Condividi tramite


Developing Safer ActiveX Controls Using the Sitelock Template

Last Friday, Microsoft released a new version of the SiteLock Template for ActiveX Controls. The SiteLock template helps ensure that controls you’ve developed for use on your websites cannot be repurposed and used by other (potentially malicious) websites.

Why use the SiteLock template?
Under the default security model for ActiveX controls, a control is either marked "safe" or "unsafe" for use on any website running inside Internet Explorer. A control that is marked “safe" can be used by any Web page, while a control marked “unsafe” will not run in IE.

The SiteLock Active Template Library (ATL) template enables ActiveX control developers to restrict the use of an ActiveX control to a predetermined list of domain names or security zones. This limits the ability of other Web pages to reuse the control. For example, you can use the SiteLock template to ensure that an ActiveX control developed for use within your Local Intranet cannot be used by pages in the Internet zone. This helps to reduce the attack surface presented by your control-- even if it contains a security flaw, that flaw cannot be exploited by pages on the Internet because your control will refuse to run outside of your Local Intranet.

How it works
The SiteLock Template determines where the control is being hosted and decides if the domain and security zone of the hosting Web page are permitted to run the control. If the hosting domain is not in a pre-selected list of “safe” domain names or security zones, the control declares itself unsafe and Internet Explorer unloads it.

The SiteLock Template replaces the standard ATL template with its own implementation of IObjectSafety, called IObjectSafetySiteLockImpl. It automatically queries the host for the URL of the Web page that is hosting the ActiveX control, extracts the protocol scheme and fully qualified domain name from that URL, and compares it to a list created by the developer at build time to see if the hosting site should be trusted.

In some cases, a control may also have a limited expected lifespan. Once the control’s useful lifespan has elapsed, it will be of no value—except to malicious sites if a security problem is found. Therefore, SiteLock also includes an optional mechanism to automatically “expire” the control after a certain date.

Other Resources
Last month, we blogged about best practices for developing ActiveX updates to help ensure that users of your ActiveX controls are always running the latest version.  

The MSDN article Designing Secure ActiveX Controls provides an overview of the ActiveX security model, what it means for a control to be safe, and other best practices for developing ActiveX controls. You can learn more about IE7 changes to ActiveX support in the MSDN article ActiveX Security: Improvements and Best Practices.

Call to Action
Please help Internet Explorer protect users of your ActiveX controls by incorporating the updated SiteLock Template when developing or updating your ActiveX controls.

Thanks!

EricLaw
Program Manager

Comments

  • Anonymous
    September 18, 2007
    PingBack from http://msdnrss.thecoderblogs.com/2007/09/18/developing-safer-activex-controls-using-the-sitelock-template/

  • Anonymous
    September 18, 2007
    Will there be an updated example of this (http://support.microsoft.com/kb/182598) that uses IObjectSafetySiteLockImpl?

  • Anonymous
    September 18, 2007
    don't care about a stupid template to be honest. support CSS2.0/CSS2.1 and CSS3.0 beta correctly and support the javascript DOM correctly i don't need a stupid activeX template thingy.

  • Anonymous
    September 18, 2007
    Interesting. The security & licensing of the 'advanced' functionality available from our controls Zeepe & ScriptX has been domain- and Security Zone-bound since its introduction in 1998.  http://www.meadroid.com/sm_intro.asp Of course, you guys knew that (because we've been talking to you under mutual NDA for all of those nine years), so - before we test for ourselves - presumably someone can advise us off-blog of any likely conflicts? Thanks.

  • Anonymous
    September 18, 2007
    Call to Action: post something to do with CSS/DOM/JavaScript for IE8, or even for IE7. e.g. In IE7, garbage collection on closures is improved to handle (scenario a,b, & c) with notes to explain how they are broken in IE6, but can be worked around with example code.

