The text is on the USPTO site.
HTML [patft.uspto.gov].

if the link doesn't work, search under the patent # 6,662,341

More reading that I want to do this morning.....
jb

cheers,

I'll be going over this with a fine tooth comb...

snookie

"This relaxed security allows an HTML author to do things such as: read from a user's local computer; write to a user's local computer"...

That's more than enough to set alarm bells ringing for me. So if you disable Javascript & cookies etc in your browser, HTML in a window can now do whatever it wants.

Hackers will have a field day!

As the advert on the page says in big letters: "Now - how secure are you?"

I wonder if this only applies to Windows and IE though? If so, hopefully there'll be a Mozilla preference to prevent HTML window applications from launching!

It could be another nail in the coffin of IE. Or another attempt by Microsoft to make everyone do things their way.

Mozilla won't read a XUL file from the internet without altering a text file manually.

I wonder if this only applies to Windows and IE though? If so, hopefully there'll be a Mozilla preference to prevent HTML window applications from launching!

Can't imagine that Mozilla WON'T make a preference for that.

That's more than enough to set alarm bells ringing for me. So if you disable Javascript & cookies etc in your browser, HTML in a window can now do whatever it wants.

Hold it.

The way I see it from reading the article linked to in the first post: this will just be another sort of ".exe" file.

When you run an .exe on your computer, it can also do all the things mentioned.

The difference being that instead of it being written in some programming language like c or c++, it would be written in html.

Correct me if I'm wrong though. ;)

agreed. however isn't it something that Mozilla does already?

Hester, it's not quite that simple. To make IE parse an HTML Ap, you have to give it an .hta extension. Then IE treats it exactly like an .exe.

So assuming there's nothing more complicated beneath the surface, it's basically as much of a risk as downloading an executable.

But you would only do that and save it to the desktop then run it. (As in an installer.) How many .exe files do you click on and run from the browser? There is always a warning message beforehand anyway.

The way I saw this was that a page would appear straight away, after clicking a link (or automatically for IE :)) and in that window, the new insecure content would load.

If so, that's like removing the security from the browser altogether.

er.. if you check the patent from point 2 "A method for running an HTML application file, the method comprising:" you'll see that if the .hta isn't stored locally the user is prompted for a "run method response". if the user ok's this the file is then saved locally then run...

as the application that runs the .hta file is determined by the mime-type you should be able to start the application from any browser and receive the "run method response" prompt.

i suspect that there might be ways to make IE 6.0 think the file is already local and therefore bypass the "run method response" prompt. (but thats another story...)

snookie

I wonder if this only applies to Windows and IE though?

Method and apparatus for writing a windows application in

Funny how one word can make a difference sometimes, eh? This must mean that the patent doesn't apply to the same thing on other OSes.
I bet someone in Redmond is now biting their behind for putting that in... ;)

One may choose to see the glass empty with .hta files.

Here's somethings from the glass half-full view.

Exe files are developed from a compiled programming language. Hta files can be developed by lower skilled people using a scripting language. Html is fairly well known and is easy to maintain. Vbscript and Javascript are little more difficult but but are no cost options on Windows machines that have ie installed.

Now think of a Human Resources application within you company. Lots of text in html. The HR people write this in Word and save it as an html file. A little tweeking and it goes on your intranet.

You can turn off the browsers of many of your staff and not have to put up with lost time because of misuse of the internet. The .hta files display and navigate through their own window.

In every organization some staff need Internet access, they keep the browser and are still able to read the .hta files. This is win-win to me.

BTW, CSS style sheets can be part of the .hta file. Hta files can link to regular html files if you want them to. Most of the underlining technology has been around as part of Windows Scripting Host.

I can also think of applications of .hta for Access, Excel and Word. Hta is an evolutionary development, not revolutionary.

I can definitly see the advantages, and I don't think there's any increased danger (except for the fact that IE is involved ;))

>> The way I saw this was that a page would appear straight away, after clicking a link (or automatically for IE ) and in that window, the new insecure content would load.

