Web Technology


Dec. '96 - A.M. van Roeden

© 1996 - Webtechniques Magazine and A.M. van Roeden
  • Introduction
  • What is ActiveX?
  • OLE gets Active
  • ActiveX in Action - Internet Explorer
  • Authenticode Security
  • Activate your site
  • ActiveX and the web
  • Conclusion
  • Tools / How to
  • Books & URLs


The Internet is in a state of rapid development and expectations are high. As more and more people and businesses are getting connected, there is a growing sense that we’re really entering an era were information will be ‘at your fingertips’ (to quote BG). Partly responsible for this are several recent developments which not only will radically change the way we use the net, but will also make the net much more interesting and enjoyable to use.

One of these developments is Java, about which everyone know should have seen and heard enough to understand it’s consequences (it also was the subject of a WT special issue) and another is Microsoft’s ActiveX.

ActiveX was launched by Microsoft in early 1996 and being one of many new announcements (most of them claiming to be ‘revolutionary’, ‘complete’, ‘open’, etc.), I did not pay very much attention to it.

At the time I was quite occupied trying to figure out what Java was and how to program in the Java language. Besides, it seemed to me that ActiveX was only interesting in a Microsoft only environment such as company Intranets, because only Microsoft’s Internet Explorer supported ActiveX.

Another reason for my lack of attention was that I had very little experience programming for the Windows platform and didn’t know all that much about OLE, COM, VBX’s, OCX’s and so on.

I suspect that quite a few readers would agree having had these same thoughts, as a lot of them have a UNIX background (Web sites traditionally have been running on UNIX servers). I also suspect that for the most part, most UNIX users did not have much respect (to put it mildly) for Microsoft’s and/or its contributions to the IT industry.

I admit that I once was one of these users, but several (some personal) developments have changed my mind and made me decide to take a very good look at Microsoft’s Internet products and ActiveX in particular :

  • I recently started working for a company where I (have to) use Microsoft’s products (poor me) for may daily job as a Web master / developer / administrator
  • I attended Microsoft’s Site Builder Conference (Oct 28-30, San Jose, CA.) , were I saw and heard lots of interesting things about ActiveX
  • Netscape will support ActiveX in Netscape 4.0 (a component of its new Communicator suite) which means it will then be supported by all Web browsers (OK, 99%).
  • Microsoft submitted ActiveX to a standards organization (The Open Group), yielding to growing concerns in the industry about having too much control over the technology. This will ensure ActiveX will be ‘open’, as any widely used Internet technology should be.
  • I finally realized (a bit late) that, like it or not, we’re dealing with MICROSOFT here, which by itself should be reason enough to pay close attention when they announce a new technology.

What is ActiveX?

OK, before we have a look at what ActiveX really is, it maybe is a good idea to list here what it’s not, because there may be some confusion out there. ActiveX is not :

  • a programming language
  • an operating system
  • a platform
  • Microsoft’s version of Java
  • a devious scheme to ensure Microsoft will gain absolute control over Internet development (or is it ?)

Let’s try Microsoft’s own definition of ActiveX:

ActiveX is a set of technologies that integrate software components in a networked environment, regardless of the language in which they were created.

Sounds pretty impressive. Here are some more statements:

  1. ‘component software technology’
  2. ‘distributed object computing’
  3. ‘direct extension to Windows OS to support Internet software development’
  4. ‘ActiveX is the desktop applications passport to the net’
  5. ‘ActiveX is an integration technology, while Java is an Internet language’

Indeed, ActiveX is a technology which lets you create applications by putting together software components (1) that can be distributed over several computer systems (2).

Also, ActiveX is not limited to a Web browser, as most people will probably think -- it can also be used by regular Windows applications to enhance their capabilities with Internet functionality.

Microsoft has made an ActiveX SDK available as well as a number of components (ActiveX controls in Microspeak) that let Windows applications do things like loading Web pages, connecting to FTP sites, and so on (3 and 4).

The nice thing is that it also works the other way around, because with ActiveX it’s now also possible to let a browser run ActiveX controls that were formerly used only in desktop applications (OLE controls).

So ActiveX really cuts both ways -- on the one hand, it provides Internet capability to desktop apps and on the other hand it provides extra functionality to a Web browser. Microsoft likes to call these two concepts ‘the active desktop’ and ‘activate the Internet’.

Finally, the last statement (5) is also quite interesting:

Lots of people think that ActiveX is some kind of competitor to Java, but the funny thing is that you can use the Java language very well for writing ActiveX controls.

