book - Dave's Blog

Search

Edge browser and JavaScript UWP app security model comparison

2018 Nov 29, 2:21

There are two main differences in terms of security between a JavaScript UWP app and the Edge browser:

Process Model

A JavaScript UWP app has one process (technically not true with background tasks and other edge cases but ignoring that for the moment) that runs in the corresponding appcontainer defined by the app's appx manifest. This one process is where edgehtml is loaded and is rendering HTML, talking to the network, and executing script. Specifically, the UWP main UI thread is the one where your script is running and calling into WinRT.

In the Edge browser there is a browser process running in the same appcontainer defined by its appx manifest, but there are also tab processes. These tab processes are running in restricted app containers that have fewer appx capabilities. The browser process has XAML loaded and coordinates between tabs and handles some (non-WinRT) brokering from the tab processes. The tab processes load edgehtml and that is where they render HTML, talk to the network and execute script.

There is no way to configure the JavaScript UWP app's process model but using WebViews you can approximate it. You can create out of process WebViews and to some extent configure their capabilities, although not to the same extent as the browser. The WebView processes in this case are similar to the browser's tab processes. See the MSWebViewProcess object for configuring out of process WebView creation. I also implemented out of proc WebView tabs in my JSBrowser fork.

ApplicationContentUriRules

The ApplicationContentUriRules (ACUR) section of the appx manifest lets an application define what URIs are considered app code. See a previous post for the list of ACUR effects.

Notably app code is able to access WinRT APIs. Because of this, DOM security restrictions are loosended to match what is possible with WinRT.

Privileged DOM APIs like geolocation, camera, mic etc require a user prompt in the browser before use. App code does not show the same browser prompt. There still may be an OS prompt – the same prompt that applies to any UWP app, but that’s usually per app not per origin.

App code also gets to use XMLHttpRequest or fetch to access cross origin content. Because UWP apps have separate state, cross origin here might not mean much to an attacker unless your app also has the user login to Facebook or some other interesting cross origin target.

PermalinkCommentsedge javascript security uwp web-security wwa

Tweet from Seth Abramson

2017 Jan 22, 5:21
Retweet if you want networks to stop booking Kellyanne Conway, the first U.S. presidential counselor to openly advocate lying to the public.
PermalinkComments

Tweet from David_Risney

2016 Feb 16, 2:06
OK Go's beef with YouTube led to latest video release on Facebook: http://www.adweek.com/news/technology/why-ok-go-went-facebook-only-debut-its-buzzy-zero-gravity-music-video-169599 …
PermalinkComments

Retweet of mathias

2016 Jan 27, 10:29
Take any Facebook/Instagram photo URL.👉 append `.txt` → ASCII art👉 append `.html` → colored ASCII artE.g. https://scontent-ams3-1.cdninstagram.com/t51.2885-15/e35/11906246_1700002456899911_1391970345_n.jpg.html …
PermalinkComments

Tweet from David_Risney

2015 Dec 30, 5:07
3 diff kinds of challenges: Three Trials https://supermariomakerbookmark.nintendo.net/courses/4B46-0000-00EC-E0CF … #SuperMarioMaker pic.twitter.com/B2rSxkjtiB
PermalinkComments

Tweet from David_Risney

2015 Dec 29, 6:25
Excited for new Super Mario Maker site! https://supermariomakerbookmark.nintendo.net/courses/68D3-0000-003B-4A17 … #SuperMarioMaker pic.twitter.com/Mz2EGq0HON
PermalinkComments

Retweet of ryanpitts

2015 Dec 6, 9:21
This @replyall about a woman whose Facebook post began a movement that took down corrupt Guatemalan politicians, wow https://gimletmedia.com/episode/47-quit-already/ …
PermalinkComments

Retweet of xeni

2015 Nov 6, 12:26
Facebook's censoring me. Tried to post my @boingboing item re: http://tsu.co . Got blocked. http://boingboing.net/2015/11/06/facebook-is-censoring-links-to.html …
PermalinkComments

Retweet of industrial_book

2015 Mar 6, 6:11
Old war. New battlefield. #mathjoke pic.twitter.com/TvWxI0h8Xw
PermalinkComments

erictanart:I wish there was a #biffs to go to. #backtothefuture...

2015 Feb 28, 2:39


erictanart:

I wish there was a #biffs to go to. #backtothefuture #bttf #matchbookart

PermalinkComments

erictanart:I wish there was a #biffs to go to. #backtothefuture...

2015 Feb 28, 2:39


erictanart:

I wish there was a #biffs to go to. #backtothefuture #bttf #matchbookart

PermalinkComments

Retweet of edent

2015 Feb 26, 3:16
Facebook Mangles Unicode URLs https://shkspr.mobi/blog/?p=20643 
PermalinkComments

Retweet of TimHarford

2015 Feb 26, 2:01
Does using Facebook make you sad? The answer: yes, if you use it in certain ways... http://dlvr.it/8lzYyS 
PermalinkComments

Retweet of theharmonyguy

2015 Feb 24, 7:41
2014 highlights from Facebook's bug bounty program: https://www.facebook.com/notes/1026610350686524/ …
PermalinkComments

Retweet of shaver

2015 Feb 20, 4:19
Facebook Security published a note with some info on Superfish: https://www.facebook.com/notes/protect-the-graph/windows-ssl-interception-gone-wild/1570074729899339 …
PermalinkComments

intoosteep: She died as she lived: walking down stairs checking Facebook statuses.

2015 Jan 17, 6:59
Claire Ayoub @intoosteep :
She died as she lived: walking down stairs checking Facebook statuses.
PermalinkComments

How I Pranked My Roommate With Eerily Targeted Facebook Ads

2014 Sep 18, 2:27

“This is the chronicle of the most epic retaliation and how I pranked my roommate with targeted Facebook Ads to the point of complete paranoia and delusion.”

Funny anecdote but also a how-to on creating a Facebook ad campaign that targets a single person.

PermalinkCommentshumor security ad facebook

Detect login with CSP - When Security Generates Insecurity

2014 Jul 8, 1:13

An interesting way to use the report-uri feature of CSP to detect if a user is logged into Google, Facebook etc.

PermalinkCommentstechnical security csp web

Nieman Journalism Lab - Who’s behind that tweet? Here’s how 7...

2014 May 29, 4:03


Nieman Journalism Lab - Who’s behind that tweet? Here’s how 7 news orgs manage their Twitter and Facebook accounts

PermalinkCommentsnews twitter

thefrogman: Poorly Drawn Lines by Reza...

2013 Oct 15, 7:47


thefrogman:

Poorly Drawn Lines by Reza Farazmand
[website | tumblr | twitter | facebook]

PermalinkCommentshumor comic robot
Older Entries Creative Commons License Some rights reserved.