ActiveX not working properly with default security settings

随声附和 submitted on 2019-12-10 11:48:20

Question


I have written an ActiveX control in C# and have made it work using the regasm command, and it works fine as long as the security level is set to low. Then, as a next step, I made a .cab installer (ICD - Internet component downloader), and signed my .cab file and ActiveX .dll file with a test certificate. When I hit the HTML page from my browser, the installation part works fine with the default security settings of IE, but at the end it seems that nothing is installed and a red cross is shown in place of the ActiveX control. Moreover, I have explored the Download Program Files folder under the Windows directory; in the status column it is showing the word "unknown", while it is "installed" for all other ActiveX controls. What may be the problem? Moreover, if I use the regasm command to register the assembly it works fine, and I have signed the ActiveX control, but I still have to move the security bar to low in my browser settings. Why is that so? Then what is the purpose of signing? I have used RegisterServer=yes in my .inf file.

Please let me know if someone has gone through this problem already.


Answer 1:


In order to run in IE, you also need to implement IObjectSafety so that IE knows that it is safe to be called by an untrusted caller and/or with untrusted data. (If it is actually safe, that is)

Personally, I have only done this in C++ & ATL, not C#, but here is a blog post that looks like it should help you achieve this in C#.

http://blog.devstone.com/aaron/2007/06/12/ImplementingIObjectSafetyInNETMarkingClassesSafeForScripting.aspx

The reason for this is that scripts by nefarious individuals may use your object to bypass the normal security offered by IE, so your ActiveX Object must defend against untrusted pages itself.

When you sign a cab, you are telling the user that the cab they are downloading is the one they think they are downloading - i.e. that some malicious individual hasn't replaced your cab with a dangerous one. If they trust you as a publisher, then they can trust that the ActiveXObject will not do anything evil on its own, or in combination with other code that they trust.

When you implement IObjectSafety, to return INTERFACESAFE_FOR_UNTRUSTED_CALLER | INTERFACESAFE_FOR_UNTRUSTED_DATA, you are telling IE that the object cannot be used maliciously by anyone else, and is therefore safe to run in conjunction with code that the user doesn't explicitly trust.
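A sketch of the IObjectSafety implementation the answer above describes, added here as an example (it is not code from the original answer or from the linked blog post). The class name `MyControl`, its placeholder GUID and the `Describe` method are hypothetical; the interface IID and the two flag values are the ones defined in objsafe.h.

```csharp
using System;
using System.Runtime.InteropServices;

// Managed declaration of the COM interface IObjectSafety (objsafe.h).
[ComImport]
[Guid("CB5BDC81-93C1-11CF-8F20-00805F2CD064")]
[InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
public interface IObjectSafety
{
    [PreserveSig]
    int GetInterfaceSafetyOptions(ref Guid riid, out int pdwSupportedOptions, out int pdwEnabledOptions);

    [PreserveSig]
    int SetInterfaceSafetyOptions(ref Guid riid, int dwOptionSetMask, int dwEnabledOptions);
}

// Hypothetical control. The GUID is a placeholder: generate your own.
[ComVisible(true)]
[Guid("00000000-0000-0000-0000-000000000000")]
[ClassInterface(ClassInterfaceType.AutoDispatch)]
public class MyControl : IObjectSafety
{
    private const int INTERFACESAFE_FOR_UNTRUSTED_CALLER = 0x00000001;
    private const int INTERFACESAFE_FOR_UNTRUSTED_DATA = 0x00000002;
    private const int S_OK = 0;
    private const int E_FAIL = unchecked((int)0x80004005);

    // Only claim what the control really guarantees for every public member.
    private const int Supported =
        INTERFACESAFE_FOR_UNTRUSTED_CALLER | INTERFACESAFE_FOR_UNTRUSTED_DATA;

    private int enabled;

    public int GetInterfaceSafetyOptions(ref Guid riid, out int pdwSupportedOptions, out int pdwEnabledOptions)
    {
        pdwSupportedOptions = Supported;
        pdwEnabledOptions = enabled;
        return S_OK;
    }

    public int SetInterfaceSafetyOptions(ref Guid riid, int dwOptionSetMask, int dwEnabledOptions)
    {
        // Refuse any option bit outside the supported set instead of silently agreeing.
        if ((dwOptionSetMask & ~Supported) != 0) return E_FAIL;
        enabled = (enabled & ~dwOptionSetMask) | (dwEnabledOptions & dwOptionSetMask);
        return S_OK;
    }

    // Scriptable surface: no file, registry, process or network access driven by page input.
    public string Describe() { return "MyControl"; }
}
```

Returning both flags is a promise about every scriptable member of the class, so each public method has to treat its arguments as hostile input.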




Answer 2:


For me the solution above doesn't work. I also needed to register the tlb with: regasm MyDll.DLL /tlb



Source: https://stackoverflow.com/questions/1644828/activex-not-working-properly-with-default-security-settings