When using your component on a Web
page, there are additional considerations. The .ocx
file and all supporting files must be on the target
machine or downloaded across the Internet. This makes
code size and download time an important consideration.
Downloads can be packaged in a signed .cab file.
Packaging Code for Downloading
The CODEBASE Tag
ActiveX components are embedded
in Web pages using the <OBJECT> tag. The CODEBASE
parameter of the <OBJECT> tag specifies the
location from which to download the component. CODEBASE
can point at a number of different file types successfully.
Using the CODEBASE Tag with an OCX
This solution downloads only the component's .ocx
file and requires any supporting DLLs to already be
installed on the client machine.
Using the CODEBASE Tag with an INF
An .inf file will control the installation
of an .ocx file and its supporting files. This method
is not recommended because it is not possible to sign
an .inf file (see Signing Code for pointers on code
Using the CODEBASE Tag with a CAB
Cabinet files are the recommended way
to package ActiveX components in a cabinet file allows
an .inf file to be included to component installation
of the ActiveX component and any dependent DLLs. Using
a CAB file automatically compresses the code for quicker
download. If you are using a .cab file for component
download, it is faster to sign the entire .cab file
than each individual component.
Creating CAB Files
The CABinet Development Kit can
be obtained from the Microsoft developers' Web site,
In this kit, you will find the necessary tools to
construct cabinet files.
The cabinet file pointed to by CODEBASE
should contain the .ocx file for your ActiveX component
and an .inf file to control its installation. You
create the cabinet file by specifying the name of
your control file and an .inf file. Do not include
dependent DLLs that may already exist on the system
in this cabinet file.
The INF File
The following example, trend.inf,
lists the supporting files and the version information
needed for the VB TREND component. Notice the location
for the VB DLLs is a Microsoft Web site. The *.cab
is provided and signed by Microsoft.
Contents of trend.inf:
\\ Mark safe for the trend control \\
The <OBJECT> Tag
The following example illustrates using the <OBJECT>
tag to package the VB TREND component.
<OBJECT ID="Trend" WIDTH="320"
<param name="_ExtentX" value="2646">
<param name="_ExtentY" value="1323">
<param name="GridMode" value="1">
<param name="GridStyle" value="1">
In this case, trend.cab will contain two files, TREND.ocx
and trend.inf. The following command will build the
C:\CabDevKit\cabarc.exe -s 6144 N trend.cab trend.ocx
The -s 6144 parameter reserves space in the cabinet
for code signing.
The Version Tag
Note here that the #Version information
specified with a CAB file applies to the component
specified by the CLASSID parameter of the <OBJECT>
Depending on the version specified,
you can force download of your component. For complete
specifications of the OBJECT tag including the CODEBASE
parameter, see the W3C reference.
If you want to use a licensed component
on a Web page, you must verify that the license agreement
allows its use on the Internet and create a license
package file (LPK) for it.
A licensed ActiveX component will
not load properly in an HTML page if the computer
running Internet Explorer is not licensed to use the
component. For example, if a licensed component was
built using Visual Basic, the HTML page using the
component will load properly on the computer where
the component was built, but it will not load on a
different computer unless licensing information is
To use a licensed ActiveX component
in Internet Explorer, you must check the vendor's
license agreement to verify that the license for the
● Use of
the component on the Internet
● Use of
the Codebase parameter
To use a licensed component in an
HTML page on a non-licensed machine, you must generate
a license package file (LPK). The LPK file contains
run-time licenses for licensed components in the HTML
page. This file is generated via LPKtool.zip
which comes with the ActiveX Software Development
Kit (SDK). You can download the ActiveX SDK through
the Microsoft Web site http://www.microsoft.com/activex.
To create an LPK file
● Run lpktool.exe
on a computer that is licensed to use the component.
● In the License
Package Authoring Tool dialog box, in the Available
Controls list box, select each licensed ActiveX component
that will be used on the HTML page and click Add.
● Click Save
& Exit and type a name for the LPK file. This will
create the LPK file and close the application.
To embed a licensed component on
an HTML page ● Edit
your HTML page. In the HTML page, insert an <OBJECT>
tag for the License Manager object before any other
<OBJECT> tags. The License Manager is an ActiveX
component that is installed with Internet Explorer.
Its class ID is shown below. Set the LPKPath property
of the License Manager object to the path and name of
the LPK file. You can have only one LPK file per HTML
<OBJECT CLASSID = "clsid:5220cb21-c88d-11cf-b347-00aa00a28331">
VALUE="relative URL to .LPK file">
● Insert the
<OBJECT> tag for your licensed component after
the License Manager tag. For example, an HTML page that
displays the Microsoft Masked Edit component is shown
below. The first class ID is for the License Manager
component, the second class ID is for the Masked Edit
component. Change the tags to point to the relative
path of the .lpk file you created earlier, and add an
object tag including the class ID for your component.
● Insert the
<EMBED> attribute for your LPK file, if using
the NCompass ActiveX plug-in. If your component may
be viewed on other ActiveX enabled browsers - for example
Netscape using the NCompass ActiveX plug-in - you must
add the <EMBED> syntax as shown below.
<OBJECT CLASSID = "clsid:5220cb21-c88d-11cf-b347-00aa00a28331">
<PARAM NAME="LPKPath" VALUE="maskedit.lpk">
WIDTH=100 HEIGHT=25> </OBJECT>
Code signing is designed to identify
the source of code and to guarantee that the code
has not changed since it was signed. Depending on
browser safety settings, users may be warned before
the code is downloaded. Users may choose to trust
certain certificate owners or companies, in which
case, code signed by those trusted will be downloaded
without warning. Code is digitally signed to avoid
Make sure your final code is signed so that your component
can be automatically downloaded without displaying
trust warning messages. For details on how to sign
code, check the documentation on Authenticode?in the
ActiveX SDK. For more information on the Microsoft
code-signing initiative, check .
Depending on trust and browser safety
level settings, a certificate may be displayed to
identify the signing person or company. If the safety
level is none, or if the signed component's certificate
owner is trusted, a certificate will not be displayed.
See Safety Levels and Control Behavior for details
on how the browser safety setting will determine whether
your component is downloaded and a certificate displayed.
Digital signing guarantees code
has not changed since it's been signed. A hash of
the code is taken and embedded in the certificate.
This hash is later compared with a hash of the code
taken after the code is downloaded but before it runs.
Companies such as Verisign can supply private and
public keys needed to sign code. The ActiveX SDK ships
with MakeCert, a utility for creating test certificates,
and two registry files, wvtston.reg and wvtstoff.reg,
for specifying whether or not the browser should recognize
test certificates as valid.
Internet Explorer Browser Safety
Levels and Control Behavior
A browser has options for safety
level, configurable by the user. Because Web pages
can contain active content that might potentially
harm a user's computer, browsers allow the user to
select options for safety level. Depending on the
way a browser implements safety levels, a component
may not be downloaded at all, or will display a certificate
or a warning message to allow the user to choose at
run time whether or not to download the component.
The behavior of ActiveX components under high, medium,
and low safety levels on Internet Explorer is listed
High Safety Mode
components will not be downloaded.
components will display a certificate if untrusted
(a user can choose an option to always trust code
from this certificate owner from now on).
● Only components
marked as safe will have persistent data and/or be
Medium Safety Mode
components will display a warning before downloading.
components will display a certificate if untrusted.
not marked as safe will display a warning.
Low Safety Mode
are downloaded without warning.
and persistence occur without warning.