There are two main differences in terms of security between a JavaScript UWP app and the Edge browser:
Process Model
A JavaScript UWP app has one process (technically not true with background tasks and other edge cases but ignoring that for the moment) that runs in the corresponding appcontainer defined by the
app's appx manifest. This one process is where edgehtml is loaded and is rendering HTML, talking to the network, and executing script. Specifically, the UWP main UI thread is the one where your
script is running and calling into WinRT.
In the Edge browser there is a browser process running in the same appcontainer defined by its appx manifest, but there are also tab processes. These tab processes are running in restricted app
containers that have fewer appx capabilities. The browser process has XAML loaded and coordinates between tabs and handles some (non-WinRT) brokering from the tab processes. The tab processes
load edgehtml and that is where they render HTML, talk to the network and execute script.
There is no way to configure the JavaScript UWP app's process model but using WebViews you can approximate it. You can create out of process WebViews and to some extent configure their
capabilities, although not to the same extent as the browser. The WebView processes in this case are similar to the browser's tab processes. See the MSWebViewProcess object for configuring out of process WebView creation. I also
implemented out of proc WebView tabs in my JSBrowser fork.
ApplicationContentUriRules
The ApplicationContentUriRules (ACUR) section of the appx manifest lets an application define what URIs are considered app code. See a previous post for the list of ACUR effects.
Notably, app code is able to access WinRT APIs. Because of this, DOM security restrictions are loosened to match what is possible with WinRT.
Privileged DOM APIs like geolocation, camera, mic etc. require a user prompt in the browser before use. App code does not show the same browser prompt. There still may be an OS prompt – the same
prompt that applies to any UWP app, but that’s usually per app, not per origin.
App code also gets to use XMLHttpRequest or fetch to access cross origin content. Because UWP apps have separate state, cross origin here might not mean much to an attacker unless your app also
has the user login to Facebook or some other interesting cross origin target.
Occasionally I have need to run a set of unrelated promises in series, for instance an object dealing with a WinRT camera API that can only execute one async operation at a time, or an object
handling postMessage message events that must resolve associated async operations in the same order it received the requests. The solution is very simple: keep track of the last promise, and when
adding a new promise in serial, add a continuation of the last promise that executes the new promise, then point the last promise at the result. I encapsulate the simple solution in a simple
constructor:
function PromiseExecutionSerializer() {
    var lastPromise = WinJS.Promise.wrap(); // Start with an empty fulfilled promise.

    this.addPromiseForSerializedExecution = function(promiseFunction) {
        lastPromise = lastPromise.then(function () {
            // Don't call directly so next promise doesn't get previous result parameter.
            return promiseFunction();
        });
    }
}
The only thing to watch out for is to ensure you don't pass the result of a previous promise onto a subsequent promise that is unrelated.
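An added example, not code from the original post: the same serializer written on standard Promises instead of WinJS.Promise, extended so that each caller gets a promise for its own task and a rejected task does not stall the tasks queued behind it. The camera-named tasks and their delays are constructed sample input.

```javascript
// Promise serializer on standard Promises. Beyond the post's version it returns each
// task's own promise and keeps the chain alive across rejections (assumed extensions).
class PromiseExecutionSerializer {
  constructor() {
    // Start with an already-fulfilled promise, as in the post.
    this.lastPromise = Promise.resolve();
  }

  addPromiseForSerializedExecution(promiseFunction) {
    // Call through a closure so the previous task's result is never handed to the next one.
    const taskPromise = this.lastPromise.then(() => promiseFunction());
    // The tail swallows failures so one rejected task cannot block later ones; the caller
    // still observes the rejection through taskPromise.
    this.lastPromise = taskPromise.catch(() => {});
    return taskPromise;
  }
}

// Constructed async task: logs start/end order and settles after a delay, so tasks that
// were started concurrently would interleave in the log.
function makeTask(log, name, delayMs, shouldFail) {
  return () => new Promise((resolve, reject) => {
    log.push(name + ':start');
    setTimeout(() => {
      log.push(name + ':end');
      if (shouldFail) reject(new Error(name + ' failed'));
      else resolve(name);
    }, delayMs);
  });
}

// Queue a slow task, a failing task and a fast task; return the event log and the
// per-task outcomes once everything has settled.
async function demoSerialized() {
  const serializer = new PromiseExecutionSerializer();
  const log = [];
  const results = await Promise.allSettled([
    serializer.addPromiseForSerializedExecution(makeTask(log, 'camera-open', 30, false)),
    serializer.addPromiseForSerializedExecution(makeTask(log, 'camera-capture', 5, true)),
    serializer.addPromiseForSerializedExecution(makeTask(log, 'camera-close', 1, false)),
  ]);
  return { log, statuses: results.map((r) => r.status) };
}
```

Without the serializer the three tasks would start immediately and finish in delay order; with it the log shows each task ending before the next starts, and the middle rejection is reported to its caller only.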
Sticking to an exercise routine takes dedication, and many fitness junkies swear that a running companion can be a huge help. That’s why researchers
have developed “Joggobot,” a quad-rotor helicopter drone designed to motivate joggers by flying in front of
them.
The aerial robot uses its camera to spot a colorful pattern on a T-shirt worn by the jogger, and flies at a safe distance ahead. The runner can control Joggobot using a smartphone: In
“companion mode,” the drone simply maintains the jogger’s pace; in “coach mode,” it pushes its human trainee a little faster.
A digital camera sends photos to the Mechanical Turk service to generate a textual description and prints the result on a thermal printer. Thus, a camera that prints out a textual description of
what you photographed.
2011 Mar 10, 6:14 Polar bears destroy hidden cameras (filming them for Science!) It is a well known fact that polar bears are very protective of their rights to privacy.
2010 Sep 4, 8:10 "Reminiscent of the Beastie Boys' "Awesome; I Fuckin' Shot That", more than 50 Radiohead fans captured the band's Aug. 23 show in Prague on Flip cameras, with the resulting footage later assembled into
the new Live In Praha DVD."
Video of racer 0.2, a video game made real, sort of. An arcade racing cabinet hooked up to an RC car with a wireless video camera, placed on a cardboard track.
2010 May 24, 6:26 "What You See is What They Get: Protecting users from unwanted use of microphones, cameras, and other sensors," by Jon Howell and Stuart Schechter.
"We introduce the sensor-access widget, a graphical user interface element that resides within an application's display. The widget provides an animated representation of the personal data being
collected by its corresponding sensor, calling attention to the application's attempt to collect the data."
2009 Aug 31, 4:53 From Ira as part of The Balloon Project: "... took the lo-fi diy map making essentials (portable helium tank, party balloons, and a disposable video camera) to Paris, France, where they launched a
video camera into the sky not knowing where it would go, and created some very unique aerial cartography of the Place de la Concorde." I'd love to see this run through photo stitching software like
Photosynth and then layered on Google Maps.
2009 Aug 21, 3:31 "A woman approaches me and tells me that she's with Getty Images. They're shooting stock photos in the park today, would I be willing to pose?" Then finds her photo on tea, camera ads, Quicken's
website, etc.
2009 Aug 5, 7:57 "Ten times smaller than barcodes, Bokodes’ low-cost optical design can be read from as far as 4 meters away, much farther than barcodes, by taking an out-of-focus photo with any off-the-shelf
camera." I'd love for stuff like this to catch on; however, compared to QR codes, these are much more difficult to produce than barcodes in that you can't just print them out, and they require changes to
the photography technique (must be out of focus) rather than just analyzing any photograph of a barcode. They seem to be solving slightly different problems.
2009 Jun 20, 9:43 How to use the WIA APIs in C#. WIA is the Windows API for getting images from scanners and cameras. And, as I found out, if you want to use the API in PowerShell try '$deviceManager = new-object -ComObject
WIA.DeviceManager'
2009 May 29, 9:01 "These inks are completely invisible to the human eye yet can be seen by using a device which can see in the infrared range - such as our modified cameras and camcorders. These inks do not fluoresce
in the visible range, cannot be seen with ultraviolet lights and cannot be seen by the human eye alone."
I like the idea of QR codes, encoding URLs and placing them
on real world objects, but the QR codes themselves are kind of ugly. To make them less obvious I thought I could spray QR codes on to an object with an infrared reflective paint and shine infrared
light on the QR codes, since most cameras, for instance the camera in my G1 phone, pick up infrared that our eyes do not.
In looking for this paint I've found that it comes up a lot in relation to the military for things like paint markers that are visible at
night with proper equipment, and paint that absorbs IR light to make vehicles less obvious to night vision goggles. Even though the first
reflects infrared light and the second absorbs it, websites end up referring to both as infrared paint, which made it difficult to search.
Additionally I found links to some other geeky infrared projects:
Infrared goggles that block out all light except for the edge of infrared light that humans can perceive.
2009 May 6, 12:56 Time lapse photography from the perspective of a large ship at night in Texas. "The camera was fastened to an outside rail and set to take a photo every six seconds. Quicktime then assembled the
photos into a .mov file that plays back at 12 frames per second. So, one minute of movie time represents 72 minutes of trip time on the channel. The first half begins just below the Port of Houston
Authority Turning Basin (the very end of the channel) and continues down to Green's Bayou."
There can be no doubt that infomercial pitchmen Billy Mays and Vince Offer are awesome,
but how can I decide which is my favorite?
Infomercial Performance.
Among other things they sell Zorbeez and ShamWow respectively, both of which are absorbent towels, so first up I can get a somewhat apples-to-apples comparison on infomercials for comparable
products. Thankfully someone has created a Vince Offer vs Billy Mays YouTube video featuring these infomercials.
Billy has an upbeat yell to everything he says while Vince has an endearing condescension to his "You followin' me camera guy?" In the end I must give this one to Vince Offer.
Billy has challenged Vince to a pitchman-off which on the surface sounds like a point for Billy, but if you listen to the challenge Billy says that Vince attempted to extend the olive branch.
Billy Mays calls out Vince on the Adam Carolla Show