The Internet Explorer Discussion Toolbar will probe your web site to see if it is using SharePoint (or Front Page Server Extensions). If it finds that you are using SharePoint, it will enable the toolbar's discussion feature, which will most likely result in an Access Denied or some other error message to the user.
While this is a very minor thing you may want to consider blocking access to the URLs Internet Explorer Discussion Toolbar uses to determine if a site is using SharePoint. This can easily be done by using an ISAPI Filter and blocking traffic to /_vti_bin/owssvr.dll and /MSOffice/cltreq.asp.
Recently my team launched some public-facing SharePoint Publishing Sites and discovered a small issue with the Internet Explorer Discussion Toolbar. When we would browse our guest (anonymous) access URL we would be prompted for a login. We were only seeing it from certain test clients using Internet Explorer. By installing Fiddler on one of the test clients we could quickly see traffic going to /_vti_bin/owssvr.dll, which would return an HTTP 401 message indicating that the client was not authorized.
Below is some sample traffic I collected using Fiddler and http://sharepoint.microsoft.com/. As you can see the 11th request (3rd line below) is a call to /_vti_bin/owssvr.dll.
With a little trial and error we were able to quickly figure out that this toolbar was generating those requests to /_vti_bin/owssvr.dll. I’m not an Internet Explorer Discussion Toolbar expert, but it appears to send that request every time a request is made to the server.
If it receives a 200 then it enables discussions for the page. Below is a screenshot from http://sharepoint.microsoft.com/. The Discussion Toolbar is enabled and ready to go.
Just because the toolbar is enabled does not mean people will be able to attach comments to your web pages. I tried this and discovered that the toolbar will fail with an Access Denied error since it is trying to write to the SharePoint site collection.
During the testing I discovered that if the request to /_vti_bin/owssvr.dll fails then the toolbar will display a message stating that discussions are not allowed for this page. Below is a screenshot of the discussion toolbar disabled.
To stop this activity we used ISAPI_Rewrite to deny all requests going to /_vti_bin/owssvr.dll and /MSOffice/cltreq.asp through the IIS sites that support browsing (we have a separate IIS site for content editing). We did NOT want to block traffic to /_vti_bin/owssvr.dll through our editing site because we were concerned it would break some of the Office Client integration features.
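To confirm the deny rule is working on the browsing sites only, the IIS W3C logs can be checked for how the two probe URLs were answered. The script below is an added example, not part of the original post: the site names (W3SVC1 for browsing, W3SVC2 for editing), the assumption that a denied request is logged as 403 or 404, and the sample log lines are all constructed for illustration.

```python
from collections import Counter

# The two probe URLs named in the post (IIS paths are case-insensitive).
PROBE_PATHS = {"/_vti_bin/owssvr.dll", "/msoffice/cltreq.asp"}
# Assumption: the deny rule answers with 403 or 404.
DENIED = {"403", "404"}

def parse_w3c(log_text):
    """Yield one dict per request, using the #Fields header for column names."""
    fields = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def probe_summary(log_text):
    """Count probe requests per (site, path, status)."""
    counts = Counter()
    for row in parse_w3c(log_text):
        path = row.get("cs-uri-stem", "").lower()
        if path in PROBE_PATHS:
            counts[(row.get("s-sitename"), path, row.get("sc-status"))] += 1
    return counts

def unblocked_probes(log_text, browse_sites):
    """Probe requests on browsing sites that were not denied (e.g. 401 or 200)."""
    return sorted(
        key for key in probe_summary(log_text)
        if key[0] in browse_sites and key[2] not in DENIED
    )

# Constructed sample log: W3SVC1 = browsing site, W3SVC2 = editing site.
SAMPLE_LOG = """\
#Fields: date time s-sitename cs-method cs-uri-stem c-ip sc-status
2010-01-01 10:00:00 W3SVC1 GET /Pages/default.aspx 192.0.2.10 200
2010-01-01 10:00:01 W3SVC1 GET /_vti_bin/owssvr.dll 192.0.2.10 401
2010-01-01 10:00:01 W3SVC1 GET /MSOffice/cltreq.asp 192.0.2.10 404
2010-01-01 10:05:00 W3SVC1 GET /_vti_bin/owssvr.dll 192.0.2.11 403
2010-01-01 10:06:00 W3SVC2 POST /_vti_bin/owssvr.dll 192.0.2.20 200
"""

if __name__ == "__main__":
    for site, path, status in unblocked_probes(SAMPLE_LOG, {"W3SVC1"}):
        print(f"{site}: {path} answered {status}; deny rule not effective")
```

A 401 on a browsing site is the response that triggers the login prompt described above, while a 200 on the editing site is expected and left alone.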