15. February 2007 18:13
A little while ago, I pontificated that the simple way to solve security problems with feeds containing scripts and activex controls was to display the feed content in an IE browser window set to the security zone of the url of that item. I also noted that the latest version of Sharpreader displays items in the restricted zone.
Tonight, I just happened to be spelunking in the Sharpreader code base (don't ask - Reflector is just too easy a tool to reach for) and came across the method used. Instead of setting the zone of the IE control, it instead sets all URLs that come from 127.0.0.1 as being in the restricted zone. This affects all programs for the current user. A little heavy handed, but it gets the job done.
It's all done through registry settings, a method I hadn't seen before. So, for future reference, here's the knowledge base article that describes what's going on. (Sharpreader sets the Ranges value.)
(Incidentally, there's a rather sneaky flaw in my original argument. Unlike a web page, where the URL is an intrinsic value, an RSS item's URL is given to it in the RSS feed. Since it's not intrinsic, you can't necessarily trust it. You'd want to make sure that an RSS feed coming from evil.com that sets the URL of each of its items to update.microsoft.com - a default trusted site - doesn't get into the trusted zone. Similarly, an RSS feed coming from update.microsoft.com that has items with a URL of evil.com (for whatever reason) also shouldn't get the trusted zone. The algorithm to choose the URL to use for display would have to be smart about this. Perhaps get the zone of both URLs and pick the most restrictive? I'm not sure what the answer is here.)