Wednesday, January 15, 2025

CodeSOD: Actively Xing Out

Today, I'm honestly not sure that the WTF is in the code we're looking at. Jeff needed to support an older PHP application which used client side JavaScript heavily. This block was copy-pasted many times throughout the code base:

var ajaxRequest;  // The variable that makes Ajax possible!
       
try{
    // Opera 8.0+, Firefox, Safari
    ajaxRequest = new XMLHttpRequest();
} catch (e){
    // Internet Explorer Browsers
    try{
        ajaxRequest = new ActiveXObject("Msxml2.XMLHTTP");
    } catch (e) {
        try{           
            ajaxRequest = new ActiveXObject("Microsoft.XMLHTTP");
        } catch (e){
            try{
                ajaxRequest = new ActiveXObject("Msxml2.XMLHTTP.4.0");
            }
            catch(e){
                // Something went wrong
                echo("Something Wrong. Please try again later!");
                return false;
            }
        }
    }
}

This code was written in the early 2010s, which does mean that the general pattern was necessary. Internet Explorer was still widely used; it didn't support XMLHttpRequest until 2012, and a depressing number of corporate environments lagged behind in adopting newer browsers, even as the old ones went out of support. Of course, they were lagging behind because they were using IE and code written to support IE's idiosyncrasies.

Now, this code is bad, but more because it's copy/pasted instead of being turned into a reusable function than because of the fallback pattern itself. And because it outputs a terrible error message. "Something Wrong." Thanks, error message, that's useless. It's also worth noting that the error is output via an echo. That's a PHP function, not a JavaScript one. Did the developer write code that doesn't work? Or did they create a JavaScript echo function so their JavaScript could look more like PHP? At this point, it's impossible to know, but I hate it.

But the real problem here is Internet Explorer, and specifically ActiveX. Now, ActiveX wasn't an entirely bad thing. It was Windows' method of handling reusable, shared libraries, especially of GUI components, that could be dropped into any arbitrary application. Writing VB6? You're definitely using ActiveX. You want to write an Access application, or a dangerously complicated Excel macro with a UI attached to it? That's ActiveX. In C++ land, you might be using Microsoft Foundation Classes, if you hate yourself, but you could also use ActiveX, which was easier to use.

And all of that is fine. For its time, ActiveX was actually pretty cool. But there was one problem, and that problem was Internet Explorer 3.0. In 1996, Microsoft added the ability to access ActiveX controls from JavaScript. This meant that, instead of using HTML widgets on your page, you could instead drop native Windows components onto your page. Microsoft convinced the W3C to add an <OBJECT> tag to the HTML spec to facilitate this embedding.

From Microsoft's perspective, this was great. IE allowed people to deliver richer, more polished looking web applications that behaved like desktop applications, in an era where the peak of interactivity was the <marquee> tag and animated gif backgrounds.

The reality was that this was part of their "embrace, extend, extinguish" philosophy, where they were attempting to destroy the web (who was going to keep buying Windows upgrades if you could get rich applications delivered as web pages?). But the monopolist aspects aren't really even the worst part.

You could dynamically load DLLs from inside of a web page! Often, the code you're loading from that ActiveX binary could do all sorts of things on the local computer, up to and including directly accessing the file system. Oh, there were warning messages that were meant to require user consent before this could happen, but it was trivial to socially engineer things to trick users into granting you consent. I myself, in college, made a proof of concept text editor that could steal files from the user's computers while pretending to be a web-based Notepad replacement.

ActiveX inside the browser was one of the most bonkers things that has happened in the history of the web. But the thing is, for corporate intranets, the scam worked. There were hordes of web applications pushed out by vendors which depended upon ActiveX, some of which are still in use today. While Microsoft Edge officially doesn't support ActiveX, it still has an "Internet Explorer Mode" which does.

And yes, going back to the code: because you were loading specific binaries from the host OS, you needed to know which binary to load, and its name might change between OS versions. Hence the attempts to load the XMLHTTP component all those different ways: depending on the specific version of Windows, and the specific libraries installed on that Windows machine, how you accessed the XMLHTTP component changed.
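As an added example (my code, not Jeff's or the original post's): the same fallback chain written once as a reusable function, which is the fix the post asks for, with a descriptive Error in place of the echo call. The env parameter, the probeXmlHttp and xmlHttpPath helpers, and the fake constructors are assumptions made so the logic can be exercised outside a browser; the three ProgIDs and the order they are tried in come from the snippet above.

```javascript
// Added example, not code from the original post: the copy-pasted try/catch
// pyramid factored into one reusable function. `env` is an assumed parameter
// holding the global object so the fallback logic can run outside a browser.

// ProgIDs in the order the original snippet tried them.
var XMLHTTP_PROGIDS = ["Msxml2.XMLHTTP", "Microsoft.XMLHTTP", "Msxml2.XMLHTTP.4.0"];

// Tries each mechanism in turn and reports which one worked, or throws an
// Error listing every attempt so the failure is diagnosable.
function probeXmlHttp(env) {
  var g = env || (typeof window !== "undefined" ? window : globalThis);
  var attempts = [];

  // Native object first: every non-IE browser, and newer IE, gets here.
  if (typeof g.XMLHttpRequest !== "undefined") {
    try {
      return { path: "native", request: new g.XMLHttpRequest() };
    } catch (e) {
      attempts.push("XMLHttpRequest: " + e.message);
    }
  }

  // Legacy IE only: each ProgID names a COM component on the host, and which
  // one exists depends on the Windows/MSXML version installed, hence the loop.
  if (typeof g.ActiveXObject !== "undefined") {
    for (var i = 0; i < XMLHTTP_PROGIDS.length; i++) {
      try {
        return { path: "activex:" + XMLHTTP_PROGIDS[i], request: new g.ActiveXObject(XMLHTTP_PROGIDS[i]) };
      } catch (e) {
        attempts.push(XMLHTTP_PROGIDS[i] + ": " + e.message);
      }
    }
  }

  // A descriptive Error replaces echo("Something Wrong."); the caller decides how to show it.
  throw new Error(
    "No XMLHTTP implementation available. Tried: " +
      (attempts.length ? attempts.join("; ") : "nothing; neither XMLHttpRequest nor ActiveXObject is defined")
  );
}

// The one function the rest of the code base should call instead of pasting the pyramid.
function createXmlHttpRequest(env) {
  return probeXmlHttp(env).request;
}

// Reports "native", "activex:<ProgID>" or "unavailable"; useful when inventorying
// legacy intranet pages that still depend on ActiveX (assumed helper).
function xmlHttpPath(env) {
  try {
    return probeXmlHttp(env).path;
  } catch (e) {
    return "unavailable";
  }
}

// Constructed fake environments so the function can be demonstrated without a browser.
function FakeXmlHttpRequest() {
  this.readyState = 0;
}

// Returns a fake ActiveXObject constructor that only knows the given ProgIDs,
// mimicking a machine with a particular MSXML version installed.
function makeFakeActiveXObject(installedProgIds) {
  return function FakeActiveXObject(progId) {
    if (installedProgIds.indexOf(progId) === -1) {
      throw new Error("Automation server can't create object");
    }
    this.progId = progId;
  };
}

// Demo: a modern browser, an old IE box with only Microsoft.XMLHTTP, and a host with nothing.
console.log(xmlHttpPath({ XMLHttpRequest: FakeXmlHttpRequest }));
console.log(xmlHttpPath({ ActiveXObject: makeFakeActiveXObject(["Microsoft.XMLHTTP"]) }));
console.log(xmlHttpPath({}));
```

In a real page you would call createXmlHttpRequest() with no argument and let it pick up window; the fake environments exist only so the selection and error-reporting logic can be checked on any machine.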

As always, TRWTF is Internet Explorer.