Visual J++, Microsoft’s Java development tool, is one of the best Java IDE’s available - it’s very complete and features a very fast compiler. This alone should make clear that Microsoft doesn’t hate Java - they do like it as a programming language and as a technology that lets your applet run on any platform.

Java as an operating system however, is not a very popular concept at Microsoft.

From Microsoft’s point of view, this is understandable -- after all, Operating Systems are Microsoft’s core business. But they also feel that a Java OS lacks quite a bit of features and functionality compared to Windows or any other modern Operating System - and they may have a point there.

So, to put it all together, ActiveX promises to let you write (part of) an application in your favorite language, deploy that application on any system you like and even let it interact with other apps and users over a network.

In the rest of this article I’ll have a look at how ActiveX came to be, how you can use it for your Web site and what tools you can use to help you in your development efforts.

OLE gets Active

‘Now, this all sounds very interesting’, you might say, ‘but isn’t ActiveX just a fancy new name for OLE, cleverly devised by Microsoft’s very capable marketing department?’

This certainly seems to be the case, although by making OLE ‘Internet aware’ Microsoft added some new functionality to the ‘old’ OLE technology, thereby maybe justifying the need for another name. Renaming OLE to ActiveX also made people (like me) aware that there’s more to OLE/ActiveX than displaying spreadsheets in a word processor. But in spite of the fancy new name, ActiveX is essentially the same thing as OLE, so it may be a good idea to take a (brief) look at the history of OLE and how it developed into ActiveX.

OLE, which is an acronym for Object Linking and Embedding, started out as just that - a way to create compound documents which had links to objects or embedded objects made by another application. In this way one could for example have a part of a spreadsheet in many wordprocessor documents, by just linking to the spreadsheet. Any updates to the spreadsheet would then automatically appear in the document. This also saved a lot of space, because only one instance of the spreadsheet was needed for all documents.

This was nice, but not everything the ambitious Microsoft developers had in mind. They wanted something more radical - A standard way to use pieces of software, written in any language, as building blocks for applications (sound familiar ?).

So they went back to work, developed a new set of technologies, and called them ‘COM’ for Component Object Model. Although this acronym is much more to the point, for reasons which are not entirely clear to me (and others I presume), Microsoft decided to call these new technologies OLE 2, although COM clearly was much more capable than just linking and embedding objects in a document (as the name OLE 2 still suggested).

Then in early 1996, Microsoft announced ActiveX, which was the name for all Internet related technologies being developed at Microsoft. Because most of them were based on COM, ActiveX soon also became the name for all COM based technologies. OLE is now once again the thing it was at the beginning – an acronym for Object, Linking and Embedding. All technologies that were developed after OLE are now called ActiveX.

Having cleared up the name confusion (hopefully), lets now find out what’s so special about COM.


COM defines a standard way for pieces of software to use each others services, even across a network (which only was realized recently with the introduction of Distributed COM or DCOM). COM is very much an object oriented technology and supports all its typical benefits like encapsulation of data (data can only be accessed trough an objects interface), polymorphism (different objects acting the same) and inheritance (a new object inherits all functionality of its class).

One special thing about COM is that it is language independent, COM acts like a wrapper about compiled pieces of software, so all COM objects have a binary format and a binary interface, which other objects and applications can use to gain access to an objects methods and properties. The binary format implies that you can’t get to an object’s source code (which makes it safe for distribution) and that it will execute faster compared to a Java applet because it doesn’t run in a Virtual Machine.

The main goal of COM was and is to enable the use of component software. The idea is that when you’re going to build an application, you investigate what you need in terms of functionality, pick the components that provide parts of the functionality and use these components as building blocks for your application. Needless to say, these is a big step forward in software development as you don’t need to rewrite code over and over again and with COM you’re not limited to just one programming language. In practice this all works very much like in the electronics industry where new devices are being built from standard components (IC’s) that have well known specifications and functionalities.

ActiveX Controls

Once COM was defined and implemented in a lot of Microsoft products, people started using these components in the form of OLE controls or OCXs. Since ActiveX really was an effort to use COM for the Internet, and OLE controls were quite ‘heavy’ in terms of functionality and interfaces, Microsoft decided to adapt OLE controls to this new environment and strip them down, so that only the really necessary functionality was supported. These controls are now named ActiveX controls.

