web page 2 - Dave's Blog

Search
My timeline on Mastodon

Windows Store App WebView Cross Origin XMLHttpRequest Behavior

2016 Jun 2, 6:45

TL;DR: Web content in a JavaScript Windows Store app or WebView in a Windows Store app that has full access to WinRT also gets to use XHR unrestricted by cross origin checks.

By default web content in a WebView control in a Windows Store App has the same sort of limitations as that web content in a web browser. However, if you give the URI of that web content full access to WinRT, then the web content also gains the ability to use XMLHttpRequest unrestricted by cross origin checks. This means no CORS checks and no OPTIONS requests. This only works if the web content's URI matches a Rule in the ApplicationContentUriRules of your app's manifest and that Rule declares WindowsRuntimeAccess="all". If it declares WinRT access as 'None' or 'AllowForWebOnly' then XHR acts as it normally does.

In terms of security, if you've already given a page access to all of WinRT which includes the HttpRequest class and other networking classes that don't perform cross origin checks, then allowing XHR to skip CORS doesn't make things worse.

PermalinkCommentsjavascript uwa uwp web webview windows winrt xhr

Tweet from David Risney

2016 Jun 1, 1:51
Cool JS image diff'ing including browser webcam based demos https://twitter.com/lonekorean/status/737630487913455616 
PermalinkComments

Retweet of amirrajan

2016 Feb 11, 6:46
Somebody please make this text based game a reality. https://medium.com/@pistacchio/i-m-a-web-developer-and-i-ve-been-stuck-with-the-simplest-app-for-the-last-10-days-fb5c50917df#.7bbx2ziut … pic.twitter.com/NbcuQukO1T
PermalinkComments

Retweet of AndyPavia

2016 Feb 11, 1:33
@k_seks @jarennert Using FaceDetect on a Raspberry Pi #WebOnPi #IoT #windows10 @MSEdgeDev pic.twitter.com/Qk2PyoedBP
PermalinkComments

Let's Encrypt NearlyFreeSpeech.net Setup

2016 Feb 4, 2:48

2016-Nov-5: Updated post on using Let's Encrypt with NearlyFreeSpeech.net

I use NearlyFreeSpeech.net for my webhosting for my personal website and I've just finished setting up TLS via Let's Encrypt. The process was slightly more complicated than what you'd like from Let's Encrypt. So for those interested in doing the same on NearlyFreeSpeech.net, I've taken the following notes.

The standard Let's Encrypt client requires su/sudo access which is not available on NearlyFreeSpeech.net's servers. Additionally NFSN's webserver doesn't have any Let's Encrypt plugins installed. So I used the Let's Encrypt Without Sudo client. I followed the instructions listed on the tool's page with the addition of providing the "--file-based" parameter to sign_csr.py.

One thing the script doesn't produce is the chain file. But this topic "Let's Encrypt - Quick HOWTO for NSFN" covers how to obtain that:

curl -o domain.chn https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem

Now that you have all the required files, on your NFSN server make the directory /home/protected/ssl and copy your files into it. This is described in the NFSN topic provide certificates to NFSN. After copying the files and setting their permissions as described in the previous link you submit an assistance request. For me it was only 15 minutes later that everything was setup.

After enabling HTTPS I wanted to have all HTTP requests redirect to HTTPS. The normal Apache documentation on how to do this doesn't work on NFSN servers. Instead the NFSN FAQ describes it in "redirect http to https and HSTS". You use the X-Forwarded-Proto instead of the HTTPS variable because of how NFSN's virtual hosting is setup.

RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]

Turning on HSTS is as simple as adding the HSTS HTTP header. However, the description in the above link didn't work because my site's NFSN realm isn't on the latest Apache yet. Instead I added the following to my .htaccess. After I'm comfortable with everything working well for a few days I'll start turning up the max-age to the recommended minimum value of 180 days.

Header set Strict-Transport-Security "max-age=3600;" 

Finally, to turn on CSP I started up Fiddler with my CSP Fiddler extension. It allows me to determine the most restrictive CSP rules I could apply and still have all resources on my page load. From there I found and removed inline script and some content loaded via http and otherwise continued tweaking my site and CSP rules.

