Script And IE Security Part Two: Digging Deeper

re: Script And IE Security Part Two: Digging Deeper

Nick Houlin — Fri, 19 Feb 2010 01:05:03 GMT

I would appreciate any information on the C# version of IActiveScript, etc. resources.

re: Script And IE Security Part Two: Digging Deeper

Nick Houlin — Fri, 19 Feb 2010 01:04:58 GMT

I would appreciate any information on the C# version of IActiveScript, etc. resources.

.NET 2.0 ActiveX Control Gotchas (Safe for Scripting and Hooking into Events)

Rick Minerich's Development Wonderland — Wed, 03 Jun 2009 20:43:04 GMT

I’ve recently been building an ActiveX Control in .NET 2.0 and thought I would share some of the problems

re: Script And IE Security Part Two: Digging Deeper

Eric Lippert — Wed, 14 Jan 2004 19:13:00 GMT

Re: It's about time -- yeah, sorry about that. Had there been blogging technology six years ago, I would have been all over that. At that time though I was all over the newsgroup technology, which is much more question-and-answer oriented, and not very many people ask questions about the low level details.

Re: marshaling dispex -- in dispex.dll there's code that marshals an IDispatchEx object. We wrote it on the off chance that someone would need it someday, but no one has really asked about it much since.

Now that I know that there is some interest here, I may digress into a more detailed explanation of IActiveScript/Parse/Site/etc, IDispatchEx, and the other interfaces that we use.

re: Script And IE Security Part Two: Digging Deeper

James Hugard — Wed, 14 Jan 2004 18:57:00 GMT

<i>"[...], I recognize that there will always be people who want to talk to the classic COM engines at a low level, so this stuff is for you guys."</i>

Eric:

Just want to say thanks too.

Fourteen months ago I went out on a limb and proposed moving our product from a proprietary script engine to an IActiveScript core with supporting scriptable COM objects. After much hard work, I developed a high-performance multi-threaded and cached scripting engine and supporting objects. It has worked extremely well so far, giving us tremendous performance improvements (my predecessor's script engine was not very efficient), a huge number of new language features, source level debugging, and improved programmer productivity (especially mine ;-).

Anyway, it is unlikely that we will ever invest in a move to .NET so any and all classic COM engine information will be very much appreciated.

re: Script And IE Security Part Two: Digging Deeper

Dan Shappir — Wed, 14 Jan 2004 10:09:00 GMT

Eric, thanks for the info. It's way overtime that it was made available. Put another way, this would have been *very* helpful to me about six years ago.

A few additional points (which I assume you are well aware off):

You can mark a control as safe for scripting or safe of initialization by simply putting some flags in the registry as a part of that control's registration (categories). The advantage of using the IObjectSafety interface is that it allows you to dynamically modify your behavior. That is, if an untrusted script is asking for permission to use the control, the control can allow it but limit the functionality it exposes.

The control can even check if it is hosted by IE. If so, the control can determine the current security zone, for example, and modify its behavior based on that.

One more comment: the IDispatchEx interface is one of the most useful secrets kept by Microsoft during the COM heyday. I found it so useful that I went as far as implementing an ATL-like class for it (style IDispatchImpl). Shame that it's not supported by the Universal Marshaler (I learned that the hard way).