Containers, Methods, Properties and Events

To use an ActiveX control you’ll have to plug it in into a control container such as a Web browser, a Visual Basic form or a program like Microsoft Word or Excel. Furthermore, all controls have certain properties, methods and events which you can set, call or respond to when you use them in your web page or application. Properties have to do with the ‘look and feel’ of a control, methods are the functions that a control supports and events are a way to indicate to other controls and applications that something has happened.

When you use controls in a Web page you would typically set the properties of a control using the OBJECT and PARAM tags and use its methods and events from a scripting language such as Javascript or Vbscript.

In case of the Marquee ActiveX control these tags will look something like this:

<OBJECT ID="ActiveXMarquee1" WIDTH=753 HEIGHT=47
<PARAM NAME="_ExtentX" VALUE="19923">
<PARAM NAME="_ExtentY" VALUE="1217">
<PARAM NAME="Text" VALUE="read web techniques">
<PARAM NAME="Scrolling" VALUE="-1">

ActiveX in Action - Internet Explorer

Maybe the best example or ‘proof of concept’, that ActiveX really works is Internet Explorer 3.0 (IE).

IE is really nothing more than a set of very tightly integrated COM objects and ActiveX controls. The capability to display several documents formats (HTML, Word, Excel etc.) for example, is implemented in an object (called Web Browser) that can act as an ActiveX Document Container. For each kind of document an ActiveX Document server (like Excel) is loaded into the container that knows how to display the specific document format. To display HTML pages, an object called the HTML viewer is loaded. The HTML viewer in turn, can load and run the components it would need to support things like Java, Realaudio, Shockwave and scripting, which are all implemented as separate components. Of course, it can also download and run ‘regular’ ActiveX controls.

The Web Browser object itself also acts as an ActiveX control, which - you guessed it - can also be used by other applications. (see Figure xx - How to create your own Web browser with 1 line of code)

As you can see, ActiveX makes it relatively simple to extend IE’s functionality - the HTML layout control for example, is a recent control that you can download and that enhances IE with extra layout possibilities. To add support for other scripting languages like Perl, all that is needed is getting another scripting engine, implemented as a COM object.

So while all this downloading and executing of controls sounds pretty cool, you may start to wonder if anyone at Microsoft has thought of the implications all this has on security. Well, not surprisingly, someone did.

Authenticode Security

As is the case with Java applets , IE downloads ActiveX controls in order to be able to execute them on a users computer. And like Java, this introduces some potential security risks, which need to be addressed.

Microsoft has realized this of course and chose to solve this problem in another way than Sun did with Java. The Java security model is based upon the ‘sandbox’ model - applets execute in a closed environment (the sandbox) from which they cannot escape.

Microsoft’s solution to the security issue is a technology named Authenticode which is quite different from the Java sandbox model. Authenticode is based upon the two terms ‘Authenticity’ and ‘Accountability’.

By using Authenticode, software components (ActiveX controls) can be issued a unique code (a digital certificate). A producer of software has to register with a certificate authority like Verisign, to obtain such a certificate. He can use the certificate to ‘sign’ his software, after which he can start distribution - i.e. making it available for users to download. This is where Authenticity and Accountability come in.


Each time a user downloads a control, an Authenticode window will pop up that displays the software producers certificate, name and a link to more information. The users know knows who is responsible for the software (and any unwanted effects it might produce).


Both the user and the producer of the software know that it’s impossible to tamper with the software without disabling the certificate. The user will know that the software is no longer in its original state (and thus might be dangerous) and the producer knows he can safely distribute his software without others ripping him off.

Internet Explorers default setting is not to download software that has no (valid) certificate. You can override this setting however, but you should be aware of the risks.

Once a control has been downloaded by a user, it can pretty much do anything it wants (like deleting files, transmitting your private data, etc.). Clearly, the user will indeed have to ‘trust’ that the producer of the software has only the best of intentions. This is comparable to buying shrink-wrapped (authenticity) software from a well known (accountability) company - you’re confident that the software is safe to install (but not 100% sure).

A potential problem with this approach to security is that a downloaded control can appear to function normally (a tickertape, a game, whatever) and meanwhile can install a virus on the computer that will activate itself several months later. How on earth is a user to know who to hold responsible (accountable) for the disaster caused by that ‘must have cool control’ she downloaded? This will be pretty difficult, considering the fact that once ActiveX takes off, users will maybe download something like 10 controls a day on average.

Another risk could be that users get tired of constantly acknowledging a control’s security by clicking away the Authenticode window. They’ll probably just turn the security mechanism off so all controls get automatically downloaded by default.

