Meta Refresh

For a while now, I have had a problem when clicking on a button on some web sites that should open another window. The window opens just fine, but is unfortunately a blank page. After reading a post by Robert Kok on the Becky's forums, I learned that meta refresh on the security tab in internet options should be enabled, not disabled as I had it set. Seems some web sites rely on this to work properly and download all components. I changed this setting and my problem is fixed. Great.

sk, who also frequents Becky's, posted that this may be a risky action and since I have heard the same thing before, myself, I need a little advise from someone regarding this.

For me, disabling that setting is a minor problem. For example, after marking all posts read, I will not automatically be returned to the topic index. OK, so one more click, no problem. So if this is a security risk to enable meta refresh, the benefit does not outweigh the risk factor for me.

All opinions and comments, as always, are welcomed. Thanks in advance.

 

Just to clarify what I said and why. (Since Becky's site is down now I can't get the exact quote, but...): What I was referring to is the warning that comes up - from MS - when you use the context help for that particular option. It says: "Specifies how you want to handle potentially risky actions, files, programs, or downloads. Select one of the following...etc."

sk

 

When I originally posted my question, I had in mind sites such as Symantec's. From their home page, if I clicked on the download button, I would get the blank page. Changing meta refresh setting fixed that. But I wasn't even considering the redirect issue from some site that I wasn't familiar with to maybe some place I did not want to be. So your reply was kind of a wake up call. That is exactly why I posted the question. Sometimes things right in front of your face are the hardest to see.

Thanks for the guidance.

 

meta-refresh was designed to force a page to be reloaded after a certain delay, for self-updating sites like webcams.

It has been abused to do redirects by many idiotic web designers who don't know how to do real HTTP redirects. There is almost no situation where a meta-refresh-redirect is a good idea. It breaks navigation and fails to work on older browsers that don't support it, and newer browsers that allow it to be disabled.

I don't know why IE6 doesn't allow it to be set to 'Prompt' like the other options; this would be much more useful than completely disabling it, given that so many badly-designed sites require it.

If you have JavaScript enabled, there is probably no additional security risk in having meta-refresh enabled.

--
Andrew Clover
mailto:and@doxdesk.com
http://www.doxdesk.com/

 

Hi Andrew, thanks for additional info. I have been using the meta-refresh feature very selectively. Most of the time it is disabled, but I have been turning it on at a few forums I visit(here, SpywareInfo, DCS forum). Since it isn't really a big deal to me, I will just use it at a few trusted sites and disable the rest of the time. Spend 95% of my online time at security related sites anyway.

 

I don't have "MetaRefresh" enabled here - haven't noticed any ill-effects.

Guess everyone using IE6 has noticed that there's also now two "Enable install on Demand" entries ("Advanced" tab) - both of which I have disabled. Pete