When using your component on a Web page, there are additional considerations. The .ocx file and all supporting files must be on the target machine or downloaded across the Internet. This makes code size and download time an important consideration. Downloads can be packaged in a signed .cab file.
Packaging Code for Downloading
The CODEBASE Tag
ActiveX components are embedded in Web pages using the <OBJECT> tag. The CODEBASE parameter of the <OBJECT> tag specifies the location from which to download the component. CODEBASE can point at a number of different file types successfully.
Using the CODEBASE Tag with an OCX File
This solution downloads only the component's .ocx file and requires any supporting DLLs to already be installed on the client machine.
Using the CODEBASE Tag with an INF File
An .inf file will control the installation of an .ocx file and its supporting files. This method is not recommended because it is not possible to sign an .inf file (see Signing Code for pointers on code signing).
Using the CODEBASE Tag with a CAB File
Cabinet files are the recommended way to package ActiveX components in a cabinet file allows an .inf file to be included to component installation of the ActiveX component and any dependent DLLs. Using a CAB file automatically compresses the code for quicker download. If you are using a .cab file for component download, it is faster to sign the entire .cab file than each individual component.
Creating CAB Files
The CABinet Development Kit can be obtained from the Microsoft developers' Web site, http://www.microsoft.com/workshop/. In this kit, you will find the necessary tools to construct cabinet files.
The cabinet file pointed to by CODEBASE should contain the .ocx file for your ActiveX component and an .inf file to control its installation. You create the cabinet file by specifying the name of your control file and an .inf file. Do not include dependent DLLs that may already exist on the system in this cabinet file.
The INF File
The following example, trend.inf, lists the supporting files and the version information needed for the VB TREND component. Notice the location for the VB DLLs is a Microsoft Web site. The *.cab is provided and signed by Microsoft.
Contents of trend.inf:
[AddToRegistry] // Mark safe for the trend control //
The <OBJECT> Tag
The following example illustrates using the <OBJECT> tag to package the VB TREND component.
<OBJECT ID="Trend" WIDTH="320" HEIGHT="86"
<param name="_ExtentX" value="2646">
<param name="_ExtentY" value="1323">
<param name="GridMode" value="1">
<param name="GridStyle" value="1">
In this case, trend.cab will contain two files, TREND.ocx and trend.inf. The following command will build the cabinet file:
C:/CabDevKit/cabarc.exe -s 6144 N trend.cab trend.ocx trend.inf
The -s 6144 parameter reserves space in the cabinet for code signing.
The Version Tag
Note here that the #Version information specified with a CAB file applies to the component specified by the CLASSID parameter of the <OBJECT> tag.
Depending on the version specified, you can force download of your component. For complete specifications of the OBJECT tag including the CODEBASE parameter, see the W3C reference.
If you want to use a licensed component on a Web page, you must verify that the license agreement allows its use on the Internet and create a license package file (LPK) for it.
A licensed ActiveX component will not load properly in an HTML page if the computer running Internet Explorer is not licensed to use the component. For example, if a licensed component was built using Visual Basic, the HTML page using the component will load properly on the computer where the component was built, but it will not load on a different computer unless licensing information is included.
To use a licensed ActiveX component in Internet Explorer, you must check the vendor's license agreement to verify that the license for the component permits:
● Use of the component on the Internet
● Use of the Codebase parameter
To use a licensed component in an HTML page on a non-licensed machine, you must generate a license package file (LPK). The LPK file contains run-time licenses for licensed components in the HTML page. This file is generated via LPKtool.zip which comes with the ActiveX Software Development Kit (SDK). You can download the ActiveX SDK through the Microsoft Web site http://www.microsoft.com/activex.
To create an LPK file
● Run lpktool.exe on a computer that is licensed to use the component.
● In the License Package Authoring Tool dialog box, in the Available Controls list box, select each licensed ActiveX component that will be used on the HTML page and click Add.
● Click Save & Exit and type a name for the LPK file. This will create the LPK file and close the application.
To embed a licensed component on an HTML page
● Edit your HTML page. In the HTML page, insert an <OBJECT> tag for the License Manager object before any other <OBJECT> tags. The License Manager is an ActiveX component that is installed with Internet Explorer. Its class ID is shown below. Set the LPKPath property of the License Manager object to the path and name of the LPK file. You can have only one LPK file per HTML page.
<OBJECT CLASSID = "clsid:5220cb21-c88d-11cf-b347-00aa00a28331">
<PARAM NAME="LPKPath" VALUE="relative URL to .LPK file">
● Insert the <OBJECT> tag for your licensed component after the License Manager tag. For example, an HTML page that displays the Microsoft Masked Edit component is shown below. The first class ID is for the License Manager component, the second class ID is for the Masked Edit component. Change the tags to point to the relative path of the .lpk file you created earlier, and add an object tag including the class ID for your component.
● Insert the <EMBED> attribute for your LPK file, if using the NCompass ActiveX plug-in. If your component may be viewed on other ActiveX enabled browsers - for example Netscape using the NCompass ActiveX plug-in - you must add the <EMBED> syntax as shown below.
<OBJECT CLASSID = "clsid:5220cb21-c88d-11cf-b347-00aa00a28331">
<PARAM NAME="LPKPath" VALUE="maskedit.lpk">
<EMBED SRC ="maskedit.LPK">
</OBJECT CLASSID="clsid:C932BA85-4374-101B-A56C-00AA003668DC" WIDTH=100 HEIGHT=25> </OBJECT>
Code signing is designed to identify the source of code and to guarantee that the code has not changed since it was signed. Depending on browser safety settings, users may be warned before the code is downloaded. Users may choose to trust certain certificate owners or companies, in which case, code signed by those trusted will be downloaded without warning. Code is digitally signed to avoid tampering.
Make sure your final code is signed so that your component can be automatically downloaded without displaying trust warning messages. For details on how to sign code, check the documentation on Authenticode?in the ActiveX SDK. For more information on the Microsoft code-signing initiative, check .
Depending on trust and browser safety level settings, a certificate may be displayed to identify the signing person or company. If the safety level is none, or if the signed component's certificate owner is trusted, a certificate will not be displayed. See Safety Levels and Control Behavior for details on how the browser safety setting will determine whether your component is downloaded and a certificate displayed.
Digital signing guarantees code has not changed since it's been signed. A hash of the code is taken and embedded in the certificate. This hash is later compared with a hash of the code taken after the code is downloaded but before it runs. Companies such as Verisign can supply private and public keys needed to sign code. The ActiveX SDK ships with MakeCert, a utility for creating test certificates, and two registry files, wvtston.reg and wvtstoff.reg, for specifying whether or not the browser should recognize test certificates as valid.
Internet Explorer Browser Safety Levels and Control Behavior
A browser has options for safety level, configurable by the user. Because Web pages can contain active content that might potentially harm a user's computer, browsers allow the user to select options for safety level. Depending on the way a browser implements safety levels, a component may not be downloaded at all, or will display a certificate or a warning message to allow the user to choose at run time whether or not to download the component. The behavior of ActiveX components under high, medium, and low safety levels on Internet Explorer is listed below.
High Safety Mode
● Unsigned components will not be downloaded.
● Signed components will display a certificate if untrusted (a user can choose an option to always trust code from this certificate owner from now on).
● Only components marked as safe will have persistent data and/or be scriptable.
Medium Safety Mode
● Unsigned components will display a warning before downloading.
● Signed components will display a certificate if untrusted.
● Components not marked as safe will display a warning.
Low Safety Mode
● Components are downloaded without warning.
● Scripting and persistence occur without warning.