The Java ‘sandbox’ security model (and it’s very rigid implementation by the Netscape browser) may cause frustrations for developers, at least one knows that things like that won’t happen by downloading and executing Java applets.

Activate Your Site

Having looked at ActiveX from a general, historic and security perspective, it’s about time to have a look at what it has to offer in terms of Web site development :

.ActiveX controls can be created in any language.

Just like Java applets, you can use ActiveX controls in your web pages. Unlike Java applets however, you can use several languages to create them. At this time you can use C++, Java and Visual Basic, but more languages will be added (like Borland’s Delphi).

It is worth noting here that Visual Basic is used by millions of users because it lets you build applications fast and easy. And because you can directly create ActiveX controls in the new 5.0 version (Control Creation Edition), VB has a good chance of becoming far more popular than the Java language for creating interactive content for the Web.

.Leverage existing technology

It’s possible to use existing OLE Controls (OCX’s) as ActiveX controls. This could be one of Microsoft’s strongest selling points, as there are thousands of OLE controls available and millions of Visual Basic and C++ users out there who use OLE controls all the time.

What this means is that instead of starting from scratch, as would be the case if Java is used, you can now choose from a vast amount of controls, pick the functionality you need and tie them together with scripts. In case some required functionality does not exist, it should be much easier to create new controls by using your (or someone else’s) existing Visual Basic or C++ programming experience.

.ActiveX is platform independent.

Well, that’s not yet the case, but in the long run controls should run on most popular Operating Systems. You will have to compile a separate version for each platform however (unlike Java, there’s no Virtual Machine). ActiveX is currently available for all the Windows platforms and the Mac (beta). Microsoft is working with Software AG on a UNIX implementation (DCOM FTE).

Today, most users probably use ActiveX only in a browser context, and right now, IE 3.x is the only browser that supports ActiveX directly. You’ll have to keep in mind though, that IE 3.x is now a standard component of Windows 95/NT, which will have a market share of > 80% after all Windows 3.x users have upgraded. So for a lot of users this whole notion of platform independency will not be a big deal.

Right now, however, the Netscape browser is still the big one, and until NS will support ActiveX directly (in version 4.0 of the browser), you’ll need the ActiveX plugin from Ncompass Labs (who interestingly enough, developed an OLE capable browser long before Microsoft had even thought of ActiveX – but that’s another story).

.ActiveX controls can be scripted.

On the client..

Scripting allows you to program and tie controls together, so they will work in concert on a Web page. Scripts are mixed with the HTML in a Web page and can be written in any scripting language. At this time Microsoft supports Netscape’s Javascript and VBscript, the latter having essentially the same syntActiveX as Visual Basic.

Of course, it’s also possible to use these scripting languages in their traditional way - i.e. as a means to control the browser itself. In time, third party developers will probably make it possible to also use other scripting languages like Perl, Rexx, Phyton and so on.

.Active Server / Denali

..and on the Server.

Not only can ActiveX controls be executed by the client browser, you can also use them on the server, although this may seem a bit strange at first because a lot of people think an ActiveX control requires a windows user interface.

However, since ActiveX controls are simply software components that can do all kinds of things (including things that don’t require user interaction), a Web server can use ActiveX controls to dynamically generate HTML pages. The big advantage of this approach is that it is browser independent – you use ActiveX controls on the server to generate HTML that every browser understands.

Microsoft calls this concept ‘Active Server’ (code name ‘Denali’).Denali is one of several extensions to Microsofts Internet Information Server (IIS 2.0) which together form the upgrade to IIS 3.0.

Active Server pages are a combination of HTML and scripts, The scripts in ASP pages can call ActiveX controls on the server to execute a specific function. A good example of this is the ‘Ad rotator’ control which loads a new image (the ad) and generates the required HTML, every time the ASP page is requested by a user. The (VB)script will look something like this:

<% set Ad = Server.CreateObject("MicrosoftWC.Adrotator") %>
<% = Ad.GetAdvertisement("/aspsamp/tutorial/lessons/adrot.txt") %>

Another example are the ActiveX Data Objects that you can use for fast connectivity to ODBC-compliant databases like Access or SQL server.

You’ve probably noticed quite some pages at the Microsoft site whose name ended in .asp - so obviously this concept has had some pretty though testing.

.ActiveX controls can manipulate the client’s file system

Is it a bug or a feature ? Discussions about whether this should be allowed will probably never end. Anyway --as discussed earlier in this article, ActiveX controls can read and write to the local file system once they have been downloaded. And while this capability introduces potential security hazards, it also allows more interesting things to happen. For example, a user can download and use a word processor control and store her (private) documents on the local hard disk, instead of on some remote server, over which she has no control. Another example might be a virus scanner control which checks the local hard disk for malicious programs.

