Friday, July 20, 2007

Launching Active Content

Changes in the Internet security landscape in recent years have had an unanticipated impact on developers of content delivered via portable media such as CD-ROMs and flash drives. The problem is that many portable media applications launch in a browser, and Microsoft's Internet Explorer no longer trusts so-called 'active content' on a CD-ROM, flash drive, or even the user's hard disc. This has been the case since an update to IE when XP Service Pack 2 was introduced (in mid-2004).

So what is 'active content' and why is it a problem? According to Webopedia, active content refers to content that is either interactive or dynamic. Examples include JavaScript applications and presentations that rely on Windows Media and Flash player ActiveX objects to embed video in web pages. These are common in eLearning and corporate marketing presentations distributed on portable media. Active content could be a problem if used to transmit software viruses or worms.

Individual users can force their IE browser to allow active content by opening 'Tools, Internet Options', selecting the 'Advanced' tab and scrolling down to the tickbox for 'Allow active content to run files on my computer'. This solution is well-documented, relatively safe, and not very difficult for users.

But there are also some clever tricks that content developers can employ to enhance the user experience, and prevent users from seeing security warnings about untrusted active content. The method I use forces the content to load from a network path. The use of a network path tells IE that the content is on the Internet (rather than in the local file system), and that the content is therefore trustworthy. This is one of many possible workarounds, but I find it is the most elegant.

To implement the solution, I created a batch file which is invoked when the media autoplays. It is lengthy, but how it works is pretty simple. The script uses the command 'net share' to create a network sharename for the current folder (where the content is located). It then tries to open a designated HTML entry page using a UNC path (eg- '\\computername\sharename\index.htm'). If either of these fail, the script simply opens the entry page as a local file, and leaves it to the user to manage their security settings. Typically it would fail if the user does not have rights to create a network share, such as in a secure enterprise network. But in most cases with novice users, the presentation autoruns seamlessly.

Following Microsoft's release of XP SP2, Macromedia also decided that Flash content should not be trusted when run locally. So they implemented a security model that forces users to explicitly allow local Flash content. But there were several problems with the implementation, most notably that one needs an Internet connection to change the settings - a convenience that is not always available for users viewing content on portable media. And Flash developers using CDs to distribute content, such as those producing eLearning modules, were upset because the CDs no longer worked properly after their users upgraded the Flash Player (to version 8 or later).

To implement a solution for a presentation that includes Flash, I created another simple batch file which is invoked when the portable media autoplays. This script creates a 'trust file' containing an entry which states the location of the current folder (where the content is located). The trust file may also include other locations for portable media (eg- 'd' and 'e' drives). The trust file tells the Flash Player plugin that content in these locations and contained subdirectories can be trusted. Once this script executes, any Flash content in the presentation can play seamlessly when launched.

These two batch files have proved handy for me. Please feel free to use and share them, and do comment if you note any problems with the implementations.

[On 16 June 2008, I posted an update to my instructions on launching active content. This post explains how you can replace the Net-Share script with one I call IE-Fix, that directly modifies the registry to tweak IE settings. Please review that post.]

7 comments:

Luther said...

This is great - thank you so much - this is just what I need!

Could you provide some brief instructions on actually implementing the script on a CD (it's the Flash one I'm after).

I owe you one!

Bill Claxton said...

1. Save the script in a text file and name it 'flashfix.bat'.

2. Open another file and paste in the following:
[autorun]
icon=web_content\images\cd_silver.ico
label=Multimedia Presentation
shell\viewreadme\command=notepad \readme.txt
shell\viewreadme=&Read Description
open=shellexecute /f:flashfix.bat /r:min

3. Save that file as 'autorun.inf'. Note that the open command will be autorun when the CD is inserted. The files 'readme.txt' and 'cd_silver.ico' (or equivalent icon file) should be present. Otherwise remove those lines.

4. Shellexecute is shareware. Download 'shellexecute.exe' from the developer's website (yes, the site name is spelled with 2 o's): http://develooper.com/code/shellexecute/

5. Place the 'flashfix.bat', 'autorun.inf' and 'shellexecute.exe' files in the root directory of the folder where you CD-ROM content is.

6. The syntax of 'Shellexecute' is a bit odd. The command "shellexecute /f:flashfix.bat /r:min" tells it to run the batch file minimised. Run "shellexecute /?" to learn more about syntax for this utility.

7. In case you want both the network sharing and flashfix, chain the two batch files.

8. Burn a CD and test. Alternatively, use the 'subst' DOS command to create a virtual drive and test with that before burning.

Good luck!

Luther said...

Thanks for taking the time to write out the instructions!

I get an error message, however:
"Error opening /f:flashfix.bat /r:min"

I tried changing the autorun.inf file to read just:
"open=shellexecute flashfix.bat" which does execute the script, but then how do you cause the content itself (in this case an .html page) automatically open?

Thanks again!

Bill Claxton said...

Apologies for the late reply Luther. At the end of the 'flashfix.bat' file, simply add the line 'start index.htm' (or whatever HTML page you wish to launch.

Start will launch the default browser based on the filename association. More info on use of the 'start' command may be found here (http://www.computerhope.com/starthlp.htm).

Anonymous said...

Bill,

Thank you for the script. The UNC share works except if the computer's network is disabled or the network cable is unplugged. In this case, a windows error window pops up and stays there until "OK" is clicked...then the remainder of the batch file runs.

I guess NET SHARE can't share without the network present, even if the share is only intended for the host machine.

Might there be a way around this issue? I don't know enough about batch file syntax to solve this.

Thanks,
-VE

Bill Claxton said...

I have posted an update to my instructions on launching active content. This post explains how you can replace the Net-Share script with one I call IE-Fix, that directly modifies the registry to tweak IE settings.

Anonymous said...

thanks for the information

www.code-heaven.blogspot.com