13
votes

I believe I am having a security problem related to using the embed tag with a WebBrowser control in my C# 2008 WinForms application.

Here is my code:

private void button2_Click(object sender, EventArgs e)
{
    webBrowser1.Navigate("C:/page1.html");
}

private void button1_Click(object sender, EventArgs e)
{
    webBrowser1.Navigate("about:blank");
    Thread.Sleep(1000);
    webBrowser1.Document.Write("<html><body><p>Hello</p><embed src='C:/test.wmv' /></body></html>");
}

This is the contents of page1.html:

<html><body><p>Hello</p><embed src='C:/test.wmv' /></body></html>

Button1 generates the word "Hello". Button2 generates the word "Hello" with an embedded movie player below it.

When I view the sources for both pages I notice they are identical, except for the name of the source file.

This leads me to believe it is something to do with my IE security settings, but I notice that I have full permissions set for embedded content. Perhaps the control doesn't recognize the source of the page as proper and therefore doesn't allow the embed tag to be used.

How can I overcome this programmatically? I want to avoid writing my page to file, and navigating to that file at all cost. Any suggestions on how to trick the browser control into working properly?

1st Editor:

According to this article Webbrowser Navigate Embedded Resource this will work, but I (JT) tried and it didn't:

System.IO.Stream stream = this.GetType().Assembly.GetManifestResourceStream("WindowsFormsApplication1.Properties.test.html");
webBrowser1.DocumentStream = stream;

Odd behavior while reproducing problem:

webBrowser1.Navigate("about:blank");
do
{
    Thread.Sleep(100);
} while (webBrowser1.IsBusy == true);

//Method 1. Doesn't work
string htmlString1 = File.ReadAllText("C:/page1.html");
webBrowser1.Document.Write(htmlString1);

//Method 2. Doesn't work
string htmlString2 = "<html><body><p>Hello</p><embed src='C:/test.wmv' /></body></html>";
webBrowser1.Document.Write(htmlString2);

//Method 3. DOES WORK
webBrowser1.Document.Write("<html><body><p>Hello</p><embed src='C:/test.wmv' /></body></html>");

Edit 2

Here is an example of a page created with JavaScript, with no real source file, that does display the embedded player in IE:

<html><head>
<script language="JavaScript">
function go()
{
test1 = window.open("","","menubar=0,status=0,toolbar=0");
test1.document.writeln("<html><body><p>Hello</p><embed src='test.wmv' /></body></html>");
}
</script>
</head><body><h1 onclick="go()">click</h1></body></html>

The only difference here is that IE thinks the source of the HTML is a file, although, it is created by "writeln".

While it is popular opinion that IE does not support the tag, it does, and there are many examples proving it. Attempting with IE on jsfiddle.net in IE will yield an embedded player, while in FF it will not.

Edit 3

This issue is related to cross-domain security. Not only do the newer versions of IE refuse to allow any changes to the domain of a page once it exists, the WebBrowser control doesn't let you write text to a document that already has text in it. Only the first call to Document.Write does anything. Not only is there no apparent way to force the domain of a page, there is also no way to write anything new to a page with a domain that is set because "openNew", which is required in order to do any writing, opens about:blank and defaults to a null domain that causes exceptions if set or get is attempted.

Edit 4

The issue lies in Cross-Domain security shenanigans. See THIS. IE8 decided that Document.Domain can't be written to. Even if it were writable, you can apparently never communicate between protocols. So the "file://" protocol, and the "about" protocol can't communicate, or have tags pointed at one another. Here are the stumbling blocks:

  • The version of IE used by the Browser Control can't do anything to Document.Domain, not even with JavaScript.
  • You can't read the domain of about:blank.
  • You can't load a page with the proper domain, and expect to use Document.Write to write HTML into it, because you are forced to call Document.OpenNew before using Document.Write.
  • You can't modify the DocumentText by using WebBrowser.DocumentText = anything because you can only set DocumentText once per navigation. This is like some other security thing.

In conclusion, it is sufficient to say that you don't have any extra control over security with the WebBrowser control, likely even less than you have with some JavaScript generated pages (because these pages share the domain of the launch script).

Thanks for the votes/support in my endeavor, but it looks like I'm going to give up and write a page to file every time I want to change what is in the browser control. Yuck.

3
Does webBrowser1.Refresh(); help? – Hans Z
Refresh() does not help. The content displayed remains identical. – Gorchestopher H
Funny, I had an IBM App Scan on one of my applications the other day and it picked up shelling a browser with query string parameters, but hard coded URLs were less of a threat. Perhaps this point (and my edit) might give someone else an idea as to what the problem is. – Jeremy Thompson
I am thoroughly confused why your "method 2" and "method 3" execute differently at all. I'm especially confused why "method 3" works for you, when my original example essentially is "method 3". Can anyone comment on the difference between "method 2" and "method 3"? – Gorchestopher H
I suppose I may have made the introduction to my problem a little obscure. Any help to get this question improved would be much appreciated. I'm surprised no one has a reasonable method to get the control to behave like IE, when the control uses IE. – Gorchestopher H

3 Answers

2
votes

The issue lies in Cross-Domain security shenanigans. See THIS. IE8 decided that Document.Domain can't be written to. Even if it were writable, you can apparently never communicate between protocols. So the "file://" protocol, and the "about" protocol can't communicate, or have tags pointed at one another. Here are the stumbling blocks:

  • The version of IE used by the Browser Control can't do anything to Document.Domain, not even with JavaScript.
  • You can't read the domain of about:blank.
  • You can't load a page with the proper domain, and expect to use Document.Write to write HTML into it, because you are forced to call Document.OpenNew before using Document.Write.
  • You can't modify the DocumentText by using WebBrowser.DocumentText = anything because you can only set DocumentText once per navigation. This is like some other security thing.

In conclusion, it is sufficient to say that you don't have any extra control over security with the WebBrowser control, likely even less than you have with some JavaScript generated pages (because these pages share the domain of the launch script).

Thanks for the votes/support in my endeavor, but it looks like I'm going to give up and write a page to file every time I want to change what is in the browser control. Yuck.
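
The fallback described above (write the page to a file and navigate to it, so the document gets a file origin like page1.html rather than about:blank), as an added example that is not code from the original posts. `FilePageHost` and its members are hypothetical names, and `WebUtility` assumes .NET 4.0 or later.

```csharp
using System;
using System.IO;
using System.Net;
using System.Text;
using System.Windows.Forms;

// Added example; FilePageHost and its members are hypothetical names.
public sealed class FilePageHost : IDisposable
{
    private readonly WebBrowser browser;
    private readonly string directory;          // private scratch directory for this instance
    private string currentFile, previousFile;

    public FilePageHost(WebBrowser browser)
    {
        this.browser = browser;
        directory = Path.Combine(Path.GetTempPath(), Path.GetRandomFileName());
        Directory.CreateDirectory(directory);
        browser.DocumentCompleted += OnDocumentCompleted;
    }

    // mediaPath must be an absolute local path such as C:/test.wmv (new Uri throws otherwise).
    public void ShowMedia(string caption, string mediaPath)
    {
        // Encode both values so neither can break out of the markup.
        string html = "<html><body><p>" + WebUtility.HtmlEncode(caption) + "</p>"
            + "<embed src=\"" + WebUtility.HtmlEncode(new Uri(mediaPath).AbsoluteUri) + "\" />"
            + "</body></html>";
        string file = Path.Combine(directory, Path.GetRandomFileName() + ".html");
        File.WriteAllText(file, html, Encoding.UTF8);
        previousFile = currentFile;
        currentFile = file;
        browser.Navigate(new Uri(file));        // document origin is now a file URL
    }

    private void OnDocumentCompleted(object sender, WebBrowserDocumentCompletedEventArgs e)
    {
        // The replaced page is no longer displayed, so its file can be removed.
        if (previousFile != null) { File.Delete(previousFile); previousFile = null; }
    }

    public void Dispose()
    {
        browser.DocumentCompleted -= OnDocumentCompleted;
        try { Directory.Delete(directory, true); } catch (IOException) { }
    }
}
```

Create one instance per WebBrowser control and dispose it with the form so the scratch directory does not outlive the application.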

1
votes

This is why:

http://msdn.microsoft.com/en-us/library/windows/desktop/dd562847(v=vs.85).aspx

The preceding examples work in Firefox but not in Internet Explorer. To embed the Player control in a webpage that can be displayed by Internet Explorer, you must create an OBJECT element that has a classid attribute set to the class ID of the Windows Media Player control. The following example shows how to embed the Windows Media Player control in a webpage that can be displayed correctly by both Internet Explorer and Firefox. Script on the page detects the browser type and generates the appropriate OBJECT tag.

For your convenience here it is:

private void button3_Click(object sender, EventArgs e)
{
    webBrowser1.Navigate("about:blank");
    do
    {
        Thread.Sleep(100);
    } while (webBrowser1.IsBusy == true);

    string htmlString1 = File.ReadAllText("C:/test.html");
    webBrowser1.Document.Write(htmlString1);
    return;
}

Contents of Test.html:

<OBJECT id="VIDEO" width="320" height="240" 
    style="position:absolute; left:0;top:0;"
    CLASSID="CLSID:6BF52A52-394A-11d3-B153-00C04F79FAA6"
    type="application/x-oleobject">

    <PARAM NAME="URL" VALUE="c:\test.wmv">
    <PARAM NAME="SendPlayStateChangeEvents" VALUE="True">
    <PARAM NAME="AutoStart" VALUE="True">
    <PARAM name="uiMode" value="none">
    <PARAM name="PlayCount" value="9999">
</OBJECT>

1
votes

@GorchestopherH that's a shame to hear the outcome. You might wish to put the 4th edit as an answer - it'd be a shame to lose the 50pts bounty altogether.

The other solution is another webbrowser control: http://code.google.com/p/geckofx/

Embeding Firefox Brower In C# Using GeckoFX