login about faq

Loving your product, but I’m having difficulty accessing the ActiveX components from a plain .js script. Chilkat.FileAccess works fine when written within an HTA for example but not when run as a standalone script. Windows Scripting.FileSystemObject runs from a standalone script just fine, but it’s some 20x slower than your component. All my research on the matter indicates that the cause of the problem is that the ActiveX object is marked “Not Safe for Scripting”. Would you be willing to modify the component so that I may use it in this manner?

asked Jul 23 '12 at 09:48

chilkat's gravatar image

chilkat ♦♦

This is a good question. A good article I would recommend about Script and IE Security is located here: http://blogs.msdn.com/b/ericlippert/archive/2004/01/13/58403.aspx

This part of the article summarizes the issue:

An object which claims to support the "safe for untrusted callers" bit is saying "it does not matter what methods you call on me, I cannot possibly do anything harmful." Essentially the object is saying that its capabilities are so weak that no matter how hostile the caller, nothing bad will happen. The "Scripting.Dictionary" object is an example of such an object -- no matter what, it cannot do anything more than store a list of (key, value) pairs. It cannot format your hard disk or send your private data to www.evilbadguys.com.

An object which supports this bit is also known as a "safe for scripting" object -- it may be safely called from an untrusted script.

It wouldn't be right to mark Chilkat.FileAccess as "safe for scripting" because the intended purpose of the ActiveX is to read/write files, delete files, create/delete directories, etc. All of these things can obviously be harmful if used from an untrusted script. However, if used from a trusted script, or from a trusted Windows application (such as a VB6 app, Delphi app, etc.), then there is no issue.

Microsoft's Scripting.FileSystemObject should also be "not safe for scripting" for exactly the same reason. See http://social.msdn.microsoft.com/Forums/en/iewebdevelopment/thread/27092b49-7d3e-4d86-9ffb-223a26037c3f

The answer to your question is that it's not possible to mark the ActiveX as "safe for scripting". My suggestion for a workaround is to determine how to make your .js script a trusted script, and if trusted, then according to what the referenced article implies, you should be able to use an "unsafe" ActiveX from a trusted script.


answered Jul 23 '12 at 09:56

chilkat's gravatar image

chilkat ♦♦

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or __italic__
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported



Asked: Jul 23 '12 at 09:48

Seen: 1,573 times

Last updated: Jul 23 '12 at 09:56

powered by OSQA