nsAxSecurityPolicy.js needs a cleanup and to read its default hosting flag settings from prefs. During testing, hosting flags in nsAxSecurityPolicy.js should be set to allow all test pages to function properly. This may involve some investigation, since the settings already there should allow this, but clearly don't. Possibly npmozax.dll is not testing them properly.
I think I realise the issue with safe for scripting. When a control uses IObjectSafety - we're supposed to call IObjectSafety::SetInterfaceSafetyOptions to enable safe for scripting after creation. Without this, the WMP returns the defaults which disallow scripting. It seems a bit dumb to me, but there you go. I also discovered a piece of IE-specific blurb about IObjectSafety. http://msdn.microsoft.com/workshop/components/com/IObjectSafetyExtensions.asp I'll try and absorb this information tomorrow to see if I can figure out what it's talking about, especially concerning IInternetHostSecurityManager. I'll also mock up a simple test control and see what IE tries to call on it when I put it in a page to verify that this is the issue.
Created attachment 113506: Patch
Patch changes nsDispatchSupport::IsObjectSafeForScripting so that if the object says it is not enabled for untrusted callers but does support it, to call IObjectSafety::SetInterfaceSafetyOptions to enable it before asking again. This allows WMP, YGP and presumably other controls to function happily on the 'medium' security setting. I've also updated nsAxSecurityPolicy.js, cleaning it up, defining some constants representing various security levels and making the object read and subscribe to the "security.xpconnect.activex.global.hosting_flags" pref for its hosting flags. This value can be changed in the user prefs.js, or at runtime with about:config. If the pref is not defined, the default security level used in nsAxSecurityPolicy.js is currently medium. Dave, can you review this please?
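The enable-then-ask-again check described in the comment above, as an added example that is not the attached patch or Mozilla code. It uses a hypothetical portable stand-in for IObjectSafety (no COM, no riid argument, bool instead of HRESULT); only the two INTERFACESAFE_* values are the real ones from objsafe.h, and the three sample controls are constructed.

```cpp
#include <cstdint>
#include <cstdio>

// Real values from objsafe.h; everything else here is a constructed stand-in.
constexpr uint32_t INTERFACESAFE_FOR_UNTRUSTED_CALLER = 0x1;
constexpr uint32_t INTERFACESAFE_FOR_UNTRUSTED_DATA   = 0x2;

// Hypothetical portable model of IObjectSafety (no COM, no HRESULTs).
struct ObjectSafetyModel {
    uint32_t supported;  // options the control is able to honour
    uint32_t enabled;    // options currently switched on
    bool     refuseSet;  // control rejects SetInterfaceSafetyOptions

    void GetInterfaceSafetyOptions(uint32_t *sup, uint32_t *en) const {
        *sup = supported;
        *en = enabled;
    }
    bool SetInterfaceSafetyOptions(uint32_t mask, uint32_t opts) {
        if (refuseSet || (mask & ~supported)) return false;
        enabled = (enabled & ~mask) | (opts & mask);
        return true;
    }
};

// Host-side check: enable, then re-query, and fail closed on any doubt.
bool IsSafeForScripting(ObjectSafetyModel &ctl) {
    const uint32_t want = INTERFACESAFE_FOR_UNTRUSTED_CALLER;
    uint32_t sup = 0, en = 0;
    ctl.GetInterfaceSafetyOptions(&sup, &en);
    if (en & want) return true;        // already enabled
    if (!(sup & want)) return false;   // control cannot be made safe
    if (!ctl.SetInterfaceSafetyOptions(want, want)) return false;
    // Ask again rather than trusting the Set call's return value.
    ctl.GetInterfaceSafetyOptions(&sup, &en);
    return (en & want) != 0;
}

int main() {
    ObjectSafetyModel offByDefault{0x3, 0x0, false};  // supports it, off by default
    ObjectSafetyModel dataOnly{0x2, 0x0, false};      // never safe for callers
    ObjectSafetyModel stubborn{0x3, 0x0, true};       // claims support, refuses Set
    std::printf("%d %d %d\n", IsSafeForScripting(offByDefault),
                IsSafeForScripting(dataOnly), IsSafeForScripting(stubborn));
}
```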
Comment on attachment 113506: Patch
David & Alec, can I have an r/sr for this please? To summarise changes:
1. Fix IObjectSafety behaviour
2. Cleanup nsAxSecurityPolicy.js
3. Make a general hosting flags pref and make nsAxSecurityPolicy.js read and subscribe to changes to it.
Thanks
Comment on attachment 113506: Patch
r=dbradley The first change in nsAxSecurityPolicy.js just adds spaces. nsIScriptSecurityManager doesn't appear to be used anywhere. Leave it to Microsoft to create such a horrid mechanism like IObjectSafety.
Attachment #113506 - Flags: review?(dbradley) → review+
Comment on attachment 113506: Patch
Sorry for the delay.. this looks fine... sr=alecf
Attachment #113506 - Flags: superreview?(alecf) → superreview+
Comment on attachment 113506: Patch
Seeking 1.3 approval. Patch is confined to COM connect and fixes broken handling of control safe for scripting sessions so is very visible.
Attachment #113506 - Flags: approval1.3?
Comment on attachment 113506: Patch
a=asa (on behalf of drivers) for checkin to 1.3
Attachment #113506 - Flags: approval1.3? → approval1.3+
Fix is checked in
Status: NEW → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → FIXED
Adding Ashish to cc list - ActiveX defect
QA Contact: carosendahl → ashishbhatt
Status: RESOLVED → VERIFIED