When I use an MSScriptControl in VB6, and set UseSafeSubset = True, what kind of things can't I do? I mean, what Controls can't I use? Or maybe some core Objects can't be instantiated or used? Maybe I can't CRUD files? I need a definitive list, please.
This thread tells of a special flag in the registry that sets which controls are blocked when UseSafeSubset = True, but it doesn't elaborate on it. It says it should be easy to search, but two days of Googling found nothing.
VBScript had all unsafe commands from VBA removed. So no file or registry access. Only CreateObject/GetObject can affect the system.
From Help (MsScript.hlp in C:\Windows\System32)
Remarks
The scripting engine in use determines if, and when, the UseSafeSubset property is set. If no language is specified (Language property), the UseSafeSubset can be set at any time.
The objects and procedures that can't be used when UseSafeSubset is True are identical to those restricted by the browser's highest security setting.
The Browser uses this (and IOleSafety). From MSDN Oct 2001
As mentioned previously, Internet Explorer examines the system registry to determine whether a control is safe for initialization and/or scripting. Internet Explorer examines the registry by calling the ICatInformation::IsClassOfCategories method to determine if the control supports the given category (safe for initializing or safe for scripting).
If a control uses the Component Categories Manager to register itself as being safe, the registry entry for that control contains an Implemented Categories key, which contains one or two subkeys. One subkey is set if the control supports safe initialization, and the other subkey is set if the control supports safe scripting. The safe initialization subkey corresponds to CATID_SafeForInitializing; the safe scripting subkey corresponds to CATID_SafeForScripting. (Unlike the other subkeys for the component categories that are defined in the Comcat.h file, the subkeys for safe initialization and scripting are defined in Objsafe.h.)
See URL Security Zones for what is restricted. This is the High template (aka the Restricted zone):
URL action                                URL policy
URLACTION_ACTIVEX_OVERRIDE_OBJECT_SAFETY  URLPOLICY_DISALLOW
URLACTION_ACTIVEX_RUN                     URLPOLICY_DISALLOW
URLACTION_CHANNEL_SOFTDIST_PERMISSIONS    URLPOLICY_CHANNEL_SOFTDIST_PROHIBIT
URLACTION_COOKIES                         URLPOLICY_DISALLOW
URLACTION_COOKIES_SESSION                 URLPOLICY_DISALLOW
URLACTION_CREDENTIALS_USE                 URLPOLICY_CREDENTIALS_MUST_PROMPT_USER
URLACTION_CROSS_DOMAIN_DATA               URLPOLICY_DISALLOW
URLACTION_DOWNLOAD_SIGNED_ACTIVEX         URLPOLICY_DISALLOW
URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX       URLPOLICY_DISALLOW
URLACTION_HTML_FONT_DOWNLOAD              URLPOLICY_QUERY
URLACTION_HTML_SUBFRAME_NAVIGATE          URLPOLICY_DISALLOW
URLACTION_HTML_SUBMIT_FORMS               URLPOLICY_QUERY
URLACTION_HTML_USERDATA_SAVE              URLPOLICY_DISALLOW
URLACTION_JAVA_PERMISSIONS                URLPOLICY_JAVA_HIGH
URLACTION_SCRIPT_JAVA_USE                 URLPOLICY_DISALLOW
URLACTION_SCRIPT_PASTE                    URLPOLICY_DISALLOW
URLACTION_SCRIPT_RUN                      URLPOLICY_ALLOW
URLACTION_SCRIPT_SAFE_ACTIVEX             URLPOLICY_DISALLOW
URLACTION_SHELL_FILE_DOWNLOAD             URLPOLICY_DISALLOW
URLACTION_SHELL_INSTALL_DTITEMS           URLPOLICY_DISALLOW
URLACTION_SHELL_MOVE_OR_COPY              URLPOLICY_QUERY
URLACTION_SHELL_VERB                      URLPOLICY_DISALLOW
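A practical way to find out what a given object does under UseSafeSubset, as an added example that is not part of the answer above: the script first resolves a ProgID to its CLSID and checks the two Implemented Categories subkeys the quoted MSDN text describes, then hosts a ScriptControl with UseSafeSubset off and on and attempts CreateObject of that ProgID inside it. The category GUIDs are the ones defined in Objsafe.h. Assumed: msscript.ocx is registered, the ProgID comes from the command line (defaulting to Scripting.FileSystemObject, which is not marked safe), and the script is run with the 32-bit cscript host.

```vbscript
' Added example, not part of the original answer: probes how a ProgID fares
' under UseSafeSubset. First it checks the Implemented Categories subkeys the
' answer describes, then it tries CreateObject(progId) inside a ScriptControl
' with the safe subset off and on.
' Run with the 32-bit host (msscript.ocx has no 64-bit build), e.g.
'   %SystemRoot%\SysWOW64\cscript.exe //nologo safesubset.vbs Scripting.FileSystemObject
' Assumptions: msscript.ocx is registered; the ProgID is given on the command
' line (defaults to Scripting.FileSystemObject, which is not marked safe).
Option Explicit

' Category IDs as defined in Objsafe.h
Const CATID_SafeForInitializing = "{7DD95801-9882-11CF-9FA9-00AA006C42C4}"
Const CATID_SafeForScripting    = "{7DD95802-9882-11CF-9FA9-00AA006C42C4}"

Dim sh : Set sh = CreateObject("WScript.Shell")

' RegRead with a trailing backslash reads a key's default value and raises an
' error when the key is missing, which is exactly the existence test we need.
Function KeyExists(keyPath)
    On Error Resume Next
    sh.RegRead keyPath
    KeyExists = (Err.Number = 0)
    Err.Clear
    On Error GoTo 0
End Function

Function ProgIdToClsid(progId)
    On Error Resume Next
    ProgIdToClsid = sh.RegRead("HKCR\" & progId & "\CLSID\")
    If Err.Number <> 0 Then ProgIdToClsid = ""
    On Error GoTo 0
End Function

Function IsInCategory(clsid, catid)
    IsInCategory = KeyExists("HKCR\CLSID\" & clsid & "\Implemented Categories\" & catid & "\")
End Function

' Runs CreateObject(progId) inside a hosted VBScript engine. Returns "ok" on
' success, otherwise the error the engine reported back to the host.
Function TryInSandbox(progId, safeSubset)
    Dim sc : Set sc = CreateObject("MSScriptControl.ScriptControl")
    sc.UseSafeSubset = safeSubset   ' set before Language, per the Remarks quoted above
    sc.Language = "VBScript"
    sc.AllowUI = False              ' no MsgBox/InputBox from inside the sandbox
    On Error Resume Next
    sc.ExecuteStatement "Set o = CreateObject(""" & progId & """)"
    If Err.Number <> 0 Then
        TryInSandbox = "error &H" & Hex(Err.Number) & ": " & Err.Description
    Else
        TryInSandbox = "ok"
    End If
    On Error GoTo 0
End Function

Dim progId
If WScript.Arguments.Count > 0 Then
    progId = WScript.Arguments(0)
Else
    progId = "Scripting.FileSystemObject"
End If

Dim clsid : clsid = ProgIdToClsid(progId)
If clsid = "" Then
    WScript.Echo "ProgID not registered (in this bitness): " & progId
    WScript.Quit 1
End If

WScript.Echo progId & " -> " & clsid
WScript.Echo "  CATID_SafeForInitializing: " & IsInCategory(clsid, CATID_SafeForInitializing)
WScript.Echo "  CATID_SafeForScripting:    " & IsInCategory(clsid, CATID_SafeForScripting)
WScript.Echo "  UseSafeSubset = False:     " & TryInSandbox(progId, False)
WScript.Echo "  UseSafeSubset = True:      " & TryInSandbox(progId, True)
```

Two caveats. The registry probe only covers the Component Categories route; a control can instead implement IObjectSafety (mentioned above) and answer the safety question at runtime, so the registry alone cannot give the "definitive list" the question asks for, and the sandbox run is the check that actually settles it for a given object. And because a 32-bit cscript reads the 32-bit view of HKCR, the probe looks at the same registrations the 32-bit msscript.ocx will use.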
Related
Can Firefox be configured in the preferences or through the flags not to use the Transient User Activation feature?
I need to call the getDisplayMedia() API in the window.load() event from some machines that are owned by me. However, due to the above feature, all similar APIs are getting blocked.
I believe it is not possible to turn this feature off. Note that the Firefox behavior is following what the current web specification says:
If the relevant global object of this does not have transient activation, return a promise rejected with a DOMException object whose name attribute has the value InvalidStateError.
You can expect other browsers to follow this "recent" spec behavior change.
I am calling a VBS function from an intranet page, using IE 11 (yes, it has to be that browser).
The function processes an Outlook mailbox, and is partly working: I can run down the list of mails and find the Subject and Body, but I need the sender's email address.
I can get this in various ways when I run similar code as an Outlook macro, but none of them work in VBS - the script just hangs (no error message) when I try to get anything of interest - see the function, with various things I've tried commented.
Any pointers as to where I'm going wrong gratefully received....
Function readEmails(mailbox)
    Dim iCt, objOutlook, NS, olFolder, olFolInbox, olMessage, sUser, sReturn
    Set objOutlook = CreateObject("Outlook.Application")
    Set NS = objOutlook.GetNamespace("MAPI")
    Set olFolder = NS.Folders(mailbox)
    Set olFolInbox = olFolder.Folders("Inbox")
    sReturn = ""
    For iCt = 1 To olFolInbox.Items.Count
        Set olMessage = olFolInbox.Items(iCt)
        MsgBox iCt & "-" & olMessage.Subject
        MsgBox "SenderEmailType=" & olMessage.SenderEmailType
        MsgBox "SenderEmailAddress=" & olMessage.SenderEmailAddress 'hangs
        'sn = olMessage.SenderName 'hangs
        Set sUser = olMessage.Sender
        'sn = sUser.Name 'hangs
        'MsgBox sUser 'hangs
        'Set sExUser = sUser.GetExchangeUser 'hangs
        sReturn = sReturn & olMessage.Subject & vbCrLf   ' collect what could be read
    Next
    readEmails = sReturn
End Function
It seems that a security issue takes place when you automate Outlook from an external macro: it can be a security prompt or an exception in the code. How it is seen really depends on the Outlook version (its internal implementation). To avoid security issues when dealing with OOM you can use the following approaches:
Use a low-level API which doesn't trigger security issues in OOM. Outlook is built on top of Extended MAPI which doesn't trigger security issues unlike OOM. Also you may consider using any wrappers around this low-level API such as Redemption.
Use third-party components designed for turning off and on security checks in OOM, see Outlook Security Manager for more information.
You can create a group policy to prevent security prompts from displaying if any up-to-date antivirus software is installed on the system, or just turn these warnings off (which is not really recommended).
Users get the security prompts/exceptions because Outlook is configured on the client computer in one of the following ways:
Uses the default Outlook security settings (that is, no Group Policy set up)
Uses security settings defined by Group Policy but does not have programmatic access policy applied
Uses security settings defined by Group Policy which is set to warn when the antivirus software is inactive or out of date
Read more about that in the Security Behavior of the Outlook Object Model article.
I am unable to read clipboard data in the Microsoft Edge browser. I am using the JavaScript below.
function onPaste(e) {
    var pastedText = '';
    if (window.clipboardData && window.clipboardData.getData) { // IE
        pastedText = window.clipboardData.getData('Text');
    } else if (e.clipboardData && e.clipboardData.getData) { // non-IE
        pastedText = e.clipboardData.getData('text/plain');
    }
    return pastedText;
}
Neither branch of the if/else if block is executed in Edge. I tried using
e.originalEvent.clipboardData.getData('text/plain');
But I am getting 'Access is denied.' error.
Let me know if anybody knows how to fix this issue.
Edge does not currently support the clipboard api, but it is under consideration and likely to be added in near future.
I do not have Edge, but it seems that you are not authorized to access the clipboard data. Is this on a website, or are you calling this from within a JavaScript script executed locally?
Make sure the website is in the trusted sites.
See https://w3c.github.io/clipboard-apis/#clipboard-event-interfaces, or more precisely:
12.1 Privacy concerns
Untrusted scripts should not get uncontrolled access to a user's clipboard data. This specification assumes that granting access to the current clipboard data when a user explicitly initiates a paste operation from the user agent's trusted chrome is acceptable. However, implementors must proceed carefully, and as a minimum implement the precautions below:
Objects implementing the DataTransfer interface to return clipboard data must not be available outside the ClipboardEvent event handler.
If a script stores a reference to an object implementing the DataTransfer interface to use from outside the ClipboardEvent event handler, all methods must be no-ops when called outside the expected context.
Implementations must not let scripts create synthetic clipboard events to get access to real clipboard data except if configured to do so.
Implementations should not let scripts call document.execCommand('paste') unless the user has explicitly allowed it.
Implementations may choose to further limit the functionality provided by the DataTransfer interface. For example, an implementation may allow the user to disable this API, or configure which web sites should be granted access to it.
I've been given a task to create a protocol similar to callto:, one that, upon clicking on a link with it, would automatically launch an installed application.
I followed the Microsoft guide on how a scheme should look.
My scheme looks like this:
HKEY_CLASSES_ROOT
  slican
    URL Protocol = ""
    DefaultIcon
      (Default) = "C:\Users\Okabe\Desktop\slican\SlicanP.exe,1"
    shell
      open
        command
          (Default) = "C:\Users\Okabe\Desktop\slican\SlicanP.exe" "%1"
I thought that was all and tested it with
test link
test telephone link
There was no reaction whatsoever. Internet Explorer asked me if I want to search for a program that can open the content and Chrome responded with nothing, as if I clicked javascript:void(0).
How do I get that to work?
Thank you for your help!
The registration you show works perfectly fine for me when I try it on Windows 7. The local app I registered in place of SlicanP.exe ran fine when I invoked a slican: URL from the Start | Run menu, and from within the address bar of Windows Explorer. So the registration works.
Do be aware that Internet Explorer runs in a lower integrity security context, so it may not have rights to run local programs. When I tried to click on an HTML link to a slican: URL, or type a slican: URL in the address bar, IE had trouble executing the local app (even after prompting for permission). I had to run IE as an administrator, then the local app ran just fine.
Also, you really should not be creating a HKEY_CLASSES_ROOT\slican key directly. Create a HKEY_CURRENT_USER\Software\Classes\slican (current user only) or HKEY_LOCAL_MACHINE\Software\Classes\slican (all users) instead. Refer to MSDN for more details:
HKEY_CLASSES_ROOT Key
Merged View of HKEY_CLASSES_ROOT
Update: Since it works in Windows 7, Microsoft probably changed how URL schemes are registered in Windows 8. For instance, phone/store apps use URI activation:
URI activation (XAML).
URI activation (HTML)
The documentation says there are two ways to register a custom URI scheme:
Internet Explorer uses two mechanisms for registering new pluggable protocol handlers. The first method is to register a URI scheme name and its associated application so that all attempts to navigate to a URI using that scheme launch the application (for example, registering applications to handle mailto: or news: URIs). The second method uses the Asynchronous Pluggable Protocols API, which allows you to define new protocols by mapping the URI scheme to a class.
You are doing the first. Try using the second instead.
However, I just noticed that "Asynchronous Pluggable Protocols" is listed on MSDN in the "Legacy APIs" section, and it has the following note:
Third-party protocol implementations won't load in Windows Store apps using JavaScript, or in the Internet Explorer in the new Windows UI.
So it may or may not work in Windows 8.
Update: I just found this:
Guidelines for file types and URIs
In Windows 8, the relationship between apps and the file types they support differs from previous versions of Windows.
Walkthrough: using Windows 8 Custom Protocol Activation
The file type and protocol association model has changed in Windows 8. Apps are no longer able to programmatically set themselves as the default handler for a file type or protocol. Instead, now the user always controls what the default handler is for a file type or protocol.
Your app can use existing protocols for communication, such as mailto, or create a custom protocol. The protocol activation extension enables you to define a custom protocol or register to handle an existing protocol.
Also have a look at this:
Setting mailto: protocol handler programmatically in Windows 8
And this:
Default Programs
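The per-user registration the answer recommends, written out as an added example that is not part of the answer or of the questioner's setup: it creates the slican key under HKCU\Software\Classes instead of HKEY_CLASSES_ROOT, can print what is currently registered (the same thing you would compare against HKCR\mailto), and can remove the key again. The handler path is a placeholder assumption; the scheme name is the one from the question.

```vbscript
' Added example, not from the original answer: registers the slican: scheme
' per-user under HKCU\Software\Classes (as recommended above) instead of
' writing HKEY_CLASSES_ROOT directly, and can show or remove it again.
'   cscript //nologo slican-scheme.vbs install | show | remove
' Assumption: the handler path below is a placeholder; adjust it to the real
' install location of the application.
Option Explicit

Const SCHEME  = "slican"
Const HANDLER = "C:\Program Files\Slican\SlicanP.exe"   ' placeholder path
Const ROOT    = "HKCU\Software\Classes\"

Dim sh : Set sh = CreateObject("WScript.Shell")

Sub InstallScheme()
    Dim base : base = ROOT & SCHEME & "\"
    ' Default value is the friendly name; the empty "URL Protocol" value is what
    ' marks the key as a URI scheme rather than a plain file-type ProgID.
    sh.RegWrite base, "URL:" & SCHEME & " Protocol", "REG_SZ"
    sh.RegWrite base & "URL Protocol", "", "REG_SZ"
    sh.RegWrite base & "DefaultIcon\", HANDLER & ",1", "REG_SZ"
    ' Quote the executable and %1: a URL with spaces then cannot be split into
    ' extra arguments. The application still receives whatever string a web
    ' page put in the link, so it must validate the argument itself.
    sh.RegWrite base & "shell\open\command\", """" & HANDLER & """ ""%1""", "REG_SZ"
End Sub

Sub ShowScheme()
    On Error Resume Next
    Dim cmd : cmd = sh.RegRead(ROOT & SCHEME & "\shell\open\command\")
    If Err.Number <> 0 Then
        WScript.Echo SCHEME & ": not registered for the current user"
    Else
        WScript.Echo SCHEME & ": " & cmd
    End If
    On Error GoTo 0
End Sub

Sub RemoveScheme()
    ' Delete from the leaves up; RegDelete removes one key at a time.
    On Error Resume Next
    sh.RegDelete ROOT & SCHEME & "\shell\open\command\"
    sh.RegDelete ROOT & SCHEME & "\shell\open\"
    sh.RegDelete ROOT & SCHEME & "\shell\"
    sh.RegDelete ROOT & SCHEME & "\DefaultIcon\"
    sh.RegDelete ROOT & SCHEME & "\URL Protocol"
    sh.RegDelete ROOT & SCHEME & "\"
    On Error GoTo 0
End Sub

Dim action
If WScript.Arguments.Count > 0 Then action = LCase(WScript.Arguments(0)) Else action = "show"
Select Case action
    Case "install": InstallScheme : ShowScheme
    Case "remove":  RemoveScheme  : ShowScheme
    Case Else:      ShowScheme
End Select
```

After installing, test the registration on its own with `start slican:test` from a command prompt before involving a browser; if that launches the application, what remains is the browser's own prompt and integrity-level behaviour that the answer describes. Keep in mind that once a scheme is registered, any web page can trigger the handler with an argument of its choosing, so the quoting of %1 only prevents argument splitting; validating the URL content is the application's job.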
If you go to C:\Users\\AppData\Local\Google\Chrome\User Data
you can edit the Local State file.
Search for protocol_handler.
The syntax here is a key-value pair. I usually copy two mailto: entries and make sure that you set your protocols to false. This will mean that Chrome will treat your new protocols as URI_Handler events.
If you have troubles with configuring custom URI scheme, you can compare your own configuration with existing one. For example, "HKEY_CLASSES_ROOT/mailto" - most likely you have it already in your system.
I'm having trouble with my own AppleScript applications and Accessibility in "Security & Privacy".
I've written an application called "open cubase" that I've granted accessibility rights. I used Apple's advice on how to prevent repeated re-authorization (http://support.apple.com/kb/HT5914). But now even when the application is listed and selected in the Accessibility list, it says that it doesn't have assistive access.
And when I'm using
sudo sqlite3 /Library/Application\ Support/com.apple.TCC/Tcc.db 'SELECT * FROM access WHERE client LIKE "%%"'
to check what's going on, I can see this:
kTCCServiceAccessibility|com.atonus.open-cubase|0|1|0|??
Why is there ?? at the end of that? Is there anyone who would know how to resolve this?
I'm using OSX 10.9.2.
Update, based on feedback from the OP:
The OP's issue is not the use of property statements that normally cause an AppleScript-based application to self-modify the application bundle's embedded Contents/Resources/Scripts/main.scpt script file when property values change at runtime.
However, Apple's workaround at http://support.apple.com/kb/HT5914
IS specifically meant to address not requiring re-authorization as a result of this self-modification issue for a given version of an application.
is NOT meant to allow updating the app (changing its source code or resources) without re-authorization.
For security reasons there is NO way to grant one-time authorization to an app based on its bundle ID and then keep it authorized no matter how it changes (e.g., through updates).
You have two options:
Either: Re-authorize the application every time you update it.
After updating your app, go to System Preferences > Security & Privacy > Privacy > Accessibility and toggle the checkmark next to the list item representing your application (if your application isn't there, drag it there).
Note: With Apple's workaround in place - which for security reasons is NOT a good idea unless you truly need to use property statements that persist their values - it may be sufficient to re-sign the application - haven't verified that.
Or: Use a workaround - not recommended for security reasons:
Make your app an unchanging wrapper that loads the true script code at runtime from a location OUTSIDE the app bundle - that way, the app stays the same and doesn't require re-authorization even if the script file loaded at runtime changes.
Example: Say your true script code - involving code requiring assistive access - is stored as ~/Desktop/test.scpt; your wrapper application, once authorized, can then invoke that script with run script file ((path to home folder as text) & "Desktop:test.scpt")
I don't have a specific explanation, but a recommendation:
Do not use properties (e.g., property FNAME : "Input.txt") in your AppleScript-based applications: AppleScript persists these automatically (preserves their values between runs), but the feature is implemented awkwardly (the persisted values are written to the *.scpt file itself - this is what causes the repeated authorization problem) and flimsily (if you modify your application and save (the *.scpt file at the heart of the) application again, previously persistent values are lost).
If you stay away from properties, the problem with repeated authorization simply goes away (unless you update your application). You can roll your own persistence, e.g., via AppleScript's support for .plist (property-list) files (see the System Events dictionary).
You also won't need the workaround described in the linked support article (http://support.apple.com/kb/HT5914), which is also a plus, given that the workaround is based on opening up a security hole.
As for your specific question:
The ?? is the - unhelpful - representation of the csreq column value from the TCC.db database and is not a problem per se; OSX manages that column behind the scenes; it contains a fingerprint of sorts identifying the application in its specific current form (similar to an MD5 hash, though I have no idea what is actually being used), so as to be able to detect tampering later.
However, I suspect you may be looking at the wrong database entry:
I'm puzzled by your bundle ID being com.atonus.open-cubase: if your app is an AppleScript-based *.app bundle, its bundle ID would have the fixed prefix com.apple.ScriptEditor.id., e.g., com.apple.ScriptEditor.id.open-cubase. Did you manually modify the bundle ID via the bundle's Info.plist file, or am I missing something?
When the OS determines tampering/a change in an authorized application:
It resets the allowed column value to 0, i.e., revokes authorization
It resets the csreq column value to NULL.
Thus, after you've seen the ... is not allowed assistive access dialog, the database entry should be reported as kTCCServiceAccessibility|com.atonus.open-cubase|0|0|1| - note the changed Boolean flags and the absence of the ?? at the end.