onlygo

asked on

what is "safe ActiveX" control?

I have written an ATL control to be embedded in the web page. The control will perform some file operation on the client's machine. Since IE's default security setting will not run a control that is not signed, I obtained a digital signature from VeriSign and signed my control. Now when the user goes to the webpage, a message box will come up saying that the control is signed by my company and asks the user whether he wants to run the control. This is great. But when the user clicks "Yes" to run the control, another message box comes up saying the current browser security setting does not allow a control that is unsafe to run. What does it mean? I thought by signing the control and user acceptance, any control should be able to run under the default security settings? Did I miss anything?
lyonst

Hi Onlygo,

You could try the following to see if the problem goes away -

Internet Explorer 4
Click Start, point to Settings, click Control Panel, double-click Internet, click the Security tab, click Medium (More Secure), and then click OK.

Internet Explorer 5
Click Start, point to Settings, click Control Panel, double-click Internet, click the Security tab, move the slider to Medium (More Secure), and then click OK.

Hope this helps,

T.
Hi,

If the issue continues to occur, try following these steps:

1. On the Tools menu in Internet Explorer, click Internet Options.
2. On the Security tab, click Internet, and then click Custom Level.
3. Under Run ActiveX Controls And Plug-ins, click Enable or Prompt.
4. Under Script ActiveX controls marked safe for scripting, click Enable or Prompt.
5. Under Java Permissions, click High Safety.
6. Click OK, and then click Yes.
7. Click OK.


T.
Hi,

Final Possible Solution -

To resolve this issue, configure the ActiveX controls and plug-ins security settings in Internet Explorer to Enable:

1. Right-click the Internet Explorer icon on the desktop, and then click Properties.
2. On the Security tab, click Custom Level.
3. Under ActiveX controls and plug-ins, click Enable under the following security settings:
   - Initialize and script ActiveX controls not marked as safe
   - Run ActiveX controls and plug-ins
4. Click OK.
5. Click Yes when you are prompted to change the security settings for the zone.


T.
Running Applications Securely
End users are protected from malicious applications because Internet Explorer ensures that only safe applications run on end-user systems. ActiveX controls that are hosted on Web sites trusted by the user can be downloaded and run on the end-user's system using all the features of the operating system. Users accept such trusted ActiveX controls just as they trust shrink-wrapped applications today for the desktop. Because ActiveX will not run the trusted control if it is modified after leaving the trusted Web site, the user is protected against malicious modification of applications during download.

On the other hand, ActiveX controls and Java applets on Web sites that are not trusted by an end user are not permitted to use all the features of the operating system. Because these untrusted ActiveX controls and Java applets are downloaded from a Web site and are limited to using a safe set of operating system features on the end-user system, they cannot compromise the security of the end-user system. Internet Explorer ensures that Java applets and untrusted ActiveX controls do not use the underlying operating system.

Internet Explorer supports trusted ActiveX controls that are written in languages such as Java, Visual C++, and Visual Basic. ActiveX supports those untrusted ActiveX controls written in the Java programming language.
onlygo

ASKER

Thanks people, for your comments. However, two quick points:

1. I know how to change the security settings to let my control run. But I just can't do that because it brings lots of inconvenience to the users (lots of users may not even know how to do all those setting changes)

2. I also understand the basic security issues like Applets/ActiveX security constraints. My question is: why the *digitally signed* control still can't run? If the signed control is still bound by the security restrictions, what's the point of signing?

Maybe this is completely off topic, but, frankly, I wouldn't let a webpage mess around a bit on my system (so all ActiveX and Java is by default disabled). There is a very good reason to disable active content.

Why do you need this? It is very uncontrollable, IE settings may differ, only available on Windows and how about other browsers?

You need to also write code to make it work in IE4 and higher. Look in the MSDN documentation for the IObjectSafety interface. There's code to show you how to implement it as well.
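
The distinction the asker ran into, as an added example (not code from this thread or from Microsoft): a portable C++ model of the IObjectSafety negotiation the reply above points to. The two flag values match objsafe.h; the `Control` struct, `hostDecision` and the policy enums are hypothetical names, and the host logic is simplified to the IObjectSafety path only.

```cpp
// Added illustration: portable model of the IObjectSafety negotiation.
// Not Windows/ATL code. The two flag values mirror objsafe.h; all other names are hypothetical.
#include <cstdint>

constexpr uint32_t INTERFACESAFE_FOR_UNTRUSTED_CALLER = 0x1; // "safe for scripting"
constexpr uint32_t INTERFACESAFE_FOR_UNTRUSTED_DATA   = 0x2; // "safe for initialization"

struct Control {
    bool     isSigned;         // Authenticode signature: affects the download prompt only
    bool     hasObjectSafety;  // control exposes IObjectSafety
    uint32_t supported;        // options the control is willing to honour
    uint32_t enabled;          // options the host has switched on so far

    // Models IObjectSafety::SetInterfaceSafetyOptions (the interface-ID argument is omitted).
    bool setSafetyOptions(uint32_t mask, uint32_t options) {
        if (!hasObjectSafety) return false;   // QueryInterface would have failed
        if (mask & ~supported) return false;  // host asked for something we cannot promise
        enabled = (enabled & ~mask) | (options & mask);
        return true;
    }
};

// Zone setting "Initialize and script ActiveX controls not marked as safe".
enum class UnsafePolicy { Disable, Prompt, Enable };
enum class Outcome { Runs, AskUser, Blocked };

// Host-side decision once the signed control is already installed.
Outcome hostDecision(Control& c, bool pageScripts, bool pageInitializes, UnsafePolicy policy) {
    uint32_t needed = 0;
    if (pageScripts)     needed |= INTERFACESAFE_FOR_UNTRUSTED_CALLER;
    if (pageInitializes) needed |= INTERFACESAFE_FOR_UNTRUSTED_DATA;
    if (needed == 0 || c.setSafetyOptions(needed, needed)) return Outcome::Runs;
    // Control is "not marked as safe": the zone setting decides; isSigned is never consulted.
    switch (policy) {
        case UnsafePolicy::Enable: return Outcome::Runs;
        case UnsafePolicy::Prompt: return Outcome::AskUser;
        default:                   return Outcome::Blocked;
    }
}

int main() {
    Control signedOnly{true, false, 0, 0};  // constructed sample: signed, no IObjectSafety
    return hostDecision(signedOnly, true, true, UnsafePolicy::Disable) == Outcome::Blocked ? 0 : 1;
}
```

The signature and the safety marking answer different questions: the first identifies the publisher at download time, the second is the control's own promise that any page may script or initialize it.
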
onlygo

ASKER

Well, what I want to write is actually something like InstallShield's InstallFromTheWeb. I want to write and embed the control in a webpage. The control will communicate with my server, retrieve the setup files from the servers and store them on the local hard disk. Once the retrieval is done, the control will launch the setup program. I want to do this to minimize the user's operations.
onlygo

ASKER

Also, I am not worrying about other browsers. I only need to make it work under IE5 (because my program works only with IE5:)
ASKER CERTIFIED SOLUTION
sharonk

This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.

Tell me, can anyone mark his ActiveX components as safe??
onlygo

ASKER

Thank you sharonk! That's exactly the answer I have been looking for.