Developing Safer ActiveX Controls Using the Sitelock Template

Last Friday, Microsoft released a new version of the SiteLock Template for ActiveX Controls. The SiteLock template helps ensure that controls you’ve developed for use on your websites cannot be repurposed and used by other (potentially malicious) websites.

Why use the SiteLock template?
Under the default security model for ActiveX controls, a control is either marked "safe" or "unsafe" for use on any website running inside Internet Explorer. A control that is marked “safe" can be used by any Web page, while a control marked “unsafe” will not run in IE.

The SiteLock Active Template Library (ATL) template enables ActiveX control developers to restrict the use of an ActiveX control to a predetermined list of domain names or security zones. This limits the ability of other Web pages to reuse the control. For example, you can use the SiteLock template to ensure that an ActiveX control developed for use within your Local Intranet cannot be used by pages in the Internet zone. This helps to reduce the attack surface presented by your control-- even if it contains a security flaw, that flaw cannot be exploited by pages on the Internet because your control will refuse to run outside of your Local Intranet.

How it works
The SiteLock Template determines where the control is being hosted and decides if the domain and security zone of the hosting Web page are permitted to run the control. If the hosting domain is not in a pre-selected list of “safe” domain names or security zones, the control declares itself unsafe and Internet Explorer unloads it.

The SiteLock Template replaces the standard ATL template with its own implementation of IObjectSafety, called IObjectSafetySiteLockImpl. It automatically queries the host for the URL of the Web page that is hosting the ActiveX control, extracts the protocol scheme and fully qualified domain name from that URL, and compares it to a list created by the developer at build time to see if the hosting site should be trusted.

In some cases, a control may also have a limited expected lifespan. Once the control’s useful lifespan has elapsed, it will be of no value—except to malicious sites if a security problem is found. Therefore, SiteLock also includes an optional mechanism to automatically “expire” the control after a certain date.

Other Resources
Last month, we blogged about best practices for developing ActiveX updates to help ensure that users of your ActiveX controls are always running the latest version.  

The MSDN article Designing Secure ActiveX Controls provides an overview of the ActiveX security model, what it means for a control to be safe, and other best practices for developing ActiveX controls. You can learn more about IE7 changes to ActiveX support in the MSDN article ActiveX Security: Improvements and Best Practices.

Call to Action
Please help Internet Explorer protect users of your ActiveX controls by incorporating the updated SiteLock Template when developing or updating your ActiveX controls.


Program Manager

Comments (58)
  1. anphanax says:

    Will there be an updated example of this ( that uses IObjectSafetySiteLockImpl?

  2. midio says:

    don’t care about a stupid template to be honest.

    support CSS2.0/CSS2.1 and CSS3.0 beta correctly


    support the javascript DOM correctly

    i don’t need a stupid activeX template thingy.

  3. Jerry Mead says:

    Interesting. The security & licensing of the ‘advanced’ functionality available from our controls Zeepe & ScriptX has been domain- and Security Zone-bound since its introduction in 1998.

    Of course, you guys knew that (because we’ve been talking to you under mutual NDA for all of those nine years), so – before we test for ourselves – presumably someone can advise us off-blog of any likely conflicts?


  4. bruce says:

    Call to Action: post something to do with CSS/DOM/JavaScript for IE8, or even for IE7.


    In IE7, garbage collection on closures is improved to handle (scenario a,b, & c)

    with notes to explain how they are broken in IE6, but can be worked around with example code.

  5. rc says:


    "Work on IE8 continues as they have repeatedly said, but they are not going to discuss it before they are ready."

    But he said unto them, Except I shall see in his hands the print of the nails, and put my finger into the print of the nails, and thrust my hand into his side, I will not believe. (John 20:25)

  6. The IE team have blogged about the release of a new version of the SiteLock Template for ActiveX Controls

  7. Fduch says:

    >they are not going to discuss it before they are ready.

    Ready? You mean like when they shipped IE7 with 1807 open bugs on Connect? (The whole Vista only had 1400 open bugs at that time. And Vista shipped a month later)

  8. program says:

    The IE team have blogged about the release of a new version of the SiteLock Template for ActiveX Controls ~~

  9. Windows Update Faux Pas says:

    Everyone perceives the danger of firearms; you could assuage other’s anxiety by adding security measures to the firearms, but—it’s still unsafe.

