1

I have written an ActiveX control in C# and have made it working using regasm command, and it works fine as long as the security level is set to low.. Then as a next step I have made a .cab installer (ICD - Internet component downloader), and have signed my .cab file and ActiveX .dll file with a test certificate. when I hit the html page from my browser the installation parts works fine with default security settings of IE, but at the end it seems that nothing is installed and a red cross is shown on place of ActiveX. Moreover I have explored the Download Program Files folder under Windows directory, in status column it is showing word "unknown". while it is "installed" for all other activeX. what may be the problem. Moreover if i use the regasm command to register the assembly it works fine, and I have signed the ActiveX but still I have to move the security bar to low in my browser setting? why it is so? then what is the purpose of signing? I have used RegisterServer=yes in my .inf file

Please let me know, if some one has gone through this problem already?

Dor Cohen
  • 16,769
  • 23
  • 93
  • 161
Muhammad Ummar
  • 3,541
  • 6
  • 40
  • 71
  • If you go to the Downloaded Program Files using a command prompt, do you see what you expect? If you've been testing, you may have multiple versions of your control in there in subdirectories. Try deleting all of them and doing a clean download/install. – i_am_jorf Oct 29 '09 at 16:17
  • yes there are components downloaded.. the name of component is CLSID of my activeX control and with status unknown, One thing more when I register the assembly manually using regasm command, it changes the name of my control in Download Program Files from CLSID to the Strong Name Key I have used for my ActiveX, but still it doesn't work? i have tried after cleaning the folder.. – Muhammad Ummar Oct 29 '09 at 16:21

2 Answers2

3

In order to run in IE, you also need to implement IObjectSafety so that IE knows that it is safe to be called by an untrusted caller and/or with untrusted data. (If it is actually safe, that is)

Personally, I have only done this in C++ & ATL, not C#, but here is a blog post that looks like it should help you achieve this in C#.

http://blog.devstone.com/aaron/2007/06/12/ImplementingIObjectSafetyInNETMarkingClassesSafeForScripting.aspx

The reason for this is that scripts by nefarious individuals may use your object to bypass the normal security offered by IE, so your ActiveX Object must defend against untrusted pages itself.

When you sign a cab, you are telling the user that the cab they are downloading is the one they think they are downloading - i.e. that some malicious individual hasn't replaced your cab with a dangerous one. If they trust you as a publisher, then they can trust that the ActiveXObject will not do anything evil on its own, or in combination with other code that they trust.

When you implement IObjectSafety, to return INTERFACESAFE_FOR_UNTRUSTED_CALLER | INTERFACESAFE_FOR_UNTRUSTED_DATA, you are telling IE that the object cannot be used maliciously by anyone else, and is therefore safe to run in conjunction with code that the user doesn't explicitly trust.

Paul Butcher
  • 6,902
  • 28
  • 39
  • then what is purpose of signing my ActiveX?? I have signed it with x509 certificate, and it is showing me digital signatures when I right click on my activeX dll file and then properties – Muhammad Ummar Oct 29 '09 at 17:04
  • 1
    You can sign your ActiveX, which shows that it's yours, but you can't trust the web pages or scripts that call your ActiveX once it is installed. On an intranet, you may have a "dangerous" object that reads and writes to the disk, or sends potentially confidential information to a server. This should be signed, but should only work when the object is invoked by a page in a trusted zone, like yours currently does. On the big wild internet, you might use an ActiveX object for a widget that only does what the user tells it to. This is safe, and must be marked as such with IObjectSafety. – Paul Butcher Oct 29 '09 at 17:22
  • so you mean that along with digital signature, I need to implement the Interface also? Am i right? and the i would be able to use it in my webpage with out changing the security settings? so I need both things 1) Implementing IObjectSafety 2) Digital Signature Correct me if I am wrong? – Muhammad Ummar Oct 29 '09 at 17:34
  • paul thanks for your help.. it solves the problem.. but one problem I am still facing that my INF file is not working properly.. I have to register the ActiveX control manually using regasm command... how can I check my installation log? – Muhammad Ummar Oct 30 '09 at 11:22
  • 1
    You can switch on installer logging in the Windows registry (see http://support.microsoft.com/kb/223300). Also, if this answer solves your problem, you should probably make it the accepted answer. – Phil Booth Oct 30 '09 at 16:05
1

For me the solution above doesn't work. I needed to register also the tlb

with : regasm MyDll.DLL /tlb

Dor Cohen
  • 16,769
  • 23
  • 93
  • 161