Meta Refresh

Discussion in 'other security issues & news' started by Vietnam Vet, Jan 1, 2003.

Thread Status:
Not open for further replies.
  1. Vietnam Vet

    Vietnam Vet Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    306
    For a while now, I have had a problem when clicking on a button on some web sites that should open another window. The window opens just fine, but is unfortunately a blank page. After reading a post by Robert Kok on the Becky's forums, I learned that meta refresh on the security tab in internet options should be enabled, not disabled as I had it set. Seems some web sites rely on this to work properly and download all components. I changed this setting and my problem is fixed. Great.

    sk, who also frequents Becky's, posted that this may be a risky action and since I have heard the same thing before, myself, I need a little advice from someone regarding this.

    For me, disabling that setting is a minor problem. For example, after marking all posts read, I will not automatically be returned to the topic index. OK, so one more click, no problem. So if this is a security risk to enable meta refresh, the benefit does not outweigh the risk factor for me.

    All opinions and comments, as always, are welcomed. Thanks in advance.
     
  2. sk

    sk Registered Member

    Joined:
    Nov 19, 2002
    Posts:
    241
    Just to clarify what I said and why. (Since Becky's site is down now I can't get the exact quote, but...): What I was referring to is the warning that comes up - from MS - when you use the context help for that particular option. It says: "Specifies how you want to handle potentially risky actions, files, programs, or downloads. Select one of the following...etc."

    sk
     
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Hi Vietnam_Vet,

    I am one of those who has disabled the Allow Meta Refresh setting in the default Internet Zone in IE (and, of course, it's disabled in the Restricted Zone, as well ;) ). I did this at the time that I decided to manage my IE security by using all the zones to their full potential. I don't like the idea of one site "redirecting" my browser automatically to another site, especially if it is not a trusted site, so disabling this gives me some additional comfort...

    Overall, I have my Internet Zone set very tightly. The only difference between the Internet and Restricted zones on my machine is that I have a couple of security settings at Prompt rather than Disabled in the Internet Zone. (These are: Run ActiveX controls and plug-ins... and Script ActiveX controls marked safe..., plus a couple of the entries in the Misc category.) Allow Meta Refresh is one that's disabled in this zone.

    But, I do have it enabled in the Trusted Zone. I also have a fairly healthy list of trusted sites that I built up over time, and I have no issue with these sites either automatically refreshing their pages or redirecting me to a new page.

    To complete the overall IE zone security model, I use Eric Howes' IE-SpyAd to give me a large list of pre-populated Restricted Zone sites. It's my belief that handling IE with securely configured zones is one of the most powerful "security enhancements" on my system.

    Best Wishes,
    LowWaterMark
     
  4. Vietnam Vet

    Vietnam Vet Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    306
    When I originally posted my question, I had in mind sites such as Symantec's. From their home page, if I clicked on the download button, I would get the blank page. Changing meta refresh setting fixed that. But I wasn't even considering the redirect issue from some site that I wasn't familiar with to maybe some place I did not want to be. So your reply was kind of a wake up call. That is exactly why I posted the question. Sometimes things right in front of your face are the hardest to see.

    Thanks for the guidance.
     
  5. meta-refresh was designed to force a page to be reloaded after a certain delay, for self-updating sites like webcams.

    It has been abused to do redirects by many idiotic web designers who don't know how to do real HTTP redirects. There is almost no situation where a meta-refresh-redirect is a good idea. It breaks navigation and fails to work on older browsers that don't support it, and newer browsers that allow it to be disabled.

    I don't know why IE6 doesn't allow it to be set to 'Prompt' like the other options; this would be much more useful than completely disabling it, given that so many badly-designed sites require it.

    If you have JavaScript enabled, there is probably no additional security risk in having meta-refresh enabled.

    --
    Andrew Clover
    mailto:and@doxdesk.com
    http://www.doxdesk.com/
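
An added example, not part of the thread: a small Python audit helper that separates the two uses of meta refresh discussed above, the timed self-reload and the redirect, and flags redirects that leave the current host. The function name `classify_refreshes`, the sample page and the `example` host names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# content="<seconds>" or content="<seconds>; url=<target>"
_CONTENT = re.compile(r"^\s*(\d+)\s*(?:[;,]\s*(?:url\s*=\s*)?(.*))?$", re.I | re.S)

class _RefreshFinder(HTMLParser):
    """Collects the content attribute of every <meta http-equiv="refresh">."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").strip().lower() == "refresh":
            self.found.append(a.get("content") or "")

def classify_refreshes(html, page_url):
    """Return (kind, delay_seconds, target) for each meta refresh in html."""
    finder = _RefreshFinder()
    finder.feed(html)
    results = []
    for content in finder.found:
        m = _CONTENT.match(content)
        if not m:
            results.append(("malformed", None, content))
            continue
        raw = (m.group(2) or "").strip().strip("'\"")
        target = urljoin(page_url, raw) if raw else page_url
        if target == page_url:
            kind = "reload"                # the self-updating page case
        elif urlsplit(target).hostname == urlsplit(page_url).hostname:
            kind = "same-site redirect"
        else:
            kind = "cross-site redirect"   # the case a zone policy cares about
        results.append((kind, int(m.group(1)), target))
    return results

# Constructed sample page and URL (example.* hosts are placeholders).
PAGE_URL = "http://vendor.example/index.html"
SAMPLE = """<html><head>
<meta http-equiv="refresh" content="30">
<meta http-equiv="Refresh" content="0; url=http://other.example/landing">
<meta http-equiv="refresh" content="0;URL='/downloads/'">
<meta http-equiv="refresh" content="soon">
</head></html>"""

if __name__ == "__main__":
    for row in classify_refreshes(SAMPLE, PAGE_URL):
        print(row)
```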
     
  6. Vietnam Vet

    Vietnam Vet Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    306
    Hi Andrew, thanks for additional info. I have been using the meta-refresh feature very selectively. Most of the time it is disabled, but I have been turning it on at a few forums I visit (here, SpywareInfo, DCS forum). Since it isn't really a big deal to me, I will just use it at a few trusted sites and disable the rest of the time. Spend 95% of my online time at security related sites anyway. :)
     
  7. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    I don't have "MetaRefresh" enabled here - haven't noticed any ill-effects.

    Guess everyone using IE6 has noticed that there are also now two "Enable install on Demand" entries ("Advanced" tab) - both of which I have disabled. Pete
     