TONT 32683: When a web site relies on a security hole

Published 2020-12-21 at https://www.aoisnow.net/blog/archives/3254 (category: tont_history)

Original article: https://devblogs.microsoft.com/oldnewthing/20060112-15/?p=32683

Translator's note: the first paragraph of the original is extremely long; for readability it has been split by hand.

Perhaps the biggest risk when making a change in the name of security is all the things that may have been relying on the previously-lax security settings. After all, disabling an insecure feature is easy. The hard part is disabling it while retaining compatibility with people who were relying on that feature.

Perhaps the biggest risk in making a change in the name of security is everything that depended on the previously less strict security settings. After all, turning off an insecure feature is not hard; the hard part is turning it off while staying compatible with the people who relied on that feature.

In the security investigations I've been involved with, perhaps the largest chunk of my time is spent trying to find a way to mitigate the security hole without breaking existing customers. (And it's the Line of Business scenario that is the biggest question mark.)

In the security investigations I have taken part in, probably most of my time goes into finding a way to mitigate the impact of a security hole without breaking the experience of existing customers. (And it is the line-of-business customers where the biggest question lies.)

Here's a real-life example: Consider a sports web site which sells a service to subscribers wherein the site creates a pop-up window whenever a game's score has changed or some other significant event has occurred. That way, you can leave your browser minimized and go about your day, but when something happens in the game, it will pop up an alert. The round of security changes in Windows XP SP2 broke this site because the rules on positioning of pop-up windows were tightened so that pop-up windows could not appear outside the browser itself. This prevents pop-up windows from being used to cover important browser elements (such as the status bar, the address bar, or a security dialog) and makes it harder for pop-ups to masquerade as system dialogs. But it also broke this company's business model. And of course, if Microsoft does something that causes you to lose money, you sue. There were probably corporations that had internal web sites that relied on the ability to position pop-ups without restriction. Those corporations no doubt also complained about this change in the name of security.

Here is a real-world example: suppose a sports web site sells its customers a service that pops up a window whenever the score of a game changes or some major event occurs, so you can minimize your browser window and go about other things, and a prompt pops up when something happens in the game. A round of security updates in Windows XP SP2 broke this mechanism, because the rules for pop-up windows were tightened: a pop-up window can no longer appear outside the bounds of its parent window. This change is meant to prevent windows from covering important browser elements (such as the status bar, the address bar, or a security dialog), and it also greatly reduces the chance of a pop-up masquerading as a system dialog. However, this measure also broke the business model of this (sports web site) company. Naturally, if Microsoft's actions cause you financial loss, you will of course choose to sue. Likewise, there were corporations whose internal web sites relied on the old design to position pop-up windows without restriction, and these corporations, without exception, also complained about this change made in the name of security.

As with most security changes that have compatibility consequences, a "safety valve" was added to return to the old insecure behavior for those customers who were relying on it. In this case, you can put the affected sites in the Trusted Sites zone and enable the "Allow script-initiated windows without size or position constraints" setting. But this is just a stop-gap, re-opening the security hole to let this site continue to operate the way it does. The real fix is not to rely on the security hole.

Like most security updates that carry compatibility side effects, the developers added a "safety valve" to accommodate customers who still relied on the old, insecure behavior. In this case, you can put the affected sites in the "Trusted Sites" list and enable the "Allow script-initiated windows without size or position constraints" option. But this is only a stopgap, equivalent to reopening the security hole so that those sites can keep operating the way they used to. The real fix is to stop relying on these security holes.