Marking a Python COM server safe for Internet Explorer

Neil Hodgson nhodgson at bigpond.net.au
Fri Jul 6 20:01:03 EDT 2001


Steve Holden:
> "Bill Bell" <bill-bell at bill-bell.hamilton.on.ca> wrote in ...
> >
> > As a kind of default, Internet Explorer will ask the user's permission
> > before instantiating an ActiveX control. However, one can
> > implement IObjectSafety to inform IE that one's control is safe,
> > thus sparing the user the need to respond to the dialog box.
> >
> I must have misunderstood. Are you telling me that IE has a security system
> to detect potentially unsafe downloaded content, but that it won't use this
> system if the downloaded content tells it there's no need?

   There are 2 code components here, an ActiveX control and a web page.
IObjectSafety is to allow an already trusted (because it was installed)
ActiveX to say whether it will always be safe when (a) initialised with
potentially malicious parameters and (b) manipulated by potentially
malicious script. For example, an ActiveX with a PostToCLPython method would
refuse to allow unsafe scripts such as those on web pages to script it in
case they called PostToCLPython("ActiveX is good ;)").

    Equivalently the installer can add the control to the categories
CATID_SafeForScripting or CATID_SafeForInitializing. This is probably an
easier solution to the original problem. See
http://support.microsoft.com/support/kb/articles/Q161/8/73.ASP

   Neil
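
The safety negotiation described in the message above, as an added example that is not part of the original post: a simplified Python model of a host asking an installed control whether it may be scripted, with the component-category fallback. The constants are the standard COM values; the class and function names are hypothetical, and the rule that the host consults categories only when IObjectSafety is absent is an assumption of this model.

```python
# Simplified model of the check a host such as IE makes before page script
# may drive an installed control. Constants are the standard COM values; the
# class and function names are hypothetical.
INTERFACESAFE_FOR_UNTRUSTED_CALLER = 0x1   # safe to be scripted
INTERFACESAFE_FOR_UNTRUSTED_DATA = 0x2     # safe to be initialised
S_OK, E_FAIL = 0x00000000, 0x80004005
CATID_SafeForScripting = "{7DD95801-9882-11CF-9FA9-00AA006C42C4}"
CATID_SafeForInitializing = "{7DD95802-9882-11CF-9FA9-00AA006C42C4}"


class ObjectSafety:
    """Control side: `supported` is what the control's author vouches for."""

    def __init__(self, supported):
        self.supported = supported
        self.enabled = 0

    def SetInterfaceSafetyOptions(self, mask, options):
        if mask & ~self.supported:      # host asks for an unsupported option
            return E_FAIL
        self.enabled = (self.enabled & ~mask) | (options & mask)
        return S_OK


def host_allows(safety, categories, option, catid):
    """Host side: ask IObjectSafety if implemented, else use categories."""
    if safety is not None:
        return safety.SetInterfaceSafetyOptions(option, option) == S_OK
    return catid in categories


def demo():
    caller = INTERFACESAFE_FOR_UNTRUSTED_CALLER
    scripting = CATID_SafeForScripting
    poster = ObjectSafety(supported=0)   # control with a PostToCLPython method
    viewer = ObjectSafety(supported=caller | INTERFACESAFE_FOR_UNTRUSTED_DATA)
    return {
        "poster": host_allows(poster, set(), caller, scripting),
        "viewer": host_allows(viewer, set(), caller, scripting),
        "by_category": host_allows(None, {scripting}, caller, scripting),
        "init_only": host_allows(None, {CATID_SafeForInitializing},
                                 caller, scripting),
        "unmarked": host_allows(None, set(), caller, scripting),
    }


if __name__ == "__main__":
    print(demo())
```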
