none
What is the official solution to the "To help protect your security, your web browser ..." bar?

    Question

  • I tried to use the WebBrowser control on my .NET 3.5 WPF application.

    My application loads an XML and then transforms it into an HTML using XSLT and loads the HTML into the WebBrowser. The transformed HTML contains simple JavaScript to change the style of some elements dynamically. The JavaScript does NOT perform any risky operation to the system and there is no ActiveX control.

     

    The problem is, as you probably know, the WebBrowser control shows the yellow warning bar for every single page, not only once. I am running my application as Full Trust and as Administrator, but still I have to confirm the warning every single time. This seems to be ridiculous. When I open the same HTML with the stand-alone Internet Explorer or the Windows Form's WebBrowser the bar did NOT appear. That is, this warning bar only appears with WPF's WebBrowser.

     

    Of course, I tried to search Google before asking. There were some suggested solutions such as Web Mark Of Trust and using URL's like file://127.0.0.1/C$/. None of them worked and I wasted a few hours doing that. There were questions from other guys who also think those did not work. Maybe the solutions do not work any more?

     

    Since I once got a reply from a Microsoft developer (or a product manager) for other questions in this forum, I would like to hear about the official solution to this problem, if possible. I currently switched to the WindowsFormsHost/Form's WebBrowser as a workaround.

     



    • Edited by Jeong-hun Tuesday, April 12, 2011 7:09 AM To explain the situation.
    Tuesday, April 12, 2011 7:01 AM

All replies

  • Well... not an official MS answer... but...

    What's really odd is that you say you don't get the error in a stand alone browser.  You should get it in all IE browsers both the hosted controls and the stand alone browser.  It occurs when when you are reading an html file directly from your hard drive instead of from a web server.  You should be able to turn it off by turning off that security feature, but I don't recommend that.

    The normal solution is to put the file onto a web server.

    However, does this give you the error?

    string document_text = @"<html><body><h1>Test Page</h1><script type=""text/javascript"">document.write(""<p>"" + Date() + ""</p>"");</script></body></html>";
    web.NavigateToString(document_text);
    

    That works without error on my system. (Win XP)  It does however throw the error if I put the exact same html into a file and try and open that file with IE from my hard drive.

    Edit:  I'm pretty much 100% certain that the the official response is that this behavior is by design.


    John Fenton, MCC
    Wordmasters Direct Mail and Data Processing Services





    Friday, April 15, 2011 1:39 AM
  • Hello and thank you, Mr Fenton.

     

    No, your code did now show the warning bar, and the script worked. If the answer is 'by design', I think this design is stupid. What part of "full trust" and "administrative privilege" is not enough for executing simple JavaScript without warning? I could even delete Windows system files or mess up the system registry with those.

     

    Anyways, I could use the NavigateToString if the web page does not include any resources such as pictures. For now, I will just keep using WindowsFormHost + WinForm's  WebBrowser.

    Wednesday, April 20, 2011 2:53 AM
  • The content displayed in the web browser control is not "full trust" and does not have "administrative privledges" and frankly for security reasons, that is how it should be. I often use that control to browse content out on the Web, I certainly would not want to use it if it had all the security settings turned off by default.  IE has full trust and can be run as administrator, would you really feel safe if it automatically extended that same level of security to it's content.  The web browser is just a wrapper for IE, so in essence that is what you are asking IE to do.

    I played around a bit and discovered one thing.  The WPF browser is not respecting the security settings that are set in IE.  That might be worth posting on the connect site as a bug.  It would explain why you are only seeing the error in WPF.  If you plan on running your code on anything other that your current system you should consider that most systems will throw that error in both IE and in WinForms.  And many users will object to the idea of lowering their security levels for your app.

    If your only using it on your systems then WinForms is probably fine as a work around.

    NavigateToString isn't giving me any issues with pictures, so I'm not sure what issue you ran into.  Wrong path maybe?  I prefer this solution because it cannot easily be compromised.

    Injecting the MOTW into the HTML you are generating should also get rid of that error, and not require lower settings:

    Mark of the Web

    That page also explains why this security setting exists.  If MOTW is not working for you post your code.  It is working fine on my systems.  And should be working on yours.

    This file does not throw that error:

     

    <!-- saved from url=(0026)http://msdn.microsoft.com/ -->
    <html>
    <body>
    <h1>Test Page - Mark of the Web</h1>
    <script type="text/javascript">
    document.write("<p>" + Date() + "</p>");
    </script></body></html>
    
    

     


    John Fenton, MCC
    Wordmasters Direct Mail and Data Processing Services

    Wednesday, April 20, 2011 3:50 AM
  • By "Web Mark Of Trust" in my original post, I meant the "Mark of the Web". I used a wrong name. It never worked for me. Did it work for you? If it works, my life will be much easier.

     

    I did not know that the warning bar would appear even if I use the WinForm's web browser.  I should have tested it on more systems. Thank you for the information.

     

    It would be great if there is a native HTML display control with basic features in WPF. That is not related to IE, but a native WPF. It can just provide a subset of the  features that the full browser, and should be as fast as the WebBrowser control. Since my HTML is not that complicated, I was trying to switch the FlowDocumentViewer (if I remember the name correctly), but when the document was long, the resizing performance of the control was horrible (I mentioned that in this forum and the product manager said he would investigate the problem in the future versions of WPF).

     

    I also searched for other possibilities, such as a WebKit engine for .NET. It turned out to be too many files  and no support for 64bit applications.

     

    By the way, the reason I said about the images when using NavigateToString was the relative address of images. Come to think of it, I may just replace every URL of the images with absolute paths.

    Wednesday, April 20, 2011 4:21 AM
  • By "Web Mark Of Trust" in my original post, I meant the "Mark of the Web". I used a wrong name. It never worked for me. Did it work for you? If it works, my life will be much easier.

    No prob on the wording, I figured that was what you meant.  And yes tested on 2 systems (both XP) and no issues.  Try the above HTML and see if it works on your system.

    I did not know that the warning bar would appear even if I use the WinForm's web browser.  I should have tested it on more systems. Thank you for the information.

    Part of what was confusing me was that you weren't seeing it in IE.  So I turned of the security setting for this on my system and was surprised to see that IE didn't throw the error, but WPF still did.

    It would be great if there is a native HTML display control with basic features in WPF...

    That would be cool,Ive wanted one something like that at points.

    Speaking of alternate browsers, have you seen this:

    http://chriscavanagh.wordpress.com/2009/08/27/wpf-3d-chromium-browser/

    http://wpfchromium4.codeplex.com/

    Not an option as far as I'm concerned because of the licensing on Awesomium, but still cool.


    John Fenton, MCC
    Wordmasters Direct Mail and Data Processing Services
    Wednesday, April 20, 2011 7:16 AM