#Basic Skills:
Create Safe Initialization&Scripting ActiveX Control
当创建嵌入到Web浏览器中使用的ActiveX控件时,需要将控件声明为脚本安全,否则浏览器会在控件加载和发生脚本交互时进行安全提示,影响使用:
 screen.width-300)this.width=screen.width-300" align=center border=0>
 screen.width-300)this.width=screen.width-300" align=center border=0>
创建初始化/脚本安全的ActiveX控件通常有两种方法:实现控件的 IObjectSafety 接口和修改客户端注册表:
#实现控件的IObjectSafety接口
下面是 IObjectSafety 的原型,该接口主要定义两个纯虚函数——
GetInterfaceSafetyOptions 和 SetInterfaceSafetyOptions:
//Objsafe.h
// Option bit definitions for IObjectSafety:
#define??INTERFACESAFE_FOR_UNTRUSTED_CALLER??0x00000001
????// Caller of interface may be untrusted.
#define??INTERFACESAFE_FOR_UNTRUSTED_DATA??0x00000002
????// Data passed into interface may be untrusted.
// {CB5BDC81-93C1-11cf-8F20-00805F2CD064}
DEFINE_GUID(IID_IObjectSafety, 0xcb5bdc81, 0x93c1, 0x11cf, 0x8f, 0x20,?
??0x0, 0x80, 0x5f, 0x2c, 0xd0, 0x64);
interface IObjectSafety : public IUnknown
{
??public:
????virtual HRESULT __stdcall GetInterfaceSafetyOptions(?
??????/* [in]?*/ REFIID riid,
??????/* [out] */ DWORD __RPC_FAR *pdwSupportedOptions,
??????/* [out] */ DWORD __RPC_FAR *pdwEnabledOptions) = 0;
????virtual HRESULT __stdcall SetInterfaceSafetyOptions(?
??????/* [in] */ REFIID riid,
??????/* [in] */ DWORD dwOptionSetMask,
??????/* [in] */ DWORD dwEnabledOptions) = 0;
};
GetInterfaceSafetyOptions 返回控件的安全性标识:
INTERFACESAFE_FOR_UNTRUSTED_CALLER? 声明接口为脚本安全
INTERFACESAFE_FOR_UNTRUSTED_DATA??? 声明接口为初始化安全
SetInterfaceSafetyOptions 允许容器请求控件将自身配置为初始化和脚本安全。
浏览器在加载ActiveX控件时会首先检测控件是否支持 IObjectSafety 接口,如果支持,浏览器首先调用 IObjectSafety::SetInterfaceSafetyOptions 完成控件初始化,如果控件支持脚本交互,则继续调用 IObjectSafety::GetInterfaceSafetyOptions 。
● 如果使用 ATL ,可以这样实现 IObjectSafety:
// MyCtrlClass.h
class ATL_NO_VTABLE CMyCtrlClass :?
? ...
?public IObjectSafetyImpl<CMyCtrlClass,?INTERFACESAFE_FOR_UNTRUSTED_CALLER>,
? ... // 其他接口基类
{
public:
...
BEGIN_COM_MAP(CMyCtrlClass)
? ...
? COM_INTERFACE_ENTRY(IObjectSafety)
? ...
END_COM_MAP()
...
BEGIN_PROP_MAP(CMyCtrlClass)
?...
?// Example entries
?// PROP_ENTRY("Property Description", dispid, clsid)
?// PROP_PAGE(CLSID_StockColorPage)
END_PROP_MAP()
...
STDMETHOD(GetInterfaceSafetyOptions)(REFIID riid, DWORD *pdwSupportedOptions,?
?????????????????????????DWORD *pdwEnabledOptions);?
STDMETHOD(SetInterfaceSafetyOptions)(REFIID riid, DWORD dwOptionSetMask,?
