Event 1034 - Cross-Domain Barrier and Script URL Mitigation
Windows Internet Explorer 8 and Windows Internet Explorer 7 block redirected navigation in Document Object Model (DOM) objects if there is a potential threat of cross-domain exploitation. Internet Explorer 8 and Internet Explorer 7 also block any script URLs requiring cross-domain access that could be a potential threat.
In earlier versions of Internet Explorer, script URLs were treated like any other URL, allowing navigation to occur. This navigation also allowed the script source to have access and run in the current window. In Internet Explorer 7 and Internet Explorer 8, script URL mitigation removes the script from the script URL, effectively stopping navigation from places that are considered unsafe. Internet Explorer 7 and Internet Explorer 8 then run the script in the domain context of the webpage from where it came instead of actually navigating to the page.
If for any reason the script URL navigation occurs from a questionable location or Internet Explorer is unable to retrieve the domain context, the navigation is blocked. If the webpage relies on this blocked navigation, it might become partially unusable, so that when the user clicks a link or button, nothing happens.
This event is logged when an attempt is made to run a script URL in a cross domain scenario.
Perform the following steps to see this event logged in the compatibility tool:
- Create a webpage with the following contents. For this example call it 1034.html.
<html> <head><title>Test of Intranet and Restricted Script Links</title></head> <body> <iframe src="http://127.0.0.1/1034r.html"> </body> </html>
- Create another webpage with the following contents. For this example call it 1034r.html.
- Install the files in the root directory of the local web server. On an Microsoft Internet Information Services (IIS) server this means putting the files in this directory:
- In Internet Explorer, select the Tools > Internet Options menu item. Select the Security tab. Select Restricted Sites, and click the Sites button.
http://127.0.0.1/to the list and close the Restricted sites dialog box.
- Close the Internet Options dialog box.
- Browse to the file:
- Click the Restricted Alert Link hyperlink.
The link attempts to execute a script URL in another domain. Internet Explorer prevents this. The user doesn't see any indication in the browser window but the XDOM Barrier event is logged to the compatibility tool.
To enable the script URL to redirect the navigation to a website, you can change the way the script runs by using an event handler, an inline script, or provide a call to the execScript method.
You can change the script URL to include an event handler, as follows:
You can run the script URL code, by using an inline script tag. For example:
<script type="text/jscript"> doSomething() </script>
You can call the execScript method to run your script URL code.
You can work around the script URL mitigation security feature by setting registry named value.
If you disable this security feature, you will be more prone to cross-domain attacks.
Disabling the feature should only be used as a temporary measure during troubleshooting—to compare behavior of the application when the feature is enabled or not. It is not recommended that the feature be left disabled on an on-going basis.
You manage the Cross-Domain Barrier and Script URL Mitigation through a security feature control registry key (FEATURE_SCRIPTURL_MITIGATION). Internet Explorer (Iexplore.exe) needs to run under this feature control to disable the feature and this can be achieved by setting the following registry key:
HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\iexplore.exe = 0x00000000