model - Dave's Blog


Edge browser and JavaScript UWP app security model comparison

2018 Nov 29, 2:21

There are two main differences in terms of security between a JavaScript UWP app and the Edge browser:

Process Model

A JavaScript UWP app has one process (technically not true with background tasks and other edge cases but ignoring that for the moment) that runs in the corresponding appcontainer defined by the app's appx manifest. This one process is where edgehtml is loaded and is rendering HTML, talking to the network, and executing script. Specifically, the UWP main UI thread is the one where your script is running and calling into WinRT.

In the Edge browser there is a browser process running in the same appcontainer defined by its appx manifest, but there are also tab processes. These tab processes are running in restricted app containers that have fewer appx capabilities. The browser process has XAML loaded and coordinates between tabs and handles some (non-WinRT) brokering from the tab processes. The tab processes load edgehtml and that is where they render HTML, talk to the network and execute script.

There is no way to configure the JavaScript UWP app's process model, but using WebViews you can approximate it. You can create out-of-process WebViews and to some extent configure their capabilities, although not to the same extent as the browser. The WebView processes in this case are similar to the browser's tab processes. See the MSWebViewProcess object for configuring out-of-process WebView creation. I also implemented out-of-proc WebView tabs in my JSBrowser fork.

ApplicationContentUriRules

The ApplicationContentUriRules (ACUR) section of the appx manifest lets an application define what URIs are considered app code. See a previous post for the list of ACUR effects.

Notably, app code is able to access WinRT APIs. Because of this, DOM security restrictions are loosened to match what is possible with WinRT.

Privileged DOM APIs like geolocation, camera, mic, etc. require a user prompt in the browser before use. App code does not show the same browser prompt. There still may be an OS prompt, the same prompt that applies to any UWP app, but that's usually per app, not per origin.

App code also gets to use XMLHttpRequest or fetch to access cross-origin content. Because UWP apps have separate state, cross-origin here might not mean much to an attacker unless your app also has the user log in to Facebook or some other interesting cross-origin target.
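As an added illustration (not from the original post) of how narrowly an ACUR section can be scoped, here is an assumed appx manifest fragment for a hypothetical app served from https://app.example.com: only that exact origin is treated as app code with full WinRT access, a partner path on the same host is explicitly excluded so it stays ordinary web content, and a second origin is limited to WinRT components marked for web access.

```xml
<!-- Assumed manifest fragment for a hypothetical JavaScript UWP app (added example, not the post's own). -->
<Applications>
  <Application Id="App" StartPage="https://app.example.com/index.html">
    <uap:ApplicationContentUriRules>
      <!-- App code: WinRT access, loosened DOM restrictions, no per-origin prompts.
           Keep include rules to https origins you control and match them as narrowly as possible. -->
      <uap:Rule Match="https://app.example.com/" Type="include" WindowsRuntimeAccess="all" />

      <!-- Third-party content hosted under your own origin is carved back out:
           it renders as plain web content with no WinRT and normal cross-origin rules. -->
      <uap:Rule Match="https://app.example.com/partner/" Type="exclude" />

      <!-- Content that only needs your own AllowForWeb-marked WinRT components,
           not the whole WinRT surface, gets the narrower access level. -->
      <uap:Rule Match="https://widgets.example.com/" Type="include" WindowsRuntimeAccess="allowForWeb" />
    </uap:ApplicationContentUriRules>
  </Application>
</Applications>
```

The loosening described above applies to every URI an include rule matches, so an over-broad Match (a whole third-party host, for instance) hands WinRT and cross-origin fetch to code you do not control.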

Tags: edge javascript security uwp web-security wwa

WinRT Toast from PowerShell

2016 Jun 15, 3:54

I've made a PowerShell script to show system toast notifications with WinRT and PowerShell. Along the way I learned several interesting things.

First off, calling WinRT from PowerShell involves a strange syntax. If you want to use a class you write [-Class-,-Namespace-,ContentType=WindowsRuntime] first to tell PowerShell about the type. For example, here I create a ToastNotification object:

# $xml is the toast's XmlDocument payload, built elsewhere in the full script.
[void][Windows.UI.Notifications.ToastNotification,Windows.UI.Notifications,ContentType=WindowsRuntime];
$toast = New-Object Windows.UI.Notifications.ToastNotification -ArgumentList $xml;

And here I call the static method CreateToastNotifier on the ToastNotificationManager class:

[void][Windows.UI.Notifications.ToastNotificationManager,Windows.UI.Notifications,ContentType=WindowsRuntime];
$notifier = [Windows.UI.Notifications.ToastNotificationManager]::CreateToastNotifier($AppUserModelId);

With this I can call WinRT methods, and this is enough to show a toast, but handling the click requires a little more work.

To handle the user clicking on the toast I need to listen to the Activated event on the Toast object. However, Register-ObjectEvent doesn't handle WinRT events. To work around this I created a .NET event wrapper class to turn the WinRT event into a .NET event that Register-ObjectEvent can handle. This is based on Keith Hill's blog post on calling WinRT async methods in PowerShell. With the event wrapper class I can run the following to subscribe to the event:

function WrapToastEvent {
    param($target, $eventName);

    # $myPath is the directory holding the script and PoshWinRT.dll (set earlier in the full script).
    Add-Type -Path (Join-Path $myPath "PoshWinRT.dll")
    # Wrap the WinRT event so it is exposed as a .NET event named FireEvent.
    $wrapper = new-object "PoshWinRT.EventWrapper[Windows.UI.Notifications.ToastNotification,System.Object]";
    $wrapper.Register($target, $eventName);
}

[void](Register-ObjectEvent -InputObject (WrapToastEvent $toast "Activated") -EventName FireEvent -Action {
    ...
});

To handle the Activated event I want to put focus back on the PowerShell window that created the toast. To do this I need to call the Win32 function SetForegroundWindow. Doing so from PowerShell is surprisingly easy. First you must tell PowerShell about the function:

Add-Type @"
using System;
using System.Runtime.InteropServices;
public class PInvoke {
    [DllImport("user32.dll")] [return: MarshalAs(UnmanagedType.Bool)]
    public static extern bool SetForegroundWindow(IntPtr hwnd);
}
"@

Then to call:

[PInvoke]::SetForegroundWindow((Get-Process -id $myWindowPid).MainWindowHandle);

But figuring out the HWND to give to SetForegroundWindow isn't totally straightforward. Get-Process exposes a MainWindowHandle property, but if you start a cmd.exe prompt and then run PowerShell inside of that, the PowerShell process has 0 for its MainWindowHandle property. We must walk up the process parents until we find one with a MainWindowHandle:

$myWindowPid = $pid;
# Walk up the parent chain until a process with a real main window is found (or the chain runs out).
while ($myWindowPid -gt 0 -and (Get-Process -id $myWindowPid).MainWindowHandle -eq 0) {
    $myWindowPid = (gwmi Win32_Process -filter "processid = $($myWindowPid)" | select ParentProcessId).ParentProcessId;
}
Tags: .net c# powershell toast winrt

Tweet from David_Risney

2015 Aug 5, 8:09
"@TeslaMotors: Charger prototype finding its way to Model S " Elon Musk audition video for next Spiderman as Doc Ock

Free Universal Construction Kit is a set of 3D models you can...

2012 Mar 19, 4:05


Free Universal Construction Kit is a set of 3D models you can print on a 3D printer that allow you to connect Lego to Duplo to Lincoln Logs, etc.

Tags: toy video 3d-printer

With WP7 Mango available for all, Microsoft pushes ahead with new updates

2011 Dec 1, 3:22

“including driver updates to enable Internet sharing on some models such as the HTC HD7” Just upgraded and saw this. Very cool.

Tags: technical cell-phone wifi router wp7

Console Build Window Jump Lists Tool

2010 Dec 13, 11:14

I've made two simple command line tools related to the console window and Win7 jump lists. The source is available for both but neither is much more than the sort of samples you'd find on MSDN =).

SetAppUserModelId lets you change the Application User Model ID for the current console window. The AppUserModelId is the value Win7 uses to group together icons on the task bar and is what the task bar's jump lists are associated with. The tool lets you change that as well as the icon and name that appear in the task bar for the window, and the command to launch if the user attempts to re-launch the application from its task bar icon.

SetJumpList lets you set the jump list associated with a particular AppUserModelId. You pass the AppUserModelId as the only parameter and then in its standard input you give it lines specifying items that should appear in the jump list and what to execute when those items are picked.

I put these together to make my build environment easier to deal with at work. I have to deal with multiple enlistments in many different branches and so I wrote a simple script around these two tools to group my build windows by branch name in the task bar, and to add the history of commands I've used to launch the build environment console windows to the jump list of each.

Tags: win7 jumplist technical console

google-caja - Project Hosting on Google Code

2010 May 6, 7:22

"Caja allows websites to safely embed DHTML web applications from third parties, and enables rich interaction between the embedding page and the embedded applications. It uses an object-capability security model to allow for a wide range of flexible security policies, so that the containing page can effectively control the embedded applications' use of user data and to allow gadgets to prevent interference between gadgets' UI elements."

Tags: security web browser web-sandbox caja google javascript html technical

The Hitchhiker's Guide to the Galaxy (film) - Wikipedia, the free encyclopedia

2010 Mar 12, 11:11

"All of the sculpted noses on the planet Viltvodle VI were fashioned after Douglas Adams' own. The creators used a 3D model he had created for the game Starship Titanic."

The noses mentioned in the quote were depicted in the movie in a church. The religion of this church maintains that the universe was created by their god sneezing it out, and so they have statues of their god's nose throughout the church. Of course this is intended to seem absurd; however, given the quote above, that the nose belonged to Douglas Adams, they really were worshipping the nose of their creator.

Tags: douglas-adams book hhgttg movie religion nose

Protecting Browsers from Extension Vulnerabilities

2010 Feb 27, 10:06

A web browser add-on security research paper that describes the Google Chrome security model. "We propose a new browser extension system that improves security by using least privilege, privilege separation, and strong isolation. Our system limits the misdeeds an attacker can perform through an extension vulnerability. Our design has been adopted as the Google Chrome extension system."

Tags: security design google chrome firefox addon plugin web browser technical research adam-barth system:filetype:pdf system:media:document

Just Add Johansson

2009 Dec 16, 9:41

"This sort of model should remind you of 1-piece click-out toys packaged with action figures such as Teenage Mutant Ninja Turtles. Michael Johansson specializes in parodying this particular moment in toydom by creating life-sized models with that molded-plastic “break-apart and play” action specifically in mind."

Tags: art sculpture design product commodity parody

Discontinued desktop 3D printers on the cheap Boing Boing

2009 Dec 8, 1:56

More good gift ideas just in time for the holidays: "The Invision LD 3D-Modeler printer has been discontinued and is being sold off for $5,000 a throw -- it uses Laminated Object Manufacturing to produce low-rez 3D models"

Tags: 3d printer purchase gift wishlist

PLoS ONE: Clickstream Data Yields High-Resolution Maps of Science

2009 Nov 23, 11:33

A map of the sciences generated via science web portals: "Over the course of 2007 and 2008, we collected nearly 1 billion user interactions recorded by the scholarly web portals of some of the most significant publishers, aggregators and institutional consortia...The resulting model was visualized as a journal network that outlines the relationships between various scientific domains and clarifies the connection of the social sciences and humanities to the natural sciences."

Tags: via:pskomoroch visualization science map graph

Composing the Semantic Web: Units ontology with SPIN support published

2009 Sep 1, 4:25

"Each unit has a stable URI, making it possible to link to it from your own domain models in a reliable way. For each unit, the ontology defines some useful metadata including abbreviation, a link to DBpedia and a categorization of units into groups, such as length units."

Tags: semanticweb via:connolly web unit conversion uri technical

WHEN ZOMBIES ATTACK!: MATHEMATICAL MODELLING OF AN OUTBREAK OF ZOMBIE INFECTION

2009 Aug 25, 7:10

Research paper modelling zombie infection. "The key difference between the models presented here and other models of infectious disease is that the dead can come back to life." Also, love the references section with "Snyder, Zack (director), 2004 Dawn of the Dead" next to things like "Bainov, D.D. & Simeonov, P.S. Impulsive Differential Equations: Asymptotic Properties of the Solutions. World Scientific, Singapore (1995)."

Tags: humor zombie research via:schneier math science health apocalypse system:filetype:pdf system:media:document

Self-Portrait Machine - we make money not art

2009 Jul 27, 4:29

"Jen Hui Liao's Self-Portrait Machine is a device that takes a picture of the sitter and draws it but with the model's help. The wrists of the individual are tied to the machine and it is his or her hands that are guided to draw the lines that will eventually form the portrait." With video!

Tags: video drawing art technology machine robot automation self-portrait

Content-Type Processing Model

2009 Jun 22, 3:12

HTML5's mime-sniffing is getting moved to an IETF doc: "Many web servers supply incorrect Content-Type headers with their HTTP responses. In order to be compatible with these servers, user agents must consider the content of HTTP responses as well as the Content-Type header when determining the effective media type of the response. This document describes an algorithm for determining the effective media type of HTTP responses that balances security and compatibility considerations."

Tags: mime mime-sniffing ietf http w3c html5 technical

Michael(tm) Smith - WebKit destined to get its own content sniffer

2009 Jun 22, 3:09

"Web/browser-security maven and coder Adam Barth has been working on implementing a content sniffer in WebKit, based on a content-sniffing algorithm that was originally specified in the HTML5 draft, but that's now specified as a separate IETF draft that Adam is editing and that's titled, Content-Type Processing Model."

Tags: mime mime-sniffing webkit http technical

Mostly Moved Into New House

2009 Jun 19, 8:07

[Image: New House Exterior]

The weekend before the previous, Sarah and I moved our belongings into the new house and spent a lot of time packing and unpacking, and now we're officially living there (interested Facebook friends can find my new address or just ask me). The Saturday of the previous weekend Sarah's family came over for a half house warming and half Sarah's birthday celebration which was fun and served to force us to do more unpacking and forced me to take trips to Home Depot, Bed Bath and Beyond, etc. On Sunday, Sarah and I went out to her favorite restaurant and she opened her gifts that I had to hide to keep her from opening before her birthday. Happy Birthday Sarah!

While at Home Depot I had trouble finding what I was actually looking for, but I did find everything I needed to terminate the Cat5e cables that are wired in the house. Each room has a wall plate with two RJ45 sockets, both sockets wired to Cat5e cable. One of the cables per plate was already hooked up to a standard phone service punchdown board and the other cables per plate were all hanging unterminated next to the punchdown board. So now I've terminated them all with RJ45 connectors and hooked them up to my hub, wireless router, cable modem, etc. I had the same sort of fun setting all that up as I did playing with model train sets as a child. Hopefully no therapy will be required to figure out why that is.

Tags: personal2 train address sarah house new-house birthday

XML.com: The Atom Link Model

2009 Jun 3, 9:55

"A "via" link is simply a link back to the site where you found the article you're linking to. Atom has a link tag for this scenario: ." Is there an HTML version?

Tags: atom rss xml link syndication via

LDC Catalog - Web 1T 5-gram Version 1

2009 Mar 16, 4:22

"This data set, contributed by Google Inc., contains English word n-grams and their observed frequency counts. The length of the n-grams ranges from unigrams (single words) to five-grams. We expect this data will be useful for statistical language modeling, e.g., for machine translation or speech recognition, as well as for other uses." 6 DVDs for only $150 with licensing restri... ok nm.

Tags: language google statistics database text

Creative Commons License: Some rights reserved.