When using your component on
a Web page, there are additional considerations.
The .ocx file and all supporting files must
be on the target machine or downloaded across
the Internet. This makes code size and download
time an important consideration. Downloads can
be packaged in a signed .cab file.
Packaging Code for Downloading
The CODEBASE Tag
ActiveX components are embedded
in Web pages using the <OBJECT> tag. The
CODEBASE parameter of the <OBJECT> tag
specifies the location from which to download
the component. CODEBASE can point at a number
of different file types successfully.
Using the CODEBASE Tag with an OCX File
CODEBASE="http://www.mysite.com/mycontrol.ocx#version=3,6,0,0"
This solution downloads only the component's
.ocx file and requires any supporting DLLs to
already be installed on the client machine.
Using the CODEBASE Tag with an INF File
CODEBASE="http://www.mysite.com/trustme.inf"
An .inf file
will control the installation of an .ocx file
and its supporting files. This method is not
recommended because it is not possible to sign
an .inf file (see Signing Code for pointers
on code signing).
Using the CODEBASE Tag with a CAB File
CODEBASE="http://www.somesite.com/acontrol.cab#version=1,2,0,0"
Cabinet files are the recommended
way to package ActiveX components. Packaging
in a cabinet file allows an .inf file to be
included to control installation of the ActiveX
component and any dependent DLLs. Using a CAB
file automatically compresses the code for
quicker download.
If you are using a .cab file for component
download, it is faster to sign the entire
.cab file than each individual component.
Creating CAB Files
The CABinet Development
Kit can be obtained from the Microsoft developers'
Web site, http://www.microsoft.com/workshop/.
In this kit, you will find the necessary tools
to construct cabinet files.
The cabinet file pointed
to by CODEBASE should contain the .ocx file
for your ActiveX component and an .inf file
to control its installation. You create the
cabinet file by specifying the name of your
control file and an .inf file. Do not include
dependent DLLs that may already exist on the
system in this cabinet file.
The INF File
The following example, trend.inf,
lists the supporting files and the version
information needed for the VB TREND component.
Notice the location for the VB DLLs is a Microsoft
Web site. The *.cab is provided and signed
by Microsoft.
Contents of trend.inf:
[TREND.OCX]
file-win32-x86=thiscab
RegisterServer=yes
DestDir=
FileVersion=3,5,0,0
[ASYCFILT.DLL]
hook=AsycFilt.cab_Installer
FileVersion=2,20,4118,1
[AsycFilt.cab_Installer]
file-win32-x86=http://activex.microsoft.com/controls/vb5/AsycFilt.cab
InfFile=AsycFilt.inf
[MSVBVM50.DLL]
hook=MSVBVM50.cab_Installer
FileVersion=5,2,82,44
[MSVBVM50.cab_Installer]
file-win32-x86=http://activex.microsoft.com/controls/vb5/MSVBVM50.cab
InfFile=MSVBVM50.inf
[Setup Hooks]
AddToRegHook=AddToRegHook
[AddToRegHook]
InfSection=DefaultInstall
[DefaultInstall]
AddReg=AddToRegistry
[AddToRegistry]
; Mark safe for the trend control
; (7DD95801... = safe for scripting, 7DD95802... = safe for initializing)
HKLM,"SOFTWARE\Classes\CLSID\{9687C44A-906A-11D4-987D-DA7EAAB63647}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}"
HKLM,"SOFTWARE\Classes\CLSID\{9687C44A-906A-11D4-987D-DA7EAAB63647}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}"
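An added example, not part of the original page: a short Python audit of a download .inf that reports which supporting files are fetched from remote URLs and which CLSIDs the file registers under the two "safe" component categories used in trend.inf. The function names and the shortened sample are constructed for illustration.

```python
import re

# Well-known COM component categories used to mark a control as safe.
SAFE_CATIDS = {
    "7DD95801-9882-11CF-9FA9-00AA006C42C4": "safe for scripting",
    "7DD95802-9882-11CF-9FA9-00AA006C42C4": "safe for initializing",
}
CATEGORY_KEY = re.compile(r"CLSID\\\{([0-9A-F-]{36})\}\\Implemented\s+Categories"
                          r"\\\{([0-9A-F-]{36})\}", re.IGNORECASE)

def parse_inf(text):
    """Return {section name: [lines]} with comments and blank lines dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections

def audit_inf(text):
    """Report remote downloads and 'marked safe' registrations in an INF."""
    remote, safe = [], []
    for name, lines in parse_inf(text).items():
        for line in lines:
            key, _, value = line.partition("=")
            if key.strip().lower().startswith("file-") and "://" in value:
                remote.append((name, value.strip()))
            m = CATEGORY_KEY.search(line)
            if m and m.group(2).upper() in SAFE_CATIDS:
                safe.append((m.group(1).upper(), SAFE_CATIDS[m.group(2).upper()]))
    return {"remote_downloads": remote, "marked_safe": safe}

# Constructed sample: a shortened form of the trend.inf shown above.
SAMPLE_INF = r"""
[TREND.OCX]
file-win32-x86=thiscab
[MSVBVM50.cab_Installer]
file-win32-x86=http://activex.microsoft.com/controls/vb5/MSVBVM50.cab
[AddToRegistry]
HKLM,"SOFTWARE\Classes\CLSID\{9687C44A-906A-11D4-987D-DA7EAAB63647}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}"
HKLM,"SOFTWARE\Classes\CLSID\{9687C44A-906A-11D4-987D-DA7EAAB63647}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}"
"""

if __name__ == "__main__":
    print(audit_inf(SAMPLE_INF))
```

Reviewing the "marked safe" entries matters because, as the safety-level section of this page states, only components marked as safe are scriptable and keep persistent data at the stricter browser settings.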
The <OBJECT> Tag
The following example illustrates using the
<OBJECT> tag to package the VB TREND
component.
<OBJECT ID="Trend"
WIDTH="320" HEIGHT="86"
CLASSID="CLSID:9687C44A-906A-11D4-987D-DA7EAAB63647"
CODEBASE="Trend.CAB#version=3,5,0,0">
<param name="_ExtentX"
value="2646">
<param name="_ExtentY"
value="1323">
<param name="GridMode"
value="1">
<param name="GridStyle"
value="1">
</OBJECT>
In this case, trend.cab will contain two files,
TREND.ocx and trend.inf. The following command
will build the cabinet file:
C:\CabDevKit\cabarc.exe -s 6144 N trend.cab trend.ocx trend.inf
The -s 6144 parameter reserves space in the
cabinet for code signing.
The Version Tag
Note here that the #Version
information specified with a CAB file applies
to the component specified by the CLASSID
parameter of the <OBJECT> tag.
Depending on the version
specified, you can force download of your
component. For complete specifications of
the OBJECT tag including the CODEBASE parameter,
see the W3C reference.
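An added example, not part of the original page: a Python check that walks the <OBJECT> tags of a page, splits each CODEBASE value into URL, package type and #version, and attaches the packaging guidance given above. The function names are constructed, the second CLSID in the sample is a placeholder, and needs_download is an assumed model of the version check (download when the control is missing or older than the requested version), which the page does not spell out.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Notes per package type, taken from the CODEBASE discussion on this page.
PACKAGE_NOTES = {
    ".cab": "recommended: the whole package can be signed",
    ".ocx": "component only: supporting DLLs must already be installed",
    ".inf": "not recommended: an .inf file cannot be signed",
}

def parse_codebase(value):
    """Split a CODEBASE value into (url, package type, version tuple or None)."""
    parts = urlsplit(value)
    url = parts._replace(fragment="").geturl()
    ext = "." + parts.path.rsplit(".", 1)[-1].lower() if "." in parts.path else ""
    version = None
    if parts.fragment.lower().startswith("version="):
        fields = parts.fragment.split("=", 1)[1].split(",")
        if len(fields) != 4:
            raise ValueError("version needs four comma-separated fields: " + value)
        version = tuple(int(f) for f in fields)
    return url, ext, version

def needs_download(installed, required):
    """Assumed model: fetch when the control is absent or older than required."""
    return installed is None or (required is not None and installed < required)

class ObjectAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # one dict per <OBJECT> tag that carries a CODEBASE
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag != "object" or not attrs.get("codebase"):
            return
        url, ext, version = parse_codebase(attrs["codebase"])
        self.findings.append({"classid": attrs.get("classid", ""), "url": url,
                              "type": ext, "version": version,
                              "note": PACKAGE_NOTES.get(ext, "unrecognized package type")})

def audit_page(html):
    parser = ObjectAudit()
    parser.feed(html)
    return parser.findings

# Constructed sample: CODEBASE values quoted on this page; second CLSID is a placeholder.
SAMPLE_PAGE = """
<OBJECT CLASSID="CLSID:9687C44A-906A-11D4-987D-DA7EAAB63647" CODEBASE="Trend.CAB#version=3,5,0,0"></OBJECT>
<OBJECT CLASSID="clsid:00000000-0000-0000-0000-000000000000" CODEBASE="http://www.mysite.com/trustme.inf"></OBJECT>
"""
```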
Licensing Issues
If you want to use a licensed
component on a Web page, you must verify that
the license agreement allows its use on the
Internet and create a license package file
(LPK) for it.
A licensed ActiveX component
will not load properly in an HTML page if
the computer running Internet Explorer is
not licensed to use the component. For example,
if a licensed component was built using Visual
Basic, the HTML page using the component will
load properly on the computer where the component
was built, but it will not load on a different
computer unless licensing information is included.
To use a licensed ActiveX
component in Internet Explorer, you must check
the vendor's license agreement to verify that
the license for the component permits:
Redistribution
Use of the component on the Internet
Use of the Codebase parameter
To use a licensed component
in an HTML page on a non-licensed machine,
you must generate a license package file (LPK).
The LPK file contains run-time licenses for
licensed components in the HTML page. This
file is generated via LPKtool.zip
which comes with the ActiveX Software Development
Kit (SDK). You can download the ActiveX SDK
through the Microsoft Web site http://www.microsoft.com/activex.
To create an LPK file
Run lpktool.exe on a computer that is licensed to use the component.
In the License Package Authoring Tool dialog box, in the Available Controls list box, select each licensed ActiveX component that will be used on the HTML page and click Add.
Click Save & Exit and type a name for the LPK file. This will create the LPK file and close the application.
To embed a licensed component
on an HTML page
Edit your HTML page. In the HTML page, insert an
<OBJECT> tag for the License Manager
object before any other <OBJECT> tags.
The License Manager
is an ActiveX component that is installed
with Internet Explorer. Its class ID is shown
below. Set the LPKPath property of the License
Manager object
to the path and name of the LPK file. You
can have only one LPK file per HTML page.
<OBJECT CLASSID = "clsid:5220cb21-c88d-11cf-b347-00aa00a28331">
<PARAM NAME="LPKPath" VALUE="relative URL to .LPK file">
</OBJECT>
Insert the <OBJECT> tag for your licensed component after the License Manager tag. For example, an HTML page that displays the Microsoft Masked Edit component is shown below. The first class ID is for the License Manager component, the second class ID is for the Masked Edit component.
Change the tags to point to the relative path of the .lpk file you created earlier, and add an object tag including the class ID for your component.
Insert the <EMBED> tag for your LPK file, if using the NCompass ActiveX plug-in. If your component may be viewed on other ActiveX enabled browsers - for example Netscape using the NCompass ActiveX plug-in - you must add the <EMBED> syntax as shown below.
<OBJECT CLASSID = "clsid:5220cb21-c88d-11cf-b347-00aa00a28331">
<PARAM NAME="LPKPath" VALUE="maskedit.lpk">
<EMBED SRC ="maskedit.LPK">
</OBJECT>
<OBJECT CLASSID="clsid:C932BA85-4374-101B-A56C-00AA003668DC"
WIDTH=100 HEIGHT=25> </OBJECT>
Signing Code
Code signing is designed
to identify the source of code and to guarantee
that the code has not changed since it was
signed. Depending on browser safety settings,
users may be warned before the code is downloaded.
Users may choose to trust certain certificate
owners or companies, in which case, code signed
by those trusted will be downloaded without
warning. Code is digitally signed to avoid
tampering.
Make sure your final code
is signed so that your component can be automatically
downloaded without displaying trust warning
messages. For details on how to sign code,
check the documentation on Authenticode in
the ActiveX SDK. For more information on the
Microsoft code-signing initiative, check.
Depending on trust and browser
safety level settings, a certificate may be
displayed to identify the signing person or
company. If the safety level is none, or if
the signed component's certificate owner is
trusted, a certificate will not be displayed.
See Safety Levels and Control Behavior for
details on how the browser safety setting
will determine whether your component is downloaded
and a certificate displayed.
Digital signing guarantees
code has not changed since it's been signed.
A hash of the code is taken and embedded in
the certificate. This hash is later compared
with a hash of the code taken after the code
is downloaded but before it runs. Companies
such as Verisign can supply private and public
keys needed to sign code. The ActiveX SDK
ships with MakeCert, a utility for creating
test certificates, and two registry files,
wvtston.reg and wvtstoff.reg, for specifying
whether or not the browser should recognize
test certificates as valid.
Internet Explorer Browser
Safety Levels and Control Behavior
A browser has options for
safety level, configurable by the user. Because
Web pages can contain active content that
might potentially harm a user's computer,
browsers allow the user to select options
for safety level. Depending on the way a browser
implements safety levels, a component may
not be downloaded at all, or will display
a certificate or a warning message to allow
the user to choose at run time whether or
not to download the component. The behavior
of ActiveX components under high, medium,
and low safety levels on Internet Explorer
is listed below.
High Safety Mode
Unsigned components will not be downloaded.
Signed components will display a certificate if untrusted (a user can choose an option to always trust code from this certificate owner from now on).
Only components marked as safe will have persistent data and/or be scriptable.
Medium Safety Mode
Unsigned components will display a warning before downloading.
Signed components will display a certificate if untrusted.
Components not marked as safe will display a warning.
Low Safety Mode
Components are downloaded without warning.
Scripting and persistence occur without warning.