date: Wed, 24 Oct 2007 07:47:15 -0700,
group: microsoft.public.inetsdk.programming.urlmonikers
Re: Implement IInternetSecurityManager.GetSecurityID
M.Bammann wrote:
> I'm trying to implement GetSecurityID to prevent the ACCESS DENIED
> message when accessing an IFRAME.
> But it does not work. Every string I return seems to be wrong and
> makes the browser control report ACCESS DENIED messages even when I
> try to read the ReadyState.
>
> I tried many different combinations, for example:
> Dim id As String = "prot:root+" & Chr(0) & Chr(0) & Chr(0) & Chr(0)
> Dim id As String = "file:+" & Chr(0) & Chr(0) & Chr(0) & Chr(0)
> Dim id As String = "file//:+" & Chr(0)
> Dim id As String = "http://localhost+" & Chr(0)
> Dim id As String = "http://localhost+0"
There should be no plus '+' sign and no slashes. It's the string like
"http:domain.name" immediately followed by four bytes representing zone
as a DWORD. For example, the security ID for http://www.google.com , as
returned by built-in security manager, is 23 bytes long and looks like
"http:www.google.com" & CHR(3) & CHR(0) & CHR(0) & CHR(0)
I'm also not sure how well your VB declaration matches the signature
expected by COM, but I don't know VB enough to help you with it.
--
With best wishes,
Igor Tandetnik
With sufficient thrust, pigs fly just fine. However, this is not
necessarily a good idea. It is hard to be sure where they are going to
land, and it could be dangerous sitting under them as they fly
overhead. -- RFC 1925
date: Wed, 24 Oct 2007 11:15:47 -0400
author: Igor Tandetnik
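
The layout described in the reply above, as an added C example that is not part of the original thread: it builds an ID as scheme:host followed by the zone as a little-endian DWORD, and checks a candidate buffer against that layout. The function names and the 64-byte buffer are assumptions made for the illustration; the sample values are constructed from the ones quoted in the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { ZONE_BYTES = 4 };  /* the zone is stored as a DWORD */

/* Write "<scheme>:<host>" plus the zone as a little-endian DWORD.
   Returns the total length, or 0 if it does not fit in cap bytes. */
size_t build_security_id(const char *scheme, const char *host, uint32_t zone,
                         unsigned char *out, size_t cap)
{
    size_t slen = strlen(scheme), hlen = strlen(host);
    size_t total = slen + 1 + hlen + ZONE_BYTES;
    if (total > cap) return 0;
    memcpy(out, scheme, slen);
    out[slen] = ':';
    memcpy(out + slen + 1, host, hlen);
    for (int i = 0; i < ZONE_BYTES; i++)
        out[slen + 1 + hlen + i] = (unsigned char)(zone >> (8 * i));
    return total;
}

/* Check a candidate ID: a "scheme:host" prefix with no '+', '/' or NUL,
   then exactly four zone bytes. Returns 1 and stores the zone, else 0. */
int check_security_id(const unsigned char *id, size_t len, uint32_t *zone)
{
    if (len <= ZONE_BYTES) return 0;
    size_t plen = len - ZONE_BYTES;
    int colon = 0;
    for (size_t i = 0; i < plen; i++) {
        if (id[i] == '+' || id[i] == '/' || id[i] == 0) return 0;
        if (id[i] == ':') colon = 1;
    }
    if (!colon) return 0;
    *zone = 0;
    for (int i = 0; i < ZONE_BYTES; i++)
        *zone |= (uint32_t)id[plen + i] << (8 * i);
    return 1;
}

int main(void)
{
    unsigned char id[64];  /* constructed sample, not captured from urlmon */
    uint32_t zone = 0;
    size_t n = build_security_id("http", "www.google.com", 3, id, sizeof id);
    int ok = check_security_id(id, n, &zone);
    printf("len=%zu ok=%d zone=%u\n", n, ok, (unsigned)zone);
    return 0;
}
```

Zone value 3 is URLZONE_INTERNET, while four Chr(0) bytes decode to zone 0, which is URLZONE_LOCAL_MACHINE.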
Re: Implement IInternetSecurityManager.GetSecurityID
Thank you for your fast reply,
I've tried this format, but it does also not work...
I tried the following:
"mod:root" & Chr(0) & Chr(0) & Chr(0) & Chr(0)
"http:localhost" & Chr(0) & Chr(0) & Chr(0) & Chr(0)
pwszUrl is "mod://root/ModClientMainPage.aspx"
Has MY protocol name to be included or should it be one of the default
protocols (http,file,res..) ?
Maybe anyone could tell me if it's simply a problem with the
marshalling of the parameters?
Here is the interface definition:
[ComImport, GuidAttribute("79eac9ee-baf9-11ce-8c82-00aa004ba90b"),
 InterfaceTypeAttribute(ComInterfaceType.InterfaceIsIUnknown),
 ComVisible(false)]
public interface IInternetSecurityManager
{
    [return: MarshalAs(UnmanagedType.I4)]
    [PreserveSig]
    int GetSecurityId(
        [MarshalAs(UnmanagedType.LPWStr)] string pwszUrl,
        [MarshalAs(UnmanagedType.LPArray)] byte[] pbSecurityId,
        ref uint pcbSecurityId,
        uint dwReserved);
    ...
}
Thanks for your help
date: Wed, 24 Oct 2007 09:07:13 -0700
author: M.Bammann
Re: Implement IInternetSecurityManager.GetSecurityID
M.Bammann wrote:
> I've tried this format, but it does also not work...
>
> I tried the following:
> "mod:root" & Chr(0) & Chr(0) & Chr(0) & Chr(0)
> "http:localhost" & Chr(0) & Chr(0) & Chr(0) & Chr(0)
>
> pwszUrl is "mod://root/ModClientMainPage.aspx"
That's the URL of the iframe, right? What's the URL of the containing
document? Essentially, to prevent those Access Denied errors, you want
to lie about the source of the iframe content, and pretend that iframe
comes from the same protocol, domain and zone as the main document. To
do that, you make sure GetSecurityId returns the same value both for the
main document's URL and for iframe's URL.
> Has MY protocol name to be included or should it be one of the default
> protocols (http,file,res..) ?
It doesn't matter, as long as it's the same both for the top-level page
and for the iframe.
By the way, if all you need is to read readyState, why don't you just
handle DocumentComplete event from the top-level browser?
See also KB article KB196340 "How to get the WebBrowser object model of
an HTML frame". This technique completely bypasses cross-domain
security.
--
With best wishes,
Igor Tandetnik
With sufficient thrust, pigs fly just fine. However, this is not
necessarily a good idea. It is hard to be sure where they are going to
land, and it could be dangerous sitting under them as they fly
overhead. -- RFC 1925
date: Wed, 24 Oct 2007 12:23:20 -0400
author: Igor Tandetnik
Re: Implement IInternetSecurityManager.GetSecurityID
> > pwszUrl is "mod://root/ModClientMainPage.aspx"
>
> That's the URL of the iframe, right? What's the URL of the containing
> document? Essentially, to prevent those Access Denied errors, you want
> to lie about the source of the iframe content, and pretend that iframe
> comes from the same protocol, domain and zone as the main document. To
> do that, you make sure GetSecurityId returns the same value both for the
> main document's URL and for iframe's URL.
>
No, it's the URL of the main document...in fact the access denied
message now comes before even trying to access any iframe, already
while loading the main document.
>
> By the way, if all you need is to read readyState, why don't you just
> handle DocumentComplete event from the top-level browser?
>
No, I need to access the frames from JavaScript on the pages and also
from the hosting EXE. But when I return anything else than
INET_E_DEFAULT_ACTION
the following code does throw an ACCESSDENIED exception in
Display.ReadyState before I can do anything else.
Display.Navigate("mod://root/ModClientMainPage.aspx")
Do
Application.DoEvents()
Loop Until Display.ReadyState = WebBrowserReadyState.Complete
If I comment out the loop and try to access the frames in the onload
event I also get ACCESS DENIED.
But maybe I am looking at the wrong place anyway, because ALL pages I
want to load are coming from my own protocol handler, so I don't even
know why the browser control thinks they are coming from different
domains.
So I tried again the IInternetProtocolInfo:ParseUrl function:
public void ParseUrl(string pwzUrl, ParseAction parseAction,
    UInt32 dwParseFlags, out string pwzResult, UInt32 cchResult,
    out UInt32 pcchResult, UInt32 dwReserved)
{
    pcchResult = 0;
    pwzResult = "";
    string sResult = null;
    switch (parseAction) {
        case ParseAction.PARSE_SECURITY_URL:
            //both not working -> getting Navigation Canceled in Browser
            sResult = "mod:root" + 0x0 + 0x0 + 0x0 + 0x0;
            sResult = "mod:";
            break;
        default:
            Marshal.ThrowExceptionForHR(INET_E_DEFAULT_ACTION);
            break;
    }
    if (sResult != null) {
        pcchResult = (uint)sResult.Length;
        if (pcchResult < cchResult)
            pwzResult = sResult;
        else
            Marshal.ThrowExceptionForHR(S_FALSE);
    }
    Marshal.ThrowExceptionForHR(S_OK);
}
But then I get only the Navigation Canceled page.
I'm really stuck now...:-(
Do you have any idea???
date: Thu, 25 Oct 2007 07:13:24 -0700
author: M.Bammann
Re: Implement IInternetSecurityManager.GetSecurityID
M.Bammann wrote:
> No, I need to access the frames from JavaScript on the pages and also
> from the hosting EXE. But when I return anything else than
> INET_E_DEFAULT_ACTION
> the following code does throw an ACCESSDENIED exception in
> Display.ReadyState before I can do anything else.
>
> Display.Navigate("mod://root/ModClientMainPage.aspx")
> Do
> Application.DoEvents()
> Loop Until Display.ReadyState = WebBrowserReadyState.Complete
>
> If I comment out the loop and try to access the frames in the onload
> event I also get ACCESS DENIED.
This is very strange. IWebBrowser2 properties and methods, including
ReadyState property, aren't subject to cross-domain security in the
first place (since the script on a page can't gain access to
IWebBrowser2 pointer, and the whole point of cross-domain security is to
prevent the script from doing something bad). I suspect your marshalling
is wrong after all - something somewhere gets corrupted, and corruption
manifests in this bizarre way. But I don't know .NET well enough to help
you with marshaling.
Have you tried leaving the default security manager alone, and going
with KB196340 instead?
--
With best wishes,
Igor Tandetnik
With sufficient thrust, pigs fly just fine. However, this is not
necessarily a good idea. It is hard to be sure where they are going to
land, and it could be dangerous sitting under them as they fly
overhead. -- RFC 1925
date: Thu, 25 Oct 2007 11:21:16 -0400
author: Igor Tandetnik