How to bypass Internet Explorer Enhanced Security when using embedded WebBrowser control?

[亡魂溺海] 提交于 2021-02-18 11:47:06

问题


i have a native Windows application that embeds the WebBrowser, i.e.

  • CLSID_WebBrowser
  • 8856F961-340A-11D0-A96B-00C04FD705A2
  • Shell.Explorer.2

Unfortunately, when running on Windows Servers, the Internet Explorer Enhanced Security mode interferes with the WebBrowser control, causing it to not render at all:

In this case, the UI of the software is driven as a WebBrowser control - making the software unusable.

i could disable Internet Explorer Enhanced Security mode, but that is not practical.

How can i instruct Internet Explorer browser to allow an embedded browser to render without the security dialog?

Note: i would have suggested adding about:security_Application.exe to the Trusted Zones list"

Sadly, that will require DRP/FRP validation, an ISO security assessment, and the security group will have to be called in to make the change. In addition, an RFC will need to be created so KPMG won't have hissy-fit next audit. i was hoping for the "good" solution.

See also

  • Customizing (disabling) security settings for IE control
  • Custom IInternetSecurityManager not being called with dialogs

回答1:


You can specify a different URL. For example you can extract the content to a temp file and navigate to it. This will not put your content in the trusted zone, but it is better than the internet zone you get for the about protocol.

If you do not want to save the content, you can first navigate to about:blank, then in DocumentComplete, QI the document for IPersistMoniker, and call Load with a TInterfacedObject that basically simulates a url moniker.

  1. The IMoniker.GetDisplayName implementation needs to return the URL. The url needs to be in a trusted zone.
  2. IMoniker.BindToStorage implementation needs to send back a reference to a TMemoryStream when IStream is asked.

There's a third way, write a process-wide security manager that puts your url in a trusted zone.


The solution is to implement your own Internet Security Manager service creating an object that implements IInternetSecurityManager (see MSDN: Implementing a Custom Security Manager). There are five security zones:

  • Local: URLZONE_LOCAL_MACHINE (0)
  • Intranet: URLZONE_INTRANET (1)
  • Trusted: URLZONE_TRUSTED (2)
  • Internet: URLZONE_INTERNET (3)
  • Restricted: URLZONE_UNTRUSTED (4)

The only method you really need to worry about is MapUrlToZone:

TEmbeddedSecurityManager = class(TInterfacedObject, IInternetSecurityManager)
public
   //...
   function MapUrlToZone(pwszUrl: LPCWSTR; out dwZone: DWORD; dwFlags: DWORD): HResult; virtual; stdcall;
   //...
end;

This method checks if the Url starts with about:security

about:security_Contoso.exe

and if so, returns that the zone should be Local:

function TEmbeddedSecurityManager.MapUrlToZone(pwszUrl: LPCWSTR; out dwZone: DWORD; dwFlags: DWORD): HResult;
var
    url: UnicodeString;
begin
    Result := INET_E_DEFAULT_ACTION;

    {
        https://msdn.microsoft.com/en-us/library/ms537133(v=vs.85).aspx
    }
    url := pwszUrl;
    {
        When IE Enchanced Security is enabled, the url goes from 
            about:blank_xxxx
        to 
            about:security_xxxx

        In that case we will put the page in the "Local" zone
    }
    if url.StartsWith('about:security') then
    begin
        dwZone := URLZONE_LOCAL_MACHINE; //Local
        Result := S_OK;
    end;
end;

Every other method must return INET_E_DEFAULT_ACTION (i.e. not S_OK nor E_NOTIMPL), e.g.:

function TEmbeddedSecurityManager.SetSecuritySite(Site: IInternetSecurityMgrSite): HResult;
begin
    Result := INET_E_DEFAULT_ACTION;
end;

You give the embedded WebBrowser this service when it calls IServiceProvider.QueryService. In the case of Delphi's TEmbeddedWB control, it is exposed in the OnQueryService event:

function TForm1.EmbeddedWBQueryService(const rsid, iid: TGUID; out Obj: IInterface): HRESULT;
var
    sam: IInternetSecurityManager;
begin
    Result := E_NOINTERFACE;

    //rsid ==> Service Identifier
    //iid ==> Interface identifier
    if IsEqualGUID(rsid, IInternetSecurityManager) and IsEqualGUID(iid, IInternetSecurityManager) then
    begin
        sam := TEmbeddedSecurityManager.Create;
        Obj := sam;
        Result := S_OK;
    end;
end;



回答2:


Maybe you could consider to load a different embedded browser. There is:

  • WebKit: http://www.webkit.org/
  • SWT (eclipse)


来源:https://stackoverflow.com/questions/13997720/how-to-bypass-internet-explorer-enhanced-security-when-using-embedded-webbrowser

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!