This flag essentially states that all methods invoked by this COM object will not damage or ruin the security posture of the system. For example, if an ActiveX COM object were used with Microsoft Word and marked safe for scripting, a malicious third-party script could be executed remotely on the object to delete files on the user's operating system.

Not marking a control for scripting would prevent any third-party scripts from accessing the control; however, most controls need the safe for scripting mark for proper use.

SFS places a large security guarantee on the ActiveX object, since it allows third-party users to create scripts that invoke the object. While security guarantees are ideal, they are tough to achieve and tough to maintain. A better method is to remove all SFS flags in an ActiveX object by default unless they are intended for use on the web and have been through a rigorous security evaluation.
Marking ActiveX Controls Safe for Initialization (SFI)
Similar to scripting, marking a control safe for initialization (SFI) with the IObjectSafety method allows controls to be invoked by third-party applications. Marking a control as SFI basically means that parameters associated with Object tag invocation cannot be misused.
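Because the text recommends removing SFS (and, by extension, SFI) marks from controls that have not been through a security evaluation, a practitioner first needs to know which controls on a host currently carry those marks. The following PowerShell audit script is an added example, not code from the book: it enumerates HKEY_CLASSES_ROOT\CLSID and reports every CLSID whose "Implemented Categories" subkey contains the Microsoft-defined component categories CATID_SafeForScripting ({7DD95801-9882-11CF-9FA9-00AA006C42C4}) or CATID_SafeForInitializing ({7DD95802-9882-11CF-9FA9-00AA006C42C4}), which is the registry-based way of declaring the same safety the text describes through IObjectSafety. The function name Get-ActiveXSafetyMarks is this example's own.

```powershell
# Component category GUIDs published by Microsoft for ActiveX safety marks.
$CATID_SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$CATID_SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'

function Get-ActiveXSafetyMarks {
    # Hypothetical helper for this example: lists CLSIDs that statically
    # declare themselves safe for scripting and/or safe for initialization.
    param(
        [string]$ClsidRoot = 'Registry::HKEY_CLASSES_ROOT\CLSID'
    )

    Get-ChildItem -Path $ClsidRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $clsidKey = $_
        $catPath  = Join-Path $clsidKey.PSPath 'Implemented Categories'
        if (-not (Test-Path -Path $catPath)) { return }

        # Each subkey name under "Implemented Categories" is a CATID GUID.
        $cats = @(Get-ChildItem -Path $catPath -ErrorAction SilentlyContinue |
                  ForEach-Object { $_.PSChildName })

        # -contains compares strings case-insensitively, so GUID casing does not matter.
        $sfs = $cats -contains $CATID_SafeForScripting
        $sfi = $cats -contains $CATID_SafeForInitializing
        if (-not ($sfs -or $sfi)) { return }

        $name   = (Get-ItemProperty -Path $clsidKey.PSPath -ErrorAction SilentlyContinue).'(default)'
        $server = $null
        $inproc = Join-Path $clsidKey.PSPath 'InprocServer32'
        if (Test-Path -Path $inproc) {
            $server = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
        }

        [pscustomobject]@{
            CLSID               = $clsidKey.PSChildName
            Name                = $name
            Server              = $server
            SafeForScripting    = $sfs
            SafeForInitializing = $sfi
        }
    }
}

# Usage: list all statically marked controls, most useful sorted by DLL path so
# third-party binaries outside the Windows directory stand out for review.
Get-ActiveXSafetyMarks | Sort-Object Server, Name | Format-Table -AutoSize
```

One caveat when reading the output: the registry categories capture only controls that declare safety statically. A control may instead answer IObjectSafety::GetInterfaceSafetyOptions at run time and never register a category, so a clean result from this audit does not prove that no control on the host considers itself safe for scripting or initialization; it narrows the list of controls that need a manual review of their IObjectSafety implementation.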