Creating a Custom Internet Security Manager for MSXML 6.0


To implement a custom Internet security manager to use with MSXML 6.0, you must write a class, commonly called the site object, which implements the following interfaces.

  • IInternetSecurityManager identifies the site object as a security manager. When you implement this interface, you must implement the following methods:

    Method Description
    MapUrlToZone Retrieves the zone index for the specified URL. Either URLMON or MSXML can trigger this method. The implementation should be caller agnostic. MSXML will use this method to determine both the zone of the URL and that of any referenced document. In this way, MSXML can then determine whether the referring document is attempting to load a document that is in a different zone.
    ProcessUrlAction Determines the policy for a specified security action. URLMON triggers a call to this method whenever it encounters a security action and must enlist a security manager to make a security-related decision for that action. In XML scenarios, such decisions are made when XSLT or XSD document include or import other documents; when a script block is encountered in an XSL file; during DTD processing; and at various other times.
    All others For all other methods in the interface, it is sufficient to return INET_E_DEFAULT_ACTION. This value specifies that the default security manager should set the policy for the current action under consideration.


Implementing IInternetSecurityManager methods incorrectly can compromise the security of your application. For example, for some actions might not want to set security policy in your security manager; instead, you might want to defer those security policy decisions to the default security manager used by Internet Explorer. In this case, if instead of returning INET_E_DEFAULT_ACTION, your implementation erroneously returns an HRESULT indicating success, the security policy decision is approved. This can put users at risk for an elevation of privilege attack. For more information, see Security Considerations: URL Security Zones API.

  • IServiceProvider implements the QueryService method. Callers call this method to query for a pointer to the IInternetSecurityManager interface. Your component then returns a pointer to itself (as an implementation of IInternetSecurityManager).

  • IOleClientSite is a COM interface that is queried by MSXML to set the secure base URL for a particular XML resource. It provides the simplest way to demonstrate the use of the secure base URL in MSXML security decisions. As implemented in the second example in this section, when you construct your site object, you pass the secure base URL as an argument. The constructor then saves the secure base URL in a private member. Your site object implements the GetMoniker method, which returns the secure base URL to MSXML.

  • IXMLDOMDocument can be used as an alternative to IOleClientSite. This interface contains the get_url() method, which retrieves the URL for the most recently loaded XML document.

MSXML will attempt to use either the IOleClientSite interface or the IXMLDOMDocument interface to discover the secure base URL. You can implement either of these two interfaces, but you should not implement both in your site object. Because it is generally simpler to implement IOleClientSite than IXMLDOMDocument, the former is recommended. The second example in this section, contained in the topic DOM Document with a Site Object (C++ Code Listing), implements IOleClientSite.

See Also

Security Manager Core Terminology and Concepts
Security Considerations: URL Security Zones API
DOM Document with a Site Object (C++ Code Listing)