Daniel Marschall

Reputation: 3879

TWebBrowser: Disable all security restrictions

I am using a TWebBrowser component in Delphi 10.2 which is imported from the SHDocVW_TLB type library.

I want to use this web browser to browse local files and files in a trusted environment. But I noticed that an AJAX call from a local file (more precisely: Custom HTML content I have loaded into the browser component using this code) to LAN or WAN is not possible due to the security restrictions.

My goal is to disable all security restrictions (I am aware of the risks) for this web browser control.

Not sure if there are other ways, but I think I have to create a custom IInternetSecurityManager. During my research I found this document by Microsoft , and it explains how to write such a SecurityManager. But nowhere I can find how to "insert/overwrite" this custom IInternetSecurityManager into my TWebBrowser control.

What do I need to do to completely disable all security restrictions? Thank you for any hint!

Upvotes: 1

Views: 1478

Answers (1)

Remy Lebeau

Reputation: 595981

The answer is in the same MSHTML documentation that you linked to in your question:

Applications Hosting the WebBrowser Control or MSHTML

The WebBrowser Control or MSHTML hosts could create a security manager (by implementing the IInternetSecurityManager interface) that handles the URL actions and policies that are important to the host. Other URL actions and policies would be passed to the default security manager so it could handle them appropriately. The IInternetSecurityMgrSite interface would be used to handle Windows-related information from the component so that the customized security manager could handle any user interface it required.

To create a customized security manager, the component must implement the IInternetSecurityManager interface. Any methods or URL actions that the customized security manager needs the default security manager to act on should return INET_E_DEFAULT_ACTION.

Security Warning: Implementing IInternetSecurityManager methods incorrectly can compromise the security of your application. Any methods or URL actions that the customized security manager needs the default security manager to act on should return INET_E_DEFAULT_ACTION. If a method does not override default behavior and returns an HRESULT indicating success, the action is unhandled and can put users at risk for an elevation of privilege attack. You should review Security Considerations: URL Security Zones API before continuing.

The component must also implement an object that supports the IOleClientSite interface when embedding either the WebBrowser Control or MSHTML.

The following steps occur for a URL action.

  1. MSHTML uses CoCreateInstance to create an instance of the Internet Security Manager.

  2. The Internet Security Manager calls the QueryInterface method on MSHTML to get its IServiceProvider interface. MSHTML then calls the QueryInterface method on the IOleClientSite interface to get the IServiceProvider interface.

  3. IServiceProvider::QueryService is called to get an IInternetSecurityManager interface. The component then passes a pointer to its implementation of IInternetSecurityManager to the Internet Security Manager.

  4. Calls from MSHTML to the IInternetSecurityManager methods are passed to the custom security manager from the default Internet Security Manager.

  5. If the method called returns INET_E_DEFAULT_ACTION, the default implementation of IInternetSecurityManager is used to resolve the call. Otherwise, the result from the custom security manager is returned.

  6. The Internet Security Manager returns the result back to MSHTML.

So, first you need to write a class that implements the IInternetSecurityManager interface.

Second, fortunately TOleControl (which TWebBrowser derives from) has implemented the IOleClientSite and IServiceProvider interfaces since at least Delphi 2006, so all you need to do is assign a handler to its public ServiceQuery event, and when MSHTML calls IServiceProvider.QueryService() looking for IInternetSecurityManager, you can return an instance of your custom security manager class.

For older Delphi versions, you can manually provide an IOleClientSite object to TWebBrowser by querying its DefaultInterface property for the IOleObject interface, and then calling the IOleObject.SetClientSite() method. An example of this is demonstrated in the following article:

How to customise the TWebBrowser user interface (part 3 of 6)

Providing TWebBrowser with a custom IOleClientSite is how you can also provide your own custom IDocHostUIHandler, IDocHostUIHandler2, IDocHostShowUI, and ICustomDoc objects to MSHTML (MSHTML does not query for them using IServiceProvider, so they will not trigger the TWebBrowser.ServiceQuery event). These interfaces are at the root of most WebBrowser Customization options, as described on MSDN:

The mechanism for WebBrowser Control customization is designed to be automated when a container provides support for ActiveX controls. Whenever the WebBrowser Control is instantiated, it attempts to find IDocHostUIHandler, IDocHostUIHandler2 and IDocHostShowUI implementations from the host, if they are available. The WebBrowser Control does this by a QueryInterface call on the host's IOleClientSite interface.

This architecture works automatically for an application that implements an IOleClientSite interface and that passes an IOleClientSite pointer to the WebBrowser Control through the browser's IOleObject::SetClientSite method.

Upvotes: 6
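The two steps the answer describes (a class implementing IInternetSecurityManager, handed to MSHTML from the TWebBrowser.ServiceQuery handler) as one worked example. This is added illustration code, not code from the question, the answer, or the MSDN text; it was not posted by either participant. Instead of allowing every URL action for every URL (which is what "disable all security restrictions" amounts to, and exactly the elevation-of-privilege path the quoted Security Warning describes), it grants a single action, URLACTION_CROSS_DOMAIN_DATA ($1406 in urlmon.h, the action that gates XMLHttpRequest to another origin), and only for page URLs under a caller-supplied trusted prefix; every other method and action returns INET_E_DEFAULT_ACTION so the default manager keeps enforcing its policy. Assumptions: the TServiceQueryEvent signature (Sender, const rsid, iid: TGUID, var Obj: IUnknown) and the IInternetSecurityManager parameter types are those of the OleCtrls and Winapi.UrlMon units in recent Delphi versions; if your version declares them differently the compiler will point at the exact line, and the declaration in your own Winapi.UrlMon is the one to copy. The class and unit names, the trusted-prefix scheme, and the `file:///c:/myapp/html/` prefix in the usage note are invented for the example.

```delphi
unit TrustedOriginSecMgr;

interface

uses
  Winapi.Windows, Winapi.ActiveX, Winapi.UrlMon, System.SysUtils, SHDocVw;

const
  // Value from urlmon.h; declared locally in case this Delphi UrlMon unit lacks it.
  URLACTION_CROSS_DOMAIN_DATA = $00001406;

type
  // Custom security manager that grants exactly one URL action (cross-domain
  // data access) and only for page URLs under a trusted prefix. Everything else
  // returns INET_E_DEFAULT_ACTION so the default manager resolves it.
  TTrustedOriginSecurityManager = class(TInterfacedObject, IInternetSecurityManager)
  private
    FTrustedPrefixes: TArray<string>;
    function IsTrusted(const Url: string): Boolean;
  public
    constructor Create(const TrustedPrefixes: array of string);
    { IInternetSecurityManager; parameter types assumed from Winapi.UrlMon,
      copy your unit's declaration if the compiler reports a mismatch }
    function SetSecuritySite(Site: IInternetSecurityMgrSite): HResult; stdcall;
    function GetSecuritySite(out Site: IInternetSecurityMgrSite): HResult; stdcall;
    function MapUrlToZone(pwszUrl: LPCWSTR; out dwZone: DWORD; dwFlags: DWORD): HResult; stdcall;
    function GetSecurityId(pwszUrl: LPCWSTR; pbSecurityId: PByte; var cbSecurityId: DWORD; dwReserved: DWORD): HResult; stdcall;
    function ProcessUrlAction(pwszUrl: LPCWSTR; dwAction: DWORD; pPolicy: PByte; cbPolicy: DWORD; pContext: PByte; cbContext: DWORD; dwFlags, dwReserved: DWORD): HResult; stdcall;
    function QueryCustomPolicy(pwszUrl: LPCWSTR; const guidKey: TGUID; out pPolicy: PByte; out cbPolicy: DWORD; pContext: PByte; cbContext: DWORD; dwReserved: DWORD): HResult; stdcall;
    function SetZoneMapping(dwZone: DWORD; lpszPattern: LPCWSTR; dwFlags: DWORD): HResult; stdcall;
    function GetZoneMappings(dwZone: DWORD; out enumString: IEnumString; dwFlags: DWORD): HResult; stdcall;
  end;

  // Host side: owns the manager (so it outlives the query) and returns it from
  // the TWebBrowser.ServiceQuery event when MSHTML asks for it.
  TSecureBrowserHost = class
  private
    FBrowser: TWebBrowser;
    FSecMgr: IInternetSecurityManager;
    procedure BrowserServiceQuery(Sender: TObject; const rsid, iid: TGUID; var Obj: IUnknown);
  public
    constructor Create(ABrowser: TWebBrowser; const TrustedPrefixes: array of string);
  end;

implementation

{ TTrustedOriginSecurityManager }

constructor TTrustedOriginSecurityManager.Create(const TrustedPrefixes: array of string);
var
  I: Integer;
begin
  inherited Create;
  SetLength(FTrustedPrefixes, Length(TrustedPrefixes));
  for I := 0 to High(TrustedPrefixes) do
    FTrustedPrefixes[I] := LowerCase(TrustedPrefixes[I]);
end;

function TTrustedOriginSecurityManager.IsTrusted(const Url: string): Boolean;
var
  Prefix, LowerUrl: string;
begin
  LowerUrl := LowerCase(Url);
  for Prefix in FTrustedPrefixes do
    if LowerUrl.StartsWith(Prefix) then
      Exit(True);
  Result := False;
end;

function TTrustedOriginSecurityManager.ProcessUrlAction(pwszUrl: LPCWSTR; dwAction: DWORD; pPolicy: PByte; cbPolicy: DWORD; pContext: PByte; cbContext: DWORD; dwFlags, dwReserved: DWORD): HResult;
begin
  Result := INET_E_DEFAULT_ACTION;   // default: let the built-in manager decide
  if (dwAction = URLACTION_CROSS_DOMAIN_DATA) and (pPolicy <> nil) and
     (cbPolicy >= SizeOf(DWORD)) and IsTrusted(string(pwszUrl)) then
  begin
    PDWORD(pPolicy)^ := URLPOLICY_ALLOW;  // grant this one action for this one URL
    Result := S_OK;
  end;
end;

// All remaining methods defer to the default manager, as the MSDN warning requires.
function TTrustedOriginSecurityManager.SetSecuritySite(Site: IInternetSecurityMgrSite): HResult; begin Result := INET_E_DEFAULT_ACTION; end;
function TTrustedOriginSecurityManager.GetSecuritySite(out Site: IInternetSecurityMgrSite): HResult; begin Result := INET_E_DEFAULT_ACTION; end;
function TTrustedOriginSecurityManager.MapUrlToZone(pwszUrl: LPCWSTR; out dwZone: DWORD; dwFlags: DWORD): HResult; begin Result := INET_E_DEFAULT_ACTION; end;
function TTrustedOriginSecurityManager.GetSecurityId(pwszUrl: LPCWSTR; pbSecurityId: PByte; var cbSecurityId: DWORD; dwReserved: DWORD): HResult; begin Result := INET_E_DEFAULT_ACTION; end;
function TTrustedOriginSecurityManager.QueryCustomPolicy(pwszUrl: LPCWSTR; const guidKey: TGUID; out pPolicy: PByte; out cbPolicy: DWORD; pContext: PByte; cbContext: DWORD; dwReserved: DWORD): HResult; begin Result := INET_E_DEFAULT_ACTION; end;
function TTrustedOriginSecurityManager.SetZoneMapping(dwZone: DWORD; lpszPattern: LPCWSTR; dwFlags: DWORD): HResult; begin Result := INET_E_DEFAULT_ACTION; end;
function TTrustedOriginSecurityManager.GetZoneMappings(dwZone: DWORD; out enumString: IEnumString; dwFlags: DWORD): HResult; begin Result := INET_E_DEFAULT_ACTION; end;

{ TSecureBrowserHost }

constructor TSecureBrowserHost.Create(ABrowser: TWebBrowser; const TrustedPrefixes: array of string);
begin
  inherited Create;
  FBrowser := ABrowser;
  FSecMgr := TTrustedOriginSecurityManager.Create(TrustedPrefixes);
  FBrowser.ServiceQuery := BrowserServiceQuery;  // fired from TOleControl's IServiceProvider.QueryService
end;

procedure TSecureBrowserHost.BrowserServiceQuery(Sender: TObject; const rsid, iid: TGUID; var Obj: IUnknown);
begin
  // MSHTML asks for SID_SInternetSecurityManager, which is the same GUID as the interface.
  if IsEqualGUID(rsid, IID_IInternetSecurityManager) and IsEqualGUID(iid, IID_IInternetSecurityManager) then
    Obj := FSecMgr;
end;

end.
```

Usage, e.g. in the form's OnCreate: `FHost := TSecureBrowserHost.Create(WebBrowser1, ['file:///c:/myapp/html/']);` (keep FHost as a field and free it in OnDestroy). Two points worth noting. First, the host holds the manager in an interface field on purpose: MSHTML caches the pointer it gets from QueryService, so the object must not be a temporary. Second, the "disable everything" variant the question asks for is a one-line change (write URLPOLICY_ALLOW unconditionally and return S_OK from ProcessUrlAction), and that is precisely the case the quoted Security Warning is about: any content that reaches the control, including content a trusted page fetches over the LAN or WAN, then runs with every restriction lifted. Restricting the grant to the one action the application needs and to the URLs it controls keeps the default zone policy in force for everything else.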
