Cross-Domain Barrier and Redirect Mitigation

Windows Internet Explorer 7 introduces new redirect mitigation for cross-domain exploits. A cross-domain exploit occurs when a Web page from one domain can either read or manipulate the contents of a Web page located on a different domain. Typically, a malicious Web site implements this exploit when a Web site redirects an object. Therefore, if there is any possible threat of a cross-domain exploit through redirected navigation in a DOM object, Internet Explorer 7 blocks the navigation and logs the blocked Web site URL.

What Are the Possible Causes of This Issue?

The following examples show two common pieces of functionality that Internet Explorer 7 blocks because the redir.asp file redirects the Web site to another domain.

Example 1

XML Script Data Island
<script language="text/xml" src="redir.asp">

Example 2

Stylesheet
Object tag "data" attribute
<object type="text/xml" data="redir.asp">

Note

This object tag example also depends on the value of the URLACTION_CROSS_DOMAIN_DATA registry setting.

How Can I Fix This Issue?

You can fix this issue by hosting all of your Web site data on the same domain, which avoids redirection to another domain.
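To find the references that need re-hosting, the following added example (not Microsoft's code) scans a page for the two patterns shown above, script src and object data, and reports those whose redirect chain ends on a different host. The URLs, markup and redirect table are constructed sample data, and comparing hostnames is an assumption that approximates the "domain" check; it does not reproduce Internet Explorer's own logic.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
# Tag -> attribute that loads data in the two examples on this page.
WATCHED = {"script": "src", "object": "data"}

class RefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, attribute value) pairs in document order

    def handle_starttag(self, tag, attrs):
        attr = WATCHED.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            self.refs.append((tag, value))

def final_url(url, redirects, limit=10):
    """Follow Location targets in `redirects` until a URL that does not redirect."""
    for _ in range(limit):
        if url not in redirects:
            return url
        url = urljoin(url, redirects[url])
    raise ValueError("redirect loop or chain longer than %d hops" % limit)

def cross_domain_redirects(page_url, html, redirects):
    """Return (tag, reference, final URL) for references redirected off the page's host."""
    page_host = urlsplit(page_url).hostname  # assumption: "domain" == hostname
    collector = RefCollector()
    collector.feed(html)
    findings = []
    for tag, ref in collector.refs:
        start = urljoin(page_url, ref)
        end = final_url(start, redirects)
        if end != start and urlsplit(end).hostname != page_host:
            findings.append((tag, ref, end))
    return findings

# Constructed sample: page markup plus the redirects its server would answer with.
PAGE_URL = "http://www.example.com/report/index.htm"
HTML = """<script language="text/xml" src="redir.asp"></script>
<object type="text/xml" data="local.asp"></object>
<object type="text/xml" data="/static/data.xml"></object>"""
REDIRECTS = {
    "http://www.example.com/report/redir.asp": "http://data.example.net/feed.xml",
    "http://www.example.com/report/local.asp": "/report/data.xml",
}
for tag, ref, end in cross_domain_redirects(PAGE_URL, HTML, REDIRECTS):
    print(f"<{tag}> {ref} redirects off-domain to {end}")
```

In practice the redirect table would be filled from the Location headers your own server returns for each referenced URL.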

How Can I Work around This Issue?

You can work around the redirect mitigation security feature by turning off the following registry key:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_Cross_Domain_Redirect_Mitigation]
"iexplore.exe"=dword:00000000

What Happens if I Disable This Security Feature?

If you disable this security feature, you will be more prone to cross-domain attacks.

See Also

Concepts

Known Internet Explorer Security Feature Issues