
Peace, Love, and Understanding ActiveX Controls


Jeff Brown
Rafael M. Muñoz
Microsoft Corporation

May 4, 1998
Updated: November 4, 1998

The following article was originally published in the Site Builder Magazine (now known as MSDN Online Voices) "Web Men Talking" column.

Contents
ActiveX: To use or not to use ... - ActiveX security issues
Connection this, Command that? - Creating Recordset objects in Visual Basic
Mark me safe, baby - Creating safe ActiveX controls
In with the new and out with the old - Using TreeView for a site map
SAVE IT, for crying out loud! - Automatically saving a file

Here in the northwest corner of the United States, the sun is out, the peonies are ready to pop, and the guys are feeling all warm and fuzzy. They want you to feel warm and fuzzy, too -- so they are expounding the virtues of trust on the Web, particularly regarding that scion of the Web: the ActiveX control. To help bring their message home, they've invited Guest Answer Man Jason Strayer, from Microsoft Support, to lend his expertise (and to fill in for the vacationing Jeff Brown).

Life, however, is not all about control issues, and the Web Men also delve into the realms of site maps, Recordset objects, IFRAMES, and saving files automatically.

Spring is good. So are the Web Men. Again, a warm, fuzzy welcome to Jason.

ActiveX: To use or not to use ...

Dear Web Men:

I'm developing a Web site and trying to decide whether to use ActiveX controls or not. However, I've heard a lot of rumors lately about how ActiveX controls are dangerous and very confusing for the end user. Could you guys shed some light on the aspects of ActiveX security?

Bob

The Web Men reply:

Security is our middle name, Bob.

As you probably understand, ActiveX controls can live and play outside the "sandbox." ActiveX controls have the full creative power of the Win32 API, and aren't limited to just a simple object model. With this power, however, comes the ability to do some pretty evil things, such as format your hard drive (why is this the first thing computer users think of when they think of evil?), or cause your sound card to pump out really loud music and wake your neighbors (a far worse thing if the control uses old Bon Jovi songs to do it!).

You need to be able to explain the basics of ActiveX controls to your end users -- which is far easier if first you understand them. With that goal in mind, here are a few tips for you -- as a user encountering ActiveX controls:

First and foremost, don't ever download an unsigned ActiveX control. ActiveX security is all about trust. When control authors sign their ActiveX controls, they are stamping those controls with their own personal information to signify that they stand behind them. If you trust the author behind a control, then you can trust the control.

Second, don't ever listen to any Web page that asks you to adjust your security settings so you can view it. No matter how much you trust the page, you can't always trust the control creator, who might be a different fellow entirely from the page author.

Third, don't change your zone security settings -- even if you get sick of seeing warning dialogs from sites that you trust. Instead, add sites you feel comfortable with to your "trusted sites" zone. Sites that you specifically designate as "trusted" can operate at the lowest security settings.

Last, but not for everyone: you can prevent rogue ActiveX controls from lowering your defenses by locking down the registry keys used by the Internet Explorer Zone Security Manager. On Windows NT®, use REGEDT32 to restrict access to, or audit, the registry keys under

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

and ...\ZoneMap

For more details, the Microsoft Security Management Architecture White Paper is a good read. There are also quite a few good Microsoft Knowledge Base articles on security. A good one to start with is How to Use Security Zones in Internet Explorer 4.0. You might also want to read Internet Explorer 4.0 Help, also found on the Microsoft Support site.

Without a doubt, one of the best resources for security information on all Microsoft products is the Microsoft Security Advisor. There is no reason to live in fear of ActiveX controls. Bad music, maybe. ActiveX controls, nope.


Connection this, Command that?

Dear Web Men:

I am a Data Access Objects developer with Visual Basic, but am confused on one point in ADO -- What's the difference between creating a Recordset with the Connection and Command objects?

Ian Wehrman

The Web Men reply:

There are a few differences between the Connection object and the Command object. The main difference is that a Connection object is the actual open connection to an existing data source, while a Command object allows execution against that connection in ways that go beyond what the Connection.Execute method provides. The most obvious feature that Command.Execute supports (and Connection.Execute does not) is the Parameters collection, which lets you run a parameterized query and retrieve output and return-value parameters from it.

A Connection object is used every time a connection is made to a data source. Typically, this connection is assigned a variable so that the Command object can use this object variable. You can create a Recordset object from a Connection object by passing a query string directly to the Execute method, but you won't have the flexibility of the Command object.

A Command object is used to manipulate the structure of a database, execute bulk operations and return records in a Recordset object. The Command object is required when you want to persist the command text and re-execute it or use query parameters.

Another key point to remember is that you can't have an open connection without a Connection object. Using the ActiveConnection property of the Command object to establish a connection to a data source will still create a Connection object; that object is just not assigned an object variable. That is, there is a difference between these two lines of code:

   ' Without Set, VB assigns conn1's default property (ConnectionString),
   ' so ADO implicitly creates a second Connection object that matches
   ' conn1's ConnectionString.
   cmd1.ActiveConnection = conn1
   ' With Set, the command explicitly uses the existing conn1 object.
   Set cmd1.ActiveConnection = conn1

This is because ActiveConnection is typed as a Variant, which accepts either a connection string or a Connection object, and assigning conn1 without Set hands over conn1's default property, its ConnectionString, rather than the object itself. To ensure you don't end up with a second, implicit Connection object, use the Set syntax.

Clear as mud now, huh?


Mark me safe, baby

Dear Web Men:

What does it mean for an ActiveX control to be "safe for scripting" or "safe for initialization?" The Visual Basic® Setup Wizard makes it very easy to mark my control as safe, even if I'm doing something considered "unsafe," such as erasing files in \winnt\system32 or deleting random registry keys. In fact, even if I don't mark my control as safe, I've discovered that I can put code in my Visual Basic User Control Initialize event that will run even before Internet Explorer warns me that the control isn't marked safe for anything. What gives?

Bill

The Web Men reply:

First of all, Bill, why would you do those things?

As we mentioned in our earlier answer, ActiveX: To use or not to use ..., ActiveX security is all about trust. Maybe you never thought you'd hear a certain software corporation tout the virtues of peace, love and understanding; think again. When a user downloads a signed ActiveX control (we'll repeat that: a signed control) marked as safe for scripting and initializing, that user has a reasonable expectation of safety -- not to mention information about the control author. If as an author you're going to do some damage, you probably won't leave your name and address -- get our drift? Otherwise, you may need to take this up with a different sort of professional.

That specified, let's get back to "safe for scripting" and "safe for initialization," which are discussed in the Developer's Guide to Deploying ActiveX Executables on the Internet and in Safe Initialization and Scripting for ActiveX Controls. As your personal Web Men, we're here to scan, study, memorize, digest, and then summarize this sort of complex information into a few pithy paragraphs for your reading pleasure.

"Safe for scripting" and "safe for initialization" are weak checks of security. They designate that, as a smart designer, you've thought long and hard about how your control can be used. Your control doesn't have bad side effects, either unintentional or intentional. In a sense, you've developed paper that can't give papercuts, or better yet, beer that doesn't cause hangovers.

Controls that are marked as such should in no way ever be considered automatically safe to use. The only true test of a control's safety is whether you trust the author of the control. And the only way to verify the true identity of the control author is to review the code-signing certificate.

Okay, Web Men: What's the point of having these markings, then? We're so glad you asked. One of the strongest uses of ActiveX controls is to step outside the bounds of allowed security -- to do forbidden things, such as write to the registry or (gasp!) save files to the hard drive. Used properly, all of this is perfectly safe. And on your Web site, you can guarantee that the control is used in the name of Good.

However, were such a control to fall into the wrong hands (which is eminently possible considering that ActiveX controls were designed to be reusable) someone could launch an easy Denial of Service attack, spamming your hard drive or registry with garbage files until you're out of space, or worse.

This is where the "safe for" markings come in. In this scenario, you can sign your control, because you certify it safe for most uses, but leave it as unsafe for scripting. That way, users will be warned that the control is potentially dangerous, and they can make an informed decision before allowing it to be scripted or persisted. The end users of your control are now given the power once again to make a security decision: Do they trust the Web site that hosts the control?

Back to your original example: By adding harmful code to the UserControl_Initialize event, you as the control author are deliberately creating a control that will always do bad things. It has nothing to do with the use of the control on a Web page -- calling methods or setting properties or reading data into the little doodad. The control is flat out bad. If that's the case, you have no business signing the control in the first place. And as we pointed out in the previous ActiveX question, no one should ever download an unsigned ActiveX control. End of story.
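As an added example (not part of the column, and not Microsoft's code), here is a small Node.js script a defender might use to check both points made above: it audits a "regedit /e" export of the Zone Security Manager keys from the ActiveX: To use or not to use ... answer, listing zones that allow unsigned downloads or unsafe scripting and the sites placed in the Trusted sites zone, and it lists which installed controls carry the "safe for scripting" and "safe for initialization" category markings discussed in this answer. The per-zone value names 1004 and 1201, the states 0 = enable, 1 = prompt, 3 = disable, the ZoneMap\Domains layout and the two CATID GUIDs are taken from Internet Explorer's documented registry layout rather than from the column; the sample export, the Demo Control CLSID and the host example.test are constructed.

```javascript
// Added example, not the column's code: audit a "regedit /e" export of the IE
// zone settings and of installed controls' "safe for ..." category markings.
// Assumptions (documented IE registry layout, not stated in the column):
//   - per-zone values 1004 ("Download unsigned ActiveX controls") and 1201
//     ("Initialize and script ActiveX controls not marked as safe"),
//     with 0 = enable, 1 = prompt, 3 = disable
//   - ZoneMap\Domains\<host> holds "<scheme>"=dword:<zone> entries
//   - a control marked safe carries one of the CATIDs below under Implemented Categories
const IE_SETTINGS = "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings";
const ZONE_NAMES = ["My Computer", "Local intranet", "Trusted sites", "Internet", "Restricted sites"];
const ACTIVEX_ACTIONS = {
  "1004": "Download unsigned ActiveX controls",
  "1201": "Initialize and script ActiveX controls not marked as safe",
};
const ACTION_STATES = { 0: "enable", 1: "prompt", 3: "disable" };
const CATID_SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA9-00AA006C42C4}";
const CATID_SAFE_FOR_INITIALIZING = "{7DD95802-9882-11CF-9FA9-00AA006C42C4}";

// Parse REGEDIT4-style text into { keyPath: { valueName: data } }.
// dword values become numbers, quoted strings become strings; other types are skipped.
function parseRegExport(text) {
  const keys = {};
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const keyMatch = line.match(/^\[(.+)\]$/);
    if (keyMatch) { current = keyMatch[1]; keys[current] = keys[current] || {}; continue; }
    const valMatch = current && line.match(/^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$/);
    if (!valMatch) continue;                                   // header, blank or unsupported line
    const name = valMatch[1] === undefined ? "" : valMatch[1]; // "" is the (Default) value
    const data = valMatch[2];
    if (data.startsWith("dword:")) keys[current][name] = parseInt(data.slice(6), 16);
    else if (data.startsWith('"')) keys[current][name] = data.slice(1, -1).replace(/\\(.)/g, "$1");
  }
  return keys;
}

// Zone settings that allow unsigned downloads or unsafe scripting anywhere but the
// Trusted sites zone are exactly the "lowered defenses" the column warns about.
function auditZones(keys) {
  const findings = [];
  for (let zone = 1; zone < ZONE_NAMES.length; zone++) {
    if (zone === 2) continue;                                  // Trusted sites may be permissive
    const values = keys[`${IE_SETTINGS}\\Zones\\${zone}`] || {};
    for (const [action, description] of Object.entries(ACTIVEX_ACTIONS)) {
      if (!(action in values)) continue;
      const state = ACTION_STATES[values[action]] || `unknown(${values[action]})`;
      if (state !== "disable") findings.push({ zone, zoneName: ZONE_NAMES[zone], action, description, state });
    }
  }
  return findings;
}

// Hosts the user has placed in the Trusted sites zone (zone 2) through the ZoneMap.
function listTrustedSites(keys) {
  const prefix = `${IE_SETTINGS}\\ZoneMap\\Domains\\`;
  const sites = [];
  for (const [key, values] of Object.entries(keys)) {
    if (!key.startsWith(prefix)) continue;
    for (const [scheme, zone] of Object.entries(values)) {
      if (zone === 2) sites.push(`${scheme}://${key.slice(prefix.length)}`);
    }
  }
  return sites;
}

// Controls registered as safe for scripting and/or initialization, with their (Default) names.
function listSafeMarkedControls(keys) {
  const re = /^HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-Fa-f-]+\})\\Implemented Categories\\(\{[0-9A-Fa-f-]+\})$/;
  const controls = {};
  for (const key of Object.keys(keys)) {
    const m = key.match(re);
    if (!m) continue;
    const [, clsid, catid] = m;
    const c = controls[clsid] || (controls[clsid] = {
      clsid,
      name: (keys[`HKEY_CLASSES_ROOT\\CLSID\\${clsid}`] || {})[""] || "(no name)",
      safeForScripting: false,
      safeForInitializing: false,
    });
    if (catid.toUpperCase() === CATID_SAFE_FOR_SCRIPTING) c.safeForScripting = true;
    if (catid.toUpperCase() === CATID_SAFE_FOR_INITIALIZING) c.safeForInitializing = true;
  }
  return Object.values(controls);
}

function auditRegExport(text) {
  const keys = parseRegExport(text);
  return { zoneFindings: auditZones(keys), trustedSites: listTrustedSites(keys), safeMarkedControls: listSafeMarkedControls(keys) };
}

// Constructed sample export: Trusted sites set to prompt, an Internet zone weakened to
// allow unsigned downloads, one trusted host, and one control (placeholder CLSID)
// marked safe for both scripting and initialization.
const DEMO_CLSID = "{00000000-0000-0000-0000-000000000001}";
const SAMPLE_EXPORT = `REGEDIT4

[${IE_SETTINGS}\\Zones\\2]
"DisplayName"="Trusted sites"
"1004"=dword:00000001
"1201"=dword:00000001

[${IE_SETTINGS}\\Zones\\3]
"DisplayName"="Internet"
"1004"=dword:00000000
"1201"=dword:00000003

[${IE_SETTINGS}\\ZoneMap\\Domains\\example.test]
"http"=dword:00000002

[HKEY_CLASSES_ROOT\\CLSID\\${DEMO_CLSID}]
@="Demo Control (constructed)"

[HKEY_CLASSES_ROOT\\CLSID\\${DEMO_CLSID}\\Implemented Categories\\${CATID_SAFE_FOR_SCRIPTING}]

[HKEY_CLASSES_ROOT\\CLSID\\${DEMO_CLSID}\\Implemented Categories\\${CATID_SAFE_FOR_INITIALIZING}]
`;

if (typeof require !== "undefined" && require.main === module) console.log(JSON.stringify(auditRegExport(SAMPLE_EXPORT), null, 2));
```

Run it against a real export by replacing SAMPLE_EXPORT with the contents of a file produced by "regedit /e" for the Internet Settings and CLSID keys. A "safe" marking in the report only tells you the author claimed safety; as the answer says, the decision still rests on whether you trust the signer.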

If you do create a beer that doesn't cause hangovers, you'll tell your best friends the Web Men first, won't you?


In with the new and out with the old

Dear Web Men:

Hooray!

At long last, I find someone who might be able to answer my question. I am trying to use the MS TreeView control as a Web site map, and cannot for the life of me figure out how to get it to interact with the necessary image list control; it never even recognizes that it exists! I have searched far and wide for the answer to this, and have come up with absolutely nothing. Please, please ... help me!

Laurie

The Web Men reply:

Wow, Laurie -- sort of a loaded question! Without any sample code, it is going to be hard to really know what the problem might be. You might want to check out the article INFO: Display Icons in TreeView Control with ImageList Control found in the Microsoft Knowledge Base.

But wait, it's spring -- at least it is where we are (at least until the rain returns). Throw out the old and bring in the new! Why not use Dynamic HTML (DHTML) to create your site map? Swing by the Tools and Samples site, select "show samples list," and check out the DHTML Outline sample. Here, we show you exactly how to use DHTML to create that TreeView-like look.

You can see this sample in full use as a site map at the Internet Explorer site map.

Here it comes: "But, Web Men, what about cross-browser problems?" To see how this problem is resolved, click Show Contents at the top of this page. Should you browse there with any browser other than Internet Explorer 4.0, the outline will appear expanded.

Just a quick closing note: You can also find some great Java applets that create wonderful tree controls. Check out the one used on the MSDN site. You might also check the site CodeBase, which, we have been told, has a pretty nice TreeView control available for download.


SAVE IT, for crying out loud!

Dear Web Men:

I've tried all sorts of tricks, but I can't seem to get Internet Explorer to automatically pop up the File Save As dialog when the user clicks on a link. My ultimate goal is to have the user click on a link and save a file instead of displaying it in the browser. I can get this to work in The Other Browser just fine. Is this just not possible in Internet Explorer, or am I missing something here?

Betty

The Web Men reply:

Perhaps you just haven't started the right dialog with Internet Explorer yet, or ...

Seriously, our good friends in Developer Support for Internet Explorer tell us this seems to be a fairly common question. Part of the difficulty has to do with the type of file you're trying to get saved, and the rest of the difficulty has to do with the clicking part.

It's likely the file you're trying to get saved is a text file. We're guessing that you've tried to describe that text file with a custom MIME type, such as "application/x-myformat," by sending the appropriate HTTP Content-Type response header, but that Internet Explorer seems to be ignoring it and displaying the text anyway. Whenever Internet Explorer sees a Content-Type that is either ambiguous or unknown, it will read or "data-sniff" the contents to determine whether the content matches a known data format, such as text.

Internet Explorer does this mainly because some Web servers mess up and send the wrong content type for certain files. Also, in many cases, either the file extension or content type alone is not sufficient for Internet Explorer to decide what to do with the particular resource. Specifically, the two most ambiguous MIME types, of which Internet Explorer is highly suspicious, are "application/octet-stream" and "text/plain."

The real trouble, though, is that for "known" content types -- types that have a registered viewer or application -- Internet Explorer gives the user the ability to tell it, "Hey, don't ask me again; just open this file all the time" on the Open-Save dialog box. Once that happens, there is no easy way for the server to force its way on the user.

There is a simple resolution, however. The guaranteed way to "download this URL and save it as this filename" is to right-click on the hyperlink and select "Save Target As" on the context menu. Left-clicking on a hyperlink should always be associated with "navigate and display this linked document." It is potentially jarring for a Web viewer to click on a link and suddenly see a Windows dialog box asking her to save some strange file to disk.

We recommend instructing your users to right-click the link and use "Save Target As" whenever you need to guarantee that your Web site visitors save a file instead of viewing it. To prevent the user from navigating to the file at all, a simple bit of code, such as:

<A HREF="c:\stuff\stuff.txt" ID="link1">stuff</A>

<SCRIPT LANGUAGE="JScript" FOR="link1" EVENT="onclick">
    // A JScript string literal cannot span lines, so the message is
    // concatenated; returning false cancels the navigation.
    alert("This file needs to be saved to disk. " +
          "Please right-click and select 'Save Target As'.");
    return false;
</SCRIPT>

should do the trick. Combine this with a browser-sniffing script, Determining Browser Version from a Script, and you've got an answer.

Last, but not least, there will be one alternative in the future. According to RFC 2183, servers should be able to force a Save-As type dialog box by sending a "Content-Disposition: attachment" server response header to the client when sending the requested file back to the browser. Because of a bug (or "feature") in Internet Explorer's data-sniffing architecture, this header is mostly ignored in Internet Explorer 4.01. See Knowledge Base article BUG: Content-Disposition: Does not Force File Download Dialog for more information.


Jeff Brown, when not forcing family and friends to listen to Zydeco and country blues music, helps develop Microsoft Mastering Series titles -- with a smile.

Rafael M. Muñoz is a part-time Adonis, and full-time support engineer for Microsoft Technical Support. He takes it very, very personally every time you flame Microsoft.

Jason Strayer is currently addicted to Quake2, Starcraft, and Age of Empires. He has been informed that the star called "Sun" does indeed exist, but he still believes it is just a myth propagated by Californians.


Web survival guide & Web Men shopping

Read Mary Haggard's new book, Survival Guide to Web Site Development, and stock up on Web Men souvenirs!

To demonstrate all the cool e-commerce examples in Survival Guide, Mary has built -- and we're not kidding -- the Web Men Shopping site. Like we said, read the book. Then go to the site, look at the code, and check out the Web Men stuff.

The Web Men in Short

Added May 18, 1998

Q: Gary Coker asks how to use Active Server Pages (ASP) technology to detect whether a browser supports JavaScript.

A: Use the Browser Capabilities server component, and check that the javascript property is true.

Q: Jolyon Spencer is building a Web-based questionnaire for users to fill out offline and upload when complete.

A: Check out our You have your orders soldier! and Making a Statement answers.

Q: Dean Hargrave wants to output the current date in a specific location on a page using client script.

A: Include a read-only HTML text input control where you want the date. In the Window_OnLoad procedure, call the Visual Basic Scripting Edition (VBScript) Date function; use its return value to set the control's value property. Or, if you are targeting Internet Explorer 4.x, you can position a DIV on the page, and set its innerText property.

Q: Joe Wild asks how to use ASP technology to send an e-mail message.

A: See our Gonna Write You a Letter answer.

Posted May 4, 1998

Q: Norman Strydom is looking for an ASP technology programming reference on the Web.

A: See MSDN Online's Active Server Pages site, ActiveServerPages, ASP Alliance, ASP Hole, and 15 Seconds.

Q: Olly wants to dynamically change background colors in tables.

A: Check out the sample code in our Name that tune answer.

Q: Dustin Updyke asks how to return a custom "Not Found" error page to those who access his IIS 4.0-based Web site using an invalid URL.

A: Use the Microsoft Management Console application. Select the default Web site, a virtual directory, or Web application. Click Properties, and specify your error pages on the Custom Errors tab of the Properties dialog box.

Q: Simon wants some sample code for positioning text on top of a fixed background image.

A: Check out the Positioning sample.


© 1999 Microsoft Corporation. All rights reserved. Terms of use.