross-domain exploits, in which a webpage from one domain can either read or manipulate the contents of a webpage located on a different domain. A script URL is a URL that starts with a script protocol such as JavaScript or Microsoft Visual Basic Scripting Edition (VBScript) (for example, javascript:doFormPost()). Because script URLs typically run scripts in a Windows Internet Explorer window, they are easy targets for cross-domain exploits.

In earlier versions of Internet Explorer, script URLs were treated like any other URL, allowing navigation to occur. This navigation also allowed the script source to have access and run in the current window. In Internet Explorer 7 and Internet Explorer 8, script URL mitigation removes the script from the script URL, effectively stopping navigation from places that are considered unsafe. Internet Explorer 7 and Internet Explorer 8 then run the script in the domain context of the webpage from where it came instead of actually navigating to the page.

How This Issue Appears to the User

If for any reason the script URL navigation occurs from a questionable location or Internet Explorer is unable to retrieve the domain context, the navigation is blocked. If the webpage relies on this blocked navigation, it might become partially unusable, so that when the user clicks a link or button, nothing happens.

When Is This Event Logged?

This event is logged when an attempt is made to run a script URL in a cross-domain scenario.

Example

Perform the following steps to see this event logged in the compatibility tool:

  1. Create a webpage with the following contents. For this example call it 1034.html.

    <html>
      <head><title>Test of Intranet and Restricted Script Links</title></head>
      <body>
        <iframe src="http://127.0.0.1/1034r.html"></iframe>
      </body>
    </html>
    
  2. Create another webpage with the following contents. For this example call it 1034r.html.

    <html>
      <head><title>Test of Restricted Script Link</title></head>
      <body><a href="javascript:alert('I am from the restricted zone')">Restricted Alert Link</a></body>
    </html>
    
  3. Install the files in the root directory of the local web server. On a Microsoft Internet Information Services (IIS) server this means putting the files in this directory:

    .\wwwroot

  4. In Internet Explorer, select the Tools > Internet Options menu item. Select the Security tab. Select Restricted Sites, and click the Sites button.

  5. Add http://127.0.0.1/ to the list and close the Restricted sites dialog box.

  6. Close the Internet Options dialog box.

  7. Browse to the file:

    https://localhost/1034.html

  8. Click the Restricted Alert Link hyperlink.

The link attempts to execute a script URL in another domain. Internet Explorer prevents this. The user doesn't see any indication in the browser window, but the XDOM Barrier event is logged to the compatibility tool.

Remediation

To enable the script URL to redirect the navigation to a website, you can change the way the script runs by using an event handler, by using an inline script, or by calling the execScript method.

Using an Event Handler

You can change the script URL to include an event handler, as follows:

<a href="javascript:alert('hi')"> Click</a>

becomes

<a onclick="javascript:alert('hi')"> Click</a>

Using an Inline Script

You can run the script URL code by using an inline script tag. For example:

<script type="text/jscript">
   doSomething()
</script>

Using the execScript Method

You can call the execScript method to run your script URL code.

window.location = "javascript:doSomething()";

becomes

window.execScript("javascript:doSomething()");
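To find the markup that needs one of these changes, the following added example (not code from the original page) scans HTML for script URLs in URL-bearing attributes and flags any that exceed the 2047-character limit noted on this page. The function name, the attribute list, and the sample markup are assumptions made for illustration.

```javascript
// Added example: list script URLs (javascript:, vbscript:) in HTML attributes.
const URL_ATTRS = new Set(["href", "src", "action"]); // assumed set of URL-bearing attributes
const SCRIPT_URL = /^(javascript|vbscript):/i;        // script protocols named on this page
const MAX_SCRIPT_URL_LENGTH = 2047;                   // limit from the note on this page

// A start tag with its attributes; quoted values may contain '>'.
const TAG_RE = /<([a-z][a-z0-9]*)((?:\s+[\w-]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/gi;
const ATTR_RE = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

function findScriptUrls(html) {
  const findings = [];
  for (const tag of html.matchAll(TAG_RE)) {
    for (const attr of tag[2].matchAll(ATTR_RE)) {
      const name = attr[1].toLowerCase();
      // Event handlers such as onclick are the remediated form, not a navigation.
      if (!URL_ATTRS.has(name)) continue;
      const raw = attr[2] ?? attr[3] ?? attr[4];
      // Leading whitespace and embedded tab/CR/LF do not hide the scheme from a browser.
      const url = raw.replace(/[\t\r\n]/g, "").trim();
      const m = SCRIPT_URL.exec(url);
      if (!m) continue;
      findings.push({
        tag: tag[1].toLowerCase(),
        attr: name,
        scheme: m[1].toLowerCase(),
        length: url.length,
        overLimit: url.length > MAX_SCRIPT_URL_LENGTH,
      });
    }
  }
  return findings;
}

// Constructed sample: the link from 1034r.html, its event-handler form,
// a VBScript form action, and an ordinary link.
const SAMPLE_HTML = `
<a href="javascript:alert('I am from the restricted zone')">Restricted Alert Link</a>
<a onclick="javascript:alert('hi')"> Click</a>
<form action=" VBScript:MsgBox(1)"></form>
<a href="http://example.com/">ok</a>`;

console.log(findScriptUrls(SAMPLE_HTML));
```

Only the href and action entries are reported; the onclick handler is already in the remediated form.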

How Can I Work Around This Issue?

You can work around the script URL mitigation security feature by setting a named registry value.

Security Warning:

If you disable this security feature, you will be more prone to cross-domain attacks.

Disabling the feature should only be used as a temporary measure during troubleshooting—to compare behavior of the application when the feature is enabled or not. It is not recommended that the feature be left disabled on an on-going basis.

You manage the Cross-Domain Barrier and Script URL Mitigation through a security feature control registry key (FEATURE_SCRIPTURL_MITIGATION). Internet Explorer (Iexplore.exe) needs to run under this feature control to disable the feature and this can be achieved by setting the following registry key:

HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\iexplore.exe = 0x00000000

Note: When enabled, script URLs are limited to 2047 characters.
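Because the setting is meant to be temporary, it is worth checking that it was not left behind after troubleshooting. The following added example (not code from the original page) reads the text output of `reg query` for the FEATURE_SCRIPTURL_MITIGATION key and reports each hive in which iexplore.exe is set to 0. The function name is hypothetical, the sample output is constructed, and the output layout (key path line followed by indented `name  type  data` lines) is assumed.

```javascript
// Added example: find hives where the script URL mitigation is disabled for iexplore.exe.
const FEATURE_KEY_SUFFIX = "\\FEATURECONTROL\\FEATURE_SCRIPTURL_MITIGATION";

function findDisabledMitigation(regQueryOutput) {
  const disabledIn = [];
  let hive = null; // hive of the key block being read, or null if it is another key
  for (const rawLine of regQueryOutput.split(/\r?\n/)) {
    const line = rawLine.trim();
    const key = /^(HKEY_[A-Z_]+)\\(.+)$/.exec(line);
    if (key) {
      // Suffix match, so the same check applies to either hive named on this page.
      hive = ("\\" + key[2]).toUpperCase().endsWith(FEATURE_KEY_SUFFIX) ? key[1] : null;
      continue;
    }
    const val = /^(\S+)\s+REG_DWORD\s+(0x[0-9a-f]+)$/i.exec(line);
    if (hive && val && val[1].toLowerCase() === "iexplore.exe" && parseInt(val[2], 16) === 0) {
      disabledIn.push(hive);
    }
  }
  return disabledIn;
}

// Constructed sample output: enabled machine-wide, disabled for the current user,
// plus an unrelated feature key (placeholder name) that must be ignored.
const SAMPLE_REG_OUTPUT = String.raw`
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION
    iexplore.exe    REG_DWORD    0x1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION
    iexplore.exe    REG_DWORD    0x0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PLACEHOLDER_OTHER
    iexplore.exe    REG_DWORD    0x0
`;

console.log(findDisabledMitigation(SAMPLE_REG_OUTPUT));
```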

 

Related topics

Internet Explorer Application Compatibility

Events 1030 through 1037