
delphi - TWebBrowser: Disable all security restrictions

Reposted. Author: 行者123. Updated: 2023-12-02 00:08:25

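I am using the TWebBrowser component in Delphi 10.2, imported from the SHDocVW_TLB type library.

I want to use this web browser to browse local files and files in a trusted environment. But I noticed that, because of security restrictions, AJAX calls from a local file (more precisely: custom HTML content that I load into the browser component using this code) to the LAN or WAN are not possible.

My goal is to disable all security restrictions for this web browser control (I understand the risks).

I am not sure whether there are other ways, but I think I have to create a custom IInternetSecurityManager. During my research I found this document by Microsoft, which explains how to write such a security manager. But I could not find out how to "plug in/override" this custom IInternetSecurityManager in my TWebBrowser control.

What do I need to do to completely disable all security restrictions? Thanks for any hints!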

Best answer

The answer is in the same MSHTML documentation that you linked to in your question:

Applications Hosting the WebBrowser Control or MSHTML

The WebBrowser Control or MSHTML hosts could create a security manager (by implementing the IInternetSecurityManager interface) that handles the URL actions and policies that are important to the host. Other URL actions and policies would be passed to the default security manager so it could handle them appropriately. The IInternetSecurityMgrSite interface would be used to handle Windows-related information from the component so that the customized security manager could handle any user interface it required.

To create a customized security manager, the component must implement the IInternetSecurityManager interface. Any methods or URL actions that the customized security manager needs the default security manager to act on should return INET_E_DEFAULT_ACTION.

Security Warning: Implementing IInternetSecurityManager methods incorrectly can compromise the security of your application. Any methods or URL actions that the customized security manager needs the default security manager to act on should return INET_E_DEFAULT_ACTION. If a method does not override default behavior and returns an HRESULT indicating success, the action is unhandled and can put users at risk for an elevation of privilege attack. You should review Security Considerations: URL Security Zones API before continuing.

The component must also implement an object that supports the IOleClientSite interface when embedding either the WebBrowser Control or MSHTML.

The following steps occur for a URL action.

  1. MSHTML uses CoCreateInstance to create an instance of the Internet Security Manager.

  2. The Internet Security Manager calls the QueryInterface method on MSHTML to get its IServiceProvider interface. MSHTML then calls the QueryInterface method on the IOleClientSite interface to get the IServiceProvider interface.

  3. IServiceProvider::QueryService is called to get an IInternetSecurityManager interface. The component then passes a pointer to its implementation of IInternetSecurityManager to the Internet Security Manager.

  4. Calls from MSHTML to the IInternetSecurityManager methods are passed to the custom security manager from the default Internet Security Manager.

  5. If the method called returns INET_E_DEFAULT_ACTION, the default implementation of IInternetSecurityManager is used to resolve the call. Otherwise, the result from the custom security manager is returned.

  6. The Internet Security Manager returns the result back to MSHTML.

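So, first you need to write a class that implements the IInternetSecurityManager interface.

Second, fortunately TOleControl (which TWebBrowser derives from) already implements the IOleClientSite and IServiceProvider interfaces since at least Delphi 2006, so all you need to do is assign a handler to its public ServiceQuery event, and when MSHTML calls IServiceProvider.QueryService() looking for IInternetSecurityManager, you can return an instance of your custom security manager class.

For older Delphi versions, you can manually provide an IOleClientSite object to TWebBrowser by querying its DefaultInterface property for the IOleObject interface, and then calling the IOleObject.SetClientSite() method. The following article demonstrates such an example: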

How to customise the TWebBrowser user interface (part 3 of 6)

By providing TWebBrowser with a custom IOleClientSite, you can also provide your own custom IDocHostUIHandler, IDocHostUIHandler2, IDocHostShowUI, and ICustomDoc objects to MSHTML (MSHTML does not query for them using IServiceProvider, so they will not trigger the TWebBrowser.ServiceQuery event). These interfaces are the root of most WebBrowser Customization options, as described on MSDN:

The mechanism for WebBrowser Control customization is designed to be automated when a container provides support for ActiveX controls. Whenever the WebBrowser Control is instantiated, it attempts to find IDocHostUIHandler, IDocHostUIHandler2 and IDocHostShowUI implementations from the host, if they are available. The WebBrowser Control does this by a QueryInterface call on the host's IOleClientSite interface.

This architecture works automatically for an application that implements an IOleClientSite interface and that passes an IOleClientSite pointer to the WebBrowser Control through the browser's IOleObject::SetClientSite method.

Regarding delphi - TWebBrowser: Disable all security restrictions, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/44663722/
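
An added example (not from the original answer or from Microsoft's documentation): a Delphi security manager that follows the quoted warning by returning INET_E_DEFAULT_ACTION for everything except one URL action requested by one page. The unit, class and constant names and TRUSTED_URL are hypothetical, and the method signatures are assumed to match IInternetSecurityManager as declared in Winapi.UrlMon.

```delphi
unit ScopedSecMgr; // added example; unit, class and constant names are hypothetical

interface

uses Winapi.Windows, Winapi.ActiveX, Winapi.UrlMon, System.SysUtils;

const
  TRUSTED_URL = 'https://app.example.internal/index.html'; // constructed placeholder for the host's own page
  ACTION_CROSS_DOMAIN_DATA = $00001406; // URLACTION_CROSS_DOMAIN_DATA (urlmon.h)
  POLICY_ALLOW = $00;                   // URLPOLICY_ALLOW (urlmon.h)

type
  // Signatures assumed to match IInternetSecurityManager in Winapi.UrlMon.
  TScopedSecMgr = class(TInterfacedObject, IInternetSecurityManager)
  public
    function SetSecuritySite(Site: IInternetSecurityMgrSite): HResult; stdcall;
    function GetSecuritySite(out Site: IInternetSecurityMgrSite): HResult; stdcall;
    function MapUrlToZone(pwszUrl: LPCWSTR; out dwZone: DWORD; dwFlags: DWORD): HResult; stdcall;
    function GetSecurityId(pwszUrl: LPCWSTR; pbSecurityId: Pointer; var cbSecurityId: DWORD; dwReserved: DWORD): HResult; stdcall;
    function ProcessUrlAction(pwszUrl: LPCWSTR; dwAction: DWORD; pPolicy: Pointer; cbPolicy: DWORD; pContext: Pointer; cbContext: DWORD; dwFlags, dwReserved: DWORD): HResult; stdcall;
    function QueryCustomPolicy(pwszUrl: LPCWSTR; const guidKey: TGUID; out pPolicy: Pointer; out cbPolicy: DWORD; pContext: Pointer; cbContext: DWORD; dwReserved: DWORD): HResult; stdcall;
    function SetZoneMapping(dwZone: DWORD; lpszPattern: LPCWSTR; dwFlags: DWORD): HResult; stdcall;
    function GetZoneMappings(dwZone: DWORD; out enumString: IEnumString; dwFlags: DWORD): HResult; stdcall;
  end;

implementation

// Every method the host does not need to override defers to the default manager.
function TScopedSecMgr.SetSecuritySite; begin Result := INET_E_DEFAULT_ACTION; end;
function TScopedSecMgr.GetSecuritySite; begin Result := INET_E_DEFAULT_ACTION; end;
function TScopedSecMgr.MapUrlToZone; begin Result := INET_E_DEFAULT_ACTION; end;
function TScopedSecMgr.GetSecurityId; begin Result := INET_E_DEFAULT_ACTION; end;
function TScopedSecMgr.QueryCustomPolicy; begin Result := INET_E_DEFAULT_ACTION; end;
function TScopedSecMgr.SetZoneMapping; begin Result := INET_E_DEFAULT_ACTION; end;
function TScopedSecMgr.GetZoneMappings; begin Result := INET_E_DEFAULT_ACTION; end;

function TScopedSecMgr.ProcessUrlAction;
begin
  Result := INET_E_DEFAULT_ACTION; // anything not matched below keeps the default policy
  // Override exactly one action, and only when the requesting URL is the trusted page.
  if (dwAction = ACTION_CROSS_DOMAIN_DATA) and SameText(pwszUrl, TRUSTED_URL)
    and (pPolicy <> nil) and (cbPolicy >= SizeOf(DWORD)) then
  begin
    PDWORD(pPolicy)^ := POLICY_ALLOW; // write the policy, then report it as handled
    Result := S_OK;
  end;
end;

end.
```

Return an instance of this class from the ServiceQuery handler when the requested iid is IInternetSecurityManager, and keep an interface reference to it for as long as the browser control exists.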
