mode - Dave's Blog

Search
My timeline on Mastodon

Edge browser and JavaScript UWP app security model comparison

2018 Nov 29, 2:21

There are two main differences in terms of security between a JavaScript UWP app and the Edge browser:

Process Model

A JavaScript UWP app has one process (technically not true with background tasks and other edge cases but ignoring that for the moment) that runs in the corresponding appcontainer defined by the app's appx manifest. This one process is where edgehtml is loaded and is rendering HTML, talking to the network, and executing script. Specifically, the UWP main UI thread is the one where your script is running and calling into WinRT.

In the Edge browser there is a browser process running in the same appcontainer defined by its appx manifest, but there are also tab processes. These tab processes are running in restricted app containers that have fewer appx capabilities. The browser process has XAML loaded and coordinates between tabs and handles some (non-WinRT) brokering from the tab processes. The tab processes load edgehtml and that is where they render HTML, talk to the network and execute script.

There is no way to configure the JavaScript UWP app's process model but using WebViews you can approximate it. You can create out of process WebViews and to some extent configure their capabilities, although not to the same extent as the browser. The WebView processes in this case are similar to the browser's tab processes. See the MSWebViewProcess object for configuring out of process WebView creation. I also implemented out of proc WebView tabs in my JSBrowser fork.

ApplicationContentUriRules

The ApplicationContentUriRules (ACUR) section of the appx manifest lets an application define what URIs are considered app code. See a previous post for the list of ACUR effects.

Notably app code is able to access WinRT APIs. Because of this, DOM security restrictions are loosended to match what is possible with WinRT.

Privileged DOM APIs like geolocation, camera, mic etc require a user prompt in the browser before use. App code does not show the same browser prompt. There still may be an OS prompt – the same prompt that applies to any UWP app, but that’s usually per app not per origin.

App code also gets to use XMLHttpRequest or fetch to access cross origin content. Because UWP apps have separate state, cross origin here might not mean much to an attacker unless your app also has the user login to Facebook or some other interesting cross origin target.

PermalinkCommentsedge javascript security uwp web-security wwa

WinRT Toast from PowerShell

2016 Jun 15, 3:54

I've made a PowerShell script to show system toast notifications with WinRT and PowerShell. Along the way I learned several interesting things.

First off calling WinRT from PowerShell involves a strange syntax. If you want to use a class you write [-Class-,-Namespace-,ContentType=WindowsRuntime] first to tell PowerShell about the type. For example here I create a ToastNotification object:

[void][Windows.UI.Notifications.ToastNotification,Windows.UI.Notifications,ContentType=WindowsRuntime];
$toast = New-Object Windows.UI.Notifications.ToastNotification -ArgumentList $xml;
And here I call the static method CreateToastNotifier on the ToastNotificationManager class:
[void][Windows.UI.Notifications.ToastNotificationManager,Windows.UI.Notifications,ContentType=WindowsRuntime];
$notifier = [Windows.UI.Notifications.ToastNotificationManager]::CreateToastNotifier($AppUserModelId);
With this I can call WinRT methods and this is enough to show a toast but to handle the click requires a little more work.

To handle the user clicking on the toast I need to listen to the Activated event on the Toast object. However Register-ObjectEvent doesn't handle WinRT events. To work around this I created a .NET event wrapper class to turn the WinRT event into a .NET event that Register-ObjectEvent can handle. This is based on Keith Hill's blog post on calling WinRT async methods in PowerShell. With the event wrapper class I can run the following to subscribe to the event:

function WrapToastEvent {
param($target, $eventName);

Add-Type -Path (Join-Path $myPath "PoshWinRT.dll")
$wrapper = new-object "PoshWinRT.EventWrapper[Windows.UI.Notifications.ToastNotification,System.Object]";
$wrapper.Register($target, $eventName);
}

[void](Register-ObjectEvent -InputObject (WrapToastEvent $toast "Activated") -EventName FireEvent -Action {
...
});

To handle the Activated event I want to put focus back on the PowerShell window that created the toast. To do this I need to call the Win32 function SetForegroundWindow. Doing so from PowerShell is surprisingly easy. First you must tell PowerShell about the function:

Add-Type @"
using System;
using System.Runtime.InteropServices;
public class PInvoke {
[DllImport("user32.dll")] [return: MarshalAs(UnmanagedType.Bool)]
public static extern bool SetForegroundWindow(IntPtr hwnd);
}
"@
Then to call:
[PInvoke]::SetForegroundWindow((Get-Process -id $myWindowPid).MainWindowHandle);

But figuring out the HWND to give to SetForegroundWindow isn't totally straight forward. Get-Process exposes a MainWindowHandle property but if you start a cmd.exe prompt and then run PowerShell inside of that, the PowerShell process has 0 for its MainWindowHandle property. We must follow up process parents until we find one with a MainWindowHandle:

$myWindowPid = $pid;
while ($myWindowPid -gt 0 -and (Get-Process -id $myWindowPid).MainWindowHandle -eq 0) {
$myWindowPid = (gwmi Win32_Process -filter "processid = $($myWindowPid)" | select ParentProcessId).ParentProcessId;
}
PermalinkComments.net c# powershell toast winrt

Retweet of stevefaulkner

2016 Feb 10, 4:57
Chrome change breaks the visual viewport http://www.quirksmode.org/blog/archives/2016/02/chrome_change_b.html … by @ppk via @powrsurg
PermalinkComments

Tweet from David_Risney

2015 Aug 5, 8:09
"@TeslaMotors: Charger prototype finding its way to Model S " Elon Musk audition video for next Spiderman as Doc Ock
PermalinkComments

laughingsquid: Live Band Performs ‘Mario Kart’ Song as Man...

