Calls to Response.Redirect to Custom Lotus Notes URLs fails in IE7
Robertson @discussions.microsoft.com Keith Robertson (Fujitsu TAM)
(Native & Compatibility Modes)
Background
The customer Intranet utilises the asp response object method redirect to
link users to absolute external links (resources outside of the website's own
relative structure). Two examples:
1. The General Register Office link executes an asp...
response.redirect("http://www.ips.gov.uk/cps/rde/xchg/ips_live/hs.xsl/55.htm")
2. The "Phone Directory" link executes an asp...
response.redirect("Notes://server/002567860060D7D1") (APS line of code)
There seems to be a change in the opertation code between IE6/IE7.
Up to Internet Explorer 7 (i.e in IE6) both these links function as expected
and the response.redirect is returned to the requesting browser which then
automatically submits a new request for the URL in the redirect parameter.
The General Register Office link successfully opens the GRO website.
The Phone Directory link successfully launches the user's Lotus Notes client
application and then opens the Notes Corporate Directory database (NCD).
Note: This is dependant on the user having the location of their Lotus Notes
installation (notes.exe) present in their registry as a URL:Notes Protocol.
This is in place as part of a standard ONS PC installation and is not a
factor in the problem detailed below.
Problem
While IE6, IE7 and Mozilla Firefox can all handle and process the
response.redirect for URLs with the http:// protocol (i.e. the GRO link
above) each browser handles the response.redirect to a Notes:// protocol in a
different way.
As stated above, IE6 successfully resolves the response.redirect and
launches the user's Notes application and opens the NCD.
Firefox also launches the user's Notes application and opens the NCD,
however by default it also displays a system page to the user stating "Object
Moved - This object may be found here" and includes a link to the Notes URL.
IE7 however is unable to handle the Notes:// redirect and returns "Internet
Explorer cannot display the webpage".
Investigation
Our initial investigation suggests that this fails with IE7 at the point
where it should interrogate the registry for the path to Lotus Notes – ie an
external program. IE7 simply doesn’t do this. For the response.redirect it
doesn’t make any difference whether friendly error messages are off or on –
both give the error ‘Internet Explorer cannot display the webpage’. Neither
IE7 or IE8 are even trying to go to HKCR\Notes\... (which IE6 does) to get
the path to run Notes or just open the requested database.
Our Theory & Requirement
We think this is probably "by design" - especially having looked at
MS07-061. The behaviour that the ASP code is exhibiting could be misconstrued
as an attack, and we think the code might be attempting to cross a security
boundary that became enforced in IE7 and later. I have also requested that
this issue be raised with IBM - because it's quite possible that other Lotus
Notes customers have hit the same thing, and IBM may have a solution or
workaround. If our theory is right, though, and that it is "by design", then
I need you to tell me, please.
This is what’s added to the registry on PCs for Notes 5 for example:
[HKEY_CLASSES_ROOT\Notes]
@="URL:Notes Protocol"
"URL Protocol"=""
[HKEY_CLASSES_ROOT\Notes\DefaultIcon]
@="C:\\PROGRAM FILES\\NOTES\\notes.exe"
[HKEY_CLASSES_ROOT\Notes\shell]
[HKEY_CLASSES_ROOT\Notes\shell\open]
[HKEY_CLASSES_ROOT\Notes\shell\open\command]
@="C:\\PROGRAM FILES\\NOTES\\ notes.exe %1”
UPDATE - I originally posted this in the IE forum, and they said I should
raise it with you. They suggested trying a couple of things, which we will
do, but I'm not confident!
"I suggest you add the URL to your intranet website to see if any difference:
1. In Internet Explorer, on the Tools menu, click Internet Options.
2. On the Security tab, click Local Intranet and click Site button.
3. Click Advanced button and add the site URL to the list.
4. Click OK to exit.
5. I also suggest you run IE as administrator (If you have using Vista and
Windows 7 computers with UAC enabled) and test again to see if any different
behavior. "
I believe this problem is about IE 7/8 having tighter security and that the
behaviour implicit in the function that is failing could be used to breach
security - so I think it's "by design". Surely IBM/Lotus or you should be
aware of this issue already??
I look forward to hearing from you.
Thanks in advance,
Keith.
rhhjr
automatic redirection to notes: in IE7:
- Add a meta refresh tag to the output html document that points to the
Notes DocLink.
PRO: I believe IE7 controls this behavior with the setting "Allow META
REFRESH" and it is enabled by default in the Internet, Intranet, and Trusted
Security Zones.
CON: The practice of redirecting via meta refresh tags is discouraged
because it can affect the users ability to navigate through their history,
however since the window we pop up to handle the Centralized View Original
request essentially has no history this doesn't seem like a big deal.
- Add javascript to the output html document that changes the window
location on a time delay to the Notes DocLink.
PRO: The javascript redirection seems to be allowed under default IE7
Security Zone settings.
CON: I'm sure there is one but I can't think of any other than javascript is
disabled but you wouldn't get this far in the website if that was the case.