If you drop the IESecurityManager component on a form with
EmbeddedWB you can easily attach your own InternetSecurityManager to the
webbrowser. Use EmbeddedWB's OnQueryService event and add:
// Uses urlmon, ActiveX
function TForm1.EmbeddedWB1QueryService(const rsid, iid: TGUID;
  out Obj: IUnknown): HRESULT;
begin
  if IsEqualGuid(IInternetSecurityManager, rsid) and
     IsEqualGuid(rsid, iid) then
    Result := SecurityManager1.QueryInterface(IInternetSecurityManager, Obj)
  else
    Result := E_NOINTERFACE;
end;
When the webbrowser is about to load a new page, the SecurityManager is
called several times:
First, GetSecurityID is called to get the SecurityZone the requested
URL belongs to. (All my attempts to override this function have been
without success. Please mail me
if you know how to do it.)
Next, ProcessUrlAction is called when loading of the page might pose
a security risk to the local computer. These include actions such as
running a Java applet or an ActiveX control. ProcessUrlAction receives a
URLACTION and you should return a corresponding URLPOLICY. See the links below
for a complete list of URLACTIONS and URLPOLICIES. If you want to disable
download of ActiveX controls, your OnProcessUrlAction handler can look like this:
function TForm1.SecurityManager1ProcessUrlAction(pwszUrl: PWideChar;
  dwAction: Cardinal; pPolicy: Pointer; cbPolicy: Cardinal;
  pContext: Pointer; cbContext, dwFlags, dwReserved: Cardinal): HRESULT;
var
  dwPolicy: DWORD;
begin
  Result := S_FALSE;
  // Deny every action in the ActiveX range; leave all other actions
  // to the default security manager.
  if (dwAction <= URLACTION_ACTIVEX_MAX) and
     (dwAction >= URLACTION_ACTIVEX_MIN) then
    dwPolicy := URLPOLICY_DISALLOW
  else
    Result := INET_E_DEFAULT_ACTION;
  // Write the policy only if the caller's buffer can hold a DWORD.
  if (Result = S_FALSE) and (cbPolicy >= SizeOf(DWORD)) then
  begin
    DWORD(pPolicy^) := dwPolicy;
    Result := S_OK;
  end;
end;
If ProcessUrlAction returns a Custom Policy (e.g. URLPOLICY_JAVA_CUSTOM) QueryCustomPolicy
will get called to retrieve further information.
There seem to be a couple of limitations in the use of
IInternetSecurityManager:
ProcessUrlAction is not called for all URLACTIONS. Microsoft has confirmed
this to be a bug (Q239095).
In most cases it is not possible to lower the security level, only to
add new restrictions.
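The handler above extended to scripts and Java, as an added example that is not part of the original page or of the IESecurityManager sources. It assumes the urlmon constants URLACTION_SCRIPT_MIN/MAX, URLACTION_JAVA_PERMISSIONS and URLPOLICY_JAVA_PROHIBIT are declared in the urlmon unit in use; RestrictivePolicy and Memo1 are hypothetical names. Each action that reaches the handler is logged, so actions that are never passed in (the Q239095 limitation) show up as gaps.

```delphi
// Added example. Uses Windows, SysUtils, UrlMon.
// RestrictivePolicy and Memo1 are hypothetical names, not part of the component.

// Maps a URLACTION to the restrictive policy this host wants to enforce.
// Returns False when the action should be left to the default manager.
function RestrictivePolicy(dwAction: DWORD; out dwPolicy: DWORD): Boolean;
begin
  Result := True;
  if dwAction = URLACTION_JAVA_PERMISSIONS then
    // Java permissions use the URLPOLICY_JAVA_* scale, not ALLOW/QUERY/DISALLOW.
    dwPolicy := URLPOLICY_JAVA_PROHIBIT
  else if (dwAction >= URLACTION_ACTIVEX_MIN) and
          (dwAction <= URLACTION_ACTIVEX_MAX) then
    dwPolicy := URLPOLICY_DISALLOW
  else if (dwAction >= URLACTION_SCRIPT_MIN) and
          (dwAction <= URLACTION_SCRIPT_MAX) then
    dwPolicy := URLPOLICY_DISALLOW
  else
    Result := False;
end;

function TForm1.SecurityManager1ProcessUrlAction(pwszUrl: PWideChar;
  dwAction: Cardinal; pPolicy: Pointer; cbPolicy: Cardinal;
  pContext: Pointer; cbContext, dwFlags, dwReserved: Cardinal): HRESULT;
var
  dwPolicy: DWORD;
begin
  // Record every action the browser actually hands to this manager.
  Memo1.Lines.Add(IntToHex(dwAction, 8) + '  ' + WideString(pwszUrl));

  if not RestrictivePolicy(dwAction, dwPolicy) then
    Result := INET_E_DEFAULT_ACTION
  else if (pPolicy <> nil) and (cbPolicy >= SizeOf(DWORD)) then
  begin
    PDWORD(pPolicy)^ := dwPolicy;
    Result := S_OK;
  end
  else
    // No room for the policy value: same result as the handler above.
    Result := S_FALSE;
end;
```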
IESecurityManager has implemented four easy-to-use UrlPolicy properties (ActiveX,
CrossDomainData, JavaPermissions, Scripts, HTMLFormSubmit). You can easily
add more.
It is recommended to read the introduction to Url Security Zones on MS'
site before using the component.
LINKS:
URL Security Zones Overview
URL Security Zones Reference
Q246227 - SAMPLE: SECUMGR Overrides Security Manager for WebBrowser Host
BUG: URLACTION not Passed to Custom Security Manager

Zones and Security Demo

Small demo showing how to retrieve information about
security settings using the SecurityManager and ZoneManager.
You can use CoInternetCreateSecurityManager and CoInternetCreateZoneManager (urlmon.pas)
to create an instance of the SecurityManager and ZoneManager:
var
  SecManager: IInternetSecurityManager;
  ZoneManager: IInternetZoneManager;
begin
  CoInternetCreateSecurityManager(nil, SecManager, 0);
  CoInternetCreateZoneManager(nil, ZoneManager, 0);
  ...
The InternetZoneManager contains all functions needed to enumerate
the security zones:
var
  Zone, ZoneCounter, TotalZones, ZoneEnum: DWORD;
begin
  ZoneManager.CreateZoneEnumerator(ZoneEnum, TotalZones, 0);
  for ZoneCounter := 0 to TotalZones - 1 do
  begin
    ZoneManager.GetZoneAt(ZoneEnum, ZoneCounter, Zone);
    ...
  end;
To retrieve information about the security zone you
can use GetZoneAttributes:
var
  ZoneAttrib: TZoneAttributes;
begin
  ...
  ZoneManager.GetZoneAttributes(Zone, ZoneAttrib);
  ...
ZoneAttributes contains the following information:
DisplayName: e.g. Local Intranet
Description: e.g. This zone contains all Web sites that are on your organization's intranet.
Icon information: e.g. shell32.dll#0018
The demo shows how to extract and show the icon and
information in a listview.
The SecurityManager can be used to retrieve information about sites or
URL patterns added to the selected zone. GetZoneMappings returns
a list of type IEnumString. The following code demonstrates how to
add the URL patterns to a memo field:
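var
  Enum: IEnumString;
  Fetched: UInt;
  Zone: DWord;
  Pattern: POleStr;
begin
  ...
  SecManager.GetZoneMappings(Zone, Enum, 0);
  while Succeeded(Enum.Next(1, Pattern, @Fetched)) and (Fetched = 1) do
  begin
    Memo1.Lines.Add(Pattern);
    // The caller owns each string returned by Next (CoTaskMemFree is in ActiveX).
    CoTaskMemFree(Pattern);
  end;
  ...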
The demo also shows how to retrieve the policies for
all URLACTIONS using the ZoneManager's GetZoneActionPolicies.
In EmbeddedWB you can easily connect to the SecurityManager or
ZoneManager using:
EmbeddedWB1.SecurityManager
or
EmbeddedWB1.ZoneManager