tags:

views:

141

answers:

2
+1  Q: 

IHTMLTxtRange.execCommand("Copy",false,null) fails due to IE settings

We have a .Net application that is used for editing/rendering customized HTML documents. It is hosted in IE using the AxSHDocVw.AxWebBrowser controls. We proceed with navigating to "about:blank" page initially then we change the Document by writing our custom values into it. The problem we are facing is the call to IHTMLTxtRange.execCommand("Copy",false,null) is failing if we don't enable the IE Security Settings in the Internet Security zone (Scripting->Allow Programmatic Access to Clipboard ).

In order to bypass the security setting ,I tried to point to a local html file initially while navigating. But this fails as soon as I modify the Document.

I want to use the IHTMLTxtRange.execCommand("Copy",false,null) command so that I can customize our Copy/Paste operations. Is there any other way I can do this. Please share your ideas inorder to overcome this situation. Thanks. Sriram

A: 

As far as I know, there is no way to do that without user permission. Its a security/privacy loophole to allow access to clipboard, and its natural that browsers are protective about it.

  1. You have already tried out ActiveX, and it doesn't work
  2. With Flash, you can interact with system clipboard - but only if its a part of an event handler. See Flash Player 10 Security.
  3. Javascript doesn't expose a way to access the clipboard.
  4. Not sure about silverlight, but I am guessing it would also restrict access to clipboard.

In short, the user has to explicitly give your application/website permission to access clipboard.

sri  2010-04-12 17:37:36
A: 

Try implement IInternetSecurityManager on your webbrowser control host, handle URLACTION_SCRIPT_PASTE in ProcessUrlAction. Note there is a bug in earlier versions of IE that causes the webbrowser to ignore host's URLACTION_SCRIPT_PASTE handling.

Sheng Jiang 蒋晟  2010-04-12 19:53:00
Thanks for you suggestion. I tried this approach. Implemented IInternetSecurityManager,and IOleClientSite interfaces to my Test Form.But my ProcessUrlAction is not getting Hit when I run my test form. I am not sure whether I am missing some steps.I followed another approach.ie to change the Security Zone of the about:blank to Local Computer using the SetZoneMapping from IInternetSecurityManager...It worked.!!My plan is to set the zone to local when the application is running and reset it when the application exits..Do you see this is a right approach..ThanksSriram
 2010-04-14 15:55:37
From the article linked above: MSHTML calls the QueryInterface method on the IOleClientSite interface to get the IServiceProvider interface. IServiceProvider::QueryService is called to get an IInternetSecurityManager interface.
Sheng Jiang 蒋晟  2010-04-14 17:53:33

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security