2015 May 27, 3:11


laughingsquid:

Live Band Performs ‘Mario Kart’ Song as Man Races Down the Video Game Track

PermalinkComments

laughingsquid: Live Band Performs ‘Mario Kart’ Song as Man...

2015 May 27, 3:11


laughingsquid:

Live Band Performs ‘Mario Kart’ Song as Man Races Down the Video Game Track

PermalinkComments

laughingsquid: A Real Hedgehog Scurries Along to Music From the...

2015 Apr 23, 1:17


laughingsquid:

A Real Hedgehog Scurries Along to Music From the ‘Sonic the Hedgehog’ Video Game While Collecting Golden Rings

PermalinkComments

laughingsquid: A Real Hedgehog Scurries Along to Music From the...

2015 Apr 23, 1:17


laughingsquid:

A Real Hedgehog Scurries Along to Music From the ‘Sonic the Hedgehog’ Video Game While Collecting Golden Rings

PermalinkComments

RIP CadburdyShe died yesterday. Besides the normal grief its...

2015 Apr 8, 2:43


RIP Cadburdy

She died yesterday. Besides the normal grief its strange being the adult and dealing with a deceased pet.

PermalinkComments

RIP CadburdyShe died yesterday. Besides the normal grief its...

2015 Apr 8, 2:43


RIP Cadburdy

She died yesterday. Besides the normal grief its strange being the adult and dealing with a deceased pet.

PermalinkComments

laughingsquid:‘Find a Fish’, The Classic Surreal Intermission...

2015 Apr 8, 5:02


laughingsquid:

‘Find a Fish’, The Classic Surreal Intermission Sketch From Monty Python’s 1983 Film ‘The Meaning of Life’

Surprisingly often quoted ‘a fish fish fishy, oh!’ with my roommates in college.

PermalinkComments

laughingsquid:‘Find a Fish’, The Classic Surreal Intermission...

2015 Apr 8, 5:02


laughingsquid:

‘Find a Fish’, The Classic Surreal Intermission Sketch From Monty Python’s 1983 Film ‘The Meaning of Life’

Surprisingly often quoted ‘a fish fish fishy, oh!’ with my roommates in college.

PermalinkComments

laughingsquid:Researcher Cracks His Knuckles in Only One Hand...

2015 Mar 24, 12:01


laughingsquid:

Researcher Cracks His Knuckles in Only One Hand for Over 60 Years to See if He Would Get Arthritis

PermalinkComments

laughingsquid:Researcher Cracks His Knuckles in Only One Hand...

2015 Mar 24, 12:01


laughingsquid:

Researcher Cracks His Knuckles in Only One Hand for Over 60 Years to See if He Would Get Arthritis

PermalinkComments

laughingsquid:Photo-Editing Professionals React With Surprise...

2015 Mar 17, 3:05


laughingsquid:

Photo-Editing Professionals React With Surprise and Frustration as They Attempt to Use Photoshop 1.0 From 1990

PermalinkComments

laughingsquid:Photo-Editing Professionals React With Surprise...

2015 Mar 17, 3:05


laughingsquid:

Photo-Editing Professionals React With Surprise and Frustration as They Attempt to Use Photoshop 1.0 From 1990

PermalinkComments

Retweet of stevefaulkner

2015 Mar 3, 2:49
browser support? "no clue" "I do not understand the point of this type. Neither do browsers." http://quirksmode.org/html5/inputs/mobile.html …
PermalinkComments

laughingsquid:A Fun Offbeat Parody of the ‘Jurassic World’...

2015 Feb 17, 5:53


laughingsquid:

A Fun Offbeat Parody of the ‘Jurassic World’ Teaser Trailer Featuring Raptors on Motorcycles

PermalinkComments

laughingsquid:A Fun Offbeat Parody of the ‘Jurassic World’...

2015 Feb 17, 5:53


laughingsquid:

A Fun Offbeat Parody of the ‘Jurassic World’ Teaser Trailer Featuring Raptors on Motorcycles

PermalinkComments

jacobrossi: now uses HSTS, which "coincidentally" is in EdgeHTML engine rolling out to the tech preview

2015 Jan 22, 11:45
Jacob Rossi @jacobrossi :
http://status.modern.IE  now uses HSTS, which "coincidentally" is in EdgeHTML engine rolling out to the tech preview https://github.com/InternetExplorer/Status.IE/commit/31297bc1c8aaf43b4459d49764b5a865b5f66223 …
PermalinkComments
Older Entries Creative Commons License Some rights reserved.