All IE8 security settings


There are occasions when you have problems with Internet Explorer (IE) having problems with Javascript or plugins that at least partially stem from the browser's security level, for example it can cause Drupal's Ubercart e-commerce module to not let IE users to checkout (a bad thing). For those occasions, here are all of the IE8 security settings listed out in a single table in all their gory detail.

To see them go to the Tools browser menu, click on the Internet Options menu item and then the Security tab, then click Custom Level to see how each setting is adjusted based on the specific security level.

IE Security Settings
Setting Medium (default) Medium-High High
.NET Framework
Loose XAML: enable enable disable
XAML browser applications: enable enable disable
XPS documents: enable enable disable
ActiveX controls and plugins
Allow previously unused ActiveX controls to run without prompt: enable disable disable
Allow scriptlets: disable disable disable
Automatic prompting for ActiveX controls: disable disable disable
Binary and script behaviors: enable enable disable
Display video and animation on a webpage that does not use external media player: disable disable disable
Download signed ActiveX controls: prompt (recommended) prompt (recommended) disable
Download unsigned ActiveX controls: disable (recommended) disable (recommended) disable (recommended)
Initialize and script ActiveX controls not marked as safe for scripting: disable (recommended) disable (recommended) disable (recommended)
Only allow approved domains to use ActiveX without prompt disable enable enable
Run ActiveX controls and plug-ins: enable enable disable
Script ActiveX controls marked safe for scripting: enable enable disable
Automatic prompting for file downloads: disable disable disable
File download: enable enable disable
Font download: enable enable disable
Enable .NET framework setup
: enable enable disable
Access data sources across domains: disable disable disable
Allow META REFRESH: enable enable disable
Allow scripting of Microsoft web browser control: enable disable disable
Allow script-initiated windows without size or position contraints: disable disable disable
Allow webpages to use restricted protocols for active content: prompt prompt disable
Allow websites to open windows without address or status bars: enable disable disable
Display mixed content: prompt prompt prompt
Don't prompt for client certificate selection with no certificates or only one certificate exists: disable disable disable
Drag and drop or copy and paste files: enable enable prompt
Include local directory path when uploading files to a server: enable disable disable
Installation of desktop items: prompt (recommended) prompt (recommended) disable
Launching applications and unsafe files: prompt (recommended) prompt (recommended) disable
Launching programs and files in an IFRAME: prompt (recommended) prompt (recommended) disable
Navigate windows and frames across different domains: disable disable disable
Open files based on content, not file extension: enable enable disable
Submit non-encrypted for data: enable enable prompt
Use Pop-up Blocker: enable enable enable
Use SmartScreen Filter: enable enable enable
Userdata persistence: enable enable disable
Websites in less privileged web content zones can navigate into this zone: enable enable disable
Active scripting: enable enable disable
Allow Programmatic clipboard access: prompt prompt disable
Allow status bar updates via script: enable disable disable
Allow websites to prompt for information using scripted windows: enable disable disable
Enable XSS filter: enable enable enable
Scripting of Java applets: enable enable disable
User Authentication
Login: Automatic logon only in Intranet zone Automatic logon only in Intranet zone Prompt for user name and password

FYI these were obtained from a Windows XP SP3 virtual machine and may behave differently on different versions of Windows.

Synology NAS updates work better in Firefox than Safari


A small thing I noticed this morning is that Safari wasn't able to complete the DSM 3.0 update - after selecting the file and hitting the upload button it didn't proceed any further. Firefox 3.6, on the other hand, had no problem with the task and was only too happy to process the update. Oh, and the DSM 3.0 OS is gorgeous!

Bye bye Dreamhost & GoDaddy, hello HotDrupal, NameCheap & Google


After several hears calling Dreamhost the home for my website, I've moved the site to, a web hosting firm that specializes in Drupal hosting. So far, so good.

