facebook - Dave's Blog

Search

Edge browser & JavaScript UWP app security model comparison

2018 Nov 29, 2:21

There are two main differences in terms of security between a JavaScript UWP app and the Edge browser:

Process Model

A JavaScript UWP app has one process (technically not true with background tasks and other edge cases but ignoring that for the moment) that runs in the corresponding appcontainer defined by the app's appx manifest. This one process is where edgehtml is loaded and is rendering HTML, talking to the network, and executing script. Specifically, the UWP main UI thread is the one where your script is running and calling into WinRT.

In the Edge browser there is a browser process running in the same appcontainer defined by its appx manifest, but there are also tab processes. These tab processes are running in restricted app containers that have fewer appx capabilities. The browser process has XAML loaded and coordinates between tabs and handles some (non-WinRT) brokering from the tab processes. The tab processes load edgehtml and that is where they render HTML, talk to the network and execute script.

There is no way to configure the JavaScript UWP app's process model but using WebViews you can approximate it. You can create out of process WebViews and to some extent configure their capabilities, although not to the same extent as the browser. The WebView processes in this case are similar to the browser's tab processes. See the MSWebViewProcess object for configuring out of process WebView creation. I also implemented out of proc WebView tabs in my JSBrowser fork.

ApplicationContentUriRules

The ApplicationContentUriRules (ACUR) section of the appx manifest lets an application define what URIs are considered app code. See a previous post for the list of ACUR effects.

Notably app code is able to access WinRT APIs. Because of this, DOM security restrictions are loosended to match what is possible with WinRT.

Privileged DOM APIs like geolocation, camera, mic etc require a user prompt in the browser before use. App code does not show the same browser prompt. There still may be an OS prompt – the same prompt that applies to any UWP app, but that’s usually per app not per origin.

App code also gets to use XMLHttpRequest or fetch to access cross origin content. Because UWP apps have separate state, cross origin here might not mean much to an attacker unless your app also has the user login to Facebook or some other interesting cross origin target.

PermalinkCommentsedge javascript security uwp web-security wwa

Tweet from David_Risney

2016 Feb 16, 2:06
OK Go's beef with YouTube led to latest video release on Facebook: http://www.adweek.com/news/technology/why-ok-go-went-facebook-only-debut-its-buzzy-zero-gravity-music-video-169599 …
PermalinkComments

Retweet of mathias

2016 Jan 27, 10:29
Take any Facebook/Instagram photo URL.👉 append `.txt` → ASCII art👉 append `.html` → colored ASCII artE.g. https://scontent-ams3-1.cdninstagram.com/t51.2885-15/e35/11906246_1700002456899911_1391970345_n.jpg.html …
PermalinkComments

Retweet of ryanpitts

2015 Dec 6, 9:21
This @replyall about a woman whose Facebook post began a movement that took down corrupt Guatemalan politicians, wow https://gimletmedia.com/episode/47-quit-already/ …
PermalinkComments

Retweet of xeni

2015 Nov 6, 12:26
Facebook's censoring me. Tried to post my @boingboing item re: http://tsu.co . Got blocked. http://boingboing.net/2015/11/06/facebook-is-censoring-links-to.html …
PermalinkComments

Retweet of edent

2015 Feb 26, 3:16
Facebook Mangles Unicode URLs https://shkspr.mobi/blog/?p=20643 
PermalinkComments

Retweet of TimHarford

2015 Feb 26, 2:01
Does using Facebook make you sad? The answer: yes, if you use it in certain ways... http://dlvr.it/8lzYyS 
PermalinkComments

Retweet of theharmonyguy

2015 Feb 24, 7:41
2014 highlights from Facebook's bug bounty program: https://www.facebook.com/notes/1026610350686524/ …
PermalinkComments

Retweet of shaver

2015 Feb 20, 4:19
Facebook Security published a note with some info on Superfish: https://www.facebook.com/notes/protect-the-graph/windows-ssl-interception-gone-wild/1570074729899339 …
PermalinkComments

intoosteep: She died as she lived: walking down stairs checking Facebook statuses.

