none
HTA : "Safety Settings on this computer prohibit accessing a data source on another domain" RRS feed

  • Question

  • I have an user (run on Windows 7) is suffering the problem  "Safety Settings on this computer prohibit accessing a data source on another domain" with my HTA program. Only some users are facing the problem. Computers I could find with Windows 7, windows 8, Windows 10 all ok. To be able to call help, I have to find the way to 100% reproduce the problem and I have finally reproduced the same problem on a clean installed Windows XP on a VMware virtual machine as shown below,

    works fine with cscript.exe but failed with HTA

    The above picture shows that the same code works fine with cscript.exe (WSH) but failed with HTA on Windows XP, always.

    I have spent a lot of time to google and try Windows 'Administrator Tools' settings, no way to fix it from a bad computer or reproduce it on a good computer. 

    I have simplified the code to 3.hta and 2.js.

    Run 3.hta on bad windows 7 reproduced the problem, on any Windows Xp too.

    Run 2.js (command line "cscript.exe 2.js") is ok on all computers.

    But 3.hta and 2.js are logically totally same !!

    help help thank you thank you 

    ========== 2.js ===============

    var ado; 
    ado = new ActiveXObject("ADODB.Stream");
    var data;
    ado.CharSet = "utf-8";
    ado.Open();
    ado.LoadFromFile("2.js");
    data = ado.ReadText();
    ado.Close();
    WScript.echo(data);

    ========= 3.hta ==================

    <HTML>
    <HEAD>
    <meta http-equiv="x-ua-compatible" content="ie=9">
    <HTA:APPLICATION ID="Debug" 
       caption="yes" 
       maximizebutton="no" 
       minimizebutton="no" 
       sysmenu="yes" 
       BORDERSTYLE="complex"
       BORDER="thick"
    />
    <TITLE>HTA - Debug</TITLE>
    <script language="JScript">
    var ado; 
    ado = new ActiveXObject("ADODB.Stream");
    var data;
    ado.CharSet = "utf-8";
    ado.Open();
    ado.LoadFromFile("3.hta");
    data = ado.ReadText();
    ado.Close();
    </script>
    </HEAD>
    <BODY>
    <H2>HTA - Debug, try to read my own source code "3.hta"</H2>
    <div id=sourcecode></div>
    <script language="JScript"> sourcecode.innerText=data;</script>
    </BODY>
    </HTML>

    ====== end of 3.hta =================

    Friday, August 21, 2015 6:30 AM

All replies

  • This helped me on XP:

    Set this to 0 (zero):

    "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1406"

    Saturday, January 16, 2016 9:16 PM
  • Sorry for such a late reply. But, I have only come across this question right now.

    The main problem here is that Microsoft´s article on HTML Applications misses some important points regarding it.

    HTA files run outside the usual IE security settings regarding only 2 basic setting: "Initialize and script ActiveX controls marked as unsafe for scripting". And cross domain "Iframe" referencing. Notice that when I say referencing is *not* scripting. Even on HTA files you can´t inject script code in an iframe that belongs to a different domain. You can, however reference files located in the user´s local disk, even if the HTA is executed from a network share or HTTP address. Additionally HTA files will run ActiveX and script code even if it is running in the context of the "Restricted Sites" zone of IE, which by default never allows such actions. *BUT*, it will inherit most other security settings, like "Object data" attribute and the "Access data sources accross domains". Judging by what I have seen in the picture, the HTA file is downloaded from the internet, which causes most web browsers to "force" the file in the same context of the web site it came from, which in 99.99% of the cases is the Internet Zone. This is done by adding a simple NTFS Data stream to the downloaded file called "Zone.Identifier". To make sure the HTA will run under the local machine zone context, which by default allows accessing data sources accross domains, you may try using scripting and ActiveX to delete the NTFS Data stream, but let me tell you, it is a bit buggy. So the best solution may be telling your users to right click the downloaded HTA file, selecting "properties" from the menu. Then, on the window that shows the file properties, click the "Unblock" button, then click the "OK" button. That´s it, from now on the HTA file will run in the context of the local machine zone and won´t (by default) display this error anymore. The solution given by our friend which requires editing the registry is valid, but it is not recommended, specially on an enterprise environment because messing with security settings (on any IE zone) may lead to serious security problems and the Administrator won´t like it at all.

    Hope this helps.

    -Edu.

    Saturday, April 23, 2016 7:13 PM
  • I am facing similar issue. Please Help!!

