overriding GetSecurityId in IInternetSecurityManager

Question

I have built an executable which launches a dialog box in which is embedded the IE web browser active-x control (C++).

I want this control to allow cross site scripting. One frame on the web page loads local html, the other loads from a server. I then want the server page to call a javascript function that lives in the local html file.

I am trying to achieve this by having the control implement it's own "IInternetSecurityManager" interface in which I am providing my own ProcessUrlAction and GetSecurityId methods.

From what I've read, what I need to do is make GetSecurityId return the same domain for all urls. My custom implementations are getting called, but no matter what I do, I get the "Permission denied" error when the server html tries to access script on the local html file. Below are my implementations. Does anyone see anything wrong?

#define SECURITY_DOMAIN "http:www.mysite.com"


    STDMETHOD (GetSecurityId)(      
        LPCWSTR pwszUrl,
        BYTE *pbSecurityId,
        DWORD *pcbSecurityId,
        DWORD_PTR dwReserved)
    {
        if (*pcbSecurityId >=512)
        {
            memset(pbSecurityId,0,*pcbSecurityId);
            strcpy((char*)pbSecurityId,SECURITY_DOMAIN);
            pbSecurityId[strlen(SECURITY_DOMAIN)] = 3;
            pbSecurityId[strlen(SECURITY_DOMAIN)+1] = 0;
            pbSecurityId[strlen(SECURITY_DOMAIN)+2] = 0;
            pbSecurityId[strlen(SECURITY_DOMAIN)+3] = 0;

            *pcbSecurityId = (DWORD)strlen(SECURITY_DOMAIN)+4;
            return S_OK;


        }
        return INET_E_DEFAULT_ACTION;
    }

STDMETHOD(ProcessUrlAction)(
        /* [in] */ LPCWSTR pwszUrl,
        /* [in] */ DWORD dwAction,
        /* [size_is][out] */ BYTE __RPC_FAR *pPolicy,
        /* [in] */ DWORD cbPolicy,
        /* [in] */ BYTE __RPC_FAR *pContext,
        /* [in] */ DWORD cbContext,
        /* [in] */ DWORD dwFlags,
        /* [in] */ DWORD dwReserved)
    {

        DWORD dwPolicy=URLPOLICY_ALLOW;
        if ( cbPolicy >= sizeof (DWORD))
        {
            *(DWORD*) pPolicy = dwPolicy;
            return S_OK;
        } 

        return INET_E_DEFAULT_ACTION;
    }

Answer 1

By delegating these functions to the normal security manager and having a look at the structures the normal security manager fills in, I was able to determine that my issue was in GetSecurityId. For my purposes, I wanted to set the security domain to be a local file for all comers.

#define SECURITY_DOMAIN "file:"

if (*pcbSecurityId >=512)
{
    memset(pbSecurityId,0,*pcbSecurityId);
    strcpy((char*)pbSecurityId,SECURITY_DOMAIN);
    pbSecurityId[strlen(SECURITY_DOMAIN)+1] = 0;
    pbSecurityId[strlen(SECURITY_DOMAIN)+2] = 0;
    pbSecurityId[strlen(SECURITY_DOMAIN)+3] = 0;
    pbSecurityId[strlen(SECURITY_DOMAIN)+4] = 0;

    *pcbSecurityId = (DWORD)strlen(SECURITY_DOMAIN)+4;
}