?????????????????????????DWORD dwEnabledOptions);
● 如果使用 MFC ,可以这样实现 IObjectSafety:
// ProjectNameCtrl.h
#ifdef L_IMPL_OBJECTSAFETY
#include <objsafe.h>
#endif // L_IMPL_OBJECTSAFETY
...
public:
#ifdef L_IMPL_OBJECTSAFETY
??BEGIN_INTERFACE_PART(ObjectSafety, IObjectSafety)
????STDMETHOD(GetInterfaceSafetyOptions)(REFIID riid, DWORD __RPC_FAR *pdwSupportedOptions, DWORD __RPC_FAR *pdwEnabledOptions);
????STDMETHOD(SetInterfaceSafetyOptions)(REFIID riid, DWORD dwOptionSetMask, DWORD dwEnabledOptions);
??END_INTERFACE_PART(ObjectSafety)
??DECLARE_INTERFACE_MAP();
#endif // L_IMPL_OBJECTSAFET
// ProjectNameCtrl.cpp
#ifdef L_IMPL_OBJECTSAFETY
BEGIN_INTERFACE_MAP(CProjectNameCtrl, COleControl)
?INTERFACE_PART(CProjectNameCtrl, IID_IObjectSafety, ObjectSafety)
END_INTERFACE_MAP()
#endif // L_IMPL_OBJECTSAFETY
#ifdef L_IMPL_OBJECTSAFETY
// Implementation of IObjectSafety
STDMETHODIMP CProjectNameCtrl::XObjectSafety::GetInterfaceSafetyOptions(
??????REFIID riid,?
??????DWORD __RPC_FAR *pdwSupportedOptions,?
??????DWORD __RPC_FAR *pdwEnabledOptions)
{
??METHOD_PROLOGUE_EX(CProjectNameCtrl, ObjectSafety)
??if (!pdwSupportedOptions || !pdwEnabledOptions)
??{
????return E_POINTER;
??}
??*pdwSupportedOptions = INTERFACESAFE_FOR_UNTRUSTED_CALLER | INTERFACESAFE_FOR_UNTRUSTED_DATA;
??*pdwEnabledOptions = 0;
??if (NULL == pThis->GetInterface(&riid))
??{
????TRACE("Requested interface is not supported./n");
????return E_NOINTERFACE;
??}
??// What interface is being checked out anyhow?
??OLECHAR szGUID[39];
??int i = StringFromGUID2(riid, szGUID, 39);
??if (riid == IID_IDispatch)
??{
????// Client wants to know if object is safe for scripting
????*pdwEnabledOptions = INTERFACESAFE_FOR_UNTRUSTED_CALLER;
????return S_OK;
??}
??else if (riid == IID_IPersistPropertyBag?
?????|| riid == IID_IPersistStreamInit
?????|| riid == IID_IPersistStorage
?????|| riid == IID_IPersistMemory)
??{
????// Those are the persistence interfaces COleControl derived controls support
????// as indicated in AFXCTL.H
????// Client wants to know if object is safe for initializing from persistent data
????*pdwEnabledOptions = INTERFACESAFE_FOR_UNTRUSTED_DATA;
????return S_OK;
??}
??else
??{
????// Find out what interface this is, and decide what options to enable
????TRACE("We didn’t account for the safety of this interface, and it’s one we support.../n");
????return E_NOINTERFACE;
??}??
}
STDMETHODIMP CProjectNameCtrl::XObjectSafety::SetInterfaceSafetyOptions(
????REFIID riid,?
????DWORD dwOptionSetMask,?
????DWORD dwEnabledOptions)
{
??METHOD_PROLOGUE_EX(CProjectNameCtrl, ObjectSafety)
??OLECHAR szGUID[39];
??// What is this interface anyway?
??// We can do a quick lookup in the registry under HKEY_CLASSES_ROOT/Interface
??int i = StringFromGUID2(riid, szGUID, 39);
??if (0 == dwOptionSetMask && 0 == dwEnabledOptions)
??{
????// the control certainly supports NO requests through the specified interface
????// so it’s safe to return S_OK even if the interface isn’t supported.
????return S_OK;
??}
??// Do we support the specified interface?
??if (NULL == pThis->GetInterface(&riid))
??{
????TRACE1("%s is not support./n", szGUID);
????return E_FAIL;
??}
??if (riid == IID_IDispatch)
??{
????TRACE("Client asking if it’s safe to call through IDispatch./n");
????TRACE("In other words, is the control safe for scripting?/n");
????if (INTERFACESAFE_FOR_UNTRUSTED_CALLER == dwOptionSetMask && INTERFACESAFE_FOR_UNTRUSTED_CALLER == dwEnabledOptions)
????{
??????return S_OK;
????}
????else
????{
??????return E_FAIL;
????}
??}
??else if (riid == IID_IPersistPropertyBag?
