  1. Qt
  2. QTBUG-70983

ActiveQt doesn't support sandboxing

Details

    • Task
    • Resolution: Fixed
    • Not Evaluated
    • None
    • 5.11.0
    • ActiveX Support
    • None
    • Visual Studio 2015. Windows 7 & 10.

    • Windows

    Description

      Windows has, since Vista, supported a mandatory access control scheme referred to as Windows Integrity Mechanism, which can be used for application sandboxing. The CLSCTX_ENABLE_CLOAKING flag introduced in QTBUG-70744 can be combined with the instructions on https://msdn.microsoft.com/en-us/library/bb625960.aspx to instantiate ActiveX controls built as EXE in a limited privilege "low integrity" process. However, this doesn't work yet due to window parenting issues.

      More specifically, the CreateWindow call in ActiveQt-based controls fails with ERROR_ACCESS_DENIED, since it doesn't have permission to assign the container window as parent. According to https://groups.google.com/forum/#!topic/microsoft.public.win32.programmer.kernel/h7tsbl_OdR4 this is a known issue that is worked around by setting the parent window in the "high integrity" container process.

      Google Chrome already does this, and the implementation is found in https://github.com/chromium-googlesource-mirror/chromium/blob/master/src/content/browser/plugin_process_host.cc#L58
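
      The container-side workaround described above, as an added sketch that is not code from this issue, from Qt or from Chromium. It assumes the low-integrity control created its window as a top-level window and reported the HWND to the container; `adoptSandboxedWindow`, `childStyleFor` and `serverPid` are hypothetical names.

```cpp
// Added example: reparenting done by the container, not the sandboxed control.
#include <cstdint>

// Style bits with the values from winuser.h, repeated here so the style
// logic also compiles off Windows.
constexpr std::uint32_t kWsPopup        = 0x80000000u; // WS_POPUP
constexpr std::uint32_t kWsChild        = 0x40000000u; // WS_CHILD
constexpr std::uint32_t kWsClipSiblings = 0x04000000u; // WS_CLIPSIBLINGS
constexpr std::uint32_t kWsClipChildren = 0x02000000u; // WS_CLIPCHILDREN

// Style for a former top-level window that is about to become a child:
// clear WS_POPUP and set WS_CHILD before calling SetParent.
constexpr std::uint32_t childStyleFor(std::uint32_t style) {
    return (style & ~kWsPopup) | kWsChild | kWsClipSiblings | kWsClipChildren;
}

#ifdef _WIN32
#include <windows.h>

// Runs in the container process. controlWnd is the HWND reported by the
// low-integrity server; serverPid is the process the container launched.
bool adoptSandboxedWindow(HWND controlWnd, DWORD serverPid, HWND containerWnd) {
    DWORD ownerPid = 0;
    if (!IsWindow(controlWnd) || !GetWindowThreadProcessId(controlWnd, &ownerPid))
        return false;
    // The HWND arrives from an untrusted process: only adopt a window that
    // the sandboxed server actually owns.
    if (ownerPid != serverPid)
        return false;
    const auto style =
        static_cast<std::uint32_t>(GetWindowLongPtrW(controlWnd, GWL_STYLE));
    SetWindowLongPtrW(controlWnd, GWL_STYLE,
                      static_cast<LONG_PTR>(childStyleFor(style)));
    SetParent(controlWnd, containerWnd);
    // Confirm the new parent instead of relying on SetParent's return value.
    if (GetAncestor(controlWnd, GA_PARENT) != containerWnd)
        return false;
    ShowWindow(controlWnd, SW_SHOW);
    return true;
}
#endif
```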


          People

            kleint Friedemann Kleint
            forderud Fredrik Orderud