I am trying to migrate an .hta application to a C# executable. Of course, since it's an .hta the code is all HTML and Jscript, with calls to local ActiveX objects.
I created a C# executable project and am just using the WebBrowser control to display the HTML content. Simply renamed the .hta to an .html and took out the HTA declarations.
Everything works great, except that when I make calls to the ActiveX objects, I get a security popup warning of running an ActiveX control on the page.
I understand why this is happening since the WebBrowser control is essentially IE and uses the Internet Options security settings, but is there any way to get the WebBrowser control to bypass security popups, or a way to register the executable or DLLs as being trusted without having to change settings in Internet Options? Even a way to do on a deployment package would work as well.
WebBrowser is an instance of Internet Explorer, and inherits security settings from IE.
One way could be to change the security settings defined in IE.
The other way could be to add a Custom Security Manager by implementing IInternetSecurityManager interface.
The WebBrowser Control or MSHTML hosts could create a security manager (by implementing the IInternetSecurityManager interface) that handles the URL actions and policies that are important to the host. Other URL actions and policies would be passed to the default security manager so it could handle them appropriately. The IInternetSecurityMgrSite interface would be used to handle Windows-related information from the component so that the customized security manager could handle any user interface it required. -
Related
I was trying to make a pc application that helps people more conveniently when they are using a browser(e.g Chrome, Firefox, Edge ...)
For example, the application shows the default browser and let user can choose another browser as default if they want to, and the app shows all windows that are currently opened; Overmore, when the user clicks a specific window then app will focus the window.
user can select default browser
user can see all windows categorized by browser type
So, my initial planning was using Election js; however, I've found that there is no way to control a browser from the Electron application since Node js cannot access the users' system(this thinking could be wrong since I have poor English😥)
After some research, I'm guessing C# can do that by using windows api. I've saw this post that saying by using DDE, we can get tabs urls.
But I'm wondering if C# can fully control a browser; for instance, create a new window, notice if music or video is playing in the tab, request to browser for getting favorites list.
If it cannot, how about requesting api to the browser from pc application?
You cannot fully control a browser. Internet Explorer was the only browser that had a documented and supported API to control, inspect and automate. Internet Explorer is dead so this is a dead end. The basic DDE control interface is also outdated.
Accessing favorites and the content of open tabs is limited because evil people would use such APIs to inject and spy. If you want to access the favorites you will have to write custom code for each browser.
Using the accessibility and UI automation APIs is the only reliable and supported way of interacting with modern browsers. SetWinEventHook can be used to detect window creation and primitive state changes. MSAA/UI Automation needs to be used to get more information from each browser window.
The thumbnail API and/or magnifier API can be used to get the preview image.
To open a new tab, execute a new process with the URL on the command line. Some per-browser customization might be required (-new-tab parameter etc).
Use IApplicationAssociationRegistration::QueryCurrentDefault to detect the default browser.
We are trying to display HTML content, which requires an X509 Certificate, within a WPF Application that uses the System.Windows.Controls.WebBrowser.
Here is a simple example of the XAML.
<WebBrowser Source="https://server.com/Welcome.html" />
In the situation where there are two or more X509 certificates with KeyUsages == X509KeyUsageFlags.DigitalSignature the Browser Control prompts the user to select which certificate should be used. We would like to prevent this dialog from being displayed.
Through code we can tell which certificate should be used but we do not see way to send this information to the browser control. At first we were expecting that the WebBrowser would have a ClientCertificate or ClientCertificates property, like HttpWebRequest does, that we could use to set the Certificate but there does not seem to be any such property.
We realize that the WebBrowser control is really a Win32 control with a WPF wrapper so maybe there is an older Win32 API call that can be used to set the Certificate?
Other suggestions were to use a 3rd party library with a different web browser control. Before we try that approach we wanted to make sure there was no way to use the c# web browser control.
The webbrowser control calls the host's IHttpSecurity::OnSecurityProblem implementation to notify about ERROR_INTERNET_CLIENT_AUTH_CERT_NEEDED errors, however you have two obstacles here:
WPF does not really expose any extension point to let you add any webbrowser host interface to the ActiveX host. This can be circumvented by switching to the Windows Forms webbrowser control, or host the ActiveX directly and add your own IHttpSecurity implementation.
To select a certificate the WinInet way, you need to call InternetErrorDlg with the right HINTERNET handle. However the webbrowser control does not really expose any API to give you that WinInet handle.
I suggest you to find or write a programmable proxy to do this authentication at the proxy side, then use UrlMkSetSessionOption to use the proxy in your process. I am not sure FiddlerCore fits the bill, but you can give it a try.
I would like to create my own internet explorer with C#.
But what about cookies? Does my own internet explorer uses system integrated IE's cookies that I don't want to or it is clearly apart from system integrated IE's cookies?
The managed webbrowser control is just a managed wrapper around the native COM webbrowser control. Thus your browser will still use wininet and it will store cookies in the same place as IE.
How can i set the Windows Forms webbrowser control to block or allow cookies for the site it will navigate?
You can implement a Custom Security Manager and return URLPOLICY_DISALLOW in pPolicy for each kind of action between URLACTION_NETWORK_MIN and URLACTION_NETWORK_MAX. There are several actions for cookies. For a list of cookie related actions, check your zone security settings in IE options.
There are multiple webbrowser controls in .Net. The WPF one isn't customizable for this task. The Windows Forms one is kinda customizable however its IDocHostUIhandler implementation is stuck in internal code due to security guidelines of .Net BCL. You would be much better off if you use the raw ActiveX or its wrappers that support this kind of customization, e.g. csexwb. If you have to use the winform webbrowser control, you need to create your own webbrowser site.
The webbrowser control IS internet explorer. If you want to do this you may have to open an instance of the browser and block cookies through internet options. The webbrowser control itself doesn't provide a nice handy way to do that. Also doing this will block cookies from any site and not for a particular site
Is it possible give full trust, programmatically to an ActiveX control embedded in a web page?
We are trying to build an activeX dll which creates and open a word document and refreshes its data based on some data from another site. It works fine, if I give the assembly full trust from Administrator Tools -> .net 2.0 configuration tool.
Can this be done through code ?
I don't think so. Code permissions can only be set through the configuration of an application, and even if it can be done through code, then the code that sets them would need to have permission to do this as well. Even then the settings from the web.config or machine.config would take precedence.
The point of these code permissions is that admins are able to control what an application can do. If the AppDommain for your application doesn't have rights to do certain things, why would and ActiveX you create have them?