    I could have completely scrapped ActiveX, but Windows Update requires such dangerous piece to function.

    I don’t mind how secure ActiveX is; just upgrade IE to comply with latest W3C standard as other "developed" browsers, and I would die in peace.

  10. @midio and others:

    If you don’t use ActiveX it doesn’t mean that other don’t. I personally very happy with this addition (and a post). This is IE blog and developers can post everything they want related to IE.

    Why on earth everytime someone posts to this blog army of web devs start to complain about IE8 and standards. If you’re such fan of open standards and open source you’ve should known by now a very good phrase: "It will be ready when it’s done!"

  11. @Vilius:

    Bravo. I concur.


    Nobody likes a whiner.

  12. hAl says:

    The silence on the future development of IE on this blog is deafening !!!

    It is getting ridiculous.

  13. jacob ÷milas says:

    @Vilius: "It will be ready when it’s done!"

    Your statement implies that you actually believe it *will* be done. As hAl pointed out, the silence on IE development on this blog is deafening!

    There has been no statement about:

    DOM Methods will be fixed (and/or a flag/setting/trigger will be identified so that developers can count on the proper, W3C spec implementation.

    Form element fixes: disabled select options, radio buttons that fire onchange before onblur, DOM create/copies of radio/checkboxes that preserve their checked state.

    CSS Fixes: Full attribute selectors.

    GUI Fixes: re-write the prompt dialog so that it doesn’t look like a borland control from 1992 and make it work (correct position, correct button position, no message truncating, etc)

    Printing: don’t even get me started here

    Zooming: fixing the controls and chrome so that the interface doesn’t look like its exploding on itself

    Until we hear that these things are at least being worked on, we have little faith.

    btw, stating that "MS is actively working on IE8" tells us nothing.


  14. IEX says:

    They won’t even name the next version of IE until they’ve decided whether or not to release it.

  15. hAl says:

    And not just improvements on current features but also other features like downloadmanager, spellingchecking, different inpage search and add-on model…

  16. Bruce says:

    Al Billings – ex MS IE team member, sheds light on the demise of Borgzilla, and how it has essentially ruined confidence in IE (and MS) in the developer community.

    He’s bang on, on various points.

    There *should* be alpha builds available regularly.

    There *should* be a bug tracking system online, always, not shut down (air-quote)temporarily(/air-quote), and it should allow the community to self-triage where possible, and be "integrated" with MS internal tools to avoid pure swivel-chair exercises.

    and surprise, surprise……..

    TALK ABOUT IE8!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    Wow, wonder if I’ve heard that requested somewhere before?


  17. limvar says:

    I have try to use the developer toolbar but find a button works different.

    When click [find by click] why does it keep try to find every click? he should stop when I click first object

  18. Mike says:

    I think we need to start a petition to have Al Billings and Dave Massey come back to the IE team ! That way we might finally get some posts about IE8 and where things are headed, like back in the good old pre-IE7 release days.

  19. bill says:

    with the next patch, please remove the automatic execution of signed activex controls in the Internet zone. Let the user to decide if he want to run it or not. A lot of activex controls runs without user’s consent and that exposes the browser to flaws.

  20. bill says:

    @Faux Pas

    In Windows Vista, the new Windows Update doesn’t use activex. Buy Vista

  21. Walter says:

    @ Mike!

    As per your Petition:

    "Bring Al Billings & Dave Massey back into the IE team!"

    – Signed! Walter Braithwaite

  22. Al Billings says:


    That’s a nice thought but I’m a QA guy on Firefox over at Mozilla these days. I did a year in a startup, gathered some stock options, and then went back to doing what I love: browsers. Only, this time I’m working in the open source world and loving it (actually).

    Since I live and own a house in Oakland, California these days, I really doubt if I’ll be returning to Redmond anytime soon. After nearly nine years at Microsoft, I’d had enough and needed a change. I’m well into that change now.

    I appreciate the sentiment though. I actually think my talents, such as they are, have been better used in a much smaller company like Mozilla and our much smaller QA group (all of Mozilla is smaller than the number of QA people who work on IE).

