Security Manager Core Terminology and Concepts
Before going into the details of a Security Manager implementation, you should understand the following core concepts and terms.
Secure Base URL and Base URL
These two terms are important in the context of a Security Manager. The secure base URL is the URL that a security manager uses to make security decisions. When the security manager determines that cross-zone access is occurring, it uses the secure base URL to determine the zone that is currently being accessed. The base URL is the current URL that a document is accessing. When you use MSXML to initially open a document, the secure base URL and base URL are the same: the URL of the initially opened document. If the document refers to and resolves another external document, when MSXML opens the other document the base URL changes to the new document’s URL, but the secure base URL stays the same (the URL of the original document).
URL Actions, Policies, and Zones
The following concepts relate to how MSXML interacts with URLs it processes in documents.
An action that MSXML can take while processing documents that might pose a security risk. Such actions include executing a script block in an XSLT context, running an ActiveX control, or loading a referenced document. For a complete list, see URL Action Flags.
A policy correlated to a specific URL action. In general, the policies you associate with most security actions are simple, and mirror the settings in the Internet Explorer user interface: Allow (Enable), Disallow (Disable), or Prompt the user for a decision. For example, if you are accepting and loading documents from unknown Internet sources, running scripts would be a high risk; in this case the policy for the Internet zone should be set to disallow running them. For a complete list, see URL Policy Flags.
URL Security Zone
A group of URLs that are assigned an equal level of permissions or trust. Each URL action for the zone has an appropriate URL policy assigned to it that reflects the level of trust given to URLs in that zone. For more information, see the URLZONE enumerated type.
URL Security Zones
Microsoft Internet Explorer 6.0 and later versions provide users with the ability to determine the level of security that they want for a particular URL Security Zone. The following table describes the complete list of these zones.
|Local Machine Zone (LMZ)||An implicit zone for content that exists on the local computer. This zone is treated with a high level of trust.|
|Trusted Zone||The list of sites to which the user have given trust. By default, the Trusted Sites zone uses the Low Template.|
|Intranet Zone||Includes all local (intranet) sites not listed in other zones, all sites that bypass the proxy server, and all network paths (UNCs). You can also add sites to the intranet zone and require server verification for all the sites in this zone. By default, the Local Intranet zone uses the Medium-Low Template.|
|Internet Zone||Websites on the Internet that do not belong to another zone. By default, the Internet zone uses the Medium Template (Medium-High Template in Internet Explorer 7).|
|Restricted Sites Zone||The list of sites for which the highest level of restriction are imposed. By default, the Restricted Sites zone uses the High Template.|
For more information on URL Security Zones Templates, see About URL Security Zone Templates.
The figure below reflects the default cross-zone and cross-domain access permissions used by MSXML. Note that these settings differ slightly from Internet Explorer security settings.
To create a custom security manager component, you have to write a class that provides MSXML some relevant security information, including the following:
The secure base URL.
The URL Security Zone of a specified URL.
The security policy for a specified URL action.
An instance of this class is generally called a site object, because MSXML interacts with it through the IObjectWithSite COM interface. To create your site object, write a class that, at minimum, implements the following interfaces.
||This interface is a part of the URL Security Zones API, which allows developers to manage URL security zones and create security zone managers.|
||Provides a generic access mechanism to locate a GUID-identified service that is provided by the object, either directly or as a proxy for another COM object. The
- The service ID (SID, a type of GUID) of the service.
- The interface ID (IID) of the desired COM interface of that service.
- The address of the caller's interface pointer variable, an
In most security decisions around zone policy, the caller is URLMON and the IID of the interface desired in return is
||Represents the primary means by which an embedded object obtains information about the location and extent of its display site, its moniker, its user interface, and other resources provided by its container. Your site object provides a moniker object to MSXML, which MSXML uses as the secure base URL.|
URLMON is the Microsoft Win32 implementation of the URL Moniker library. This library specifically deals with Web resource management. Monikers are resource identifiers that implement the
IMoniker COM interface.
MSXML has a dependency on URLMON, because URLMON (through the default MSXML-provided site object) provides the default implementation of the Internet Security Manager. When XML content is run within the security context of Internet Explorer, MSXML contacts URLMON every time it has to make a security-related decision, such as whether to allow script to run, or whether to include and import elements. Even outside the context of the browser, MSXML interacts with URLMON extensively. In general, MSXML is not aware whether a default or a custom security manager is being used.
MSXML takes the following steps whenever it has to make a security-related decision.
During application initialization, the application provides a site object to an MSXML object.
URLMON detects that a security decision must be made, and asks MSXML for a security manager.
MSXML responds by providing URLMON with (a pointer to) the security manager from its site object.
URLMON calls the security manager to make a security decision based on a URL and an action.