0

I have a problem where I am opening a set of html files found on the local computer which use ActiveX controls.

The constant notification popup is frustrating as it appears on every page.

I cannot change the file as it is generated by an external application and I do not want to enable ActiveX controls for IE in general.

What I would like to do is allow my webbrowser control, embedded in a WPF window, to allow blocked content automatically if it is from the local computer (or at the very least any blocked content as I can control what my webbrowser control can and cannot open)

I cannot see any obvious way of doing this; there are no options to allow blocked content and no event for identifying when blocked content has been found.

Is there any way to achieve this?

Thanks

EDIT - There have been plenty of views for this question but not a single comment. I will welcome any suggestions, perhaps even an alternative control, I realise the default WebBrowser is not ideal. Are there any other browsers that do offer this feature?

To add a little detail to the problem I think I should explain the requirements some more:

The resource being displayed is a set of html files that are generated as a report by a legacy tool that cannot be changed. The tool I have built will allow the user to define the destination for the report and then allow them to browse it using an embedded browser. I really just need a control that will render html and ActiveX controls as a browser would but without any interference from internet security settings.


UPDATE - Unfortunately I am no longer working on this project, however I am interested in the problem/fix so I shall try and replicate it in my spare time.

I have also renamed the question as I realise the problem I am dealing with specifically is ActiveX content, which may have a solution (see answer from Rajesh) which is specific to this type of content.

Kezza
  • 736
  • 9
  • 25

3 Answers

0

You need to add the file location to your trusted sites. This is possible either with a webserver running on your local machine or if the folder where they are located is a shared folder.

In IE, go to Internet Options > Security, select "Trusted Sites" and click the "Sites" button. Enter the location (i.e. file:\server-Hostname\Sharedfolder* for a shared folder) and click "add" (make sure that the "Require server verification (https:)..." option is unchecked).

There is a lot more information available if you search "Add local file to trusted sites" on the web. I do seem to recall adding a local file location without having to share the folder, but at the moment I don't remember how I did it.

Thomas
  • 202
  • 2
  • 10
  • Unfortunately there is no guarantee the folder will be shared and it will definitely not be available through a web server. The resource is a set of html files that are generated as a report, the tool I have built will allow the user to define the destination for the report and then allow them to browse it using an embedded browser. Also I could not expect any modification of "Trusted Sites" by the user. However thanks for your response. I really only need the control to render the generated html, I am thinking that I perhaps need a different control. – Kezza Apr 02 '14 at 09:07
  • @Kezza If it's truly an embedded browser, you'll get only the security warnings it's programmed to give, and ought to be configurable. If it's still giving you warnings, then it's probably not a browser per se, but a front-end or MS' Trident rendering engine (IE). If you built the control, you might try incorporating a cut up FF or Chrome/Webkit core instead of rendering with IE. – Thomas Apr 03 '14 at 19:40
  • the control I'm using is the standard WPF WebBrowser, which I believe is pretty much the same as an embedded IE browser, though I could be wrong. I will look into the chrome/webkit option, though not sure what's available for WPF. Thanks – Kezza Apr 04 '14 at 14:15
0

When attempting to open HTML files from a local computer, which use ActiveX controls, using a WebBrowser (MSHTML) object (in a C# program in this case), one or more security messages will interrupt program execution.

  1. The following message appears when the page is opened:

[image]

  2. If the first message has been suppressed, we will still get the following message when the page's JScript or VBScript code attempts to use an ActiveX control:

[image]

To suppress the first message, add the following Mark of the Web line to the top of your local HTML pages:

<!-- saved from url=(0016)https://localhost -->

To suppress the second message, and allow the controls to actually run, we need to temporarily allow ActiveX controls to load in the local security zone (Zone 1). This is most easily accomplished by setting a registry value in HKCU to allow the controls, loading the page, and then restoring the original registry value.

There are little, if any, real concerns over how this opens up a security hole for IE (which uses the same settings) because it's only for the local zone. Also, as of 2023, IE is disabled as a general purpose browser anyhow.

In the example C# code below, the original value is restored immediately and that's fine in this example. In some situations, you may need to check for the DocumentCompleted event.

Note: The WebBrowser control does NOT use IE. It uses MSHTML, which is the same engine used by IE. If IE is uninstalled, the WebBrowser object will continue to work just fine. If your program explicitly uses IE via COM, then, in that case, it will need IE, but contrary to popular belief, IE is still installed in Windows 10 and 11 and is only disabled as a general purpose browser.

Other solutions:

Renaming the local HTML files with a HTA extension runs the pages without prompts, but then they run via MSHTA.exe, making the WebBrowser object pointless.

Opening the local file using the local host IP address will suppress some of the prompts, but the initial security warning will remain and Active X objects will still need to be allowed. Example:

file://127.0.0.1/c$/Test/ActiveXTest.htm

MainWindow.xaml.cs

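using System.Windows;
using Microsoft.Win32;

namespace WebBrowserControlTest
{
    public partial class MainWindow : Window
    {
        public MainWindow()
        {
            InitializeComponent();

            // Per-user settings for Zone 1. Value 1201 controls ActiveX controls
            // not marked as safe for scripting (0 = enable, 1 = prompt, 3 = disable).
            string keyName = @"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1";
            string valueName = "1201";
            int AllowActiveX = 3;

            // Remember the current setting so it can be put back afterwards.
            object value = Registry.GetValue(keyName, valueName, null);
            if (value != null) { AllowActiveX = (int)value; }

            // Temporarily enable the controls for the zone.
            Registry.SetValue(keyName, valueName, 0, RegistryValueKind.DWord);

            wbSample.Navigate("C:\\Test\\ActiveXTest.htm");

            // Restore the saved setting (or 3 if the value did not exist).
            Registry.SetValue(keyName, valueName, AllowActiveX, RegistryValueKind.DWord);
        }
    }
}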

MainWindow.xaml

<Window x:Class="WebBrowserControlTest.MainWindow"
        xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
        xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
        xmlns:d="http://schemas.microsoft.com/expression/blend/2008"
        xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006"
        mc:Ignorable="d"
        Title="MainWindow" Height="450" Width="800">
        <WebBrowser Name="wbSample"></WebBrowser>
</Window>

ActiveXTest.htm

<!-- saved from url=(0016)https://localhost -->
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=11">
</head>
<body>
<h1 id=bn></h1>
<script language="JScript">
  var oWSH = new ActiveXObject("Wscript.Shell");
  bn.innerText = oWSH.RegRead("HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\CurrentBuild");
</script>
</body>
</html>
LesFerch
  • 1,540
  • 2
  • 5
  • 21
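An added example, not part of LesFerch's answer: the same temporary Zone 1 change, held until the WPF `LoadCompleted` event and then restored to exactly the previous state, deleting the value if it did not exist before. `ZoneActionOverride` and `Restore` are hypothetical names; the registry path, value name `1201`, `wbSample` and the file path are taken from the answer above.

```csharp
using System;
using System.Windows;
using Microsoft.Win32;

namespace WebBrowserControlTest
{
    // Hypothetical helper, not from the answer: applies a temporary value under
    // HKCU ...\Zones\1 and puts back what was there before, including "absent".
    sealed class ZoneActionOverride : IDisposable
    {
        const string ZonePath = @"SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1";
        readonly string _name;
        readonly object _original;   // null: the value did not exist

        public ZoneActionOverride(string valueName, int temporaryValue)
        {
            _name = valueName;
            using (RegistryKey key = Registry.CurrentUser.CreateSubKey(ZonePath))
            {
                _original = key.GetValue(_name);
                key.SetValue(_name, temporaryValue, RegistryValueKind.DWord);
            }
        }

        public void Dispose()
        {
            using (RegistryKey key = Registry.CurrentUser.CreateSubKey(ZonePath))
            {
                if (_original == null) key.DeleteValue(_name, false);
                else key.SetValue(_name, _original, RegistryValueKind.DWord);
            }
        }
    }

    public partial class MainWindow : Window
    {
        ZoneActionOverride _allowActiveX;
        public MainWindow()
        {
            InitializeComponent();
            wbSample.LoadCompleted += (s, e) => Restore(); // document has loaded
            Closed += (s, e) => Restore();                 // navigation never completed
            _allowActiveX = new ZoneActionOverride("1201", 0); // 0 = enable
            try { wbSample.Navigate("C:\\Test\\ActiveXTest.htm"); }
            catch { Restore(); throw; }                    // do not leave it enabled
        }

        void Restore() { _allowActiveX?.Dispose(); _allowActiveX = null; }
    }
}
```

If the process is killed before `LoadCompleted` fires, the override stays in the registry, so checking the value at start-up is still worthwhile. Links followed inside the report load after the restore and would need the same bracket, for example from the control's `Navigating` event.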
-1

Simply add this line to your html page at the start before the html tag.

< saved from url=(0023)http://www.contoso.com/

and then select and comment it.

rajesh
  • 29
  • 4
  • Thanks for your reply, unfortunately I am no longer working on this project and I don't have the original solution to try this out on. I shall endeavour to replicate it however as I am curious as to the problem/fix. Also after researching the line I have found that there is another option of renaming the file from htm to hta, have you any experience of this alternative? – Kezza Jul 07 '14 at 13:51
  • @Kezza See the answer I posted. – LesFerch May 01 '23 at 17:42