    I have an impact within Mozilla that I would never have attained at Microsoft, even with all of my years there. I was never in a position to REALLY affect where IE was going, being just a mid-level guy in QA. The future of IE is less determined by the rank and file that work on it than by Microsoft’s corporate goals and strategy. Anything that conflicts with that winds up being stillborn or cut.


  23. Dave Massy says:


    I’m not sure I could be tempted back there either. I’m not sure I agree entirely with Al’s assessment but after eleven years at Microsoft it was time for me to leave.


  24. Fabian says:

    Are you guys still fixing bugs with your rendering engine? If so there are still alpha map errors, and min-width errors with css

  25. Jim says:

    Al: Hrm… a Firefox guy who left IE, posting his flamebait ruminations on the IEBlog.  

    I think you might have a bit of a credibility gap here.  Sour grapes, perhaps?

  26. Al Billings says:

    Jim, I’m posting here because my post on *my own blog* was mentioned here.

    You can think that I have a credibility gap all that you want. Yours is the first comment anywhere to even try to say that, so I don’t think that’s the prevailing wisdom.

    Besides, I worked on IE 4, IE5, IE6SP2, and IE7. I spent just a month shy of nine years at Microsoft, working mostly on browsers (I worked on MSN Explorer and the cancelled Netdocs as well). I think I have a pretty fair degree of credibility when it comes to discussing browsers, Internet Explorer, or Microsoft. Why do you think otherwise?

    As a Mozilla guy, I’m allowed to speak my mind with little fear of being chewed out for it. Why? Because Mozilla is an open company that embraces that openness by conducting most of its business in the public eye. I think that the IE team and Microsoft (in general) could learn a bit by that.

    In any case, as the only guy in the world, as far as I know, who has worked on both IE *and* Firefox, I expect that I’ll continue to have things to say about both.

  27. Chris says:

    I wonder how long it’ll take before the conspiracy theory’s begin about how Microsoft have in fact planted Al into the Firefox community, to bring it down from within!

  28. jenna says:

    @Chris: Since the quality control of Mozilla seems to outpace IE by leaps and bounds, I highly doubt it.

    If you read Al’s blog, you’ll see he has taken (as he states) to the open source software development concept quite well, and sees the power it gains over proprietary SW.

    I don’t write C++ (which I presume?) is what both IE and Firefox use at their core, but the simple fact that anyone that discovers a bug/performance issue in Firefox can code, and submit a patch is far beyond any locked software can manage.

    Even with that said, if I could "read" the IE code, I could likely spot where an error is occuring and even hint at what the fix would be: i.e. "This method is casting a number to a string, which causes issues on line: 1234 of blah, blah, blah"

    Take the top 10 Browser/DOM bugs in IE at the moment.  Is there anyone here that doesn’t believe that if IE was open sourced… just for a day!, that they couldn’t all be fixed?

    Now, ask yourself.. those top 10 bugs.. they were in IE6 too, weren’t they!.. count the days from the public release of IE6, until today.. $10 says it is a bit more than a day.. in fact.. ONE THOUSAND EIGHT HUNDRED AND FIFTY THREE DAYS (and counting!)

    I think though that we would all be quite happy if there were at least some news about what is being fixed or has been in IE 8.

    I don’t care if IE is proprietary, thats fine – if you want the burden of fixing all of it – go for it…… but please fill us in so that we know when it will be fixed.

  29. gabe says:

    firefox is 70 percent c++ code and 25 percent html/css the rest is JavaScript

  30. hAl says:

    The whole concept of the connect bug submitting site was useless as it is was. I can understand that the IE team would consider it a burden rather then a usefull tool.

  31. Al Billings says:

    Well, when the IE team lets its rather large community of users and web developers submit issues and track their results, hAl, perhaps something useful will be had.

    IE7 has been out a year. What has the IE team been doing for a year now? Do any of you know? One assumes that a team with more than 200 people has been doing *something* for a year now but you’d never know it from the blog posts or any other public conversation.

    In contrast, if you want to know what Opera is doing, you can find out, and they are a closed source project.

    If you want to find out what Mozilla is doing, you can see the plans and even watch bugs get resolved and check-ins happen.

    IE needs to open up. As I recall, having been around at the time and involved in some of the conversations, that *WAS* the point of this blog a few years ago. Obviously, since I left and at least two other proponents of this blog also left the IE team, the efforts here have stalled out.