My main reasons for the move were:

  • Dreamhost throttled its web server to the point that my site was no longer able to run without throwing errors on 3/4 of logged-in pageviews, which caused rather horrid problems including causing most of the pages to stop work & menus disappear.
  • Dreamhost had no intention of changing this as it is part of their business plan - throttled, limited hosting at discounted rates.
  • While I could have gotten a VPS (virtual private server, kind of like a full server sliced into more manageable pieces) and had more, I didn't want to spend that much nor did I want to have to manage the server itself.

I'd like to say that I've never really had any problems with Dreamhost themselves, they've been very reliable over the past few years, it was just simply that with my site stopped being able to work I had to move elsewhere.

HotDrupal has been really good over the past few days while I got my account set up. They don't offer the earth, like some, instead they offer specialized yet flexible hosting and cover all of the basic needs if you don't specifically need to host a Drupal site.

I also took the opportunity to move the domain registration away from GoDaddy to NameCheap (affiliate link), a company that doesn't need to promote its services with scantily clad female racecar drivers. I've previously moved other domains to NameCheap and this was final one. Again, so far I like their services - lots of features for decent rates and they don't waste your time with tons of obstructive & annoying sales pitches on what felt every single page load like GoDaddy does.

Lastly, I've moved the domain's email hosting to Google Apps, just so that I could separate email from the website hosting, which will give me more flexibility to move it around as necessary, and avoid filling up my disk quota with my gb's of IMAP email.

I'll let you know how it goes.

Thanks to Dave Reid for the NameCheap recommendation.

Time to deprecate the Popups module

While working on a Drupal project this week which used popup windows to create nodes that were linked via node reference fields, I started running into major stability problems between a variety of modules that were being used, particularly Popups_Reference and Vertical_Tabs. Popups_Reference is a pretty neat little module that uses the Popups API module to provide the interface and lets you add buttons underneath a modal, which Vertical Tabs is a new interface style used heavily in Drupal 7 which presents form framesets as a series of vertically-aligned tabs; this module is a port of the D7 code for Drupal 6.

I happened to tweet about fixing Popups_Reference and had several people reply that Popups API had been deprecated in favor of Modal Frame API (Bangpound) and I should try using NodeRelationships instead (JerDavis, Hefoxed). Looking at the Popups API project page it actually says:

This module is not currently maintained. Please check out, or contact me if you would like to become a maintainer.

While the project could be continued, with ModalFrame having lots of support from other modules and being a core part of Drupal 7, it makes sense to just deprecate Popups API entirely and move all modules to using ModalFrame instead.

Towards the goal of deprecating Popups API I have added / updated tickets for a number of modules to promote this effort:

In the interest to helping to organize the effort I've added an issue tag "Popups API deprecated" which can be used to quickly see which modules have been migrated or deprecated.

If you use one of the modules above I strongly urge you to get involved and help the effort to migrate it to using ModalFrame.

A word of caution on CMS plugins for the Kaltura video platform


When the Kaltura video platform was announced in 2007 it made lots of people interested to know more. The promise of a commercially supported open-source video hosting platform, along with the choice of either running your own hosted content server or paying someone else, would be a great choice for both large firms looking to cut costs where they can, small & mid-size sites that want to use an open platform, and (us) developers who want to tinker with something.

Personally speaking, I was very excited about the potential, but was very frustrated when they kept breaking their previously published launch dates for public code releases. During 2008 I got involved with the Drupal CMS and in 2009 researched Kaltura as a standard platform for my then employer. Unfortunately, at the time several components were missing for our needs, so we went back to a different provider.

Skip ahead a year and I notice the excellent Drupal developer Dave Reid complaining that the Kaltura Drupal module had spyware problems along with a link to a discussion about it. After more than a year of the issue sitting there untouched by the module's maintainers (a Kaltura employee), Dave led the discussion to what quickly became a major issue for the Drupal webmasters group. As it turned out, the module was radioing home during both the install and uninstall processes, and despite multiple requests to remove the tracking code nothing was done about it.

After much discussion during which the original developer lost their CVS access, a patch was applied that removed the offending code, an official security notice was published and the latest version is now bug-free.

Happy days for Drupal site maintainers.

The question remains, however: of Kaltura's official extensions how many still include the tracker code?


Subscribe to Front page feed