Security Considerations: DHTML and Default Behaviors
This topic documents a feature of Binary Behaviors, which are obsolete as of Internet Explorer 10.
This document provides information about security considerations related to Dynamic HTML (DHTML) behaviors. This document doesn't provide all you need to know about security issues—instead, use it as a starting point and reference for this technology area.
Security Alerts
The following table lists features that, if used incorrectly, can compromise the security of your applications.
Feature | Mitigation |
---|---|
mediaBar | The Media Bar can load .asx and .asf files that specify multiple media URLs and scripted content. For security reasons, streamed content from unverified sources should be treated as user input. Developers should use caution when displaying content from unverified sources as HTML in the Media Bar content pane. |
saveFavorite | The saveFavorite behavior uses a userData store, which is not encrypted and therefore not secure. Any application that has access to the drive where userData is saved has access to the data. Therefore, it is recommended that you not persist sensitive data like credit card numbers. |
saveSnapshot | The saveSnapshot behavior persists data as plain text in a saved Web page. Text is not encrypted and therefore not secure. Any application that has access to the drive where the page is saved has access to the data and can tamper with it. Therefore, it is recommended that you not persist sensitive data like credit card numbers. |
userData | Data in a userData store is not encrypted and therefore not secure. Any application that has access to the drive where UserData is saved has access to the data. Therefore, it is recommended that you not persist sensitive data like credit card numbers. For security reasons, a UserData store is available only in the same directory and with the same protocol used to persist the store. |