Call to Action


If there’s only one thing you take away from this chapter, it’s this: if you build an extensibility feature for a Web browser, such as an ActiveX control, a toolbar, or a browser helper object, you need to realize that your code is as “at risk” as the browser itself. With that in mind you should perform all the action items in Chapter 3, including these:

  • Compile with /GS.

  • Link with /NXCOMPAT, /SAFESEH, and /DYNAMICBASE.

If your code generates code on the fly, or attempts to execute code from data, you should still link with /NXCOMPAT but call VirtualProtect(..., PAGE_EXECUTE_READ, ...) on the memory region you want to execute. You may also need to call the new Internet Explorer 7 Protected Mode file and registry functions if you want to save data to the operating system without virtualization.

Do not expect users, and do not force users, to disable Protected Mode to run code from your Web site. If your code does not run in Protected Mode even after you have updated it, suggest that users add your site to the Trusted Sites zone, which turns off Protected Mode for your site.

Consider migrating URI canonicalization or parsing code to cURL. Microsoft does not expect developers to migrate to cURL overnight, but you should plan to do so over time.

If your Web server still uses SSL2 or PCT, you should upgrade to SSL3; otherwise your Web applications will not work correctly with Internet Explorer 7 or Firefox 2.0.

As discussed in Chapter 2, you should code sign your ActiveX controls before they are released to customers.

If your control is intended for use only from your own site, consider site-locking the implementation so that it cannot be instantiated from other Web sites. The best tool for the job is SiteLock.

Some functionality is removed or changed in Internet Explorer 7 in the name of security, such as clipboard access and script URLs, so you should perform a complete application compatibility test of your Web application.



Writing Secure Code for Windows Vista
ISBN: 0735623937
Year: 2004
Pages: 122
