ActiveX is a software framework created by Microsoft for sharing information and functionality among different applications. As for web application, ActiveX only works with Internet Explorer.
Choose a secure ActiveX control
Due to the fact that ActiveX control can literally do anything you can do to a computer, it is important that you choose a secure ActiveX that you can trust.
Things you can check:
- Whether the ActiveX is digitally signed
If an unsigned control is infected by a virus or maliciously changed by hackers, and it has full access to the resources on your machine, it’d be very dangerous. Digital signing tells users where the control came from and verifies that the control has not been tampered with since its publication.
- Whether the control is marked safe for initializing and scripting
This way, you can protect by restricting the domains in which the control can be scripted. This is referred to as “site locking” (or, locking down your control) and makes it harder for a control to be maliciously repurposed.
Licensing ActiveX control
Windows Internet Explorer uses the license package file (LPK) to verify if an ActiveX control is licensed. The LPK file can be included in any HTML page by using the OBJECT object.
Below is a simple sample:
<OBJECT CLASSID="clsid:5220CB21-C88D-11cf-B347-00AA00A28331"> <PARAM NAME="LPKPath" VALUE="time.lpk"> </OBJECT>
- The CLSID identifies the object as a license package
- The PARAM object specifies the relative location of the license package file with respect to the HTML page.
Note: Only one .lpk file can be included in a given HTML page.
However, we have received quite a lot requests on license error from our customer using our TWAIN scanning ActiveX. Because it is cumbersome to create LPK files – users need to download the LPK tool, ensure the license information of the ActiveX on the machine is correct, and run the LPK tool to generate a LPK file and then put the LPK at proper path and refer to it in the LPK object correctly. During the steps, it is easy for web developers to miss something and got license error for ActiveX.
So for Dynamic Web TWAIN, the TWAIN interface for web application, we have introduced another way to license the control – using a ProductKey property to license Dynamic Web TWAIN ActiveX at runtime.
Deploy ActiveX control on web server
ActiveX control is usually package in CAB file, which helps reduce the file size and the associated download time for Web content from web servers.
An ActiveX control is identified by the OBJECT object in an HTML file. If the control has been stored in a .cab file, OBJECT must include a CODEBASE attribute that specifies the URL for this .cab file.
For example, below is the object for the trial version of Dynamic Web TWAIN ActiveX v9.0:
<object classid = "clsid:FFC6F181-A5CF-4ec4-A441-093D7134FBF2" id="DWObject" CodeBase = "DynamicWebTWAIN.cab#version=9,0"style ="width :500px; height:500px;">
<param name = "Manufacturer" value = "Dynamsoft Corporation" />
<param name = "ProductName" value = "Dynamic Web TWAIN" />
After you deploy the ActiveX on web server properly, on the first visit of web page with the control, users will get prompt to install the control.
Here is what it looks like when you visit the web scan page with Dynamic Web TWAIN ActiveX:
You can try it out by visiting the online demo of Dynamic Web TWAIN.
Besides CAB, you can also use MSI installer for ActiveX control. In that case, you can add a download link to the path of the MSI file for end users to download and install it on client machines.