 | 
November 28th, 2008, 06:32 AM
| | Newbie | | Join Date: Nov 2008
Posts: 7
| | What is ActiveXObject?
Hi,
I am using ActiveXObject as
var xp = new ActiveXObject("WPrint.PrintCtl");
in my JSP application.
I have heard that using ActiveXObject may be dangerous for my application as I am using Bluetooth mode of communication. Can anyone tell me why ActiveXObject is dangerous?
Regards:
Rohit Kumar
Last edited by Nepomuk; November 28th, 2008 at 04:19 PM.
Reason: Moved to JavaScript
| 
November 28th, 2008, 11:14 AM
|  | Lives Here | | Join Date: Jan 2007 Location: India (West-Bengal) Age: 25
Posts: 2,164
| |
This is a JavaScript-related question ...
| 
November 28th, 2008, 05:46 PM
|  | Site Moderator | | Join Date: Nov 2006 Location: UK
Posts: 12,964
| |
ActiveX is usually limited to Internet Explorer on Windows. It's dangerous because it allows access to the operating system outside the browser sandbox. Any that you use should be from trusted sources and will require changes to your security settings.
| 
December 1st, 2008, 07:09 AM
| | Newbie | | Join Date: Nov 2008
Posts: 7
| | Quote:
Originally Posted by acoder ActiveX is usually limited to Internet Explorer on Windows. It's dangerous because it allows access to the operating system outside the browser sandbox. Any that you use should be from trusted sources and will require changes to your security settings. |
But I am not using Internet Explorer on the PDA (containing Windows Mobile 5.0). Instead I am using Lotus Expeditor (IBM product), which has its own browser, and our application runs over it. Will ActiveXObject be dangerous now?
| 
December 1st, 2008, 08:36 AM
|  | Site Moderator | | Join Date: Nov 2006 Location: UK
Posts: 12,964
| |
I'm not familiar with Lotus Expeditor. I'm not sure how it integrates ActiveX, so can't really comment on how effective it is with regards to security. You'd have better luck asking IBM.
| 
December 1st, 2008, 09:13 AM
|  | Moderator | | Join Date: May 2007 Location: Munich, Germany Age: 36
Posts: 3,448
| |
i'm not familiar with Lotus Expeditor either ... but as long as your application runs in a browser the potential security issues with ActiveX should be the same as with a normal browser. typically a browser doesn't allow any program to break out of the browser's sandbox, so you might consider the browser your runtime environment, and the code that runs in a browser app just has very limited access to machine resources like the file system or similar security-related resources. java applets might have some more possibilities but they run within the JVM and are even limited to the JVM's sandbox ... while an ActiveX control runs outside of any sandbox and might have direct access to all Windows resources ... so every time you use such a control you have a potential security risk unless you have really trusted controls, that could be verified, signed etc. ... so that it needn't be a real issue ... just make sure that you could trust the used controls ;)
kind regards
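
The advice above, to use only controls you can trust, can also be enforced in the page script so that no other ProgID is ever instantiated. This is an added example, not code from the thread or its posters; `TRUSTED_PROGIDS`, `hostFactory`, `createTrustedControl` and `stubFactory` are hypothetical names, and only the ProgID `WPrint.PrintCtl` comes from the question.

```javascript
// Added example. All function and variable names here are hypothetical;
// only the ProgID "WPrint.PrintCtl" is taken from the thread.
var TRUSTED_PROGIDS = { "WPrint.PrintCtl": true };

// Default factory: only works in a host that exposes ActiveXObject.
function hostFactory(progId) {
  return new ActiveXObject(progId);
}

// Instantiate a control only if its ProgID is on the allowlist.
// Returns a result object instead of throwing, so the page can degrade
// gracefully (for example, hide the print button) when the gate refuses.
function createTrustedControl(progId, factory) {
  // hasOwnProperty keeps inherited keys such as "constructor" from matching.
  if (typeof progId !== "string" ||
      !Object.prototype.hasOwnProperty.call(TRUSTED_PROGIDS, progId)) {
    return { ok: false, reason: "progid-not-allowlisted", control: null };
  }
  try {
    var control = (factory || hostFactory)(progId);
    return { ok: true, reason: null, control: control };
  } catch (e) {
    // A ReferenceError means the host has no ActiveXObject at all.
    var missing = e instanceof ReferenceError;
    return {
      ok: false,
      reason: missing ? "activex-unavailable" : "instantiation-failed",
      control: null
    };
  }
}

// Constructed stand-in for the host, so the gate can be exercised offline.
var created = [];
function stubFactory(progId) {
  created.push(progId);
  return { progId: progId };
}
```

The gate limits which controls the page script can load; whether the allowlisted control itself is trustworthy still depends on its source and signature, as the posts above say.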
| 
December 1st, 2008, 11:17 AM
| | Newbie | | Join Date: Nov 2008
Posts: 7
| | Quote:
Originally Posted by gits i'm not familiar with Lotus Expeditor either ... but as long as your application runs in a browser the potential security issues with ActiveX should be the same as with a normal browser. typically a browser doesn't allow any program to break out of the browser's sandbox, so you might consider the browser your runtime environment, and the code that runs in a browser app just has very limited access to machine resources like the file system or similar security-related resources. java applets might have some more possibilities but they run within the JVM and are even limited to the JVM's sandbox ... while an ActiveX control runs outside of any sandbox and might have direct access to all Windows resources ... so every time you use such a control you have a potential security risk unless you have really trusted controls, that could be verified, signed etc. ... so that it needn't be a real issue ... just make sure that you could trust the used controls ;)
kind regards |
But I use the ActiveXObject control in Bluetooth mode of communication. GPRS does not come into the picture at that time. So there is no use of Internet Explorer. Now will the ActiveX control be dangerous in this situation?
| 
December 1st, 2008, 01:45 PM
|  | Moderator | | Join Date: May 2007 Location: Munich, Germany Age: 36
Posts: 3,448
| |
i'm confused now ... what do you need the ActiveX control for now? is it part of the application or is it used for the communication only? bluetooth itself has its own drawbacks, and when you have an insecure connection then it doesn't matter whether you run an ActiveX control or whatever. when the ActiveX control could allow further access to your PDA like addresses, data, whatever ... then the control could open the next door to the attacker, but in case you avoid unauthorized connections then it shouldn't be a problem at all. i guess the application just runs locally on the PDA? ...
| 
December 2nd, 2008, 06:52 AM
| | Newbie | | Join Date: Nov 2008
Posts: 7
| |
The ActiveX control is part of the application. But it is used only one time, when the user wants to take a printout of that page. There is a form on that JSP page, in which the user fills in all details and clicks on the "print" button. Now Bluetooth and the ActiveX control come into the picture. By clicking on the print button a Bluetooth connection is established between the PDA and the Bluetooth printer. When the connection is established properly, the desired printout comes from the printer.
Yes, my application runs locally on the PDA after downloading fresh data to the PDA. And we need a GPRS connection for this. Actually we need a GPRS connection only 2 times (1: when fresh data is downloaded to the PDA; 2: when this data, after several modifications, is uploaded back to the server). Between these two points my application runs locally on the PDA.
| 
December 2nd, 2008, 09:32 AM
|  | Moderator | | Join Date: May 2007 Location: Munich, Germany Age: 36
Posts: 3,448
| |
so the only security risk i could see at the moment would be: when the bluetooth connection is established your PDA might be visible and an attacker could try to connect to it ... now the ActiveX control might be insecure and allow the attacker to steal something or load something up to the PDA ... a trojan or whatever ... but i guess that is quite more hype than reality :) ... first, i think it's a very short connection? next, i guess the bluetooth service of the PDA is just invoked when it is needed and not always running? The device should be hidden all the time? etc. ... what is more problematic than the ActiveX control in your case is just the bluetooth usage itself, which just needs to be secured as well as possible.
kind regards
| 
December 3rd, 2008, 10:38 AM
| | Newbie | | Join Date: Nov 2008
Posts: 7
| | Quote:
Originally Posted by gits so the only security risk i could see at the moment would be: when the bluetooth connection is established your PDA might be visible and an attacker could try to connect to it ... now the ActiveX control might be insecure and allow the attacker to steal something or load something up to the PDA ... a trojan or whatever ... but i guess that is quite more hype than reality :) ... first, i think it's a very short connection? next, i guess the bluetooth service of the PDA is just invoked when it is needed and not always running? The device should be hidden all the time? etc. ... what is more problematic than the ActiveX control in your case is just the bluetooth usage itself, which just needs to be secured as well as possible.
kind regards |
Ok. Thanks for your suggestion.
Last edited by nitinsingh1; December 3rd, 2008 at 10:39 AM.
Reason: spelling mistake