I noticed some strange behavior when visiting some of the few SharePoint-based blogs out on the wild Internets.
First, on home.infusionblogs.com, I was prompted with “This website wants to run the following add-on”.
It’s apparently signed by Microsoft, but the name is ‘Name ActiveX Control’. Was this a case where someone forgot to name the ActiveX control, I wondered?
To get more information, I clicked “run”. I am not foolhardy, I just know that clicking “run” doesn’t really mean “run” – it means, “give me some more info”. Here is the dialog I got:
Sure enough, the name of the ActiveX control is “Name ActiveX Control”, signed by Microsoft. When you click on the name, it sends you to office.microsoft.com, suggesting that it’s something important. This time, I clicked “don’t run”, though, since if it has to ask, the answer is “no”.
Update: clicking the red ‘x’ in the dialog box allows you to cancel out without approving or disapproving. That’s handy, and prevents breaking the Intranet.
Now, when browsing some other public SharePoint blogs, I get a warning:
This is good, it’s what I expected. Clicking the dialog (or going to ToolsManage Add-Ons) tells me that the control being requested is name.dll, or NameCtrl. The ProgID is Name.NameCtrl.1, and documentation seems sparse. Basically, this appears to be the control that allows a web page to get presence information about you (the little green bubble that shows next to a person’s name in Outlook or SharePoint). I am glad I didn’t enable that on the public Internet, since there is no way I want nastyevil.com to get my presence information!
However, there seems to be a catch. When I browse to any internal blog sites now, I get the same warning. And presence information no longer shows on internal sites! If I go into IE and enable the control, it will expose me across the web.
This is a bug caused by the way ActiveX opt-in is designed.
Update: I investigated some more, and have confirmed my theory. I went into the registry editor (regedt32) and cleared the IE7 “ActiveX Opt-In” information. I just deleted both keys in the registry:
(The full path is in the status bar of the screen clip) and
To make sure IE reloaded the settings, I had to close IE, and also go to task manager and kill ieuser.exe. Now when I fire up IE7 and browse to a page that looks for presence information, I get the nice green bubbles.
This teaches me two lessons:
- Sites which exist on the public Internet should not use this control, because it puts users in the uncomfortable position of choosing between A) being less secure on the Internet, and B) breaking functionality that currently works on their Intranet
- If I browse to a site that tries to use the control, I should just ignore the gold bar. Getting more info then breaks the Intranet, if I decline to turn the control on