    Are you really happy with the level of real content in this blog? Really?

    Al in Japan

  32. Al Billings says:

    I’ve posted a little something at

    I’d like to see an actual member of the IE team respond there (and to this thread here) instead of just ignoring this. Hey, guys, remember why you started blogging in the first place? Start talking to the web community about the future and IE8…

  33. Dave Massy says:


    I don’t entirely agree 🙂 IE isn’t and probably never will be open source.

    The IE team does need to open up at least to the level they had when IE7 was under development and show some vision or direction.

    Let’s be real though. Releasing nightly builds and watching bugs get resolved and checkins happen is not going to happen with IE and quite frankly given the noise they’d receive I don’t see the point.

    The IE team does need to start talking though. Currently only Eric Lawrence seems to post and respond to comments here. All online chats have stopped and it is as if the IE team has disappeared just as it did after the release of IE6. I know that isn’t the case but you can’t blame people for starting to think that when the team can’t be bothered to talk to their customers and engage in any conversation.


  34. Luthar says:

    @Dave and Al;

    I’m with Al on this.  Fine, IE is a closed source project, we get that.  But that doesn’t stop the IE team from telling us what they hope to do, or have done in IE8.

    Even the small things! like "Hey, we noticed the bug when you de-focus the printer selection dialog in a print preview too (when everything blanks out)", "and yes, we’ve fixed that!"

    Things like this are good, because:

    a.) It means you listened to the community and the bugs we reported.

    b.) You care about shipping a good SW product

    c.) It might be a minor thing, but its fixed now, we can move on to other things.

    d.) It tells us seriously, that MS HAS BEEN DOING SOMETHING!

    Otherwise, this blog has died.  It no longer contains any useful information on THE DEVELOPMENT of IE.

  35. Dave Massy says:


    I agree entirely. The IE team can talk about progress without issueing nightly builds or opening up their checkin process. This is abotu the IE team showing they care about their customers. Silence does not help. I know the individuals on the IE team do care about customers but it certainly isn’t being shown.


  36. A very undesirable CSS1 bug, simple/minimal test case for IE7, resize IE7 with the code in my reply post…

    I think it’s important to put emphasis on the all but confirmed fact that IE8 will probably be the last version of Internet Explorer for Windows XP. With the resistance to adopting Vista this version of IE will have a much more dramatic impact on the corporate strategy and general PR for Microsoft in the long term. It’s therefor probably in their best (corporate) interests (from my perspective) to keep a lid on things at the moment. I’m going to presume IE9 will be the DirectX 10 of sorts for Windows 7 and web designers. This is my take on the silence here and I won’t complain.

    I’d also like to point out a couple things. First off if you’re leaving a link to your homepage when you post on this blog you have (in my mind) a bit more credibility to what you say then just anonymously posting on the blog.

    Secondly Internet Explorer isn’t really that bad of a browser. IE4 handles a liquid layout I’ve been working on just fine. In fact it’s also keyboard-only accessible. It was released in September 1997, TEN years ago! Webkit nightly builds **STILL** can’t tab to anything other then form input elements rendering keyboard-only navigation (on either Windows or OS X) pretty much completely useless. In my not so humble opinion there is currently no "best" browser. Gecko has great CSS2 compliance, IE has great printer support (in comparison to other browsers especially Gecko, if you test this then ensure you’re using a printer specific stylesheet), Webkit has the best CSS3 property support, and Opera eh…it’s moderately good in all those categories. But no single browser/rendering engine truly shines above all others.

    Also I’ve started a new cartoon series on the lighter aspects of computer/internet software. Please enjoy my MS Paint skills in full glorious mono and default font! This one was partially inspired by the IE blog…

  37. Jim says:

    John A. Bilicki III: Your "All but confirmed fact" is pure speculation.  

    The reason no one would "confirm" such a statement is that Microsoft isn’t remotely close to making any kind of decision on the supported platforms for IE9.  As you point out, uptake of Vista is probably a major factor here.

  38. Al Billings says:

    Dave, I know that the IE team isn’t going to release nightly builds but, seriously, there are months that go by on this blog with only one post, maybe two, and they aren’t anything forward looking.