?????|| riid == IID_IPersistStreamInit
?????|| riid == IID_IPersistStorage
?????|| riid == IID_IPersistMemory)
??{
????TRACE("Client asking if it’s safe to call through IPersist*./n");
????TRACE("In other words, is the control safe for initializing from persistent data?/n");
????if (INTERFACESAFE_FOR_UNTRUSTED_DATA == dwOptionSetMask && INTERFACESAFE_FOR_UNTRUSTED_DATA == dwEnabledOptions)
????{
??????return NOERROR;
????}
????else
????{
??????return E_FAIL;
????}
??}
??else
??{
????TRACE1("We didn’t account for the safety of %s, and it’s one we support.../n", szGUID);
????return E_FAIL;
??}
}
STDMETHODIMP_(ULONG) CProjectNameCtrl::XObjectSafety::AddRef()
{
??METHOD_PROLOGUE_EX_(CProjectNameCtrl, ObjectSafety)
??return (ULONG)pThis->ExternalAddRef();
}
STDMETHODIMP_(ULONG) CProjectNameCtrl::XObjectSafety::Release()
{
??METHOD_PROLOGUE_EX_(CProjectNameCtrl, ObjectSafety)
??return (ULONG)pThis->ExternalRelease();
}
STDMETHODIMP CProjectNameCtrl::XObjectSafety::QueryInterface(
??REFIID iid, LPVOID* ppvObj)
{
??METHOD_PROLOGUE_EX_(CProjectNameCtrl, ObjectSafety)
??return (HRESULT)pThis->ExternalQueryInterface(&iid, ppvObj);
}
#endif // L_IMPL_OBJECTSAFETY
注意在 项目属性 / C/C++ / 预处理器 中添加预处理定义: L_IMPL_OBJECTSAFETY
#修改客户端注册表
如果控件为实现 IObjectSafety 接口,那么浏览器会进一步调用 ICatInformation::IsClassOfCategories 查询系统注册表HKEY_CLASSES_ROOT/Component Categories/{..catid...},检查控件是否支持给定的组件种类(Compnent Category)。
 screen.width-300)this.width=screen.width-300" align=center border=0>
如果控件已经使用“组建类管理器(Component Categories Manager )”将自身注册为安全则不再进行提示。
为了在注册表中创建正确的组件类型子键,通常要实现以下三个步骤:
创建“组建类管理器(Component Categories Manager )”的实例并获取 ICatRegister 接口指针;
实例化 CATEGORYINFO 结构并填充适当的成员;
以 CATEGORYINFO 地址为参数调用 ICatInformation::IsClassOfCategories 。
在 MFC ActiveX 控件项目的 stdafx.h中添加 #include <objsafe.h> (有可能需要comcat.h头文件)。
然后在 APP 类的实现文件中(ProjectName.cpp)添加如下函数:
//ProjectName.cpp
const GUID CDECL CLSID_SafeItem =
????{ 0x3B43D84B, 0x05BE, 0x4CB3, { 0xB6, 0x82, 0xE1, 0x60, 0xC3, 0x8B, 0xA0, 0x88 } };
// 注意这个GUID一定要与控件的CLSID相同!
// 不一定等于该文件中的 const GUID CDECL BASED_CODE _tlid
// 版本控制
const WORD _wVerMajor = 1;
// 次版本号
const WORD _wVerMinor = 0;
// ... InitInstance() 和 ExitInstance()
// 创建组件种类
HRESULT CreateComponentCategory(CATID catid, WCHAR* catDescription)
{
??ICatRegister* pcr = NULL ;
??HRESULT hr = S_OK ;
??hr = CoCreateInstance(CLSID_StdComponentCategoriesMgr,?
??????NULL, CLSCTX_INPROC_SERVER, IID_ICatRegister, (void**)&pcr);
??if (FAILED(hr))
????return hr;
??// Make sure the HKCR/Component Categories/{..catid...}
??// key is registered.
??CATEGORYINFO catinfo;
??catinfo.catid = catid;
??catinfo.lcid = 0x0409 ; // english
??// Make sure the provided description is not too long.
