使用嵌入式 WebBrowser 控件时如何绕过 Internet Explorer 增强安全性? [英] How to bypass Internet Explorer Enhanced Security when using embedded WebBrowser control?
问题描述
我有一个嵌入 WebBrowser
的本机 Windows 应用程序,即
CLSID_WebBrowser
8856F961-340A-11D0-A96B-00C04FD705A2
Shell.Explorer.2
不幸的是,在 Windows 服务器上运行时,
在这种情况下,软件的 UI 被驱动为 WebBrowser 控件 - 使软件无法使用.
我可以
遗憾的是,这将需要 DRP/FRP 验证、ISO 安全评估,并且必须召集安全小组进行更改.此外,还需要创建一个 RFC,这样 KPMG 就不会在下次审计时遇到麻烦.我希望有好的" 解决方案.
另见
您可以指定不同的 URL.例如,您可以将内容提取到临时文件并导航到该文件.这不会将您的内容置于受信任区域,但它比您为 about 协议获得的 Internet 区域要好.
如果不想保存内容,可以先导航到about:blank,然后在DocumentComplete, 问IPersistMoniker
,并使用基本上模拟 url 名字对象的 TInterfacedObject 调用 Load.
IMoniker.GetDisplayName
实现需要返回 URL.该网址需要位于受信任区域.IMoniker.BindToStorage
实现需要在请求 IStream 时发回对 TMemoryStream 的引用.
还有第三种方法,编写一个进程范围的安全管理器,将您的网址置于受信任区域.
<小时>解决方案是实现您自己的 Internet Security Manager 服务,创建一个实现 IInternetSecurityManager
(参见 MSDN:实现自定义安全管理器).有五个安全区域:
- 本地:
URLZONE_LOCAL_MACHINE
(0) - 内联网:
URLZONE_INTRANET
(1) - 可信:
URLZONE_TRUSTED
(2) - 互联网:
URLZONE_INTERNET
(3) - 受限:
URLZONE_UNTRUSTED
(4)
您真正需要担心的唯一方法是MapUrlToZone
:
TEmbeddedSecurityManager = class(TInterfacedObject, IInternetSecurityManager)民众//...function MapUrlToZone(pwszUrl: LPCWSTR; out dwZone: DWORD; dwFlags: DWORD): HResult;虚拟的;标准调用;//...结尾;
此方法检查 URL 是否以 about:security
开头<块引用>about:security_Contoso.exe
如果是,则返回区域应该是本地:
function TEmbeddedSecurityManager.MapUrlToZone(pwszUrl: LPCWSTR; out dwZone: DWORD; dwFlags: DWORD): HResult;无功网址:UnicodeString;开始结果:= INET_E_DEFAULT_ACTION;{https://msdn.microsoft.com/en-us/library/ms537133(v=vs.85).aspx}网址:= pwszUrl;{当启用 IE 增强安全性时,网址来自关于:blank_xxxx到关于:security_xxxx在这种情况下,我们会将页面放在本地"区域}如果 url.StartsWith('about:security') 那么开始dwZone := URLZONE_LOCAL_MACHINE;//当地的结果:= S_OK;结尾;结尾;
所有其他方法必须返回INET_E_DEFAULT_ACTION
(即不是 S_OK 或 E_NOTIMPL),例如:
function TEmbeddedSecurityManager.SetSecuritySite(Site: IInternetSecurityMgrSite): HResult;开始结果:= INET_E_DEFAULT_ACTION;结尾;
当嵌入式 WebBrowser 调用 IServiceProvider.QueryService 时,您可以为其提供此服务.在 Delphi 的 TEmbeddedWB 控件的情况下,它在 OnQueryService
事件中暴露:
function TForm1.EmbeddedWBQueryService(const rsid, iid: TGUID; out Obj: IInterface): HRESULT;无功山姆:IInternetSecurityManager;开始结果:= E_NOINTERFACE;//rsid ==>服务标识符//iid ==>接口标识符如果 IsEqualGUID(rsid, IInternetSecurityManager) 和 IsEqualGUID(iid, IInternetSecurityManager) 那么开始山姆:= TEmbeddedSecurityManager.Create;对象:=山姆;结果:= S_OK;结尾;结尾;
i have a native Windows application that embeds the WebBrowser
, i.e.
