By Matt Loney, 11 December 2003 09:25
NEWS Microsoft has been awarded a patent by the US Patents and Trademarks Office on writing Windows applications in HTML, making it possible to bypass the built-in security that browsers offer.
According to the application, the patent (no. 6,662,341) covers writing a standard HTML file that runs in its own window outside of the browser. This means, according to the filing, that the author of an HTML application file won't face the security constraints imposed by a browser. This relaxed security allows an HTML author to do things such as: read from a user's local computer; write to a user's local computer and perform scripting of frames between domains.
The patent paves the way for what it calls HTML applications - a new file type that windows would interpret as a standalone application that could be run outside of the browser.
"Most existing Windows application development environments require knowledge of specialised computer languages such as C++, or Visual Basic," says the patent. "Learning a specialised computer language is often difficult for non-technical individuals. However, many non-technical individuals can use HTML and scripting languages, such as VBScript and Jscript [Microsoft's implementation of JavaScript]."
Because HTML and scripting languages are run inside a web browser, they inherit the browser's user interface and security mechanisms. "Because non-technical individuals have knowledge of HTML and scripting languages, it would be advantageous to leverage such existing knowledge to implement a Windows application," says the patent. "Such applications should be free to define their own user interface elements and to run as trusted code on the system, that is, outside of the security model imposed by the web browser. The present invention is directed to achieving this result."
Microsoft's patent appears to be platform agnostic, making it likely to apply to all operating systems including Linux and Unix. The operating system would recognise files to be run as applications by the HTML application file extension, .hta.
Microsoft did not immediately respond to requests for comment.
Matt Loney writes for ZDNet UK
Comments
There are 3 comments. Join the discussion
1. Ian Savell
What do Microsoft think they are playing at!
Apart from the obvious security implications, how are people who can't write a program but can just about put a script together going to create anything other than a disaster?
The world already loses enough money from buggy spreadsheets and dodgy databases, what happens when someone's home-brewed untested HTA application trashes your data files or hangs your PC?
The whole point of browser security and java sandboxes is to minimise the damage caused by dodgy applications and scripts downloaded from the internet!
Lets be magnanimous - MS are obviously patenting the idea so they can keep it from ever happening!
2. anonymous
Pick a security hole, any security hole.... You've pick the "Blue Screen of Death", am I right or am I right...
3. Adam Carden
Actually (responding to other comments) for those obviously not in the know.
Microsoft designed a released the HTA
(HTML Application) quite a few years ago and it has been used a great deal in a number of Microsoft products including all versions of Commerce Server (the business desk is HTML Application)
And although developers have been free to use this technology for many years the majority of developers avoid for many reasons.