alki - Dave's Blog


Edge browser and JavaScript UWP app security model comparison

2018 Nov 29, 2:21

There are two main differences in terms of security between a JavaScript UWP app and the Edge browser:

Process Model

A JavaScript UWP app has one process (technically not true with background tasks and other edge cases but ignoring that for the moment) that runs in the corresponding appcontainer defined by the app's appx manifest. This one process is where edgehtml is loaded and is rendering HTML, talking to the network, and executing script. Specifically, the UWP main UI thread is the one where your script is running and calling into WinRT.

In the Edge browser there is a browser process running in the same appcontainer defined by its appx manifest, but there are also tab processes. These tab processes are running in restricted app containers that have fewer appx capabilities. The browser process has XAML loaded and coordinates between tabs and handles some (non-WinRT) brokering from the tab processes. The tab processes load edgehtml and that is where they render HTML, talk to the network and execute script.

There is no way to configure the JavaScript UWP app's process model, but using WebViews you can approximate it. You can create out-of-process WebViews and configure some of their capabilities, although not to the degree the browser can. The WebView processes in this case are similar to the browser's tab processes. See the MSWebViewProcess object for configuring out-of-process WebView creation. I also implemented out-of-proc WebView tabs in my JSBrowser fork.

ApplicationContentUriRules

The ApplicationContentUriRules (ACUR) section of the appx manifest lets an application define what URIs are considered app code. See a previous post for the list of ACUR effects.

Notably, app code is able to access WinRT APIs. Because of this, DOM security restrictions are loosened to match what is already possible through WinRT.

Privileged DOM APIs like geolocation, camera, mic, etc. require a user prompt in the browser before use. App code does not show the same browser prompt. There still may be an OS prompt, the same prompt that applies to any UWP app, but that is usually per app, not per origin.

App code also gets to use XMLHttpRequest or fetch to access cross origin content. Because UWP apps have separate state, cross origin here might not mean much to an attacker unless your app also has the user login to Facebook or some other interesting cross origin target.

Tags: edge, javascript, security, uwp, web-security, wwa

Tweet from Justin Wolfers

2016 Sep 13, 12:05
Here comes the latest income and poverty statistics... Be prepared to adjust your talking points... http://www.census.gov/content/dam/Census/library/publications/2016/demo/p60-256.pdf

Tweet from David_Risney

2015 Sep 26, 8:47
The Inside Story Behind MS08-067 http://blogs.technet.com/b/johnla/archive/2015/09/26/the-inside-story-behind-ms08-067.aspx …. Are we cool talking about this now?

Tweet from David_Risney

2015 Apr 14, 10:06
US will now say if you're on no-fly list: http://boingboing.net/2015/04/15/us-govt-will-now-reluctantly.html … But not talking about new list you're on if you ask if you're on a list.

intoosteep: She died as she lived: walking down stairs checking Facebook statuses.

2015 Jan 17, 6:59
Claire Ayoub @intoosteep :
She died as she lived: walking down stairs checking Facebook statuses.

99percentinvisible: Walking was invented in Europe, according...

2014 Sep 29, 2:50
99percentinvisible:

Walking was invented in Europe, according to this sign found by a friend in China. 

Tags: humor, walking, china

Keep Talking and Nobody Explodes. Co-op Oculus Rift + Razer Hydra

2014 Jan 28, 6:17

Tags: humor, game, videogame, bomb

In Depth Review: New NSA Documents Expose How Americans Can Be Spied on Without A Warrant

2013 Jun 21, 10:43

What It All Means: All Your Communications are Belong to U.S. In sum, if you use encryption they’ll keep your data forever. If you use Tor, they’ll keep your data for at least five years. If an American talks with someone outside the US, they’ll keep your data for five years. If you’re talking to your attorney, you don’t have any sense of privacy. And the NSA can hand over you information to the FBI for evidence of any crime, not just terrorism. All without a warrant or even a specific FISA order.

Not sure if this is saying all Tor data is collected or saying if someone uses Tor then start collecting that someone’s communication.

Tags: technical, legal, tor, nsa, eff, spying, security, privacy

A Slower Speed of Light Official Trailer — MIT Game Lab (by...