  • Anonymous
    September 18, 2007
    @DMassy "Work on IE8 continues as they have repeatedly said, but they are not going to discuss it before they are ready." But he said unto them, Except I shall see in his hands the print of the nails, and put my finger into the print of the nails, and thrust my hand into his side, I will not believe. (John 20:25)

  • Anonymous
    September 18, 2007
    The IE team have blogged about the release of a new version of the SiteLock Template for ActiveX Controls

  • Anonymous
    September 18, 2007
    >they are not going to discuss it before they are ready. Ready? You mean like when they shipped IE7 with 1807 open bugs on Connect? (The whole Vista only had 1400 open bugs at that time. And Vista shipped a month later)

  • Anonymous
    September 18, 2007
    The IE team have blogged about the release of a new version of the SiteLock Template for ActiveX Controls ~~

  • Anonymous
    September 18, 2007
    The comment has been removed

  • Anonymous
    September 18, 2007
    @midio and others: If you don't use ActiveX it doesn't mean that other don't. I personally very happy with this addition (and a post). This is IE blog and developers can post everything they want related to IE. Why on earth everytime someone posts to this blog army of web devs start to complain about IE8 and standards. If you're such fan of open standards and open source you've should known by now a very good phrase: "It will be ready when it's done!"

  • Anonymous
    September 19, 2007
    @Vilius: Bravo. I concur. @Complainers: Nobody likes a whiner.

  • Anonymous
    September 20, 2007
    The silence on the future development of IE on this blog is deafening !!! It is getting ridiculous.

  • Anonymous
    September 20, 2007
    @Vilius: "It will be ready when it's done!" Your statement implies that you actually believe it will be done. As hAl pointed out, the silence on IE development on this blog is deafening! There has been no statement about: DOM Methods will be fixed (and/or a flag/setting/trigger will be identified so that developers can count on the proper, W3C spec implementation. Form element fixes: disabled select options, radio buttons that fire onchange before onblur, DOM create/copies of radio/checkboxes that preserve their checked state. CSS Fixes: Full attribute selectors. GUI Fixes: re-write the prompt dialog so that it doesn't look like a borland control from 1992 and make it work (correct position, correct button position, no message truncating, etc) Printing: don't even get me started here Zooming: fixing the controls and chrome so that the interface doesn't look like its exploding on itself Until we hear that these things are at least being worked on, we have little faith. btw, stating that "MS is actively working on IE8" tells us nothing. jac

  • Anonymous
    September 20, 2007
    They won't even name the next version of IE until they've decided whether or not to release it.

  • Anonymous
    September 20, 2007
    And not just improvements on current features but also other features like downloadmanager, spellingchecking, different inpage search and add-on model...

  • Anonymous
    September 21, 2007
    The comment has been removed

  • Anonymous
    September 21, 2007
    I have try to use the developer toolbar but find a button works different. When click [find by click] why does it keep try to find every click? he should stop when I click first object

  • Anonymous
    September 21, 2007
    I think we need to start a petition to have Al Billings and Dave Massey come back to the IE team ! That way we might finally get some posts about IE8 and where things are headed, like back in the good old pre-IE7 release days.

  • Anonymous
    September 21, 2007
    The comment has been removed

  • Anonymous
    September 21, 2007
    @Faux Pas In Windows Vista, the new Windows Update doesn't use activex. Buy Vista

  • Anonymous
    September 22, 2007
    @ Mike! As per your Petition: "Bring Al Billings & Dave Massey back into the IE team!"

  • Signed! Walter Braithwaite
  • Anonymous
    September 23, 2007
    Walter, That's a nice thought but I'm a QA guy on Firefox over at Mozilla these days. I did a year in a startup, gathered some stock options, and then went back to doing what I love: browsers. Only, this time I'm working in the open source world and loving it (actually). Since I live and own a house in Oakland, California these days, I really doubt if I'll be returning to Redmond anytime soon. After nearly nine years at Microsoft, I'd had enough and needed a change. I'm well into that change now. I appreciate the sentiment though. I actually think my talents, such as they are, have been better used in a much smaller company like Mozilla and our much smaller QA group (all of Mozilla is smaller than the number of QA people who work on IE). I have an impact within Mozilla that I would never have attained at Microsoft, even with all of my years there. I was never in a position to REALLY affect where IE was going, being just a mid-level guy in QA. The future of IE is less determined by the rank and file that work on it than by Microsoft's corporate goals and strategy. Anything that conflicts with that winds up being stillborn or cut. Al