    I have a single page application which use angular js,  and activeX object to access MS-ACCESS data base in the back end. The data base and .html page are located in same folder in LAN. While i am opening the .HTML file from the LAN using internet explorer it is working fine. it can read and write data from the MS-ACCESS data base. but while my friend who has read/write access to the same location is opening the .HTML file the file is opening but it can not read/write to the data base. it shows "SAFETY SETTING ON THIS SYSTEM PROHIBITS ACCESSING DATA FROM OTHER DOMAIN" . I don't have  authority to change security settings on internet explorer. i am using windows 7. Please HELP!!HELP!! Thank you in advance. 


    • Edited by happysusant Friday, March 10, 2017 10:25 AM
    Friday, March 10, 2017 10:24 AM
  • I was attempting to get the members of an AD group when I got this error.

    Instead, I put the code into Notepad, saved it, then renamed the file extension from .txt to .vbs, and then just double-clicked to run the file.  Instead of outputting my result to a textbox on the page, I wrote it out to a text file, and instead of taking the input from a textbox and clicking a button, I added a User Input prompt, using this:

    Set objShell = CreateObject("WScript.Shell")
    Set objFSO=CreateObject("Scripting.FileSystemObject")
    
    Function GetMembers()
    
    	Dim strGroupName, objGroup, strInput
    
            strInput = UserInput( "Enter a group name:" )
    	
    	'strGroupName = "Some_Hard_Coded_Group_For_Testing"
      	strGroupName = strInput
    
    	'VERIFY A GROUP NAME WAS PASSED 
    	If strGroupName = "" Then 
      	  MsgBox "NO GROUP PASSED" 
    	  MsgBox  "Usage:  scriptName <groupSamAccountName>" 
    	End If 
    
            Set objGroup = getGroup(strGroupName)
    
    	Dim objMember, outFile
    
    	' How to write file
    	outFile="C:\Users\MY_NAME\Documents\members.txt"
    	Set objFile = objFSO.CreateTextFile(outFile,True)
    
        	For Each objMember in objGroup.Members
                If (LCase(objMember.Class) <> "group") Then
    		'objFile.Write objMember.sAMAccountName & vbCrLf   
    		objFile.Write objMember.displayName & vbCrLf   
                End If
            Next
        Set objGroup = Nothing
        objFile.Close
    
        WScript.Echo "Open file at: " & outFile
    End Function
    
     
    Function getGroup(strGroupName) 
    
      Dim objConn, objRecSet, strQueryString, objRootDSE, strQueryFrom, strContainer, strDNSDomain
      Const adsOpenStatic = 3 
       
       Set objRootDSE = GetObject("LDAP://RootDSE") 
       strQueryFrom = "LDAP://" & objRootDSE.get("defaultNamingContext") 
    
       Set objConn = CreateObject("ADODB.Connection") 
       objConn.Provider = "ADsDSOObject" 
       objConn.Open 
     
       strQueryString = "SELECT AdsPath FROM '" & strQueryFrom & "' WHERE samAccountName = '" & strGroupName & "'" 
     
       Set objRecSet = CreateObject("ADODB.Recordset") 
     
       objRecSet.Open strQueryString, objConn, adsOpenStatic 
     
       If objRecSet.recordCount = 1 Then 
          Set getGroup = GetObject(objRecSet("AdsPath")) 
        Else 
          MsgBox ucase(strGroupName) & " was not found in the domain. (" & objRootDSE.get("defaultNamingContext") & ")" 
        End If 
    End Function 
    
    
    ' Start Here
    GetMembers()
    
    'strInput = UserInput( "Enter some input:" )
    'WScript.Echo "You entered: " & strInput
    
    Function UserInput( myPrompt )
    ' This function prompts the user for some input.
    ' When the script runs in CSCRIPT.EXE, StdIn is used,
    ' otherwise the VBScript InputBox( ) function is used.
    ' myPrompt is the the text used to prompt the user for input.
    ' The function returns the input typed either on StdIn or in InputBox( ).
    ' Written by Rob van der Woude
    ' http://www.robvanderwoude.com
        ' Check if the script runs in CSCRIPT.EXE
        If UCase( Right( WScript.FullName, 12 ) ) = "\CSCRIPT.EXE" Then
            ' If so, use StdIn and StdOut
            WScript.StdOut.Write myPrompt & " "
            UserInput = WScript.StdIn.ReadLine
        Else
            ' If not, use InputBox( )
            UserInput = InputBox( myPrompt )
        End If
    End Function

    Basically just change your game up by taking input from an Input box, and export your result to a file, instead of using a web page.  Everything else you're doing should be the same.


    • Edited by navyjax2 Thursday, April 19, 2018 9:44 PM
    Thursday, April 19, 2018 9:43 PM