In my legacy web application I need to read the user's system registry from JS and do some other stuff. I cannot use ActiveX for security reasons, so I have written a plugin. My plugin consists of a DLL file which is a COM component. This COM component exposes a few functions which I call from JavaScript code.

In IE I package my DLL in a CAB file and install it, say it's test.dll, in the following way:

<object classid="clsid:some class id here" codebase="test.cab" height="0" width="0" onError="testInstalled=false; return true;" id="testComp"></object>

The above HTML tag installs the COM component as a plugin in IE and I'm able to access the exposed functions of the same from my JS code:

var testCompApp = document.testComp;
testCompApp.callSomeFunction();

It works fine in IE. I need the same functionality in other browsers (Chrome, Firefox, Safari).

Can you please suggest how to develop plugins for other browsers using my DLL file?

Thanks,

Georg Fritzsche
A.R
  • @Georg Fritzsche, yes the link [How to write a browser plugin?](http://stackoverflow.com/questions/2649056/how-to-write-a-browser-plugin) is similar – A.R Jan 09 '14 at 03:31

1 Answer

I don't get it: First you say "I can't use ActiveX for security reasons", and then you do the same bad things that ActiveX does in all its dangerous glory: a CAB-packaged COM object running unrestricted native Win32.

How does doing that solve your security concerns with ActiveX?

Leaving aside for a minute the question of "security": if you are not doing "ActiveX" already, you're pretty close. I don't remember off the top of my head all the details of what goes into [the-IE-plug-in-architecture-that-shares-with-other-stuff-the-marketing-moniker-of] "ActiveX", but I think all you are missing to be called "ActiveX" is a few interfaces you must implement. I also suspect that by being shy of "ActiveX" you don't even get to sign your CAB with Authenticode, which would provide your users with a modicum of confidence (assuming you maintain proper controls and key management, and that your users trust you enough to allow your native code to run on their computers).

In any case, that DLL you wrote will only ever run in IE. There is no other browser that supports Win32 native COM objects (whether you choose to follow the ActiveX specification to the letter or not). If you want to do the same thing in other browsers, you are going to have to rewrite it with something else.

I think you have (at most) two options for doing what you want to do:

  • COM/ActiveX: Native Win32 code in a COM object. What you are doing now. This only works on IE and it's extremely dangerous for users, unless it's done in a controlled environment (e.g. if this is a commercial product to be distributed by an enterprise customer's IT department, or if you have an established presence and a reputation, like some large companies do).

  • Java: This would run on all browsers assuming your users have the proper runtime installed and enabled. But it will only work for you if Java allows access to the information you seek via a sandbox-authorized method, because you can't call registry APIs from the Java sandbox. The same goes for "the other stuff" you need the plug-in to do.

Ok, so you have a third option:

  • Reimplement the whole thing in something that is not tied to the browser: a native Windows executable; maybe in a downloadable installer or maybe a .NET program deployed via ClickOnce.

You are in a pickle: You are saying "I have security concerns with running ActiveX but I need to do something dangerous". Any piece of code downloadable and runnable by a web browser that is able to access the registry directly is - necessarily - a dangerous piece of code. Any conceivable technology that allows you to run such code from a browser will immediately elicit the very same security concerns that ActiveX elicits.

Indiscriminate access to the registry is out of the question from a modern browser sandboxed environment, so you either have to find a different source for the specific information you want, or you have to use ActiveX/COM running under IE.

Euro Micelli
  • Thanks for the reply. My CAB file is duly signed and authenticated. Your third point: "Reimplement the whole thing in something that is not tied to the browser: a native Windows executable; maybe in a downloadable installer or maybe a .NET program deployed via ClickOnce." Can you elaborate a little on this, if possible with a link to an example? This approach seems to be better and also can be implemented across the different browsers. – A.R Dec 31 '13 at 06:42
  • What if I create an MSI installer which will install my DLL in different browsers? Can this approach work? – A.R Dec 31 '13 at 06:55
  • @AsadRaza There is no such thing as a "standard for browser Plugin/Extension". Then, what do you mean by "install my DLL in different browsers" ? – manuell Jan 04 '14 at 17:29
  • @manuell, I have a COM DLL which performs some tasks like reading the registry etc. I need to install this DLL as a plugin in browsers so that it could be available for use from JavaScript code. In IE I can simply package my DLL in a CAB file and install it through the tag. But how to achieve the installation in other browsers? If I create an MSI installer which would install my DLL as a plugin, will that work in all browsers? – A.R Jan 06 '14 at 07:00
  • Before asking about installing/packaging, start with some tests about the tag in browsers, and how the JS can call your DLL. THEN, /if it works/, you may look at installation problems. Advice: consider using Java, instead. – manuell Jan 06 '14 at 07:29
  • I have done it for IE. It's working. I install my CAB with the tag. And I'm able to access COM exposed methods from JavaScript. Java cannot be helpful as there are many security related access restrictions from JRE 1.7 onwards. – A.R Jan 06 '14 at 08:01
  • My DLL is a NPAPI based COM component. – A.R Jan 07 '14 at 06:51
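
Added example (not part of the original thread): the answer's point is that a CAB-packaged COM object loaded through an `<object classid=... codebase=...>` tag is native code however it is labelled, so a first step when retiring such a plugin is to inventory the pages that still embed one. The sketch below scans HTML for those tags; the sample markup, CLSIDs, host name and the `audit_html` helper are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page; the CLSIDs and the host name are placeholders.
SAMPLE = """<html><body>
<object classid="clsid:00000000-0000-0000-0000-000000000000" codebase="test.cab"
        height="0" width="0" id="testComp"></object>
<OBJECT CLASSID="CLSID:11111111-1111-1111-1111-111111111111"
        codebase="http://legacy.example/ctl.cab#version=1,0,0,0" id="other"></OBJECT>
<object data="movie.svg" type="image/svg+xml"></object>
</body></html>"""


class ObjectEmbedAuditor(HTMLParser):
    """Collect <object> tags that instantiate a COM class via classid="clsid:..."."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "object":
            return
        # HTMLParser lowercases tag and attribute names; values keep their case.
        a = {name: (value or "").strip() for name, value in attrs}
        if not a.get("classid", "").lower().startswith("clsid:"):
            return  # plain <object data=...> embeds are not COM instantiation
        url = urlsplit(a.get("codebase", ""))  # "#version=..." lands in the fragment
        reasons = ["instantiates a COM class (native code, IE only)"]
        if url.path.lower().endswith((".cab", ".dll", ".ocx")):
            reasons.append("codebase downloads and installs native code")
        if url.scheme == "http":
            reasons.append("codebase is fetched over plain HTTP")
        self.findings.append({
            "line": self.getpos()[0],  # line where the tag starts
            "id": a.get("id", ""),
            "classid": a["classid"],
            "codebase": a.get("codebase", ""),
            "reasons": reasons,
        })


def audit_html(markup):
    """Return one finding per COM-backed <object> tag found in the markup."""
    parser = ObjectEmbedAuditor()
    parser.feed(markup)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for finding in audit_html(SAMPLE):
        print(finding["line"], finding["id"], "; ".join(finding["reasons"]))
```
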