  • Anonymous
    September 23, 2007
    Walter, I'm not sure I could be tempted back there either. I'm not sure I agree entirely with Al's assessment but after eleven years at Microsoft it was time for me to leave. -Dave

  • Anonymous
    September 24, 2007
    Are you guys still fixing bugs with your rendering engine? If so there are still alpha map errors, and min-width errors with css

  • Anonymous
    September 24, 2007
    Al: Hrm... a Firefox guy who left IE, posting his flamebait ruminations on the IEBlog.   I think you might have a bit of a credibility gap here.  Sour grapes, perhaps?

  • Anonymous
    September 24, 2007
    Jim, I'm posting here because my post on my own blog was mentioned here. You can think that I have a credibility gap all that you want. Yours is the first comment anywhere to even try to say that, so I don't think that's the prevailing wisdom. Besides, I worked on IE 4, IE5, IE6SP2, and IE7. I spent just a month shy of nine years at Microsoft, working mostly on browsers (I worked on MSN Explorer and the cancelled Netdocs as well). I think I have a pretty fair degree of credibility when it comes to discussing browsers, Internet Explorer, or Microsoft. Why do you think otherwise? As a Mozilla guy, I'm allowed to speak my mind with little fear of being chewed out for it. Why? Because Mozilla is an open company that embraces that openness by conducting most of its business in the public eye. I think that the IE team and Microsoft (in general) could learn a bit by that. In any case, as the only guy in the world, as far as I know, who has worked on both IE and Firefox, I expect that I'll continue to have things to say about both.

  • Anonymous
    September 25, 2007
    I wonder how long it'll take before the conspiracy theory's begin about how Microsoft have in fact planted Al into the Firefox community, to bring it down from within!

  • Anonymous
    September 25, 2007
    The comment has been removed

  • Anonymous
    September 25, 2007
    firefox is 70 percent c++ code and 25 percent html/css the rest is JavaScript

  • Anonymous
    September 26, 2007
    The whole concept of the connect bug submitting site was useless as it is was. I can understand that the IE team would consider it a burden rather then a usefull tool.

  • Anonymous
    September 27, 2007
    Well, when the IE team lets its rather large community of users and web developers submit issues and track their results, hAl, perhaps something useful will be had. IE7 has been out a year. What has the IE team been doing for a year now? Do any of you know? One assumes that a team with more than 200 people has been doing something for a year now but you'd never know it from the blog posts or any other public conversation. In contrast, if you want to know what Opera is doing, you can find out, and they are a closed source project. If you want to find out what Mozilla is doing, you can see the plans and even watch bugs get resolved and check-ins happen. IE needs to open up. As I recall, having been around at the time and involved in some of the conversations, that WAS the point of this blog a few years ago. Obviously, since I left and at least two other proponents of this blog also left the IE team, the efforts here have stalled out. Are you really happy with the level of real content in this blog? Really? Al in Japan

  • Anonymous
    September 27, 2007
    I've posted a little something at http://www.arcanology.com/2007/09/27/openness-and-ie-or-talk-to-us/. I'd like to see an actual member of the IE team respond there (and to this thread here) instead of just ignoring this. Hey, guys, remember why you started blogging in the first place? Start talking to the web community about the future and IE8...

  • Anonymous
    September 27, 2007
    Al, I don't entirely agree :) IE isn't and probably never will be open source. The IE team does need to open up at least to the level they had when IE7 was under development and show some vision or direction. Let's be real though. Releasing nightly builds and watching bugs get resolved and checkins happen is not going to happen with IE and quite frankly given the noise they'd receive I don't see the point. The IE team does need to start talking though. Currently only Eric Lawrence seems to post and respond to comments here. All online chats have stopped and it is as if the IE team has disappeared just as it did after the release of IE6. I know that isn't the case but you can't blame people for starting to think that when the team can't be bothered to talk to their customers and engage in any conversation. -Dave

  • Anonymous
    September 27, 2007
    @Dave and Al; I'm with Al on this.  Fine, IE is a closed source project, we get that.  But that doesn't stop the IE team from telling us what they hope to do, or have done in IE8. Even the small things! like "Hey, we noticed the bug when you de-focus the printer selection dialog in a print preview too (when everything blanks out)", "and yes, we've fixed that!" Things like this are good, because: a.) It means you listened to the community and the bugs we reported. b.) You care about shipping a good SW product c.) It might be a minor thing, but its fixed now, we can move on to other things. d.) It tells us seriously, that MS HAS BEEN DOING SOMETHING! Otherwise, this blog has died.  It no longer contains any useful information on THE DEVELOPMENT of IE.

