cop - Dave's Blog

Search
My timeline on Mastodon

Changing the User Agent string in UWP WebView

2018 Oct 23, 9:32

There's no perfect way to change the user agent string for the UWP WebView (x-ms-webview in HTML, Windows.UI.Xaml.Controls.WebView in XAML, and Windows.Web.UI.Interop.WebViewControl in Win32) but there are two imperfect methods folks end up using.

The first is to call UrlMkSetSessionOption. This is an old public API that allows you to configure various arcane options including one that is the default user agent string for requests running through urlmon. This API is allowed by the Microsoft Store for UWP apps. The change it applies is process wide which has two potential drawbacks. If you want to be able to have different UA strings set for different requests from a WebView that's not really possible with this solution. The other drawback is if you're using out of process WebView, you need to ensure you're calling into UrlMkSetSessionOption in the WebView's process. You'll need to write third party WinRT that calls UrlMkSetSessionOption, create the out of proc WebView, navigate it to some trusted local page, use AddWebAllowedObject or provide that URI WinRT access, and call into your third party WinRT. You'll need to do that for any new WebView process you create.

The second less generally applicable solution is to use NavigateWithHttpRequestMessage and set the User-Agent HTTP header. In this case you get to control the scope of the user agent string changes but has the limitations that not all sub resource downloads will use this user agent string and for navigations you don't initiate you have to manually intercept and re-request being careful to transfer over all POST body state and HTTP headers correctly. That last part is not actually possible for iframes.

PermalinkCommentsuser-agent uwp webview

Tiny browser features: JSBrowser crash resistance

2018 May 13, 4:59

JSBrowser is a basic browser built as a Win10 JavaScript UWP app around the WebView HTML element. Its fun and relatively simple to implement tiny browser features in JavaScript and in this post I'm implementing crash resistance.

The normal DOM mechanisms for creating an HTML WebView create an in-process WebView, in which the WebView runs on a unique UI thread. But we can use the MSWebView constructor instead to create an out-of-process WebView in which the WebView runs in its own distinct WebView process. Unlike an in-process WebView, Web content running in an out-of-process WebView can only crash the WebView process and not the app process.

        this.replaceWebView = () => {
let webview = document.querySelector("#WebView");
// Cannot access webview.src - anything that would need to communicate with the webview process may fail
let oldSrc = browser.currentUrl;
const webviewParent = webview.parentElement;
webviewParent.removeChild(webview);
webview = new MSWebView();
Object.assign(this, {
"webview": webview
});
webview.setAttribute("id", "WebView");

// During startup our currentUrl field is blank. If the WebView has crashed
// and we were on a URI then we may obtain it from this property.
if (browser.currentUrl && browser.currentUrl != "") {
this.trigger("newWebview");
this.navigateTo(browser.currentUrl);
}
webviewParent.appendChild(webview);

I run replaceWebView during startup to replace the in-process WebView created via HTML markup with an out-of-process WebView. I could be doing more to dynamically copy styles, attributes, etc but I know what I need to set on the WebView and just do that.

When a WebView process crashes the corresponding WebView object is no longer useful and a new WebView element must be created. In fact if the old WebView object is used it may throw and will no longer have valid state. Accordingly when the WebView crashes I run replaceWebView again. Additionally, I need to store the last URI we've navigated to (browser.currentUrl in the above) since the crashed WebView object won't know what URI it is on after it crashes.

            webview.addEventListener("MSWebViewProcessExited", () => { 
if (browser.currentUrl === browser.lastCrashUrl) { ++browser.lastCrashUrlCrashCount;
}
else {
browser.lastCrashUrl = browser.currentUrl;
browser.lastCrashUrlCrashCount = 1;
}
// If we crash again and again on the same URI, maybe stop trying to load that URI.
if (browser.lastCrashUrlCrashCount >= 3) {
browser.lastCrashUrl = "";
browser.lastCrashUrlCrashCount = 0;
browser.currentUrl = browser.startPage;
}
this.replaceWebView();
});

I also keep track of the last URI that we recovered and how many times we've recovered that same URI. If the same URI crashes more than 3 times in a row then I assume that it will keep happening and I navigate to the start URI instead.

PermalinkCommentsbrowser javascript jsbrowser uwp webview win10

Tweet from David Risney

2016 Apr 28, 4:14
Coincidentally YouTuber on hacking dispute res by incl IP from diff large companies in same video http://kotaku.com/game-critic-uses-brilliant-workaround-for-youtubes-copy-1773452452 
PermalinkComments

Let's Encrypt NearlyFreeSpeech.net Setup

2016 Feb 4, 2:48

2016-Nov-5: Updated post on using Let's Encrypt with NearlyFreeSpeech.net

I use NearlyFreeSpeech.net for my webhosting for my personal website and I've just finished setting up TLS via Let's Encrypt. The process was slightly more complicated than what you'd like from Let's Encrypt. So for those interested in doing the same on NearlyFreeSpeech.net, I've taken the following notes.

The standard Let's Encrypt client requires su/sudo access which is not available on NearlyFreeSpeech.net's servers. Additionally NFSN's webserver doesn't have any Let's Encrypt plugins installed. So I used the Let's Encrypt Without Sudo client. I followed the instructions listed on the tool's page with the addition of providing the "--file-based" parameter to sign_csr.py.

One thing the script doesn't produce is the chain file. But this topic "Let's Encrypt - Quick HOWTO for NSFN" covers how to obtain that:

curl -o domain.chn https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem

Now that you have all the required files, on your NFSN server make the directory /home/protected/ssl and copy your files into it. This is described in the NFSN topic provide certificates to NFSN. After copying the files and setting their permissions as described in the previous link you submit an assistance request. For me it was only 15 minutes later that everything was setup.

