/*
 * Test helper: configures the IObjectSafety options of a script engine for
 * IID_IActiveScriptParse and verifies that they were applied.
 *
 * unk          object expected to expose IObjectSafety
 * use_sec_mgr  TRUE enables every option in the mask (untrusted data,
 *              IDispatchEx and security manager); FALSE enables only
 *              INTERFACE_USES_DISPEX
 */
static void set_safety_options(IUnknown *unk, BOOL use_sec_mgr)
{
    const DWORD all_opts = INTERFACESAFE_FOR_UNTRUSTED_DATA|INTERFACE_USES_DISPEX|INTERFACE_USES_SECURITY_MANAGER;
    const DWORD wanted_opts = use_sec_mgr ? all_opts : INTERFACE_USES_DISPEX;
    DWORD supported, enabled;
    IObjectSafety *safety;
    HRESULT hr;

    hr = IUnknown_QueryInterface(unk, &IID_IObjectSafety, (void**)&safety);
    ok(hr == S_OK, "Could not get IObjectSafety: %08x\n", hr);
    if(FAILED(hr))
        return;

    /* The mask always covers every option, so bits absent from wanted_opts are cleared. */
    hr = IObjectSafety_SetInterfaceSafetyOptions(safety, &IID_IActiveScriptParse, all_opts, wanted_opts);
    ok(hr == S_OK, "SetInterfaceSafetyOptions failed: %08x\n", hr);

    /* Poison the outputs so a getter that leaves them untouched is detected. */
    supported = 0xdeadbeef;
    enabled = 0xdeadbeef;
    hr = IObjectSafety_GetInterfaceSafetyOptions(safety, &IID_IActiveScriptParse, &supported, &enabled);
    ok(hr == S_OK, "GetInterfaceSafetyOptions failed: %08x\n", hr);
    ok(supported == all_opts, "supported=%x, expected %x\n", supported, all_opts);
    ok(enabled == wanted_opts, "enabled=%x, expected %x\n", enabled, wanted_opts);

    IObjectSafety_Release(safety);
}
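/*
 * Checks the object returned by the responseXML property of the global xhr:
 * it must expose IXMLDOMDocument and its IObjectSafety must report the
 * untrusted-caller, untrusted-data and security-manager options as enabled.
 *
 * expect_text  when NULL, the document is additionally passed to
 *              test_illegal_xml()
 *
 * Each interface pointer is used only after its call succeeded, so a failing
 * call is reported through ok() instead of dereferencing a NULL or
 * uninitialized pointer.
 */
static void test_responseXML(const char *expect_text)
{
    IDispatch *disp = NULL;
    IXMLDOMDocument *xmldom = NULL;
    IObjectSafety *safety = NULL;
    DWORD enabled = 0, supported = 0;
    HRESULT hres;

    hres = IHTMLXMLHttpRequest_get_responseXML(xhr, &disp);
    ok(hres == S_OK, "get_responseXML failed: %08x\n", hres);
    ok(disp != NULL, "disp == NULL\n");
    if(FAILED(hres) || !disp)
        return;

    hres = IDispatch_QueryInterface(disp, &IID_IXMLDOMDocument, (void**)&xmldom);
    ok(hres == S_OK, "QueryInterface(IXMLDOMDocument) failed: %08x\n", hres);
    ok(xmldom != NULL, "xmldom == NULL\n");
    if(FAILED(hres) || !xmldom) {
        IDispatch_Release(disp);
        return;
    }

    hres = IXMLDOMDocument_QueryInterface(xmldom, &IID_IObjectSafety, (void**)&safety);
    ok(hres == S_OK, "QueryInterface IObjectSafety failed: %08x\n", hres);
    if(SUCCEEDED(hres)) {
        hres = IObjectSafety_GetInterfaceSafetyOptions(safety, NULL, &supported, &enabled);
        ok(hres == S_OK, "GetInterfaceSafetyOptions failed: %08x\n", hres);
        /* A supported mask without the security manager bit is tolerated as broken(). */
        ok(broken(supported == (INTERFACESAFE_FOR_UNTRUSTED_CALLER | INTERFACESAFE_FOR_UNTRUSTED_DATA)) ||
           supported == (INTERFACESAFE_FOR_UNTRUSTED_CALLER | INTERFACESAFE_FOR_UNTRUSTED_DATA | INTERFACE_USES_SECURITY_MANAGER) /* msxml3 SP8+ */,
            "Expected supported: (INTERFACESAFE_FOR_UNTRUSTED_CALLER | INTERFACESAFE_FOR_UNTRUSTED_DATA | INTERFACE_USES_SECURITY_MANAGER), got %08x\n", supported);
        ok(enabled == (INTERFACESAFE_FOR_UNTRUSTED_CALLER | INTERFACESAFE_FOR_UNTRUSTED_DATA | INTERFACE_USES_SECURITY_MANAGER),
            "Expected enabled: (INTERFACESAFE_FOR_UNTRUSTED_CALLER | INTERFACESAFE_FOR_UNTRUSTED_DATA | INTERFACE_USES_SECURITY_MANAGER), got 0x%08x\n", enabled);
        IObjectSafety_Release(safety);
    }

    if(!expect_text)
        test_illegal_xml(xmldom);

    IXMLDOMDocument_Release(xmldom);
    IDispatch_Release(disp);
}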
/*
 * Exercises IObjectSafety on a script engine object:
 *  - GetInterfaceSafetyOptions must return E_POINTER when either output
 *    pointer is NULL;
 *  - for IID_NULL, IID_IActiveScript and IID_IActiveScriptParse the supported
 *    mask is untrusted-data | dispex | security-manager and only
 *    INTERFACE_USES_DISPEX is enabled before any option is set;
 *  - a mask that also carries INTERFACESAFE_FOR_UNTRUSTED_CALLER is rejected
 *    with E_FAIL;
 *  - setting exactly the supported mask succeeds and is reported back as
 *    enabled.
 */
static void test_safety(IUnknown *unk)
{
    const DWORD all_opts = INTERFACESAFE_FOR_UNTRUSTED_DATA|INTERFACE_USES_DISPEX|INTERFACE_USES_SECURITY_MANAGER;
    IObjectSafety *safety;
    DWORD supported, enabled;
    HRESULT hr;

    hr = IUnknown_QueryInterface(unk, &IID_IObjectSafety, (void**)&safety);
    ok(hr == S_OK, "Could not get IObjectSafety: %08x\n", hr);
    if(FAILED(hr))
        return;

    /* Either output pointer being NULL must be refused. */
    hr = IObjectSafety_GetInterfaceSafetyOptions(safety, &IID_NULL, &supported, NULL);
    ok(hr == E_POINTER, "GetInterfaceSafetyOptions failed: %08x, expected E_POINTER\n", hr);
    hr = IObjectSafety_GetInterfaceSafetyOptions(safety, &IID_NULL, NULL, &enabled);
    ok(hr == E_POINTER, "GetInterfaceSafetyOptions failed: %08x, expected E_POINTER\n", hr);

    /* State before any option is set, queried for three interface ids. */
    supported = 0xdeadbeef;
    enabled = 0xdeadbeef;
    hr = IObjectSafety_GetInterfaceSafetyOptions(safety, &IID_NULL, &supported, &enabled);
    ok(hr == S_OK, "GetInterfaceSafetyOptions failed: %08x\n", hr);
    ok(supported == all_opts, "supported=%x\n", supported);
    ok(enabled == INTERFACE_USES_DISPEX, "enabled=%x\n", enabled);

    supported = 0xdeadbeef;
    enabled = 0xdeadbeef;
    hr = IObjectSafety_GetInterfaceSafetyOptions(safety, &IID_IActiveScript, &supported, &enabled);
    ok(hr == S_OK, "GetInterfaceSafetyOptions failed: %08x\n", hr);
    ok(supported == all_opts, "supported=%x\n", supported);
    ok(enabled == INTERFACE_USES_DISPEX, "enabled=%x\n", enabled);

    supported = 0xdeadbeef;
    enabled = 0xdeadbeef;
    hr = IObjectSafety_GetInterfaceSafetyOptions(safety, &IID_IActiveScriptParse, &supported, &enabled);
    ok(hr == S_OK, "GetInterfaceSafetyOptions failed: %08x\n", hr);
    ok(supported == all_opts, "supported=%x\n", supported);
    ok(enabled == INTERFACE_USES_DISPEX, "enabled=%x\n", enabled);

    /* A mask with a bit outside the supported set (untrusted caller) must fail. */
    hr = IObjectSafety_SetInterfaceSafetyOptions(safety, &IID_IActiveScriptParse,
            all_opts|INTERFACESAFE_FOR_UNTRUSTED_CALLER, all_opts);
    ok(hr == E_FAIL, "SetInterfaceSafetyOptions failed: %08x, expected E_FAIL\n", hr);

    hr = IObjectSafety_SetInterfaceSafetyOptions(safety, &IID_IActiveScriptParse, all_opts, all_opts);
    ok(hr == S_OK, "SetInterfaceSafetyOptions failed: %08x\n", hr);

    /* Every supported option must now be reported as enabled. */
    supported = 0xdeadbeef;
    enabled = 0xdeadbeef;
    hr = IObjectSafety_GetInterfaceSafetyOptions(safety, &IID_IActiveScriptParse, &supported, &enabled);
    ok(hr == S_OK, "GetInterfaceSafetyOptions failed: %08x\n", hr);
    ok(supported == all_opts, "supported=%x\n", supported);
    ok(enabled == all_opts, "enabled=%x\n", enabled);

    IObjectSafety_Release(safety);
}
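/*
 * Test helper: sets IObjectSafety options for IID_IDispatch on unk.
 *
 * unk   object expected to expose IObjectSafety
 * mask  option bits to change
 * opts  requested values; only the bits also present in mask are passed on
 *
 * Returns early when IObjectSafety is not available, so the uninitialized
 * interface pointer is never dereferenced after a failed QueryInterface.
 */
static void set_safety_opt(IUnknown *unk, DWORD mask, DWORD opts)
{
    IObjectSafety *obj_safety;
    HRESULT hr;

    hr = IUnknown_QueryInterface(unk, &IID_IObjectSafety, (void**)&obj_safety);
    ok(hr == S_OK, "Could not get IObjectSafety iface: %08x\n", hr);
    if(FAILED(hr))
        return;

    hr = IObjectSafety_SetInterfaceSafetyOptions(obj_safety, &IID_IDispatch, mask, mask&opts);
    ok(hr == S_OK, "SetInterfaceSafetyOptions failed: %08x\n", hr);

    IObjectSafety_Release(obj_safety);
}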
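/*
 * Decides whether the object described by cs may be initialized from
 * untrusted data.
 *
 * If the object implements IObjectSafety it is asked to enable
 * INTERFACESAFE_FOR_UNTRUSTED_DATA for IID_IDispatch, and the load is allowed
 * only if it accepts. Otherwise the class must be registered in the
 * CATID_SafeForInitializing component category.
 *
 * This   document node; This->catmgr is used for the category lookup and is
 *        not created here
 * cs     object and CLSID under evaluation
 * ret    receives URLPOLICY_ALLOW or URLPOLICY_DISALLOW
 *
 * Always returns S_OK. Any failure results in URLPOLICY_DISALLOW, so the
 * decision fails closed and does not depend on assert() being compiled in.
 */
static HRESULT confirm_safety_load(HTMLDocumentNode *This, struct CONFIRMSAFETY *cs, DWORD *ret)
{
    CATID init_catid = CATID_SafeForInitializing;
    IObjectSafety *obj_safety;
    HRESULT hres;

    hres = IUnknown_QueryInterface(cs->pUnk, &IID_IObjectSafety, (void**)&obj_safety);
    if(SUCCEEDED(hres)) {
        hres = IObjectSafety_SetInterfaceSafetyOptions(obj_safety, &IID_IDispatch,
                INTERFACESAFE_FOR_UNTRUSTED_DATA, INTERFACESAFE_FOR_UNTRUSTED_DATA);
        IObjectSafety_Release(obj_safety);

        *ret = SUCCEEDED(hres) ? URLPOLICY_ALLOW : URLPOLICY_DISALLOW;
        return S_OK;
    }

    /*
     * The object is not under our control and may answer QueryInterface
     * differently from one call to the next, so the category manager cannot
     * be assumed to exist already. Refuse rather than dereference NULL.
     */
    if(!This->catmgr) {
        *ret = URLPOLICY_DISALLOW;
        return S_OK;
    }

    hres = ICatInformation_IsClassOfCategories(This->catmgr, &cs->clsid, 1, &init_catid, 0, NULL);

    /* Only S_OK means the class is in the category; S_FALSE and failures deny. */
    *ret = hres == S_OK ? URLPOLICY_ALLOW : URLPOLICY_DISALLOW;
    return S_OK;
}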
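/*
 * IHTMLXMLHttpRequest::get_responseXML implementation.
 *
 * Creates a DOMDocument, loads the response text into it and marks it, via
 * IObjectSafety, as used by an untrusted caller with untrusted data under the
 * security manager before returning it.
 *
 * iface  the request object
 * p      receives the document as IDispatch; the caller owns the reference
 *
 * Returns S_OK on success. A response that fails to parse still yields S_OK
 * with an empty document. If the document cannot be created, the response
 * text cannot be read, or the safety options cannot be applied, the failure
 * HRESULT is returned and *p is left untouched.
 *
 * The safety options are enforced with real error handling rather than
 * assert(): with NDEBUG an assert compiles to nothing, which would let a
 * document without these restrictions reach script.
 */
static HRESULT WINAPI HTMLXMLHttpRequest_get_responseXML(IHTMLXMLHttpRequest *iface, IDispatch **p)
{
    HTMLXMLHttpRequest *This = impl_from_IHTMLXMLHttpRequest(iface);
    const DWORD safety_opts = INTERFACESAFE_FOR_UNTRUSTED_CALLER |
        INTERFACESAFE_FOR_UNTRUSTED_DATA | INTERFACE_USES_SECURITY_MANAGER;
    IXMLDOMDocument *xmldoc = NULL;
    BSTR str;
    HRESULT hres;
    VARIANT_BOOL vbool;
    IObjectSafety *safety;

    TRACE("(%p)->(%p)\n", This, p);

    hres = CoCreateInstance(&CLSID_DOMDocument, NULL, CLSCTX_INPROC_SERVER, &IID_IXMLDOMDocument, (void**)&xmldoc);
    if(FAILED(hres)) {
        ERR("CoCreateInstance failed: %08x\n", hres);
        return hres;
    }

    hres = IHTMLXMLHttpRequest_get_responseText(iface, &str);
    if(FAILED(hres)) {
        IXMLDOMDocument_Release(xmldoc);
        ERR("get_responseText failed: %08x\n", hres);
        return hres;
    }

    hres = IXMLDOMDocument_loadXML(xmldoc, str, &vbool);
    SysFreeString(str);
    /* A parse failure is not an error for the caller: the empty document is returned. */
    if(hres != S_OK || vbool != VARIANT_TRUE)
        WARN("loadXML failed: %08x, returning an empty xmldoc\n", hres);

    hres = IXMLDOMDocument_QueryInterface(xmldoc, &IID_IObjectSafety, (void**)&safety);
    if(FAILED(hres)) {
        ERR("Could not get IObjectSafety: %08x\n", hres);
        IXMLDOMDocument_Release(xmldoc);
        return hres;
    }

    hres = IObjectSafety_SetInterfaceSafetyOptions(safety, NULL, safety_opts, safety_opts);
    IObjectSafety_Release(safety);
    if(FAILED(hres)) {
        /* Never hand out a document whose safety options could not be applied. */
        ERR("SetInterfaceSafetyOptions failed: %08x\n", hres);
        IXMLDOMDocument_Release(xmldoc);
        return hres;
    }

    *p = (IDispatch*)xmldoc;
    return S_OK;
}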
/*
 * Decides whether script running under url may use the object described by cs.
 *
 * Steps, in order:
 *  1. The security manager must allow URLACTION_SCRIPT_SAFE_ACTIVEX for url.
 *  2. If the object implements IObjectSafety, it must accept
 *     INTERFACESAFE_FOR_UNTRUSTED_CALLER (plus INTERFACE_USES_SECURITY_MANAGER
 *     when it reports support for it) on IID_IDispatchEx, or, failing that,
 *     the untrusted-caller option alone on IID_IDispatch.
 *  3. Otherwise its class must be registered in CATID_SafeForScripting; the
 *     category manager is created on first use and cached in This->catmgr.
 *  4. When CONFIRMSAFETYACTION_LOADOBJECT is set in cs->dwFlags, the final
 *     answer is delegated to confirm_safety_load().
 *
 * ret receives URLPOLICY_ALLOW or URLPOLICY_DISALLOW. Returns S_OK when a
 * decision was made, or the failure code of CoCreateInstance or
 * IsClassOfCategories, in which case *ret is not written.
 */
static HRESULT confirm_safety(HTMLDocumentNode *This, const WCHAR *url, struct CONFIRMSAFETY *cs, DWORD *ret)
{
    DWORD url_policy, supported, reported, wanted;
    IObjectSafety *safety;
    HRESULT hr;

    TRACE("%s %p %s\n", debugstr_w(url), cs->pUnk, debugstr_guid(&cs->clsid));

    /* FIXME: Check URLACTION_ACTIVEX_OVERRIDE_SCRIPT_SAFETY */

    hr = IInternetSecurityManager_ProcessUrlAction(This->basedoc.window->secmgr, url,
            URLACTION_SCRIPT_SAFE_ACTIVEX, (BYTE*)&url_policy, sizeof(url_policy), NULL, 0, 0, 0);
    if(FAILED(hr) || url_policy != URLPOLICY_ALLOW) {
        *ret = URLPOLICY_DISALLOW;
        return S_OK;
    }

    hr = IUnknown_QueryInterface(cs->pUnk, &IID_IObjectSafety, (void**)&safety);
    if(FAILED(hr)) {
        /* No IObjectSafety: rely on the component category registration. */
        CATID catid = CATID_SafeForScripting;

        if(!This->catmgr) {
            hr = CoCreateInstance(&CLSID_StdComponentCategoriesMgr, NULL, CLSCTX_INPROC_SERVER,
                    &IID_ICatInformation, (void**)&This->catmgr);
            if(FAILED(hr))
                return hr;
        }

        hr = ICatInformation_IsClassOfCategories(This->catmgr, &cs->clsid, 1, &catid, 0, NULL);
        if(FAILED(hr))
            return hr;

        /* Any success code other than S_OK means the class is not in the category. */
        if(hr != S_OK) {
            *ret = URLPOLICY_DISALLOW;
            return S_OK;
        }
    }else {
        /* The currently enabled options are fetched but not used; only the supported mask matters. */
        hr = IObjectSafety_GetInterfaceSafetyOptions(safety, &IID_IDispatchEx, &supported, &reported);
        if(FAILED(hr))
            supported = 0;

        wanted = (supported & INTERFACE_USES_SECURITY_MANAGER)
            ? (INTERFACESAFE_FOR_UNTRUSTED_CALLER | INTERFACE_USES_SECURITY_MANAGER)
            : INTERFACESAFE_FOR_UNTRUSTED_CALLER;

        hr = IObjectSafety_SetInterfaceSafetyOptions(safety, &IID_IDispatchEx, wanted, wanted);
        if(FAILED(hr)) {
            /* Retry on IDispatch without the security manager bit. */
            wanted &= ~INTERFACE_USES_SECURITY_MANAGER;
            hr = IObjectSafety_SetInterfaceSafetyOptions(safety, &IID_IDispatch, wanted, wanted);
        }

        IObjectSafety_Release(safety);

        if(FAILED(hr)) {
            *ret = URLPOLICY_DISALLOW;
            return S_OK;
        }
    }

    if(cs->dwFlags & CONFIRMSAFETYACTION_LOADOBJECT)
        return confirm_safety_load(This, cs, ret);

    *ret = URLPOLICY_ALLOW;
    return S_OK;
}