Marking ActiveX controls as safe for initialization and scripting

Source: Internet
Author: User

After an ActiveX control is packaged into a CAB file and called from script, you must make sure the control is marked as safe so that it can run on your web page. There are two ways to do this. The first is to implement the IObjectSafety interface in your control: if IE finds that your control supports IObjectSafety, it calls the IObjectSafety::SetInterfaceSafetyOptions method before loading your control. The second is to modify the registry.

ActiveX Control Safe Initialization: Implementing the IObjectSafety Interface


1. Create an MFC ActiveX control named "TryISafeObject.ocx".

2. Declare the IObjectSafety interface in TryISafeObjectCtrl.h:

#include <objsafe.h> // for IObjectSafety; in ActiveX SDK

class CTryISafeObjectCtrl : public COleControl
{
    DECLARE_DYNCREATE(CTryISafeObjectCtrl)

    /////////////////////////////////////////////////////////////////////////
    // IObjectSafety
    DECLARE_INTERFACE_MAP()

    BEGIN_INTERFACE_PART(ObjSafe, IObjectSafety)
        STDMETHOD_(HRESULT, GetInterfaceSafetyOptions)(
            /* [in] */ REFIID riid,
            /* [out] */ DWORD __RPC_FAR *pdwSupportedOptions,
            /* [out] */ DWORD __RPC_FAR *pdwEnabledOptions
        );

        STDMETHOD_(HRESULT, SetInterfaceSafetyOptions)(
            /* [in] */ REFIID riid,
            /* [in] */ DWORD dwOptionSetMask,
            /* [in] */ DWORD dwEnabledOptions
        );
    END_INTERFACE_PART(ObjSafe);

    // IObjectSafety
    /////////////////////////////////////////////////////////////////////////

    // .....

};

The objsafe.h header file contains the IObjectSafety interface definition.

3. Implement the IObjectSafety interface in TryISafeObjectCtrl.cpp:

/////////////////////////////////////////////////////////////////////////////
// Interface map for IObjectSafety

BEGIN_INTERFACE_MAP(CTryISafeObjectCtrl, COleControl)
    INTERFACE_PART(CTryISafeObjectCtrl, IID_IObjectSafety, ObjSafe)
END_INTERFACE_MAP()

/////////////////////////////////////////////////////////////////////////////
// IObjectSafety member functions

// Delegate AddRef, Release, QueryInterface

ULONG FAR EXPORT CTryISafeObjectCtrl::XObjSafe::AddRef()
{
    METHOD_PROLOGUE(CTryISafeObjectCtrl, ObjSafe)
    return pThis->ExternalAddRef();
}

ULONG FAR EXPORT CTryISafeObjectCtrl::XObjSafe::Release()
{
    METHOD_PROLOGUE(CTryISafeObjectCtrl, ObjSafe)
    return pThis->ExternalRelease();
}

HRESULT FAR EXPORT CTryISafeObjectCtrl::XObjSafe::QueryInterface(
    REFIID iid, void FAR* FAR* ppvObj)
{
    METHOD_PROLOGUE(CTryISafeObjectCtrl, ObjSafe)
    return (HRESULT)pThis->ExternalQueryInterface(&iid, ppvObj);
}

const DWORD dwSupportedBits =
    INTERFACESAFE_FOR_UNTRUSTED_CALLER |
    INTERFACESAFE_FOR_UNTRUSTED_DATA;
const DWORD dwNotSupportedBits = ~dwSupportedBits;

/////////////////////////////////////////////////////////////////////////////
// CTryISafeObjectCtrl::XObjSafe::GetInterfaceSafetyOptions
// Allows container to query what interfaces are safe for what. We're
// optimizing significantly by ignoring which interface the caller is
// asking for.
HRESULT STDMETHODCALLTYPE
CTryISafeObjectCtrl::XObjSafe::GetInterfaceSafetyOptions(
    /* [in] */ REFIID riid,
    /* [out] */ DWORD __RPC_FAR *pdwSupportedOptions,
    /* [out] */ DWORD __RPC_FAR *pdwEnabledOptions)
{
    METHOD_PROLOGUE(CTryISafeObjectCtrl, ObjSafe)

    HRESULT retval = ResultFromScode(S_OK);

    // Does interface exist?
    IUnknown FAR* punkInterface = NULL;
    retval = pThis->ExternalQueryInterface(&riid,
                    (void **)&punkInterface);
    if (retval != E_NOINTERFACE) { // interface exists
        punkInterface->Release(); // release it -- just checking!
    }

    // We support both kinds of safety and have always both set,
    // regardless of interface
    *pdwSupportedOptions = *pdwEnabledOptions = dwSupportedBits;

    return retval; // E_NOINTERFACE if QI failed
}

/////////////////////////////////////////////////////////////////////////////
// CTryISafeObjectCtrl::XObjSafe::SetInterfaceSafetyOptions
// Since we're always safe, this is a no-brainer -- but we do check to make
// sure the interface requested exists and that the options we're asked to
// set exist and are set on (we don't support unsafe mode).
HRESULT STDMETHODCALLTYPE
CTryISafeObjectCtrl::XObjSafe::SetInterfaceSafetyOptions(
    /* [in] */ REFIID riid,
    /* [in] */ DWORD dwOptionSetMask,
    /* [in] */ DWORD dwEnabledOptions)
{
    METHOD_PROLOGUE(CTryISafeObjectCtrl, ObjSafe)

    // Does interface exist?
    IUnknown FAR* punkInterface = NULL;
    pThis->ExternalQueryInterface(&riid, (void **)&punkInterface);
    if (punkInterface) { // interface exists
        punkInterface->Release(); // release it -- just checking!
    }
    else { // interface doesn't exist
        return ResultFromScode(E_NOINTERFACE);
    }

    // Can't set bits we don't support
    if (dwOptionSetMask & dwNotSupportedBits) {
        return ResultFromScode(E_FAIL);
    }

    // Can't set bits we do support to zero
    dwEnabledOptions &= dwSupportedBits;
    // (We already know there are no extra bits in mask)
    if ((dwOptionSetMask & dwEnabledOptions) !=
         dwOptionSetMask) {
        return ResultFromScode(E_FAIL);
    }

    // Don't need to change anything since we're always safe
    return ResultFromScode(S_OK);
}
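The mask checks in SetInterfaceSafetyOptions are easier to review outside MFC. The following is an added example, not code from the original page: a portable C++ model that puts the page's always-safe policy next to a stateful variant for a control that can honour only some options. `AlwaysSafeSet`, `SafetyModel` and the `k...` constants are hypothetical names; their values are those of the Windows SDK definitions named in the comments.

```cpp
#include <cstdint>

// Option bits and HRESULT values as defined in the Windows SDK (objsafe.h,
// winerror.h), redeclared under local names so the model builds without the SDK.
constexpr uint32_t kUntrustedCaller = 0x00000001;  // INTERFACESAFE_FOR_UNTRUSTED_CALLER
constexpr uint32_t kUntrustedData   = 0x00000002;  // INTERFACESAFE_FOR_UNTRUSTED_DATA
constexpr int32_t  kSOk   = 0;                                  // S_OK
constexpr int32_t  kEFail = static_cast<int32_t>(0x80004005u);  // E_FAIL

// The page's policy: both options are permanently on, so the only request that
// succeeds is one that keeps supported bits switched on.
int32_t AlwaysSafeSet(uint32_t mask, uint32_t enabledBits) {
    const uint32_t supported = kUntrustedCaller | kUntrustedData;
    if (mask & ~supported) return kEFail;             // unknown option requested
    enabledBits &= supported;
    if ((mask & enabledBits) != mask) return kEFail;  // tried to switch one off
    return kSOk;
}

// Hypothetical stateful variant: the control declares what it can honour,
// records what the host enabled, and gates risky methods on that state.
struct SafetyModel {
    uint32_t supported;
    uint32_t enabled = 0;
    explicit SafetyModel(uint32_t s) : supported(s) {}

    int32_t Set(uint32_t mask, uint32_t enabledBits) {
        if (mask & ~supported) return kEFail;         // cannot honour this option
        enabled = (enabled & ~mask) | (enabledBits & mask);
        return kSOk;
    }
    // Methods that reach local resources check this before doing any work.
    bool RiskyMethodsAllowed() const { return (enabled & kUntrustedCaller) == 0; }
};
```

A control that returns success for an option is promising the host that no script or persisted data can make it misbehave, so the always-safe policy is only appropriate when every exposed method and property meets that bar.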

http://www.cnblogs.com/carekee/articles/1772201.html

ActiveX Control Safe Initialization 2: Manually Modifying the Registry

Here, modifying the registry means using the Component Categories Manager to create the correct entries in the system registry. IE 3 checks the registry to see whether a control can be safely initialized and scripted: it calls the ICatInformation::IsClassOfCategories method to determine whether the control supports the safety categories.

1. Create an MFC ActiveX control named axcschart.ocx.

2. In axcschart.cpp, add the header files:

/////////////////////////////
#include "comcat.h"
#include "objsafe.h"
/////////////////////////////

// CLSID of the control being marked safe
const GUID CDECL CLSID_SafeItem =
{ 0x7ae7497b, 0xcad8, 0x4e66, { 0xa5, 0x8b, 0xdd, 0xe9, 0xbc, 0xaf, 0x6b, 0x61 } };

// Create the component category
HRESULT CreateComponentCategory(CATID catid, WCHAR* catDescription)
{
    ICatRegister* pcr = NULL;
    HRESULT hr = S_OK;

    hr = CoCreateInstance(CLSID_StdComponentCategoriesMgr,
        NULL, CLSCTX_INPROC_SERVER, IID_ICatRegister, (void**)&pcr);
    if (FAILED(hr))
        return hr;

    // Make sure the HKCR\Component Categories\{..catid...}
    // key is registered.
    CATEGORYINFO catinfo;
    catinfo.catid = catid;
    catinfo.lcid = 0x0409; // English

    // Make sure the provided description is not too long.
    // Only copy the first 127 characters if it is.
    int len = (int)wcslen(catDescription);
    if (len > 127)
        len = 127;
    wcsncpy(catinfo.szDescription, catDescription, len);
    // Make sure the description is null terminated.
    catinfo.szDescription[len] = '\0';

    hr = pcr->RegisterCategories(1, &catinfo);
    pcr->Release();

    return hr;
}

// Register the class as implementing the component category
HRESULT RegisterCLSIDInCategory(REFCLSID clsid, CATID catid)
{
    // Register your component categories information.
    ICatRegister* pcr = NULL;
    HRESULT hr = S_OK;
    hr = CoCreateInstance(CLSID_StdComponentCategoriesMgr,
        NULL, CLSCTX_INPROC_SERVER, IID_ICatRegister, (void**)&pcr);
    if (SUCCEEDED(hr))
    {
        // Register this category as being "implemented" by the class.
        CATID rgcatid[1];
        rgcatid[0] = catid;
        hr = pcr->RegisterClassImplCategories(clsid, 1, rgcatid);
    }
    if (pcr != NULL)
        pcr->Release();
    return hr;
}

// Remove the class from the component category
HRESULT UnRegisterCLSIDInCategory(REFCLSID clsid, CATID catid)
{
    ICatRegister* pcr = NULL;
    HRESULT hr = S_OK;

    hr = CoCreateInstance(CLSID_StdComponentCategoriesMgr,
        NULL, CLSCTX_INPROC_SERVER, IID_ICatRegister, (void**)&pcr);
    if (SUCCEEDED(hr))
    {
        // Unregister this category as being "implemented" by the class.
        CATID rgcatid[1];
        rgcatid[0] = catid;
        hr = pcr->UnRegisterClassImplCategories(clsid, 1, rgcatid);
    }

    if (pcr != NULL)
        pcr->Release();

    return hr;
}

Then call them during registration and unregistration:

// DllRegisterServer - add the entries to the system registry

STDAPI DllRegisterServer(void)
{
    AFX_MANAGE_STATE(_afxModuleAddrThis);

    if (!AfxOleRegisterTypeLib(AfxGetInstanceHandle(), _tlid))
        return ResultFromScode(SELFREG_E_TYPELIB);

    if (!COleObjectFactoryEx::UpdateRegistryAll(TRUE))
        return ResultFromScode(SELFREG_E_CLASS);
    /////////////////////////////////////////////////////////////////////////
    HRESULT hr;
    // Mark the control as safe for initialization.
    // Create the "safe for initializing" component category
    hr = CreateComponentCategory(CATID_SafeForInitializing, L"Controls safely initializable from persistent data!");
    if (FAILED(hr))
        return hr;
    // Register the control in the "safe for initializing" category
    hr = RegisterCLSIDInCategory(CLSID_SafeItem, CATID_SafeForInitializing);
    if (FAILED(hr))
        return hr;

    // Mark the control as safe for scripting.
    // Create the "safe for scripting" component category
    hr = CreateComponentCategory(CATID_SafeForScripting, L"Controls safely scriptable!");
    if (FAILED(hr))
        return hr;
    // Register the control in the "safe for scripting" category
    hr = RegisterCLSIDInCategory(CLSID_SafeItem, CATID_SafeForScripting);
    if (FAILED(hr))
        return hr;
    /////////////////////////////////////////////////////////////////////////

    return NOERROR;
}

// DllUnregisterServer - remove the entries from the system registry

STDAPI DllUnregisterServer(void)
{
    AFX_MANAGE_STATE(_afxModuleAddrThis);

    if (!AfxOleUnregisterTypeLib(_tlid, _wVerMajor, _wVerMinor))
        return ResultFromScode(SELFREG_E_TYPELIB);

    if (!COleObjectFactoryEx::UpdateRegistryAll(FALSE))
        return ResultFromScode(SELFREG_E_CLASS);
    /////////////////////////////////////////////////////////////////////////
    HRESULT hr;
    // Remove the "safe for initializing" entry for the control.
    hr = UnRegisterCLSIDInCategory(CLSID_SafeItem, CATID_SafeForInitializing);
    if (FAILED(hr))
        return hr;
    // Remove the "safe for scripting" entry for the control.
    hr = UnRegisterCLSIDInCategory(CLSID_SafeItem, CATID_SafeForScripting);
    if (FAILED(hr))
        return hr;
    /////////////////////////////////////////////////////////////////////////

    return NOERROR;
}
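RegisterClassImplCategories records each marking as a subkey of the class's Implemented Categories key, so the markings present on a machine can be reviewed from a registry export. The following is an added example, not code from the original page: it scans text in .reg export format and reports every CLSID marked safe for scripting or safe for initializing. `AuditSafeCategories` is a hypothetical helper, the sample input is constructed, and the export is assumed to have been converted to an 8-bit encoding.

```cpp
#include <algorithm>
#include <cctype>
#include <map>
#include <sstream>
#include <string>

// CATID values as defined in objsafe.h.
const std::string kSafeForScripting    = "{7DD95801-9882-11CF-9FA9-00AA006C42C4}";
const std::string kSafeForInitializing = "{7DD95802-9882-11CF-9FA9-00AA006C42C4}";
enum : unsigned { kScript = 1, kInit = 2 };

// Hypothetical helper: maps CLSID -> bitmask of safe-category markings found in
// key lines of the form [HKEY_...\CLSID\{clsid}\Implemented Categories\{catid}].
std::map<std::string, unsigned> AuditSafeCategories(std::string text) {
    std::transform(text.begin(), text.end(), text.begin(),
                   [](unsigned char c) { return static_cast<char>(std::toupper(c)); });
    const std::string clsidTag = "\\CLSID\\{", catTag = "}\\IMPLEMENTED CATEGORIES\\";
    std::map<std::string, unsigned> found;
    std::istringstream in(text);
    for (std::string line; std::getline(in, line);) {
        // Only key lines matter; "[-..." lines delete a key and are skipped.
        if (line.size() < 2 || line[0] != '[' || line[1] == '-') continue;
        std::size_t c = line.find(clsidTag);
        if (c == std::string::npos) continue;
        std::size_t start = c + clsidTag.size() - 1;   // index of the CLSID's '{'
        std::size_t m = line.find(catTag, start);      // index of the CLSID's '}'
        std::size_t end = line.rfind(']');
        if (m == std::string::npos || end == std::string::npos) continue;
        std::size_t cat = m + catTag.size();
        if (end < cat) continue;
        std::string clsid = line.substr(start, m + 1 - start);
        std::string catid = line.substr(cat, end - cat);
        if (catid == kSafeForScripting) found[clsid] |= kScript;
        else if (catid == kSafeForInitializing) found[clsid] |= kInit;
    }
    return found;
}

// Constructed sample in .reg text form (not from a real machine). The first
// CLSID is CLSID_SafeItem from the page; the second is a made-up placeholder.
const char* const kSampleReg = R"(Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{7ae7497b-cad8-4e66-a58b-dde9bcaf6b61}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
[HKEY_CLASSES_ROOT\CLSID\{7ae7497b-cad8-4e66-a58b-dde9bcaf6b61}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]
[HKEY_CLASSES_ROOT\CLSID\{00000000-1111-2222-3333-444444444444}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}]
[HKEY_CLASSES_ROOT\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32]
)";
```

Controls that implement IObjectSafety instead of registering these categories do not appear in such an export, so an empty result does not mean no control on the machine is scriptable.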

See MSDN:

ms-help://MS.MSDNQTR.2003FEB.2052/dnaxctrl/html/msdn_signmark.htm

 

 