  • Anonymous
    September 27, 2007
    Luthar, I agree entirely. The IE team can talk about progress without issueing nightly builds or opening up their checkin process. This is abotu the IE team showing they care about their customers. Silence does not help. I know the individuals on the IE team do care about customers but it certainly isn't being shown. -Dave

  • Anonymous
    September 27, 2007
    A very undesirable CSS1 bug, simple/minimal test case for IE7, resize IE7 with the code in my reply post... http://forums.devnetwork.net/viewtopic.php?p=420119 I think it's important to put emphasis on the all but confirmed fact that IE8 will probably be the last version of Internet Explorer for Windows XP. With the resistance to adopting Vista this version of IE will have a much more dramatic impact on the corporate strategy and general PR for Microsoft in the long term. It's therefor probably in their best (corporate) interests (from my perspective) to keep a lid on things at the moment. I'm going to presume IE9 will be the DirectX 10 of sorts for Windows 7 and web designers. This is my take on the silence here and I won't complain. I'd also like to point out a couple things. First off if you're leaving a link to your homepage when you post on this blog you have (in my mind) a bit more credibility to what you say then just anonymously posting on the blog. Secondly Internet Explorer isn't really that bad of a browser. IE4 handles a liquid layout I've been working on just fine. In fact it's also keyboard-only accessible. It was released in September 1997, TEN years ago! Webkit nightly builds STILL can't tab to anything other then form input elements rendering keyboard-only navigation (on either Windows or OS X) pretty much completely useless. In my not so humble opinion there is currently no "best" browser. Gecko has great CSS2 compliance, IE has great printer support (in comparison to other browsers especially Gecko, if you test this then ensure you're using a printer specific stylesheet), Webkit has the best CSS3 property support, and Opera eh...it's moderately good in all those categories. But no single browser/rendering engine truly shines above all others. Also I've started a new cartoon series on the lighter aspects of computer/internet software. Please enjoy my MS Paint skills in full glorious mono and default font! This one was partially inspired by the IE blog... http://img249.imageshack.us/img249/1136/softwaresagasissue0002byz4.gif

  • Anonymous
    September 27, 2007
    John A. Bilicki III: Your "All but confirmed fact" is pure speculation.   The reason no one would "confirm" such a statement is that Microsoft isn't remotely close to making any kind of decision on the supported platforms for IE9.  As you point out, uptake of Vista is probably a major factor here.

  • Anonymous
    September 27, 2007
    Dave, I know that the IE team isn't going to release nightly builds but, seriously, there are months that go by on this blog with only one post, maybe two, and they aren't anything forward looking. Do you see a response from the IE team to comments here? No. Eric has responded in my blog but then he was always the most active on the blog and in talking to the public from the development team. Kudos to him. You and I will have to disagree about the value of having a bug database and communication of some sort (I see a lot of value in giving people a means to post issues and see comments on them, as well as validate other issues) but the sheer lack of communication for a year is appalling. IE7 has been done for a long time. Personally, I expect that there might be little to say and that the IE team has spent six months chasing Vista SP1 issues instead of working on IE8. I could be wrong though (as always).

  • Anonymous
    September 27, 2007
    The comment has been removed

  • Anonymous
    September 27, 2007
    The comment has been removed

  • Anonymous
    September 27, 2007
    Since when has "Repurposed" been a word?