After I was done I checked out my site on SSL Lab's SSL Test to see what I might have done wrong or needed improving. The first time I went through these steps I hadn't included the chain file which the SSL Test told me about. I was able to add that file to the same files I had already previously generated from the Let's Encrypt client and do another NFSN assistance request and 15 minutes later the SSL Test had upgraded me from 'B' to 'A'.

PermalinkCommentscertificate csp hsts https lets-encrypt nearlyfreespeech.net

Retweet of kennwhite

2016 Feb 2, 4:34
I didn't realize so many Debian/Ubuntu apps don't/can't do cert verification. Also "untrusted websites" is a thing. pic.twitter.com/euTZzXuxzw
PermalinkComments

Retweet of JustRogDigiTec

2016 Jan 22, 5:43
This is becoming increasingly more relevant as high quality games/apps move to #html5https://hacks.mozilla.org/2016/01/webgl-off-the-main-thread/ …#html5games #webGL
PermalinkComments

Retweet of lukew

2016 Jan 6, 6:33
Web vs. native apps or why you want both (with data) http://www.lukew.com/ff/entry.asp?1954 … pic.twitter.com/wuEkpsyWo2
PermalinkComments

Retweet of SwiftOnSecurity

2016 Jan 2, 6:04
Adware uses Fiddler libraries to proxy HTTPS traffic and inject ads (cc @ericlaw) http://blog.malwarebytes.org/security-threat/2016/01/websearcher-pup-applies-proxy-lockdown/ …
PermalinkComments

Retweet of ericlaw

2015 Dec 22, 7:08
I want users to win. I want the web to win, and I want to make life harder for bad guys every day. My next role: http://textslashplain.com/2015/12/23/my-next-adventure/ …
PermalinkComments

Tweet from David_Risney

2015 Nov 12, 1:42
Yay, Mario Maker is getting web portal. Seems absurd Mario Maker levels currently don't have offical web presence http://kotaku.com/mario-maker-is-getting-a-better-way-to-find-good-course-1742223816 …
PermalinkComments

laughingsquid: ‘Everything Is a Remix’ Celebrates Its Five-Year...

2015 Sep 17, 3:05


laughingsquid:

‘Everything Is a Remix’ Celebrates Its Five-Year Anniversary With a Remastered Release and New Merchandise

PermalinkComments

Retweet of ohunt

2015 Sep 16, 1:57
Is your site/app not loading resources in ios9? WebKit now blocks mixed content: You can't load CSS or JS over http from https _ever_.
PermalinkComments

Retweet of bcrypt

2015 Aug 18, 2:17
did you know that you can't read Oracle's Terms of Service on their website without agreeing to it? workaround: pic.twitter.com/AEdyN6njwS
PermalinkComments

Retweet of simevidas

2015 Jul 26, 8:27
The size of web fonts (per page) quadrupled over the last 2 years: http://httparchive.org/trends.php?s=All&minlabel=Jul+15+2013&maxlabel=Jul+15+2015#bytesFont&reqFont … pic.twitter.com/zl8HgpZDg0
PermalinkComments

Retweet of KevinJHill

2015 Jul 22, 8:04
The Microsoft Edge @MSEdgeDev team is hiring a Senior Software Engineer! http://bit.ly/1CRaQz8 . Help us make the web better #cpp #jobs
PermalinkComments

Retweet of KevinJHill

2015 Jul 22, 7:12
The Microsoft Edge team @MSEdgeDev is hiring C++ Devs! http://bit.ly/1MJxEAX , help us make the web better!
PermalinkComments

Retweet of thegrugq

2015 Apr 12, 9:47
War in the Web 2.0 era: how Air Forces deal (or don’t) with Internet-based flight tracking tools. Interesting http://theaviationist.com/2014/10/13/war-2-adsb-opsec/ …
PermalinkComments

Retweet of secretGeek

2015 Apr 2, 5:00
So a centralized website for managing distributed repos is being hit by a distributed attack.
PermalinkComments

Tweet from David_Risney

2015 Mar 25, 12:15
Cool Creative Commons limited edition shirt made of Noun Project images - http://creativecommons.org/weblog/entry/45224 … @creativecommons. Just ordered mine!
PermalinkComments
Older EntriesNewer Entries Creative Commons License Some rights reserved.