开发者

Are .htc files (like CSS3Pie or border-radius.htc) active-x controls?

I'm trying to find a quick (even dirty if needed) solution to implement rounded corners into a client space for my company.

Security and IT team tells me that border-radius.htc (http://code.google.com/p/curved-corner/downloads/detail?name=border-radius.htc) or even CSS3Pie are active-x components.

And so, they pose a security threat, so thet won't impl开发者_运维问答ement this.

Are .htc-files activex components?

Thanks!


HTC behaviors are not ActiveX components and do not pose a security risk. (*)

The common confusion stems from the fact that IE's proprietary 'behavior' CSS property can reference two kinds of implementations: binary implementations (of which there are several built-in to IE and other custom ones can be loaded via the <object> tag), and hypertext implementations (aka HTC files, e.g. CSS3 PIE).

While the former is still not technically ActiveX, it does allow arbitrary binary code to be run on the user's machine which could certainly be considered a security risk. As a result, this type of behavior is practically never used on the internet.

HTC behaviors, on the other hand, are essentially just HTML+JavaScript and therefore are subject to all the same sandboxing and security precautions as if you just included JS into your page via a <script> tag. In fact it is even more locked-down, as IE does not even allow HTC files to be loaded cross-domain (much to my frustration).

If this explanation is still not convincing enough for your Security/IT team, and if you're wanting to use CSS3 PIE specifically, there is a plain-JS version of the library which you can use instead of the HTC file which should avoid any fears they may have. However there are some downsides to that approach as listed on that page.

I hope that helps.

(*) I am not a security expert. ;)

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