2015 Jan 17, 6:59
Claire Ayoub @intoosteep :
She died as she lived: walking down stairs checking Facebook statuses.
PermalinkComments

How I Pranked My Roommate With Eerily Targeted Facebook Ads

2014 Sep 18, 2:27

“This is the chronicle of the most epic retaliation and how I pranked my roommate with targeted Facebook Ads to the point of complete paranoia and delusion.”

Funny anecdote but also a how-to on creating a Facebook ad campaign that targets a single person.

PermalinkCommentshumor security ad facebook

Detect login with CSP - When Security Generates Insecurity

2014 Jul 8, 1:13

An interesting way to use the report-uri feature of CSP to detect if a user is logged into Google, Facebook etc.

PermalinkCommentstechnical security csp web

Nieman Journalism Lab - Who’s behind that tweet? Here’s how 7...

2014 May 29, 4:03


Nieman Journalism Lab - Who’s behind that tweet? Here’s how 7 news orgs manage their Twitter and Facebook accounts

PermalinkCommentsnews twitter

thefrogman: Poorly Drawn Lines by Reza...

2013 Oct 15, 7:47


thefrogman:

Poorly Drawn Lines by Reza Farazmand
[website | tumblr | twitter | facebook]

PermalinkCommentshumor comic robot

Will Arnett Explains the Origins of His Arrested Development Chicken Dance

2013 May 8, 11:26

thebluthcompany:

To decide what Gob’s bad impression of a chicken might be, Arnett consulted on set in 2003 with series executive producers Mitch Hurwitz and James Vallely. They all tried out different versions for each other. “Jimmy started doing a little bit, then Mitch got up and did some, and then I began trying things,” remembers Arnett. “Picture three grown men hopping around, working out what it would be … They were pitching this really taunting dance, but I wanted to give it this very sharp, almost roosterlike, chest-sticking-out mannerism, like a real macho bravado dance.” And how did clapping get introduced to the move? “Because I wanted it to be only sort of threatening.”

Read More | Vulture

PermalinkCommentshumor chicken chicken-dance arrested-development

Scumbag Steve's Advice for Annoying Facebook Girl

2012 May 4, 2:46

Blake Boston of the Scumbag Steve meme writes an open letter to the woman in the Annoying Facebook Girl meme.

PermalinkCommentshumor meme scumbag-steve

Privacy through Obscurity

2012 Mar 9, 3:30

With Facebook changing its privacy policy and settings so frequently and just generally the huge amount of social sites out there, for many of us it is far too late to ensure our name doesn't show up with unfortunate results in web searches. Information is too easily copyable and archive-able to make removing these results a viable option, so clearly the solution is to create more data.

Create fake profiles on Facebook using your name but with a different photo, different date of birth, and different hometown. Create enough doppelgangers to add noise to the search results for your name. And have them share embarrassing stories on their blogs. The goal is to ensure that the din of your alternates drowns out anything embarrassing showing up for you.

Although it will look suspicious if you're the only name on Google with such chaff. So clearly you must also do this for your friends and family. Really you'll be doing them a favor.

PermalinkCommentstechnical facebook stupid internet privacy

Cursor:none abuse (trick users into clicking Facebook 'like') (co.uk)

2012 Mar 6, 7:19

Cursor spoofing. Great job!

PermalinkCommentstechnical javascript css html cursor security

(via Failbook: Making the Switch)

2011 Dec 7, 11:26


(via Failbook: Making the Switch)

PermalinkCommentshumor facebook google-plus indiana-jones

Lessons of the Chewbacca Incident « Binary Bonsai

2010 Sep 27, 1:51Learn how to correctly generalize about the users of Reddit, Facebook, BoingBoing, etc based on the redirect HTTP stats collected from this sites recent popular post on Chewbacca.PermalinkCommentsstatistics internet web blog
Older Entries Creative Commons License Some rights reserved.