I have built an executable which launches a dialog box in which is embedded the IE web browser active-x control (C++).
I want this control to allow cross site scripting. One frame on the web page loads local html, the other loads from a server. I then want the server page to call a javascript function that lives in the local html file.
I am trying to achieve this by having the control implement it's own "IInternetSecurityManager" interface in which I am providing my own ProcessUrlAction and GetSecurityId methods.
From what I've read, what I need to do is make GetSecurityId return the same domain for all urls. My custom implementations are getting called, but no matter what I do, I get the "Permission denied" error when the server html tries to access script on the local html file. Below are my implementations. Does anyone see anything wrong?
#define SECURITY_DOMAIN "http:www.mysite.com"
STDMETHOD (GetSecurityId)(
LPCWSTR pwszUrl,
BYTE *pbSecurityId,
DWORD *pcbSecurityId,
DWORD_PTR dwReserved)
if (*pcbSecurityId >=512)
pbSecurityId[strlen(SECURITY_DOMAIN)] = 3;
pbSecurityId[strlen(SECURITY_DOMAIN)+1] = 0;
pbSecurityId[strlen(SECURITY_DOMAIN)+2] = 0;
pbSecurityId[strlen(SECURITY_DOMAIN)+3] = 0;
*pcbSecurityId = (DWORD)strlen(SECURITY_DOMAIN)+4;
return S_OK;
/* [in] */ LPCWSTR pwszUrl,
/* [in] */ DWORD dwAction,
/* [size_is][out] */ BYTE __RPC_FAR *pPolicy,
/* [in] */ DWORD cbPolicy,
/* [in] */ BYTE __RPC_FAR *pContext,
/* [in] */ DWORD cbContext,
/* [in] */ DWORD dwFlags,
/* [in] */ DWORD dwReserved)
if ( cbPolicy >= sizeof (DWORD))
*(DWORD*) pPolicy = dwPolicy;
return S_OK;
By delegating these functions to the normal security manager and having a look at the structures the normal security manager fills in, I was able to determine that my issue was in GetSecurityId. For my purposes, I wanted to set the security domain to be a local file for all comers.