不让浏览器启动本地应用程序的充分理由
我知道这可能是理所当然的,但请继续阅读。
我还知道,即使在 Intranet 环境中,让浏览器运行并与本地应用程序交互通常也不被认为是一个好主意,甚至可能是最糟糕的主意。
我们使用 Citrix 进行家庭办公,人们非常喜欢它。 现在,他们希望在工作中拥有同样的环境,一个漂亮的页面,其中每个重要的应用程序/文档/文件夹都以有序的方式很好地排列和分类。 这些人并不是特别精通技术; 我什至不认为他们能够理解远程交付的应用程序和本地应用程序之间的区别。
所以,有人问我是否可能。 当然可以,因为 IE 具有良好的 ActiveX 控件。 我什至制作了一个工作原型(这就是令人痛苦的地方)。
但现在,我怀疑了。 即使在“本地 Intranet”区域中允许此类“危险”ActiveX 控件,这难道不是疯狂吗? 人们会使用同一个浏览器上网,我可以完全信任IE吗? 难道微软不会在未来的更新/版本中禁用这些控件吗? 如果某个网站或任何类型的恶意软件只是将另一个网站列入信任列表怎么办? 有了这种程度的控制,你还可以卸载所有保护措施,然后胡作非为,直到被 IT 部门绞死。
我即将向我的上级提出这样一个事实:即使他们认为这是可行的,这也将是一件非常糟糕的事情。 所以我迫切需要良好而有力的论据,因为“我们不这样做”是行不通的。
当然,如果没什么好害怕的,那也很好。 但我强烈怀疑这一点。
I know this might be a no-brainer, but please read on.
I also know it's generally not considered a good idea, maybe the worst, to let a browser run and interact with local apps, even in an intranet context.
We use Citrix for home-office, and people really like it. Now, they would like the same kind of environment at work, a nice page where every important application/document/folder is nicely arranged and classified in an orderly fashion. These folks are not particularly tech savvy; I don't even consider thinking that they could understand the difference between remote delivered applications and local ones.
So, I've been asked if it's possible. Of course, it is, with IE's good ol' ActiveX controls. And I even made a working prototype (that's where it hurts).
But now, I doubt. Isn't it madness to allow such 'dangerous' ActiveX controls, even in the 'local intranet' zone? People will use the same browser to surf the web, can I fully trust IE? Isn't there a risk that Microsoft would just disable those controls in future updates/versions? What if a website, or any kind of malware, just put another site on the trust list? With that extent of control, you could as well uninstall every protection and just run amok 'till you got hanged by the IT dept.
I'm about to confront my superiors with the fact that, even if they saw it is doable, it would be a very bad thing. So I'm desperately in need of good and strong arguments, because "let's don't" won't do it.
Of course, if there is nothing to be scared of, that'll be nice too. But I strongly doubt that.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
啊...我知道 2实现此目的的方法:
您可以将 Internet Explorer 嵌入到应用程序中,然后连接到它并拦截某些类型的 URL 等等,
几年前我看到这样做了 - 一个电话应用程序本身嵌入了 Internet Explorer,并加载了一些特殊格式的网页。
网页中有这样的内容:
通常这将是一个损坏的 URL,但是当用户单击此链接时,包含嵌入式 IE 的应用程序会收到通知,并继续执行它自己的自定义代码以从该 URL 拨打号码。
您可以让 VB 人员编写一个应用程序,该应用程序基本上只包装 IE,并具有用于执行应用程序的处理程序。 然后,您可以编写普通网页,其中包含指向打开的应用程序的链接,VB 应用程序将启动它们。 这允许您将自己的安全内容(例如,仅启动预设列表中的应用程序等)写入VB应用程序,并且由于VB正在启动它们,而不是IE,因此不会涉及任何IE安全问题。
第二种方式是使用浏览器插件。
例如,Skype 附带一个 Firefox 插件,它可以在网页中查找电话号码,并附加特殊链接。 当您单击这些链接时,它会调用 Skype - 您可以执行类似的操作来启动 Citrix 应用程序。
然后你就会被绑定到 firefox。 为 IE 编写插件比为 FF 困难得多,除非被迫,否则我不会走这条路。
Ahh... I know of 2 ways to accomplish this:
You can embed internet explorer into an application, and hook into it and intercept certain kinds of URL's and so on
I saw this done a few years ago - a telephony application embedded internet explorer in itself, and loaded some specially formatted webpages.
In the webpage there was this:
Normally this would be a broken URL, but when the user clicked on this link, the application containing the embedded IE got notified, and proceeded to execute it's own custom code to dial the number from the URL.
