Running ActiveX control and maintaining security - security

In my web application, I have a part that invokes an ActiveX control. The ActiveX control is available on all the client PCs that access my web application from the web server. But when trying to run this ActiveX control from the browser on a client machine (using Wshell), it was not getting invoked, since "Run ActiveX Controls and Plug-ins" was disabled in my browser. So I changed the browser setting to enable mode, and then the ActiveX control gave me the expected output. I am afraid that this change in browser settings would allow any other website to harm my system. How could I get rid of this problem? Any thoughts? Thanks in advance.

There have been a lot of security changes introduced from Vista + IE7 onwards, wherein IE starts in protected mode, which helps protect users from attack by running the Internet Explorer process with greatly restricted privileges. Protected Mode significantly reduces the ability of an attack to write, alter or destroy data on the user's machine or to install malicious code.
More details: http://msdn.microsoft.com/en-us/library/bb250462.aspx#wpm_aarwm
So developers have to modify their applications to conform to the new standards, like starting the process from the plugin, sending Windows messages from the LI (Low Integrity) process to the HI process, etc.

You can digitally sign your ActiveX so that users do not have to compromise the security of their browser too much in order to allow it to run. But, essentially, ActiveX isn't very secure and these problems always pop up when you choose ActiveX...

Related

Hidden controls appearing in web instance [LabVIEW]

I have created an application in which the VI has some controls, and these controls are useful only during development and in special instances can be unlocked in the application. I basically use the app.kind property node to determine what environment the VI is running in and suitably hide/unhide the controls.
I have the application published on the web using the NI Web Publishing Tool. The computer which hosts the app works fine (and these controls remain invisible), but these controls can be seen on the web page. The VI is in "Embedded" mode. As a workaround I have pushed these controls some distance away and hence prevented the user from knowing about them, but this introduces the problem that I cannot view these controls when I unlock them.
Any help would be greatly appreciated.
You have built a stand-alone application and enabled web server, correct?
Are you sure the web panel is connecting to the stand-alone application (app.kind=2)
and is not reaching the development LabVIEW (app.kind=1) still listening on that web server port?
I would add an indicator to display the value of app.kind at all times.
What happens if you toggle the hidden fields on and off? I would add a button to do this on the vi.
Do they disappear/reappear reliably in the window where you have control?
Also, you said this was in Embedded mode - but are you also transferring control to the web page?
Those are some approaches I'd try to help pin this down.

Force a web page to open up in the Lotus Notes client web browser regardless of user preference

We need to force a particular web application to launch in the Notes browser regardless of the browser option the user has chosen. This also ideally needs to be launched from some LotusScript code.
I haven't been able to find a way of doing it so any suggestions would be appreciated.
There's unfortunately no way to force the Notes browser via LotusScript. However, you could look into using policies to restrict the user's default browser: http://www-10.lotus.com/ldd/dominowiki.nsf/dx/03062008102616AMWEBL4Y.htm
If it is possible, I suggest taking a different approach. This likely can't be solved via a technical solution (i.e. the user could always find a way to open the URL in a non-Notes browser if they are motivated to do so). Therefore I would make the recommendation to the user that the application only works via the Notes browser, and leave it up to them to do the right thing. Do that either by training, or putting a message on the web application, etc.
Another idea, if you have control over the web application, is that you could check the browser's User-Agent for the keyword "Lotus Notes" and disallow any non-Notes browsers from using the application.
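The User-Agent gate suggested in the answer above, written out as a small server-side check. This is example code added to the thread; it is not from the original answer, from Lotus/IBM, or from any real Notes deployment. The marker "Lotus Notes" is the keyword the answer names; the sample User-Agent strings, the "launch in a WSGI middleware" framing and the hello_app stand-in are assumptions made for the example. The comments repeat the answer's own caveat: the header is client-controlled, so this keeps ordinary browsers out but cannot stop a user who deliberately spoofs it.

```python
"""Server-side gate that admits only the Lotus Notes embedded browser, keyed on
the User-Agent header as the answer above suggests.

Example code added to this thread; it is not from the original answer, from
Lotus/IBM, or from any real Notes deployment.  The marker "Lotus Notes" is the
keyword the answer names; the SAMPLE_AGENTS strings are constructed for the
demonstration, not captured from real clients."""

from typing import Dict, Iterable, Optional, Tuple

NOTES_MARKERS: Tuple[str, ...] = ("lotus notes",)


def is_notes_browser(user_agent: Optional[str],
                     markers: Iterable[str] = NOTES_MARKERS) -> bool:
    """Case-insensitive substring match on the User-Agent header.

    The header is client-controlled, so this keeps ordinary browsers out but
    does not stop a user who deliberately spoofs the string (the answer's own
    caveat that a motivated user can always work around it)."""
    if not user_agent:
        return False
    ua = user_agent.lower()
    return any(marker in ua for marker in markers)


def notes_only(app):
    """WSGI middleware: answer 403 for any request whose User-Agent lacks the
    Notes marker, otherwise hand the request to the wrapped application."""
    def wrapped(environ, start_response):
        if not is_notes_browser(environ.get("HTTP_USER_AGENT")):
            body = b"This application must be opened in the Lotus Notes client browser.\n"
            start_response("403 Forbidden",
                           [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
            return [body]
        return app(environ, start_response)
    return wrapped


def hello_app(environ, start_response):
    """Stand-in for the real web application."""
    body = b"Welcome to the Notes-only application.\n"
    start_response("200 OK",
                   [("Content-Type", "text/plain"),
                    ("Content-Length", str(len(body)))])
    return [body]


APP = notes_only(hello_app)


def simulate(user_agent: Optional[str]) -> Tuple[str, bytes]:
    """Drive APP without a web server and return (status line, body).
    Passing None models a request that carries no User-Agent at all."""
    environ: Dict[str, str] = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if user_agent is not None:
        environ["HTTP_USER_AGENT"] = user_agent
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        return lambda data: None

    body = b"".join(APP(environ, start_response))
    return captured["status"], body


# Constructed User-Agent strings for the demonstration (not real captures).
SAMPLE_AGENTS: Dict[str, str] = {
    "notes": "Mozilla/4.0 (compatible; Lotus Notes/8.5; Windows NT 5.1)",
    "firefox": "Mozilla/5.0 (Windows NT 6.1; rv:3.6) Gecko/20100101 Firefox/3.6",
    "curl": "curl/7.19.7",
}


if __name__ == "__main__":
    for name, ua in SAMPLE_AGENTS.items():
        status, _ = simulate(ua)
        print(f"{name:8s} -> {status}")
    print("no UA    ->", simulate(None)[0])
```

Putting the check in a middleware (or the equivalent filter in whatever stack hosts the application) keeps it in one place, and answering 403 with a plain explanation is the "message on the web application" the answer recommends for users who arrive in the wrong browser.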
Oddly enough I have the issue you want to emulate happening on a Mac. I am not sure at this time if this is expected behavior though (still investigating).
I have a database rendering an XPage on the client. The link is in a rich text field. When the link is clicked it opens in the same tab in the Notes client, instead of the system browser (which is set in the Notes client).
Using Call notesUIWorkspace.URLOpen( Url$, reload%, urlList%, charset$, webusername$, webpassword$, proxywebusername$, proxywebpassword$, notesRetriever ), specifying True for notesRetriever, will open the browser page IN Notes (whatever the user config).
Don't expect too much of this, since it will require the retriever process to run on the Domino server.
I bet your application won't work using a retriever.

ClickOnce - Secure Alternative to ActiveX for Launching Local Application from IE?

Need to have ASP.NET page running on intranet launch a local windows application (VB6 exe). Originally planning to use an ActiveX control, however general security concerns with ActiveX controls (real and perceptual) have led us to consider a ClickOnce approach to the problem. The user would click on a link that would launch the ClickOnce application (the ClickOnce application would just be a .NET windows app to launch the VB6 app). Is this a better solution from a security perspective?
Is there a reason why you couldn't simply publish the application that you want to launch as a ClickOnce application?
When a ClickOnce application is published, it always checks the server for any updates and, if there are none, it launches the cached installation of the application. This is the same effect as the "launch" link on the default ClickOnce installation page that is generated when you publish the application. You could publish the application and then copy the URL from the launch link to your website for the same effect.
I wouldn't recommend your method above. I don't know your specific scenario but, obviously, the ClickOnce application that you mention above would not work if the VB6 application did not exist on the user's computer or if it was located in a different installation location.
In response to your security concerns, I'm not an ActiveX expert but I wouldn't think launching an ActiveX component would be a problem if it's being used from within your intranet. In fact, I think the problem with ActiveX is that when it's enabled, malicious websites can inject harmful ActiveX viruses. I'm not a security expert, so I could be wrong. I'd be surprised, however, that hosting an ActiveX service would be a security problem (assuming your code is legit ;)

IHTMLTxtRange.execCommand("Copy",false,null) fails due to IE settings

We have a .Net application that is used for editing/rendering customized HTML documents. It is hosted in IE using the AxSHDocVw.AxWebBrowser controls. We proceed with navigating to "about:blank" page initially then we change the Document by writing our custom values into it. The problem we are facing is the call to IHTMLTxtRange.execCommand("Copy",false,null) is failing if we don't enable the IE Security Settings in the Internet Security zone (Scripting->Allow Programmatic Access to Clipboard ).
In order to bypass the security setting, I tried to point to a local HTML file initially while navigating. But this fails as soon as I modify the Document.
I want to use the IHTMLTxtRange.execCommand("Copy",false,null) command so that I can customize our Copy/Paste operations.
Is there any other way I can do this.
Please share your ideas in order to overcome this situation.
Thanks.
Sriram
Try implementing IInternetSecurityManager on your WebBrowser control host and handle URLACTION_SCRIPT_PASTE in ProcessUrlAction.
Note there is a bug in earlier versions of IE that causes the webbrowser to ignore host's URLACTION_SCRIPT_PASTE handling.
As far as I know, there is no way to do that without user permission. It's a security/privacy loophole to allow access to the clipboard, and it's natural that browsers are protective about it.
You have already tried ActiveX, and it doesn't work.
With Flash, you can interact with the system clipboard, but only if it's part of an event handler. See Flash Player 10 Security.
JavaScript doesn't expose a way to access the clipboard.
Not sure about Silverlight, but I am guessing it would also restrict access to the clipboard.
In short, the user has to explicitly give your application/website permission to access the clipboard.

Good reasons for not letting the browser launch local applications

I know this might be a no-brainer, but please read on.
I also know it's generally not considered a good idea, maybe the worst, to let a browser run and interact with local apps, even in an intranet context.
We use Citrix for home-office, and people really like it. Now, they would like the same kind of environment at work, a nice page where every important application/document/folder is nicely arranged and classified in an orderly fashion. These folks are not particularly tech savvy; I don't even consider thinking that they could understand the difference between remote delivered applications and local ones.
So, I've been asked if it's possible. Of course, it is, with IE's good ol' ActiveX controls. And I even made a working prototype (that's where it hurts).
But now, I doubt. Isn't it madness to allow such 'dangerous' ActiveX controls, even in the 'local intranet' zone? People will use the same browser to surf the web, can I fully trust IE? Isn't there a risk that Microsoft would just disable those controls in future updates/versions? What if a website, or any kind of malware, just put another site on the trust list? With that extent of control, you could as well uninstall every protection and just run amok 'till you got hanged by the IT dept.
I'm about to confront my superiors with the fact that, even if they saw it is doable, it would be a very bad thing. So I'm desperately in need of good and strong arguments, because "let's don't" won't do it.
Of course, if there is nothing to be scared of, that'll be nice too. But I strongly doubt that.
We use Citrix for home-office, and people really like it. Now, they would like the same kind of environment at work, a nice page where every important application/document/folder is nicely arranged and classified in an orderly fashion
I haven't used Citrix very many times, but what's it got to do with executing local applications? I don't see how "People like Citrix" and "browser executing local applications" relate at all?
If the people are accessing your Citrix server from home, and want the same experience in the office, then buy a cheap PC, and run the exact same Citrix software they run on their home computers. Put this computer in the corner and tell them to go use it. They'll be overjoyed.
Isn't it madness to allow such 'dangerous' ActiveX controls, even in the 'local intranet' zone ? People will use the same browser to surf the web, can I fully trust IE ?
Put it this way. IE has built-in support for AX controls. It uses its security mechanisms to prevent them from running unless in a trusted site. By default, no sites are trusted at all.
If you use IE at all then you're putting yourself at the mercy of these security mechanisms. Whether or not you tell it to trust the local intranet is beside the point, and isn't going to affect the operation of any other zones.
The good old security holes that require you to reboot your computer every few weeks when MS issues a patch will continue to exist and cause problems, regardless of whether you allow ActiveX in your local intranet.
Isn't there a risk that Microsoft would just disable those controls in future updates / versions ?
Since XP-SP2, Microsoft has been making it increasingly difficult to use ActiveX controls. I don't know how many scary looking warning messages and "This might destroy your computer" dialogs you have to click through these days to get them to run, but it's quite a few. This will only get worse over time.
Microsoft is walking a fine line. On one hand, they regularly send ActiveX killbits with Windows Update to remove/disable applications that have been misbehaving. On the other hand, the latest version of SharePoint 2007 (can't speak for earlier versions) allows Office documents to be opened by clicking a link in the browser and edited in the local application. When the edit is finished, the changes are transmitted back to the server and the webpage (generally) is refreshed. This is only an IE thing, as Firefox will throw up an error message.
I can see the logic behind it, though. Until Microsoft gets all of their apps 'in the cloud', there are cases that need to bridge the gap between the old client-side apps and a more web-centric business environment. While there is likely a non-web workaround, more and more information workers have come to expect that a large portion of their work will be done in a browser. Anything that makes the integration with the desktop easier is not going to be opposed by anyone except the sysadmins.
The standard Citrix homepage (or how we use it) is a simple web page with program icons. Click on one, and the application gets delivered to you. People want the same thing at work, with their applications/folders/documents. And because I'm a web developer, and they asked me, I do it with a web page... Perhaps I should pass the whole thing over to the VB guy.
Ahh... I know of 2 ways to accomplish this:
You can embed Internet Explorer into an application, and hook into it and intercept certain kinds of URLs and so on.
I saw this done a few years ago - a telephony application embedded Internet Explorer in itself, and loaded some specially formatted webpages.
In the webpage there was this:
Call John Smith
Normally this would be a broken URL, but when the user clicked on this link, the application containing the embedded IE got notified, and proceeded to execute its own custom code to dial the number from the URL.
You could get your VB guy to write an application which basically just wraps IE, and has handlers for executing applications. You could then code normal webpages with links to just open applications, and the VB app would launch them. This allows you to write your own security stuff (like, only launch applications in a preset list, or so on) into the VB app, and because VB is launching them, not IE, none of the IE security issues will be involved.
The second way is with browser plug-ins.
For example, Skype comes with a Firefox plug-in, which looks for phone numbers in web pages and attaches special links to them. When you click on these links it invokes Skype. You could conceivably do something similar for launching your Citrix apps.
You'd then be tied to Firefox though. Writing plugins for IE is much harder than for FF; I wouldn't go down that path unless forced to.
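The first approach in the answer above, the wrapper application that owns the decision about what may run, hinges on the "only launch applications in a preset list" part. Here is that allow-list logic written out as example code added to the thread; it is not from the original answer, from the telephony product it mentions, or from any real Citrix portal. The "launchapp" URL scheme, the ALLOWED_APPS table, DOCS_ROOT and the optional ?doc= parameter are all assumptions made for the example. The point it demonstrates is that nothing from the web page ever becomes part of a command line: the link is only a lookup key, and a document name is accepted only if it stays inside one fixed directory.

```python
"""Allow-list launcher for the 'wrapper around IE' design in the answer above:
the wrapper, not the browser, decides what may run.  A link names an entry in
a fixed table; the page never supplies a path or a command line.

Example code added to this thread; it is not from the original answer or the
telephony product it describes.  The "launchapp" scheme, the ALLOWED_APPS
table, DOCS_ROOT and the ?doc= parameter are assumptions made for the example."""

import os
import subprocess
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

SCHEME = "launchapp"

# Constructed allow-list: link name -> argv with absolute path and fixed arguments.
ALLOWED_APPS: Dict[str, List[str]] = {
    "calc": [r"C:\Windows\System32\calc.exe"],
    "notepad": [r"C:\Windows\System32\notepad.exe"],
}

# Only documents below this directory may be passed as an argument (constructed).
DOCS_ROOT = r"C:\Shared\Docs"


def safe_doc_path(doc: str, docs_root: str = DOCS_ROOT) -> Optional[str]:
    """Resolve a page-supplied document name under docs_root, rejecting anything
    that escapes the directory (../ segments, absolute paths, another drive)."""
    root = os.path.normpath(docs_root)
    candidate = os.path.normpath(os.path.join(root, doc))
    try:
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:          # different drives on Windows, or abs/rel mix
        inside = False
    if not inside or candidate == root:
        return None
    return candidate


def resolve_launch(url: str,
                   allowed: Dict[str, List[str]] = ALLOWED_APPS,
                   docs_root: str = DOCS_ROOT) -> Optional[List[str]]:
    """Map launchapp://<name>[?doc=<file>] to an argv, or None if the link is
    not permitted.  The URL is used only as a lookup key and, for ?doc=, as a
    file name checked against docs_root; none of it reaches a shell."""
    parts = urlsplit(url)
    if parts.scheme.lower() != SCHEME or parts.path not in ("", "/"):
        return None
    argv = allowed.get(parts.netloc.lower())
    if argv is None:
        return None
    argv = list(argv)
    query = parse_qs(parts.query, keep_blank_values=True)
    if set(query) - {"doc"}:            # unknown parameters are refused outright
        return None
    if "doc" in query:
        if len(query["doc"]) != 1:
            return None
        doc = safe_doc_path(query["doc"][0], docs_root)
        if doc is None:
            return None
        argv.append(doc)
    return argv


def launch(url: str) -> bool:
    """Start the program for a permitted link; False if the link is refused."""
    argv = resolve_launch(url)
    if argv is None:
        return False
    subprocess.Popen(argv)              # argv list, no shell=True, no string building
    return True


if __name__ == "__main__":
    # Constructed links as a portal page might present them; nothing is executed here.
    for link in ("launchapp://calc",
                 "launchapp://notepad?doc=readme.txt",
                 "launchapp://notepad?doc=../secrets.txt",
                 "launchapp://cmd",
                 "launchapp://calc?extra=1",
                 "http://example.test/"):
        print(f"{link:45s} -> {resolve_launch(link)}")
```

The wrapper would call launch() from its navigation hook whenever the embedded browser is about to follow a launchapp:// link. Because the table is compiled into (or installed alongside) the wrapper rather than read from the page, a compromised or spoofed page can at most ask for one of the entries that were already approved.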