  • Anonymous
    September 27, 2007
    I am all for input by the IE community. However the connect site was useless in that regard. More usefull I think might be a public moderated forum or something like that. you could have different area's for dicussing features, HTML and or CSS conformance, Rendering of pages, scripting and add-ons and make discussions more focussed. For straightforward bugtracking they might use an internet bugtracking tool but only for a limited (alpha)testing community and not for public use. It is worrying that the IE team does not give information on what they are doing. It seems uncertain whether they are actually producing something usefull and choose the solutions for issues that are what their customers want.

  • Anonymous
    September 28, 2007
    @hAl "It is worrying that the IE team does not give information on what they are doing." There is no "IE team" at this moment, and they do nothing. Maybe in two or three years we will hear something. Somebody may not believe me again, but this "somebody" cannot adduce any real facts that refute my statements.

  • Anonymous
    September 28, 2007
    @Dave & Al: It's always nice to see you guys here: I read your blogs with interest. @RC: I don't know why you persist in attempting to perpetuate the fantasy that I and my many colleagues don't exist.   Of course, once your theories are inevitably shown to be completely baseless, I suspect "RC" will disappear and we'll get a new anonymous poster named "CR" who will invent a new set of tales for our amusement.

  • Anonymous
    September 28, 2007
    @Chris Wedgwood: Interesting question.  According to the Oxford English dictionary, "repurposed" dates back to 1984, with the same meaning used here.

  • Anonymous
    September 28, 2007
    Sitelock is very useful.  It would have stopped this issue dead in its tracks: http://blogs.zdnet.com/security/?p=492

  • Anonymous
    September 28, 2007
    "I don't know why you persist in attempting to perpetuate the fantasy that I and my many colleagues don't exist." Don't distort my words. Maybe you do exist, if you want so, but no real work on future versions of IE exists. And I will repeat to contend this until somebody shows whatever REAL proof of the contrary. This is the common method of science: any thing is considered not existing until there is a scientifically grounded proof that it exist. Did you ever hear something about science?

  • Anonymous
    September 29, 2007
    The comment has been removed

  • Anonymous
    September 29, 2007
    The comment has been removed

  • Anonymous
    September 29, 2007
    @Jon You dont't understand the difference between "exists" and "is considered existing in the science".

  • Anonymous
    September 30, 2007
    ACTUAL IE INFO: http://www.sitepoint.com/blogs/2007/10/01/wds07-bonus-feature-chris-wilson-microsoft/

  • Anonymous
    October 01, 2007
    Direct Link to the MP3 Audio: http://media.sitepoint.com/presentations/2007-09-28_wds07chriswilson.mp3 Good talk, oddly enough, the ONLY talk about IE8 features and fixes... go figure! Executive / Developer Summary: IE8:

  • New Layout Engine
  • Standards Compliant (opt-in)*
  • Although not indicated, in IE8, if you want rendering to follow the spec for [some/all/certain] things, you (the developer) will need to "opt-in" somehow.  (The exact context of this is not indicated) Based on existing stuff in IE, the preliminary guess would be a CC (Conditional Comment), similar to the MOTW. to dictate/enforce desire to render in standards mode. In general summary... Chris Wilson cares about standards, and is doing whatever he can to ensure IE8 is on the right path! YEEE HAAAAAW!!!! I can't wait!

  • Anonymous
    October 01, 2007
    The comment has been removed

  • Anonymous
    October 16, 2007
    I was reading my buddy Alex Smolen's post the other day on Java Applet Security and figured I would see

  • Anonymous
    October 31, 2007
    在前面《再谈IObjectSafety》一文里,我们讲了声明一个ActiveX为脚本安全可能会被滥用而带来安全隐患。现在微软推出了一个新的ATL模板类IObjectSafetySiteLockImpl ,可以在编写ActiveX组件的时候设置只能在特定站点上加载,从而避免被恶意站点使用。

  • Anonymous
    May 07, 2008
    Hi, I’m Matt Crowley, Program Manager for Extensibility with Internet Explorer. The team was very excited

  • Anonymous
    March 16, 2009
        아래 글은 IEBlog에 올라온 IE 8 보안 관련 글 중 두번째 글을 번역한 것입니다. 현재 파트 5까지 나와있는데 시리즈로 번역할 예정입니다. 이 글 뿐