??// Only copy the first 127 characters if it is.
??int len = wcslen(catDescription);
??if (len>127)
????len = 127;
??wcsncpy(catinfo.szDescription, catDescription, len);
??// Make sure the description is null terminated.
??catinfo.szDescription[len] = ’/0’;
??hr = pcr->RegisterCategories(1, &catinfo);
????pcr->Release();
??return hr;
}
// 注册组件种类
HRESULT RegisterCLSIDInCategory(REFCLSID clsid, CATID catid)
{
??// Register your component categories information.
??ICatRegister* pcr = NULL ;
??HRESULT hr = S_OK ;
??hr = CoCreateInstance(CLSID_StdComponentCategoriesMgr,?
????????NULL, CLSCTX_INPROC_SERVER, IID_ICatRegister, (void**)&pcr);
??if (SUCCEEDED(hr))
??{
??? // Register this category as being "implemented" by the class.
??? CATID rgcatid[1] ;
??? rgcatid[0] = catid;
??? hr = pcr->RegisterClassImplCategories(clsid, 1, rgcatid);
??}
??if (pcr != NULL)
????pcr->Release();
??return hr;
}
// 卸载组件种类
HRESULT UnRegisterCLSIDInCategory(REFCLSID clsid, CATID catid)
{
??ICatRegister* pcr = NULL ;
??HRESULT hr = S_OK ;
??hr = CoCreateInstance(CLSID_StdComponentCategoriesMgr,?
??????NULL, CLSCTX_INPROC_SERVER, IID_ICatRegister, (void**)&pcr);
??if (SUCCEEDED(hr))
??{
??? // Unregister this category as being "implemented" by the class.
??? CATID rgcatid[1] ;
??? rgcatid[0] = catid;
??? hr = pcr->UnRegisterClassImplCategories(clsid, 1, rgcatid);
??}
??if (pcr != NULL)
????pcr->Release();
??return hr;
}
STDAPI DllRegisterServer(void)
{
??HRESULT hr;
??AFX_MANAGE_STATE(_afxModuleAddrThis);
??if (!AfxOleRegisterTypeLib(AfxGetInstanceHandle(), _tlid))
????return ResultFromScode(SELFREG_E_TYPELIB);
??if (!COleObjectFactoryEx::UpdateRegistryAll(TRUE))
????return ResultFromScode(SELFREG_E_CLASS);
??// 标记控件初始化安全.
??// 创建初始化安全组件种类
??hr = CreateComponentCategory(CATID_SafeForInitializing,
??????? L"Controls safely initializable from persistent data!");
??if (FAILED(hr))
????return hr;
??// 注册初始化安全
??hr = RegisterCLSIDInCategory(CLSID_SafeItem, CATID_SafeForInitializing);
??if (FAILED(hr))
????return hr;
??// 标记控件脚本安全
??// 创建脚本安全组件种类?
??hr = CreateComponentCategory(CATID_SafeForScripting, L"Controls safely scriptable!");
??if (FAILED(hr))
????return hr;
??// 注册脚本安全组件种类
??hr = RegisterCLSIDInCategory(CLSID_SafeItem, CATID_SafeForScripting);
??if (FAILED(hr))
????return hr;
??return NOERROR;
}
STDAPI DllUnregisterServer(void)
{
??HRESULT hr;
??AFX_MANAGE_STATE(_afxModuleAddrThis);
??if (!AfxOleUnregisterTypeLib(_tlid, _wVerMajor, _wVerMinor))
????return ResultFromScode(SELFREG_E_TYPELIB);
??if (!COleObjectFactoryEx::UpdateRegistryAll(FALSE))
????return ResultFromScode(SELFREG_E_CLASS);
??// 删除控件初始化安全入口.
??hr=UnRegisterCLSIDInCategory(CLSID_SafeItem, CATID_SafeForInitializing);
??if (FAILED(hr))
????return hr;
??// 删除控件脚本安全入口
??hr=UnRegisterCLSIDInCategory(CLSID_SafeItem, CATID_SafeForScripting);
??if (FAILED(hr))
????return hr;
??return NOERROR;
}?
MSDN示例: [ Safectl.rar ]
|