Unless they've changed something since I last played with HTAs, that's not how it works.

>> Mozilla won't read a XUL file from the internet without altering a text file manually.

That maybe true but that's not the file type that would be delivered. The file type would be .hta which Moz will execute (all builds up until the one released on 2003-09-29). Moz known security issues [mozilla.org].

The more dangerous part of what I read there is that if your OS is Windows - the app can be run outside of your browser.

Here's a quick primer on HTA applications [msdn.microsoft.com].

bird, read a bit further down:

Microsoft's patent appears to be platform agnostic, making it likely to apply to all operating systems including Linux and Unix. The operating system would recognise files to be run as applications by the HTML application file extension, .hta.

Exe files are developed from a compiled programming language. Hta files can be developed by lower skilled people using a scripting language. Html is fairly well known and is easy to maintain. Vbscript and Javascript are little more difficult but but are no cost options on Windows machines that have ie installed.

The key words are lower skilled. Take a look around at the quality of most web sites maintained by non-technical people, at least there bad coding and poor conforming to standards cant really do much harm. If people can't be bothered to take the time to learn VB then they should not be designing and making programs. Full Stop.

Now think of a Human Resources application within you company. Lots of text in html. The HR people write this in Word and save it as an html file. A little tweeking and it goes on your intranet.

Look mate I don't know where you work but if you have non-technical HR people producing web pages you got a problem. Either they should be submitting that material to a proper IT team or be using some system (that can be controlled by IT) of entering the content into a database for dynamic display on the web.

You can turn off the browsers of many of your staff and not have to put up with lost time because of misuse of the internet. The .hta files display and navigate through their own window.

Thats what you have proxy servers, firewalls, usernames and passwords for.

------------------------------------

In theory it's a decent idea, let the masses program for themselves, but how many are going to screw up badly and erase the c:\windows directory on accident becasue they have not got the technical knowledge to design software in the first place.

I'm not saying that they are idiots, or that they couldnt learn to program but how many actually would do so instead of jumping in at the deep end like a kid who can't swim?

I have not been trained to operate a Blast Furnace, pilot a jumbo jet or fix contacts in a substation so I do not do those things, no matter how easy the controls, I do not understand enough about the processes to do them.

All this will do is create another generation of people who think they can program becasue they can knock up a version of a calculator in a HTA file. Probably the same kind of people who claim to be claim to design web pages in their spare time because they knocked up a one for the local mothers union that comprises red text on a green background all nicely and conveniently laid out with tables and using cool rollover and blink effects.

And just who will have to mop up the mess after those HR bods accidentally deleted their public share by forgetting to set the current directory properly in their app? Us in It of course, if they havent got rid of us all then because "hey we have HTA, anyone can program with that".

bird, read a bit further down:

"Microsoft's patent appears to be platform agnostic, making it likely to apply to all operating systems including Linux and Unix. The operating system would recognise files to be run as applications by the HTML application file extension, .hta."

I saw that, and it's obviously the personal interpretation of the article writer.
The patent itself explicitly talks about Windows and only about Windows as far as I bothered to check. I'm not a patent lawyer, so this may or may not be significant to its factual reach. But at least a naive observer would certainly assume that the relevance of a patent is limited to what the patent actually talks about.

fair 'nuff. IMHO M$ has designs in the works that target one of two ultimate goals - destroying the Linux OS or absorbing it. SO I wouldn't be at all suprized if they incorporated this little gem in the *nix OS.

In the US, the Department of Labor is reporting a one-third decline in programming jobs. Many have been eliminated and others have gone off-shore. Reality says that end-users will increasingly take on HTML page production.

I doubt that many HR departments would want to trust the formatting of HTML pages of HR policies to overseas workers that have English as a second language.

The thrust of .HTA pages in the long-term will be that they will be interacting with other Office products on the end-users hard drive. .HTML pages are not meant to do this.

Someone commented that it was part of the vast effort of Microsoft to defeat Linux on the desktop. I see the updating of Excel spreadsheets on a local drive using .HTA with data from the server as a real requirement and not a marketing ploy.