Security Considerations: URL Security Zones API
This topic provides information about security considerations related to the URL security zones API. This topic doesn't provide all you need to know about security issues—instead, use it as a starting point and reference for this technology area.
- Using the Default Implementation
- Security Alerts
- Related topics
Using the Default Implementation
It is important that your custom security manager only process input that is both valid and specific to your application. This could include URLs with custom protocols, additional pieces of information not considered by the default manager, or custom URL actions that you wish to process. All other input should be handled by the default security manager by returning INET_E_DEFAULT_ACTION from the method you are implementing. Failure to defer to the default security manager may introduce security holes into your application by allowing invalid input to result in a successful method call.
For applications relying on the default security manager, it is important to make use of methods that generate secure information. Do not attempt to create your own security IDs or URLs based on the information you find in the security zone documentation. If your application generates or processes information independently of the default methods, it is possible to introduce subtle differences that can cause a URL to be placed into the wrong security zone.
Security Alerts
The following table lists features that, if used incorrectly, can compromise the security of your applications.
| Feature documentation | Alert |
|---|---|
| About URL Security Zones Templates, About URL Security Zones | Setting the registry keys |
| About URL Security Zones | Implementing IInternetSecurityManager methods incorrectly can compromise the security of your application. Any methods or URL actions that the customized security manager wants the default security manager to act on should return INET_E_DEFAULT_ACTION. If a method does not override default behavior and returns an HRESULT indicating success, the action is unhandled and can put users at risk of an elevation of privilege attack. |
| About URL Security Zones, IInternetHostSecurityManager::ProcessUrlAction | Using IInternetHostSecurityManager::ProcessUrlAction incorrectly can compromise the security of your application. Upon a return value indicating S_FALSE or any error, your component should assume that the URL action is not allowed under the current policy. If your component performs an action after receiving an error, users may be at risk of an elevation of privilege attack. |
| IInternetHostSecurityManager::GetSecurityId | Failure to use this method to obtain a security ID can compromise the security of your application. The formation of IDs should be handled by the default implementation when possible. If you generate your own security ID there may be slight differences from IDs generated by IInternetHostSecurityManager::GetSecurityId which may be exploitable by an attacker. |
| IInternetSecurityManager::GetSecurityId | Implementing this method incorrectly can compromise the security of your application. A custom implementation of IInternetSecurityManager::GetSecurityId should only generate IDs for hosts which cannot be handled by the default implementation. For all other hosts, this method should return INET_E_DEFAULT_ACTION. Attempting to duplicate the default implementation may result in the creation of IDs that are less secure and are susceptible to a spoofing attack. |
| IInternetSecurityManager::MapUrlToZone | Implementing this method incorrectly can compromise the security of your application. A custom implementation of IInternetSecurityManager::MapUrlToZone should only return zones for URLs which cannot or should not be handled by the default implementation. For all other URLs, this method should return INET_E_DEFAULT_ACTION. Attempting to duplicate the default implementation may result in the incorrect mapping of zones and possibly leave users susceptible to spoofing or elevation of privilege attacks. |
| IInternetSecurityManager::ProcessUrlAction | Implementing this method incorrectly can compromise the security of your application. A custom implementation of IInternetSecurityManager::ProcessUrlAction should only process URL actions which cannot or should not be handled by the default implementation. For all other URL actions, this method should return INET_E_DEFAULT_ACTION. Attempting to duplicate the default implementation may result in the incorrect processing of URL actions and possibly leave users susceptible to elevation of privilege attacks. |
Â