2012 Nov 13, 7:41

A Slower Speed of Light Official Trailer — MIT Game Lab (by Steven Schirra)

“A Slower Speed of Light is a first-person game in which players navigate a 3D space while picking up orbs that reduce the speed of light in increments. A custom-built, open-source relativistic graphics engine allows the speed of light in the game to approach the player’s own maximum walking speed. Visual effects of special relativity gradually become apparent to the player, increasing the challenge of gameplay. These effects, rendered in realtime to vertex accuracy, include the Doppler effect; the searchlight effect; time dilation; Lorentz transformation; and the runtime effect.

A production of the MIT Game Lab.

Play now for Mac and PC! http://gamelab.mit.edu/games/a-slower-speed-of-light/

Tags: science, game, video-game, mit, 3d, light-speed

Alex walking via walker

2012 Aug 6, 4:44
From: David Risney
Tags: video

More Walking Dead macro photos.

2012 Mar 21, 2:56

Tags: humor, meme, walking-dead, tv, zombie

The Walking Dead Alternate Intro (by tlunsford)

2012 Jan 27, 2:56

Tags: humor, video, walking-dead, zombie, tv

Everyone Hates Ticketmaster — But No One Can Take It Down | Magazine

2010 Nov 8, 3:32

We were just talking about hating Ticketmaster. A brief history and business of Ticketmaster.

Tags: ticketmaster, software, wired, concert, music, business

Schneier on Security: The Effectiveness of Air Marshals

2010 Apr 11, 3:51

"In fact, more air marshals have been arrested than the number of people arrested by air marshals." It's easy to get awesome stats like this when talking about lawlessness on airplanes, given its great infrequency.

Tags: statistics, humor, security, bruce-schneier, airplane

YouTube - Hitler finds out his subtitles are wrong

2009 Aug 26, 3:28

"Don't they know this is just another passing lame-ass internet fad?" Hitler mocks the subtitled Hitler Internet meme and those not in on the joke. Note that this is a bit meta: see some of the other videos first for examples of what Hitler is talking about here.

Tags: humor, youtube, video, hitler, meme

Anecdotes from Work

2008 Sep 23, 2:15

Diversity in Numbers

The names in the following anecdote have been changed. Except for my name (I'm Dave).

I got a new laptop a while back. I had it in my office and Tim came in to ask me something but paused when he saw my laptop. "Oh, is this one of those new touch screen laptops?" he asked, the whole time moving his hand towards my laptop and punctuating his sentence by pressing his finger to the screen. "No" I responded.

Walking down a hallway I heard Winston, one of our managers, say, "Hey Tim!" Winston catches up to me and asks, "Are you almost done with the XYZ bug?" I realized Winston was talking to me and got my name wrong but I figured I'll ignore it and perhaps he'll realize his mistake. Winston continued "I just talked with some people who say they're blocked and waiting for Tim to finish the XYZ bug." "Dave" I said helpfully attempting to diplomatically correct Winston since he apparently hadn't realized his error. "No, it was Jeremy and Bill." Winston said naming the people he had talked to who were waiting for me to fix the XYZ bug. At this point I decided it would be easier to just answer his question and end the conversation than to get into this whole thing. As far as I know, Winston has not gotten my name wrong at any other time.

Tags: work, nontechnical

Eat the City - Munich - Google Maps

2008 Sep 14, 7:14

Map of places to eat in Munich. "Eat the City - Munich. Some people like museums, others do walking tours, I get to know a city by eating it. By Megan D"

Tags: map, google, munich, germany, travel, restaurant

Birthday Weekend

2008 Sep 4, 11:30

[Photo: the Seattle skyline in the distance over water]

This past weekend Sarah and I went to Salty's on Alki. I had never been down to the Alki area so that was fun and I took a few photos while we were there. It turns out they were the last few photos I'll be taking with that camera as it turned itself on in my pocket and the lens extension mechanism broke for the inner most lens. So now I'm looking for a new camera, preferably one that has a lock mechanism so I can't accidentally turn it on in my pocket. The dinner was good and Salty's has a great view. On an unrelated note, the next day we went to an Audi dealership and test-drove the new 2009 A4 which was fun. I'm happy with my car but Sarah's feeling antsy.

Tags: alki, rambling, camera, weekend, birthday, nontechnical

Sarah on Bench in Alki

2008 Sep 1, 9:40

sequelguy posted a photo:

Sarah on Bench in Alki

Sarah sits on a bench in Alki beach, Seattle, WA

Tags: seattle, sarah, washington, alki

Seattle Skyline and Street

2008 Sep 1, 9:35

sequelguy posted a photo:

Seattle Skyline and Street

Tags: seattle, washington, alki, water, spaceneedle

Creative Commons License: some rights reserved.