Defending ActiveX

One of the benefits of being in the industry for a few years(I’ve been professionally developing and providing systemconsulting services for 12 years now, and of course was in theamateur ranks for a decade before that) is that you get to seehistory revised firsthand. This is especially true in the webapp world, where the history of the platform is being rewritten bypeople who want to change it for their own gain, or who simplyweren’t involved in the industry and thus have incompleteknowledge, rewriting it purely out of ignorance.


A frequent loser in this rewriting is Microsoft: Whether it’simagining Microsoft to be a web app laggard (I was developing forthe Microsoft technology stack, making web apps that blowaway what people are amazed by today…6 and 7years ago. Microsoft was a web technology superstar,but because most shops remained committed to fat apps, or wantedcross platform capabilities, few embraced their innovations), orhaving no influence (a lot of the current platform was eitherinvented or implemented first by Microsoft. From IFRAMEs to most ofCSS to XMLHTTP. Others like behaviors and filtersdied an ignoble death). While Microsoft is far from aperfect netizen, a lot of what they did has significantly andpositively affected the web that we use today.

Rumor has it, and I am prone to believing it, that the web appplatform was getting so powerful that the Internet Explorer teamwas disbanded: It was becoming capable enough that manycorporations were switching many of their in-house applications toweb apps, and the worry was that even with IE-only web apps, tiedto IE-specific functionality, it was just a short jump tomaking them cross-platform (or allowing for parallel, slightly lesscapable cross platform options), dramatically reducing the lock-inof the Windows platform.

In any case, one Microsoft technology that is being particularlymaligned is the infamous ActiveX.

Of course the term itself is a bit of a mess, and offers aclassic example of Microsoft marketing gone awry (just like thedisaster of naming that was .NET. If people weren’t firedover that debacle, then justice wasn’tserved) – According to some Microsoftsources, ActiveX was a set of interfaces that could be addedto a COM (Component Object Model) object to allow it to interactwith the interface of an application. Generally encapsulated in.OCX files (Ole Custom Controls), these provided a replacement tothe venerable VBX controls of yesteryear, providing a binary,language-neutral visual control that could be used in any ActiveXenvironment: Whether a Visual Basic app, a Delphi app, aMS Access form, an Excel worksheet, or a Visual C++ app, youcould make use of a single ActiveX control. At one gig we neededtwo synchronized animated graphs showing engine performance for atradeshow presentation – one quick Delphi ActiveX control later,and it was in the presentation (integrated right in the PowerPoint)and working great. That was the power of ActiveX.

ActiveX was also the technology behind plug-ins in InternetExplorer – Instead of begging theNetscape cabal to let them into the inner circle of Netscapeplug-ins, ActiveX controls could be created by anyone and used inweb pages (presuming some security hurdles were jumped, such asgetting the controls signed). It was a free and open world for webextensions, and of course they proliferated by the thousands,though only a few remained when the dust settled.


Another definition is that ActiveX refers simply to COM controlsthemselves – if it’s a COM control, then it’s an ActiveX control.Another variant is that ActiveX refers to COM controls marked”SafeFor Scripting“.

In any case, COM was a great advance for the platform. Itprovided high performance, binary, language neutral,object-oriented controls that could be used throughout thesystem in a truly modular fashion. They could even be proxiedacross systems, or hosted in service modules (MTS which becamecomponent services).

Seeing the value of this powerful, extensible, system-widetechnology, the Internet Explorer team decided to implement a lotof its functionality via this mechanism – So long as you configuredit with the properregistry entries, and optionally implemented an interface stating its safety level, these components wereusable from scripting in Internet Explorer. An obvious, andincredibly powerful, example was the use of the XMLHTTPcomponent (a part of the MSXML library, which itself is a varietyof COM controls) from within Internet Explorer. Independently bothsides could be upgraded and changed, automatically benefitting theother side where desired. If you implemented visual controls, youcould implement specific functionality that couldn’t be handledwith traditional web technologies in something like Delphi orMFC/C++, and gain all of the advantages of the web model (suchas the document flow layout) alongside extremely rich controls.

It helped a lot of shops start transitioning to web applicationslong before the web platform could do it on its own.

The problem with ActiveX, and the main reason why it’s maligned(apart from the platform lock-in), is that several controls thatwere marked safe for scripting were not, in fact, safe forscripting: Either they were programmed sloppily, and opened holesfor buffer overflow and other nefarious activities, or they haddangerous operations that should never have been allowed fromwithin Internet Explorer. Whatever the case, they opened holes thatshouldn’t have been opened.

Specific implementations gave the whole technology – amodular, high-performance and highly extensible system – a badname. It could be said that it deserved it, given that it didn’tsandbox the operations of the scripted object, but that’s animplementation detail: At the core it really is a fantasticfoundation.

Tagged: [], [],[], []