You could get your VB guy to write an application which basically just wraps IE, and has handlers for executing applications. You could then code normal webpages with links to just open applications, and the VB app would launch them. This allows you to write your own security stuff (like, only launch applications in a preset list, or so on) into the VB app, and because VB is launching them, not IE, none of the IE security issues will be involved.
The second way is with browser plug-ins.
For example, skype comes with a Firefox plug-in, which looks for phone-numbers in web-pages, and attaches special links to them. When you click on these links it invokes skype - you could conceivably do something similar for launching your citrix apps.
You'd then be tied to firefox though. Writing plugins for IE is much harder than for FF, I wouldn't go down that path unless forced to.
微软正在谨慎行事。 一方面,他们定期通过 Windows 更新发送 ActiveX Killbit,以删除/禁用行为不当的应用程序。 另一方面,最新版本的Sharepoint 2007(不能代表早期版本)允许通过单击浏览器中的链接来打开Office 文档,并在本地应用程序中进行编辑。 编辑完成后,更改将传输回服务器并刷新网页(通常)。 这只是 IE 的问题,因为 Firefox 会抛出错误消息。
不过,我可以看到其背后的逻辑。 在微软将所有应用程序都“放在云中”之前,在某些情况下需要弥合旧客户端应用程序和更加以网络为中心的业务环境之间的差距。 虽然可能存在非网络解决方法,但越来越多的信息工作者开始期望他们的大部分工作将在浏览器中完成。 除了系统管理员之外,任何使与桌面的集成变得更容易的事情都不会受到任何人的反对。
Microsoft is walking a fine line. On one hand, they regularly send ActiveX killbits with Windows Update to remove/disable applications that have been misbehaving. On the other hand, the latest version of Sharepoint 2007 (can't speak for earlier versions) allows for Office documents to be opened by clicking a link in the browser, and edited in the local application. When the edit is finished, the changes are transmitted back to the server and the webpage (generally) is refreshed. This is only an IE thing, as Firefox will throw up an error message.
I can see the logic behind it, though. Until Microsoft gets all of their apps 'in the cloud', there are cases that need to bridge the gap between the old client-side apps and a more web-centric business environment. While there is likely a non-web workaround, more and more information workers have come to expect that a large portion of their work will be done in a browser. Anything that makes the integration with the desktop easier is not going to be opposed by anyone except the sysadmins.
我没有使用 Citrix 太多次,但这是什么?与执行本地应用程序有关吗? 我根本不明白“像 Citrix 这样的人”和“执行本地应用程序的浏览器”有什么关系?
如果人们从家里访问您的 Citrix 服务器,并且希望在办公室获得相同的体验,那么购买一台便宜的 PC,并运行与他们在家用计算机上运行的完全相同的 Citrix 软件。 把这台电脑放在角落里并告诉他们去使用它。 他们会欣喜若狂。
这么说吧。 IE 内置了对 AX 控件的支持。 它使用其安全机制来防止它们运行,除非在受信任的站点中。 默认情况下,根本不信任任何站点。
如果您完全使用 IE,那么您就会受到这些安全机制的支配。 无论您是否告诉它信任本地 Intranet 都不是重点,并且不会影响任何其他区域的操作。
无论您是否允许本地 Intranet 中的 ActiveX,那些需要您每隔几周在 MS 发布补丁时重新启动计算机的旧安全漏洞将继续存在并导致问题。
自 XP-SP2 以来,Microsoft 一直在使 ActiveX 控件的使用变得越来越困难。 我不知道这些天你必须点击多少看起来可怕的警告消息和“这可能会毁掉你的计算机”对话框才能让它们运行,但数量相当多。 随着时间的推移,这种情况只会变得更糟。
I haven't used Citrix very many times, but what's it got to do with executing local applications? I don't see how "People like Citrix" and "browser executing local applications" relate at all?
If the people are accessing your Citrix server from home, and want the same experience in the office, then buy a cheap PC, and run the exact same Citrix software they run on their home computers. Put this computer in the corner and tell them to go use it. They'll be overjoyed.
Put it this way. IE has built-in support for AX controls. It uses it's security mechanisms to prevent them from running unless in a trusted site. By default, no sites are trusted at all.
If you use IE at all then you're putting yourself at the mercy of these security mechanisms. Whether or not you tell it to trust the local intranet is beside the point, and isn't going to affect the operation of any other zones.
The good old security holes that require you to reboot your computer every few weeks when MS issues a patch will continue to exist and cause problems, regardless of whether you allow ActiveX in your local intranet.
Since XP-SP2, Microsoft has been making it increasingly difficult to use ActiveX controls. I don't know how many scary looking warning messages and "This might destroy your computer" dialogs you have to click through these days to get them to run, but it's quite a few. This will only get worse over time.