.ActiveX provides for automatic downloading of controls

Finally, one nice feature of ActiveX is that it enables browsers to ‘sense’ where to go when they encounter some piece of active content for which they have no ‘playback’ capability. A good example of this are Shockwave files – when IE comes across such a file, it will automatically start downloading the appropriate ActiveX control that can play back Shockwave movies. Of course this is an advantage both for web site developers and for users. Users won’t need to get hold of a separate plugin anymore and Web site developers can put all kinds of content on their site without fearing that users will go away because they don’t have the right plugin.

ActiveX and the Web

It seems safe to say that ActiveX will have a major impact on the Web. Because it supports legacy code in the form of OLE controls and because new controls are relatively easy to create, the proliferation of pages with active content will spread much faster. On the other hand, the notion of ‘the web browser’ as a separate program might disappear (at least to a lot of users) because it is so easy to add Internet functionality to desktop applications. This already is apparent in the new version of IE 4.0 which blurs the distinction between the old Windows explorer shell and Internet explorer. This is an interesting development because it partly is a reversal of an existing trend where it looked for a long time as if the Web browser would become the program wherein everything happened, whereas the OS became less important all the time (something which Netscape encouraged of course, but Microsoft certainly not).

ActiveX is also interesting for the Intranet Developers, as it allows for the seamless viewing of corporate information from several sources in a Web browser, the (re) use of existing code for Web pages and easy database connectivity.

Finally, it is estimated that there already exists a $240 million market for OLE controls, so with the adaptation of COM and OLE for the Internet this market stands every chance of getting very big and offers a lot of opportunities for software developers.


Microsoft certainly has come up with a very interesting technology for the Internet, although the roots of ActiveX go way back, even before the Web existed. You can compare ActiveX to Java in some ways, but it really offers several benefits in that it is language independent, supports legacy code, has faster execution speed (no virtual machine), has a different security model which offers more possibilities for downloaded controls and is very tightly integrated with the Windows OS.

Of course, lots of people will stay skeptical and dismiss these benefits (especially non-Windows users), simply because it is a Microsoft technology. Nevertheless, ActiveX will probably get pretty important, but given the fact Java has had enough time to get accepted and used by many developers it will coexist with Java for a long time.

Thanks to ActiveX, and the many possibilities it offers for the creation of active content on the Web, the Internet is now an even more interesting place than it was before.

Tools and Samples

(See also 'how to create your own browser with one line of code')

Microsoft has made quite a lot of controls (freely) available through their Web site. This is a good place to start and check out what ActiveX controls have to offer. Naturally this is also a good place to find tons of links to ActiveX related information.

C|Net has started a site which is totally dedicated to ActiveX and is aptly named www.ActiveX.com. Lots of information and controls there as well.

ActiveX SDK

The SDK (freely downloadable) is a +20 MB collection of tools, samples and documents (in HTML and in Microsoft’s infoviewer format) to aid you in the development of ActiveX based projects.

# figure xx (oleview.bmp) The OLE viewer, contained in the ActiveX SDK

ActiveX Control Pad

This is a tool which lets you insert ActiveX controls into a HTML page and generates the HTML and scripts needed to use them. It consists of a HTML source editor, ActiveX control Editor, HTML Layout editor and a script Wizard.

# figure xx (ActiveXcp.bmp) Using control pad to implement the marquee control


Visual Basic 5.0 Control Creation Edition can be downloaded from the Microsoft Web site. VB5 CCE features an Application Setup Wizard which lets you prepare a control created with VB5 CCE for Internet distribution. The wizard will find out what the dependencies of the control are, and puts all necessary files together in a downloadable .cab file. It will also generate a HTML template that you can use in your own pages to display the control. There is also quite a lot of documentation about VB and creating ActiveX controls with it on the VB Web site at Microsoft.

# figure xx (vbasw.bmp) Use the application setup wizard to make an existing VB program ‘ready for the Web’.

Visual J++

Microsoft’s visual IDE for Java. Features a very fast compiler and lets you use and create ActiveX controls.



ActiveX Source Book
Coombs, Coombs and Brewer
Wiley and sons
ISBN 0-471-16714

Understanding ActiveX and OLE
Microsoft Press
ISBN 1-57231-216-5

Inside OLE, 2nd Edition
Microsoft Press
ISBN 1-55615-843-2