    Do you see a response from the IE team to comments here? No. Eric has responded in my blog but then he was always the most active on the blog and in talking to the public from the development team. Kudos to him.

    You and I will have to disagree about the value of having a bug database and communication of some sort (I see a lot of value in giving people a means to post issues and see comments on them, as well as validate other issues) but the sheer lack of communication for a year is appalling. IE7 has been done for a long time.

    Personally, I expect that there might be little to say and that the IE team has spent six months chasing Vista SP1 issues instead of working on IE8. I could be wrong though (as always).

  39. Dave Massy says:


    We agree on everything except on the value of releasing nightly builds. Everything else about the value of a bug database etc. we are in violent agreement on and I’m confused why you think I don’t agree with you since I’ve been saying pretty much the same thing for months. The shame of it is that we are having a conversation here but the IE team is completely failing to have a conversation with its customers. Shame on them.

    We all worked hard to start to reestablish IE’s credibility with developers during the IE7 project. We knew it was going to be a long hard slog and that it would take time, possibly longer than the IE7 project itself. Unfortunately all that hard work has been thrown away and any credibility we did establish during that time has been lost.


  40. Al Billings says:

    I guess I misunderstood, Dave. It’s good to see that we’re in violent agreement. 🙂

  41. Chris Wedgwood says:

    Since when has "Repurposed" been a word?

  42. hAl says:

    I am all for input by the IE community. However the connect site was useless in that regard.

    More usefull I think might be a public moderated forum or something like that. you could have different area’s for dicussing features, HTML and or CSS conformance, Rendering of pages, scripting and add-ons and make discussions more focussed.

    For straightforward bugtracking they might use an internet bugtracking tool but only for a limited (alpha)testing community and not for public use.

    It is worrying that the IE team does not give information on what they are doing. It seems uncertain whether they are actually producing something usefull and choose the solutions for issues that are what their customers want.

  43. rc says:


    "It is worrying that the IE team does not give information on what they are doing."

    There is no "IE team" at this moment, and they do nothing. Maybe in two or three years we will hear something.

    Somebody may not believe me again, but this "somebody" cannot adduce any real facts that refute my statements.

  44. EricLaw [MSFT] says:

    @Dave & Al: It’s always nice to see you guys here: I read your blogs with interest.

    @RC: I don’t know why you persist in attempting to perpetuate the fantasy that I and my many colleagues don’t exist.  

    Of course, once your theories are inevitably shown to be completely baseless, I suspect "RC" will disappear and we’ll get a new anonymous poster named "CR" who will invent a new set of tales for our amusement.

  45. EricLaw [MSFT] says:

    @Chris Wedgwood: Interesting question.  According to the Oxford English dictionary, "repurposed" dates back to 1984, with the same meaning used here.

  46. PatriotB says:

    Sitelock is very useful.  It would have stopped this issue dead in its tracks:

  47. rc says:

    "I don’t know why you persist in attempting to perpetuate the fantasy that I and my many colleagues don’t exist."

    Don’t distort my words. Maybe you do exist, if you want so, but no real work on future versions of IE exists. And I will repeat to contend this until somebody shows whatever REAL proof of the contrary.

    This is the common method of science: any thing is considered not existing until there is a scientifically grounded proof that it exist. Did you ever hear something about science?

  48. @ RC

    While the scientific statement is true that we must show proof to even suggest something exists in the first place you’re applying this in the wrong manner.

    What percentage of the time do Microsoft developers get to spend working on what they prefer? Assuming they get any time to do so would they (assuming they’d want to) be allowed to work on IE? Keep in mind that the IE team members have people above them who make a lot of decisions for them or box them in to limiting their options.

    From my perspective it’s pretty pointless to personally attack IE team members because they probably get little choice in the decision making as I’ve read from former employees. It’s sort of like yelling at some guy stuck in traffic because someone else decided to drive drunk and got in to an accident. What’s the point?

  49. Jon says:

    "any thing is considered not existing until there is a scientifically grounded proof that it exist"

    Hah.  You might want to wait until you reach Grade 7 before you start talking about science.  You’re not seriously trying to imply that DNA didn’t exist until 1953?  Bacteria magically sprang into the world in the 1860s?  

    Sigh.  If this is how the rest of today’s junior high students view the world, humanity is screwed.

