Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

86 lines
3.6 KiB

  1. /*****************************************************************************\
  2. FILE: autosecurity.h
  3. DESCRIPTION:
  4. Helpers functions to check if an Automation interface or ActiveX Control
  5. is hosted or used by a safe caller.
  6. BryanSt 8/20/1999
  7. Copyright (C) Microsoft Corp 1999-1999. All rights reserved.
  8. \*****************************************************************************/
  9. #ifndef _AUTOMATION_SECURITY_H_
  10. #define _AUTOMATION_SECURITY_H_
  11. #include <ocidl.h> // IObjectWithSite
  12. #include <shlwapip.h> // IUnknown_AtomicRelease
  13. #include <ccstock.h> // ATOMICRELEASE
  14. #include <mshtml.h>
  15. #include <cowsite.h> // CObjectWithSite
  16. #include <objsafe.h> // IObjectSafety
  17. #include <cobjsafe.h> // CObjectSafety
  18. /***************************************************************\
  19. DESCRIPTION:
  20. This class will provide standard security functions that
  21. most ActiveX Controls or scriptable COM objects need.
  22. HOW TO USE THIS CLASS:
  23. 1. If you don't want any security, don't implement this
  24. interface and don't implement IObjectSafety. This should
  25. prevent your class from being used from any unsafe hosts.
  26. 2. Create a list of any of your automation methods and actions
  27. invoked from your ActiveX Control's UI that can harm the user.
  28. 3. For each of those methods/actions, decide if:
  29. A) It's only safe from hosts that are always safe (like HTA)
  30. B) It's only safe from hosts if their content is from
  31. a safe zone (Local Zone/Local Machine).
  32. C) If an UrlAction needs to be checked before the operation
  33. can be carried out.
  34. 4. Based on #3, use IsSafeHost(), IsHostLocalZone(),
  35. or IsUrlActionAllowed() respectively.
  36. 5. Call MakeObjectSafe on any object you create unless you
  37. can GUARANTEE that it will be IMPOSSIBLE for an unsafe
  38. caller to use it directly or indirectly to do something
  39. unsafe.
  40. An example of a direct case is a collection object
  41. creating an item object and then returning it to the unsafe
  42. host. Since the host didn't create the object, it didn't
  43. get a chance to correctly use IObjectSafety, so
  44. MakeObjectSafe() is needed.
  45. An example of an indirect case is where unsafe code calls
  46. one of your automation methods and you decide to carry out
  47. the action. If you create a helper object to perform a task
  48. and you can't guarantee that it will be safe, you need to
  49. call MakeObjectSafe on that object so it can decide
  50. internally if it's safe.
  51. WARNING: If MakeObjectSafe returns a FAILED(hr),
  52. then ppunk will be FREED because it isn't safe to use.
  53. \***************************************************************/
  54. #define CAS_NONE 0x00000000 // None
  55. #define CAS_REG_VALIDATION 0x00000001 // Verify the host HTML is registered
  56. #define CAS_PROMPT_USER 0x00000002 // If the HTML isn't registered, prompt the user if they want to use it anyway.
  57. class CAutomationSecurity : public CObjectWithSite
  58. , public CObjectSafety
  59. {
  60. public:
  61. //////////////////////////////////////////////////////
  62. // Public Methods
  63. //////////////////////////////////////////////////////
  64. BOOL IsSafeHost(OUT OPTIONAL HRESULT * phr);
  65. BOOL IsHostLocalZone(IN DWORD dwFlags, OUT OPTIONAL HRESULT * phr);
  66. BOOL IsUrlActionAllowed(IN IInternetHostSecurityManager * pihsm, IN DWORD dwUrlAction, IN DWORD dwFlags, OUT OPTIONAL HRESULT * phr);
  67. HRESULT MakeObjectSafe(IN OUT IUnknown ** ppunk);
  68. };
  69. #endif // _AUTOMATION_SECURITY_H_