After enabling HTTPS I wanted to have all HTTP requests redirect to HTTPS. The normal Apache documentation on how to do this doesn't work on NFSN servers. Instead the NFSN FAQ describes it in "redirect http to https and HSTS". You use the X-Forwarded-Proto instead of the HTTPS variable because of how NFSN's virtual hosting is setup.

RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]

Turning on HSTS is as simple as adding the HSTS HTTP header. However, the description in the above link didn't work because my site's NFSN realm isn't on the latest Apache yet. Instead I added the following to my .htaccess. After I'm comfortable with everything working well for a few days I'll start turning up the max-age to the recommended minimum value of 180 days.

Header set Strict-Transport-Security "max-age=3600;" 

Finally, to turn on CSP I started up Fiddler with my CSP Fiddler extension. It allows me to determine the most restrictive CSP rules I could apply and still have all resources on my page load. From there I found and removed inline script and some content loaded via http and otherwise continued tweaking my site and CSP rules.

After I was done I checked out my site on SSL Lab's SSL Test to see what I might have done wrong or needed improving. The first time I went through these steps I hadn't included the chain file which the SSL Test told me about. I was able to add that file to the same files I had already previously generated from the Let's Encrypt client and do another NFSN assistance request and 15 minutes later the SSL Test had upgraded me from 'B' to 'A'.

PermalinkCommentscertificate csp hsts https lets-encrypt nearlyfreespeech.net

Retweet of BoingBoing

2016 Jan 19, 8:50
We'll probably never "Free Mickey." #copyfight http://boingboing.net/2016/01/19/well-probably-never-free-m.html … pic.twitter.com/Z4nQfGRfvm
PermalinkComments

Tweet from David_Risney

2016 Jan 7, 9:30
'Works "produced by nature, animals, or plants" cannot be granted copyright protection the US Copyright Office said' http://arstechnica.com/tech-policy/2016/01/judge-says-monkey-cannot-own-copyright-to-famous-selfies/ …
PermalinkComments

Tweet from David_Risney

2015 Nov 13, 1:37
Cop pulls over car for driving 10mph under speed limit to find no driver in self driving car and issues no ticket. http://boingboing.net/2015/11/13/cop-pulls-over-google-self-dri.html …
PermalinkComments

Retweet of alisternburg

2015 Oct 26, 6:41
"Please stop yelling at me, I did not make up copyright law." Read @sarahjeong's explainer on © & Internet radio: http://motherboard.vice.com/en_uk/read/internet-radio-copyright-is-bad-and-dumb-a-comprehensive-explainer …
PermalinkComments

Retweet of TheOnion

2015 Jul 26, 2:30
Top Story: Ticketed Motorist Pointing Finger Just The Green Light Cop Needed http://onion.com/1LMi9JY  pic.twitter.com/uB245nVu5x
PermalinkComments

Retweet of kottke

2015 Jul 22, 2:01
With a technique called Crispr, DNA editing is becoming easy, cheap, and potentially scary http://kottke.org/15/07/copy-and-paste-but-for-dna …
PermalinkComments

laughingsquid: Live Band Performs ‘Mario Kart’ Song as Man...

2015 May 27, 3:11


laughingsquid:

Live Band Performs ‘Mario Kart’ Song as Man Races Down the Video Game Track

PermalinkComments

laughingsquid: Live Band Performs ‘Mario Kart’ Song as Man...

2015 May 27, 3:11


laughingsquid:

Live Band Performs ‘Mario Kart’ Song as Man Races Down the Video Game Track

PermalinkComments

laughingsquid: A Real Hedgehog Scurries Along to Music From the...

2015 Apr 23, 1:17


laughingsquid:

A Real Hedgehog Scurries Along to Music From the ‘Sonic the Hedgehog’ Video Game While Collecting Golden Rings

PermalinkComments

laughingsquid: A Real Hedgehog Scurries Along to Music From the...

2015 Apr 23, 1:17


laughingsquid:

A Real Hedgehog Scurries Along to Music From the ‘Sonic the Hedgehog’ Video Game While Collecting Golden Rings

PermalinkComments

Retweet of ChromiumDev

2015 Apr 14, 7:29
Now in Chrome 43, document.execCommand() gives you programmatic access to copy and cut content to the clipboard! http://updates.html5rocks.com/2015/04/cut-and-copy-commands …
PermalinkComments

RIP CadburdyShe died yesterday. Besides the normal grief its...

2015 Apr 8, 2:43


RIP Cadburdy

She died yesterday. Besides the normal grief its strange being the adult and dealing with a deceased pet.

PermalinkComments

RIP CadburdyShe died yesterday. Besides the normal grief its...

2015 Apr 8, 2:43


RIP Cadburdy

She died yesterday. Besides the normal grief its strange being the adult and dealing with a deceased pet.

PermalinkComments

laughingsquid:Researcher Cracks His Knuckles in Only One Hand...

2015 Mar 24, 12:01


laughingsquid:

Researcher Cracks His Knuckles in Only One Hand for Over 60 Years to See if He Would Get Arthritis

PermalinkComments

laughingsquid:Researcher Cracks His Knuckles in Only One Hand...

2015 Mar 24, 12:01


laughingsquid:

Researcher Cracks His Knuckles in Only One Hand for Over 60 Years to See if He Would Get Arthritis

PermalinkComments

Retweet of dangoodin001

2015 Mar 23, 5:55
We know where you’ve been: Ars acquires 4.6M license plate scans from the cops. Fantastic reporting by @cfarivar http://ars.to/1LShUdc 
PermalinkComments
Older Entries Creative Commons License Some rights reserved.