  50. rc says:


    You dont’t understand the difference between "exists" and "is considered existing in the science".

  51. tom says:

    Direct Link to the MP3 Audio:

    Good talk, oddly enough, the ONLY talk about IE8 features and fixes… go figure!

    Executive / Developer Summary:


    – New Layout Engine

    – Standards Compliant (opt-in)*

    * Although not indicated, in IE8, if you want rendering to follow the spec for [some/all/certain] things, you (the developer) will need to "opt-in" somehow.  (The exact context of this is not indicated)

    Based on existing stuff in IE, the preliminary guess would be a CC (Conditional Comment), similar to the MOTW. to dictate/enforce desire to render in standards mode.

    In general summary… Chris Wilson cares about standards, and is doing whatever he can to ensure IE8 is on the right path!

    YEEE HAAAAAW!!!! I can’t wait!

  52. Thank you Tom for the interview clip.

    What Chris is ultimately saying and that I can agree with is that the standards were inconsistent and full of holes. Remember, the W3C does not exist directly for those using the code, but those who implement support for the code.

    To be completely fair we all have to remember that there are people writing these standards. Who is to say the standards they produce are absolutely perfect?

    (X)HTML / CSS Pyramid…

    W3C –> Browser Vendors –> Web Designers –> End Users

    Since there are going to be holes in the standards (HTML 4, XHTML 1.0, HTML 5, XHTML 5, CSS 1, CSS 2, CSS3, etc) it’s obvious that since Opera, Mozilla, and Microsoft aren’t exactly working in different cubicles on the same floor in the same building that if each of these browser vendors have to fill a hole that has no specification listed in the standard itself that they understandably are likely to implement different behaviors based on how they perceive the spec but at the same time as businesses they must release new versions of their software within a set time frame.

    What would ultimately benefit web designers is an active collaboration between web designers and browser vendors to collaboratively work together on patching holes in the standards. This means that instead of harassing Microsoft employees on their blog to instead ask them what holes exist in the standard, look at the standard, make inquiries to those responsible at the W3C, and work towards solutions that can be implemented in to the standards therefor giving a consistent patch to holes creating rendering engine inconsistencies.

    Who here knows much about the folks working over at the W3C? Do the people who work on (X)HTML and CSS dedicate all their work time to the specifications or do they have to do it in their spare time while working another job to pay the bills and support their families?

    (X)HTML 5 is an excellent chance to do exactly that. Unless you’re willing to cover the living expenses of W3C developers to free up their time and resources the extra work load could easily be handled by the community, standards are in some sense open source? Our input is taken in to consideration at the W3C.

    An example of seeing the opt-in mode is simple to me.

    The #body element on my site requires CSS2…

    #body {

    border: #f0f solid 1px;

    bottom: 4px;

    left: 4px;

    overflow: auto;

    position: absolute;

    top: 4px;

    right: 4px;


    Quirks mode in IE from my understanding after listening to Chris’s comments are the ‘best guess’ at how the spec would be implemented if the issue was covered. My layout with the #body is not buggy in IE7 but requires quirks mode by using the XML declaration in IE6 and earlier. Essentially I can agree with this implementation and while I’m not going to attempt to digest the W3C specs, figure out what point in time each version of IE was being developed how far along the specifications had reached, it supports another statement that Chris made that the standards aren’t complete yet and that many holes are still exist.

    With the new opt-in mode and following Chris’s comments I only have one comment, thank you IE Team!

  53. I was reading my buddy Alex Smolen’s post the other day on Java Applet Security and figured I would see

  54. optman says:

    在前面《再谈IObjectSafety》一文里,我们讲了声明一个ActiveX为脚本安全可能会被滥用而带来安全隐患。现在微软推出了一个新的ATL模板类IObjectSafetySiteLockImpl ,可以在编写ActiveX组件的时候设置只能在特定站点上加载,从而避免被恶意站点使用。

  55. IEBlog says:

    Hi, I’m Matt Crowley, Program Manager for Extensibility with Internet Explorer. The team was very excited

  56.     아래 글은 IEBlog에 올라온 IE 8 보안 관련 글 중 두번째 글을 번역한 것입니다. 현재 파트 5까지 나와있는데 시리즈로 번역할 예정입니다. 이 글 뿐

Comments are closed.

Skip to main content