的ActiveX不能正常工作使用默认安全设置 [英] ActiveX not working properly with default security settings
问题描述
我已经写了一个ActiveX控件在C#中,并取得了它的工作使用regasm命令,它工作正常,只要将安全级别设置为低。那么作为下一步我做了一个.cab安装程序(ICD - Internet组件下载),并签署了我的.cab文件和ActiveX .dll文件与测试证书文件。当我从我的浏览器中点击HTML页面中的安装零部件正常工作与IE浏览器的默认安全设置,但最后似乎没有什么是安装和红色十字显示在就地ActiveX的。而且我已经探索了Windows目录下的下载Program Files文件夹,在状态栏则显示单词未知。而这是装的所有其它ActiveX。可能是什么问题。
此外,如果我使用regasm命令注册它工作正常组装,我已经签署的ActiveX,但我仍然要搬到安全栏低,我的浏览器设置?为什么是这样呢?那么什么是签约的目的是什么?我已经使用 RegisterServer = YES 在我的.inf文件
I have written an ActiveX control in C# and have made it working using regasm command, and it works fine as long as the security level is set to low.. Then as a next step I have made a .cab installer (ICD - Internet component downloader), and have signed my .cab file and ActiveX .dll file with a test certificate. when I hit the html page from my browser the installation parts works fine with default security settings of IE, but at the end it seems that nothing is installed and a red cross is shown on place of ActiveX. Moreover I have explored the Download Program Files folder under Windows directory, in status column it is showing word "unknown". while it is "installed" for all other activeX. what may be the problem.
Moreover if i use the regasm command to register the assembly it works fine, and I have signed the ActiveX but still I have to move the security bar to low in my browser setting? why it is so? then what is the purpose of signing? I have used RegisterServer=yes in my .inf file
请让我知道,如果有一个人已经通过这个问题去了?
Please let me know, if some one has gone through this problem already?
推荐答案
为了在IE中运行,您还需要实现IObjectSafety的让IE浏览器知道它是安全的,由一个不受信任的来电和/或不可信被称为数据。 (如果它实际上是安全的,这是)
In order to run in IE, you also need to implement IObjectSafety so that IE knows that it is safe to be called by an untrusted caller and/or with untrusted data. (If it is actually safe, that is)
个人而言,我只在C ++放大器做到了这一点; ATL,而不是C#,但这里是一个博客文章,看起来像它应该帮助你在C#中实现这一点。
Personally, I have only done this in C++ & ATL, not C#, but here is a blog post that looks like it should help you achieve this in C#.
<一个href="http://blog.devstone.com/aaron/2007/06/12/ImplementingIObjectSafetyInNETMarkingClassesSafeForScripting.aspx" rel="nofollow">http://blog.devstone.com/aaron/2007/06/12/ImplementingIObjectSafetyInNETMarkingClassesSafeForScripting.aspx
这样做的原因是,通过恶意脚本个人可以使用你的对象绕过IE浏览器所提供的正常的安全,让您的ActiveX对象必须对自己不信任的网页防守。
The reason for this is that scripts by nefarious individuals may use your object to bypass the normal security offered by IE, so your ActiveX Object must defend against untrusted pages itself.
当你签署了一辆出租车,你是在告诉用户,他们正在下载的出租车,是一个他们认为他们正在下载 - 即一些恶意的人已没有了危险的更换你的出租车。如果他们信任你作为一个发布者,那么他们可以相信的ActiveXObject不会对自己做什么坏事,或者与其他code,他们信任的组合。
When you sign a cab, you are telling the user that the cab they are downloading, is the one they think they are downloading - i.e. that some malicious individual hasn't replaced your cab with a dangerous one. If they trust you as a publisher, then they can trust that the ActiveXObject will not do anything evil on its own, or in combination with other code that they trust.
在实施IObjectSafety的,返回INTERFACESAFE_FOR_UNTRUSTED_CALLER | INTERFACESAFE_FOR_UNTRUSTED_DATA,你告诉IE浏览器的对象不能被恶意使用其他任何人,因此是安全的,在code相结合,用户不明确信任运行。
When you implement IObjectSafety, to return INTERFACESAFE_FOR_UNTRUSTED_CALLER | INTERFACESAFE_FOR_UNTRUSTED_DATA, you are telling IE that the object cannot be used maliciously by anyone else, and is therefore safe to run in conjunction with code that the user doesn't explicitly trust.
这篇关于的ActiveX不能正常工作使用默认安全设置的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
