I have written an ActiveX control in C# and have made it work using the regasm command, and it works fine as long as the security level is set to low. Then, as a next step, I made a .cab installer (ICD - Internet component downloader), and signed my .cab file and ActiveX .dll file with a test certificate. When I hit the HTML page from my browser, the installation part works fine with the default security settings of IE, but at the end it seems that nothing is installed and a red cross is shown in place of the ActiveX. Moreover, I have explored the Download Program Files folder under the Windows directory; in the status column it is showing the word "unknown", while it is "installed" for all other ActiveX controls. What may be the problem? Moreover, if I use the regasm command to register the assembly it works fine, and I have signed the ActiveX, but still I have to move the security bar to low in my browser settings. Why is it so? Then what is the purpose of signing? I have used RegisterServer=yes in my .inf file.

Please let me know if someone has gone through this problem already.

+2  A: 

In order to run in IE, you also need to implement IObjectSafety so that IE knows that it is safe to be called by an untrusted caller and/or with untrusted data. (If it is actually safe, that is.)

Personally, I have only done this in C++ & ATL, not C#, but here is a blog post that looks like it should help you achieve this in C#.

http://blog.devstone.com/aaron/2007/06/12/ImplementingIObjectSafetyInNETMarkingClassesSafeForScripting.aspx

The reason for this is that scripts by nefarious individuals may use your object to bypass the normal security offered by IE, so your ActiveX Object must defend against untrusted pages itself.

When you sign a cab, you are telling the user that the cab they are downloading is the one they think they are downloading - i.e. that some malicious individual hasn't replaced your cab with a dangerous one. If they trust you as a publisher, then they can trust that the ActiveXObject will not do anything evil on its own, or in combination with other code that they trust.

When you implement IObjectSafety to return INTERFACESAFE_FOR_UNTRUSTED_CALLER | INTERFACESAFE_FOR_UNTRUSTED_DATA, you are telling IE that the object cannot be used maliciously by anyone else, and is therefore safe to run in conjunction with code that the user doesn't explicitly trust.

Paul Butcher
Then what is the purpose of signing my ActiveX? I have signed it with an X.509 certificate, and it shows me digital signatures when I right-click on my ActiveX DLL file and then choose Properties.
Ummar
You can sign your ActiveX, which shows that it's yours, but you can't trust the web pages or scripts that call your ActiveX once it is installed. On an intranet, you may have a "dangerous" object that reads and writes to the disk, or sends potentially confidential information to a server. This should be signed, but should only work when the object is invoked by a page in a trusted zone, like yours currently does. On the big wild internet, you might use an ActiveX object for a widget that only does what the user tells it to. This is safe, and must be marked as such with IObjectSafety.
Paul Butcher
So you mean that along with the digital signature, I need to implement the interface also? Am I right? And then I would be able to use it in my webpage without changing the security settings? So I need both things: 1) Implementing IObjectSafety 2) Digital Signature. Correct me if I am wrong.
Ummar
Yes, that is the case.
Paul Butcher
Paul, thanks for your help. It solves the problem. But one problem I am still facing is that my INF file is not working properly. I have to register the ActiveX control manually using the regasm command. How can I check my installation log?
Ummar
You can switch on installer logging in the Windows registry (see http://support.microsoft.com/kb/223300). Also, if this answer solves your problem, you should probably make it the accepted answer.
Phil Booth
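
An added example (not from this thread or the linked blog post) of a C# class that implements IObjectSafety and reports the two options named in the answer above. The class name SampleControl, its Echo method and the all-zero GUID are assumptions made for illustration; a real control needs its own CLSID.

```csharp
using System;
using System.Runtime.InteropServices;

// COM declaration of IObjectSafety (objsafe.h), imported by its documented IID.
[ComImport, Guid("CB5BDC81-93C1-11CF-8F20-00805F2CD064")]
[InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
public interface IObjectSafety
{
    [PreserveSig]
    int GetInterfaceSafetyOptions(ref Guid riid, out int supported, out int enabled);
    [PreserveSig]
    int SetInterfaceSafetyOptions(ref Guid riid, int optionSetMask, int enabledOptions);
}

// Hypothetical control; the all-zero GUID is a placeholder for your own CLSID.
[ComVisible(true), Guid("00000000-0000-0000-0000-000000000000")]
[ClassInterface(ClassInterfaceType.AutoDispatch)]
public class SampleControl : IObjectSafety
{
    private const int INTERFACESAFE_FOR_UNTRUSTED_CALLER = 0x1;
    private const int INTERFACESAFE_FOR_UNTRUSTED_DATA = 0x2;
    private const int S_OK = 0;
    private const int E_FAIL = unchecked((int)0x80004005);
    private const int Supported =
        INTERFACESAFE_FOR_UNTRUSTED_CALLER | INTERFACESAFE_FOR_UNTRUSTED_DATA;

    private int enabled; // options the host (IE) has switched on so far

    public int GetInterfaceSafetyOptions(ref Guid riid, out int supported, out int enabledOptions)
    {
        supported = Supported;
        enabledOptions = enabled;
        return S_OK;
    }

    public int SetInterfaceSafetyOptions(ref Guid riid, int optionSetMask, int enabledOptions)
    {
        // Reject any option bit outside the two this control claims to support.
        if ((optionSetMask & ~Supported) != 0) return E_FAIL;
        enabled = (enabled & ~optionSetMask) | (enabledOptions & optionSetMask);
        return S_OK;
    }

    // Scriptable member: only behaviour that is harmless with hostile input belongs here.
    public string Echo(string text)
    {
        return text == null ? "" : text.Substring(0, Math.Min(text.Length, 256));
    }
}
```

Every public member of such a class becomes callable from any page once the options are reported, so members that touch the disk, registry or network do not belong on a control marked this way.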
A: 

I have done the same thing that Ummar has done, but I am still getting the error: Automation server can't create object

Sandip Patil
Have you registered the assembly with the regasm command?
Ummar
A: 

My autoinstaller registers the assembly in the Registry with the ClassId at the time of installation. I checked manually in the Registry.

Sandip Patil