JavaScript Security - ActiveX Controls
(Page 6 of 9 )
The primary policy items affecting ActiveX controls in Internet Explorer are found in Table 22-3. An entry of “Query” indicates that the user is prompted whether to permit the action in question.
Note Some early versions of Internet Explorer do not have the Medium-Low security template. In these browsers, the Low template is applied to sites in the Local Intranet zone. Careful inspection of Table 22-3 reveals what you must do to install and access ActiveX controls from JavaScript. First, note that only with the Low setting can unsigned ActiveX controls be installed, and only then after prompting the user for confirmation. A signed ActiveX control is similar to a signed JavaScript in the Mozilla browsers, except that the code being signed is executable, not script. This means that you need to configure your users’ browser to have your site in the Trusted Sites zone if your control is unsigned. A better approach is to sign your controls. For details on signing controls with Microsoft Authenticode technology, see http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/secapps/Authcode.asp. Similarly, if you wish to install a control without annoying the user with a confirmation dialog box, your site must be in the user’s Trusted Sites zone.
The column of Table 22-3 indicating whether “safe” ActiveX controls may be controlled with JavaScript deserves additional discussion. Developers of ActiveX controls indicate whether or not a particular ActiveX object is safe, that is, whether controlling it from JavaScript could result in malicious behavior. For example, the FileSystemObject has the ability to read and write to the local filesystem. Malicious script that could instantiate this control could use it to wreak havoc on a user’s system. For this reason, the control is not marked safe. It therefore cannot be controlled by script downloaded from the Web. On the other hand, the ActiveX control that plays Flash animations has only benign capabilities: start playback, stop, rewind, and so forth. It is therefore marked as “safe” and can be controlled by script.
| Template | Default For | Run ActiveX | Install Signed ActiveX | Install Unsigned ActiveX | Java Applets Scriptable? | Safe ActiveX Controls Scriptable? |
|---|
| Low | Trusted Sites | Yes | Yes | Query | Yes | Yes |
| Medium-Low | Local Intranet | Yes | Query | No | Yes | Yes |
| Medium | Internet | Yes | Query | No | Yes | Yes |
| High | Restricted Sites | No | No | No | No | No |
TABLE 22-3 Relevant Security Properties of Internet Explorer’s Security Zones If you’re having trouble controlling an ActiveX object from JavaScript, double-check that it is marked “safe.” For details on how to do this, and more information on the security implications of ActiveX controls, see the following sites:
 This chapter is from JavaScript: The Complete Reference, second edition, by Thomas Powell and Fritz Schneider, McGraw-Hill/Osborne, ISBN: 0072253576). Check it out at your favorite bookstore today.
Buy this book now. |
Next: Browser Security Problems with JavaScript >>
More JavaScript Articles
More By McGraw-Hill/Osborne
/ 58 