CLSID_WebBrowser
8856F961-340A-11D0-A96B-00C04FD705A2
Shell.Explorer.2
Unfortunately, when running on Windows Servers, the Internet Explorer Enhanced Security mode interferes with the WebBrowser control, causing it to not render at all:
In this case, the UI of the software is driven as a WebBrowser control - making the software unusable.
i could disable Internet Explorer Enhanced Security mode, but that is not practical.
How can i instruct Internet Explorer browser to allow an embedded browser to render without the security dialog?
Note: i would have suggested adding about:security_Application.exe
to the Trusted Zones list"
Sadly, that will require DRP/FRP validation, an ISO security assessment, and the security group will have to be called in to make the change. In addition, an RFC will need to be created so KPMG won't have hissy-fit next audit. i was hoping for the "good" solution.
See also
- Customizing (disabling) security settings for IE control
- Custom IInternetSecurityManager not being called with dialogs
You can specify a different URL. For example you can extract the content to a temp file and navigate to it. This will not put your content in the trusted zone, but it is better than the internet zone you get for the about protocol.
If you do not want to save the content, you can first navigate to about:blank, then in DocumentComplete, QI the document for IPersistMoniker
, and call Load with a TInterfacedObject that basically simulates a url moniker.
- The
IMoniker.GetDisplayName
implementation needs to return the URL. The url needs to be in a trusted zone. IMoniker.BindToStorage
implementation needs to send back a reference to a TMemoryStream when IStream is asked.
There's a third way, write a process-wide security manager that puts your url in a trusted zone.
The solution is to implement your own Internet Security Manager service creating an object that implements IInternetSecurityManager
(see MSDN: Implementing a Custom Security Manager). There are five security zones:
- Local:
URLZONE_LOCAL_MACHINE
(0) - Intranet:
URLZONE_INTRANET
(1) - Trusted:
URLZONE_TRUSTED
(2) - Internet:
URLZONE_INTERNET
(3) - Restricted:
URLZONE_UNTRUSTED
(4)
The only method you really need to worry about is MapUrlToZone
:
TEmbeddedSecurityManager = class(TInterfacedObject, IInternetSecurityManager)
public
//...
function MapUrlToZone(pwszUrl: LPCWSTR; out dwZone: DWORD; dwFlags: DWORD): HResult; virtual; stdcall;
//...
end;
This method checks if the Url starts with about:security
about:security_Contoso.exe
and if so, returns that the zone should be Local:
function TEmbeddedSecurityManager.MapUrlToZone(pwszUrl: LPCWSTR; out dwZone: DWORD; dwFlags: DWORD): HResult;
var
url: UnicodeString;
begin
Result := INET_E_DEFAULT_ACTION;
{
https://msdn.microsoft.com/en-us/library/ms537133(v=vs.85).aspx
}
url := pwszUrl;
{
When IE Enchanced Security is enabled, the url goes from
about:blank_xxxx
to
about:security_xxxx
In that case we will put the page in the "Local" zone
}
if url.StartsWith('about:security') then
begin
dwZone := URLZONE_LOCAL_MACHINE; //Local
Result := S_OK;
end;
end;
Every other method must return INET_E_DEFAULT_ACTION
(i.e. not S_OK nor E_NOTIMPL), e.g.:
function TEmbeddedSecurityManager.SetSecuritySite(Site: IInternetSecurityMgrSite): HResult;
begin
Result := INET_E_DEFAULT_ACTION;
end;
You give the embedded WebBrowser this service when it calls IServiceProvider.QueryService. In the case of Delphi's TEmbeddedWB control, it is exposed in the OnQueryService
event:
function TForm1.EmbeddedWBQueryService(const rsid, iid: TGUID; out Obj: IInterface): HRESULT;
var
sam: IInternetSecurityManager;
begin
Result := E_NOINTERFACE;
//rsid ==> Service Identifier
//iid ==> Interface identifier
if IsEqualGUID(rsid, IInternetSecurityManager) and IsEqualGUID(iid, IInternetSecurityManager) then
begin
sam := TEmbeddedSecurityManager.Create;
Obj := sam;
Result := S_OK;
end;
end;
这篇关于使用嵌入式 WebBrowser 控件时如何绕过 Internet Explorer 增强安全性?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!