 

Problems with WebBrowser in Outlook plugin

  • Thursday, November 05, 2009 1:02 PM sevensteps
     

    Hi, I've created a couple of Office plugins. The plugin shows a set of html files installed on the client's computer. The plugin uses a COM-accessible assembly which shows a WinForm with a WebBrowser on it. The plugin makes the WebBrowser navigate to a file on the client's computer. The assembly is also used in other programs to show the same information.

    When showing the local html files using a 'normal' browser (e.g. double clicking a file in Windows Explorer) the browser pops up a security warning about running active content. This is because we have some javascript in it. This warning is suppressed by setting the 'Allow active content to run in files on My Computer' in the Internet Explorer settings. This solves the issue using a 'normal' browser.

    Funny enough the 'active content' warning is not shown when getting the same file using a Word/Excel/PowerPoint plugin. It calls the same assembly, using the same WinForm and using the same content. Despite the setting 'Allow active content to run from My Computer' being false, the content is shown without a warning and the javascript is executed.

    Now, the problem and the real question is that Outlook does the reverse. No matter what I use for 'Allow active content to run from My Computer' the browser warning about the active content in the html file is shown. When I confirm the message and allow the scripts to continue, the javascript runs fine. So, even when I set the 'Allow active content to run from My Computer' to true, the warning is given.

    I've gone through all (sort of) relevant settings in Outlook, but nothing helps.

    I assume that Outlook is using some kind of private context for a webbrowser (probably because it is using a webbrowser object internally).

    The real question is: how can I make the Outlook plugin respect the IE settings?

    (I understand this is a long story and maybe not clear enough. Please let me know if I have to elaborate more).

Answers

  • Friday, November 06, 2009 2:19 PM sevensteps
     Answer
    I couldn't get rid of the security warning without lowering the security setting. And that is not an option: we are talking about a project that will be installed on millions of computers.

    I decided to go another route. Let's see if we can make the browser trust the html pages. So, what to do to get rid of the 'Active content' warning.

    First I investigated what exactly triggers the warning. That was easy: any <script/> tag in your html file will do. And I need script, so removing that isn't an option. But, when hosted from a website, the scripts run fine and don't suffer from a warning. So, I investigated if it is possible to run my files in the Internet-context.

    I found out there is a way, at least for IE (which in my case is sufficient). If you save a webpage as a complete HTML file from IE, the browser adds a comment to the html to signal its origin. Something like: <!-- saved from url=(somewhere) -->. If you later open that stored html file, the file is shown in the Internet context.

    So, I tried adding <!-- saved from url=(0014)about:internet --> to the html file. And, voila, the file is opened in the Internet context. The security warning about active content is gone and the scripts are executed fine.

    But, that raised another problem. We have a couple of window.open statements in the scripts and using that causes the cross domain browsing problems that in recent IE versions are blocked. Even if you use a relative path in the window.open call, it fails and you end up with a blank window.

    In our case, we can (probably) decide to get rid of the window.open calls. But, if a reader ever finds a solution for using window.open in this scenario, I would be very happy if you let me know.

    So, for now: case closed...
    • Marked As Answer by sevensteps Friday, November 06, 2009 2:19 PM
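    The mark used in the answer above, as an added example that is not code from the thread: `(0014)` is the four-digit character count of the URL that follows (`about:internet` is 14 characters), so a hand-edited URL needs a recomputed prefix. The function names and the sample page are constructed for illustration; the sketch builds the comment, checks an existing one, and inserts it after any DOCTYPE.

```python
import re

# IE's "saved from url" comment: four-digit URL length in parentheses, then the URL.
MOTW_RE = re.compile(r"<!--\s*saved from url=\((\d{4})\)(\S+?)\s*-->", re.IGNORECASE)
DOCTYPE_RE = re.compile(r"\s*<!DOCTYPE[^>]*>[ \t]*\r?\n?", re.IGNORECASE)


def build_motw(url="about:internet"):
    """Return the comment for url with a correctly computed length prefix."""
    if not url or len(url) > 9999 or any(c.isspace() for c in url):
        raise ValueError("URL must be 1-9999 characters with no whitespace")
    return "<!-- saved from url=(%04d)%s -->" % (len(url), url)


def find_motw(html):
    """Return (url, length_ok) for the first mark in html, or None if absent."""
    m = MOTW_RE.search(html)
    if m is None:
        return None
    return m.group(2), int(m.group(1)) == len(m.group(2))


def ensure_motw(html, url="about:internet"):
    """Return html carrying a well-formed mark, adding or repairing one if needed."""
    found = find_motw(html)
    if found and found[1]:
        return html  # already well formed: leave the file untouched
    if found:  # mark present but its length prefix is wrong: rewrite it in place
        return MOTW_RE.sub(lambda m: build_motw(found[0]), html, count=1)
    m = DOCTYPE_RE.match(html)  # a DOCTYPE, if any, stays the first line
    pos = m.end() if m else 0
    return html[:pos] + build_motw(url) + "\r\n" + html[pos:]


if __name__ == "__main__":
    # Constructed sample page, not one of the files from the thread.
    page = "<!DOCTYPE html>\r\n<html><script>var ready = true;</script></html>"
    print(ensure_motw(page))
    print(find_motw("<!-- saved from url=(0013)about:internet -->"))
```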

All Replies

  • Thursday, November 05, 2009 4:28 PM Helmut Obertanner MVP, Answerer
     
    Hello,

    this is a security related problem. Because if you allow scripts to run inside of the Outlook Application Instance it could potentially harm your computer. Even if you allow local files to run opens a security hole as I know, because when you browse files, they are cached on your local filesystem. But I'm not a security expert.

    However - there are two possible solutions as I know:
    A: set the internal zone to allow scripts. You need to do it using the registry editor (That helped in the past for Active-X Controls shown in the Browser).
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]

    !!! Not recommended to lower security settings !!!!

    B: if you are in an ActiveDirectory Environment, use ADM files to adjust Outlook Security Settings (I'm not sure if that helps in your Environment)

    There's one other thing that maybe can help - but this is an advanced scenario.
    Create a resource-only DLL, and put in a HTML file with an IFrame.
    You can set the IFrame source dynamically using your Addin.
    This would be treated as safe, because the HTML is loaded from inside the Outlook Process.

    I have done this even with Silverlight Content - but only for Outlook Folders.

    Hope this helps, greets - Helmut

    Helmut Obertanner [http://www.x4u.de] [http://www.outlooksharp.de]
  • Friday, November 06, 2009 9:46 AM sevensteps
     

    Hello Helmut,

    Thanks for your answer. Sure it is a security issue.

    When you are talking about the ADM files for Outlook Security I assume you mean settings options in the group policy. I will have a look, but it won't help me much. This all is for a big deployment over millions of computers and I can't ask my customers to create those policies - they will simply refuse. I won't even begin to talk about lowering security settings :-|

    The HTML with iFrame might be a solution. I will try that. I will let you know if it helps.

    Thanks for now. It is greatly appreciated!

    Bart

  • Friday, November 06, 2009 11:08 AM sevensteps
     
    I have tried your embedded resource suggestion. Unfortunately this fails when I try to load something from the local hard disk. If I use an iframe, the iframe isn't loaded and stays blank without a message. If I try to do a javascript redirect, I get an access denied error. All these things work fine outside of the content of Outlook.

    I will have to think of something else. If you have any suggestions, I would be very grateful.
  • Friday, November 06, 2009 3:12 PM Helmut Obertanner MVP, Answerer
     
    Hi - The save about is a good hint.
    So what I did is to load the initial HTML with the IFrame from the Resource.dll
    Then - when you open the Inspector, get the HTMLDocument Object from Browser,
    get the IFrame Object and set the Source of the IFrame to whatever you want.
    That worked for me - no security warnings.

    I don't know how you changed the source of the IFrame.
    Greets - Helmut
    Helmut Obertanner [http://www.x4u.de] [http://www.outlooksharp.de]