network - Dave's Blog


Edge browser & JavaScript UWP app security model comparison

2018 Nov 29, 2:21

There are two main differences in terms of security between a JavaScript UWP app and the Edge browser:

Process Model

A JavaScript UWP app has one process (technically not true with background tasks and other edge cases but ignoring that for the moment) that runs in the corresponding appcontainer defined by the app's appx manifest. This one process is where edgehtml is loaded and is rendering HTML, talking to the network, and executing script. Specifically, the UWP main UI thread is the one where your script is running and calling into WinRT.

In the Edge browser there is a browser process running in the same appcontainer defined by its appx manifest, but there are also tab processes. These tab processes are running in restricted app containers that have fewer appx capabilities. The browser process has XAML loaded and coordinates between tabs and handles some (non-WinRT) brokering from the tab processes. The tab processes load edgehtml and that is where they render HTML, talk to the network and execute script.

There is no way to configure the JavaScript UWP app's process model but using WebViews you can approximate it. You can create out of process WebViews and to some extent configure their capabilities, although not to the same extent as the browser. The WebView processes in this case are similar to the browser's tab processes. See the MSWebViewProcess object for configuring out of process WebView creation. I also implemented out of proc WebView tabs in my JSBrowser fork.


The ApplicationContentUriRules (ACUR) section of the appx manifest lets an application define what URIs are considered app code. See a previous post for the list of ACUR effects.

Notably app code is able to access WinRT APIs. Because of this, DOM security restrictions are loosened to match what is possible with WinRT.

Privileged DOM APIs like geolocation, camera, mic etc require a user prompt in the browser before use. App code does not show the same browser prompt. There still may be an OS prompt – the same prompt that applies to any UWP app, but that’s usually per app not per origin.

App code also gets to use XMLHttpRequest or fetch to access cross origin content. Because UWP apps have separate state, cross origin here might not mean much to an attacker unless your app also has the user login to Facebook or some other interesting cross origin target.


Tweet from Seth Abramson

2017 Jan 22, 5:21
Retweet if you want networks to stop booking Kellyanne Conway, the first U.S. presidential counselor to openly advocate lying to the public.

Tweet from Pwn All The Things

2016 Sep 6, 10:47
Oh My God. This report is such a troll. Hackers cleverly hid their searching of network shares using "SMB protocol"

WPAD Server Fiddler Extension Source

2016 Aug 5, 3:18

I've put my WPAD Fiddler extension source and the installer on GitHub.

Six years ago I made a WPAD DHCP server Fiddler extension (described previously and previously). The extension runs a WPAD DHCP server that tells any clients that connect to it to connect to the running Fiddler instance. I've finally got around to putting the source on GitHub. I haven't touched it in five or so years so this is either for posterity or education or something.


Windows Store App WebView Cross Origin XMLHttpRequest Behavior

2016 Jun 2, 6:45

TL;DR: Web content in a JavaScript Windows Store app or WebView in a Windows Store app that has full access to WinRT also gets to use XHR unrestricted by cross origin checks.

By default web content in a WebView control in a Windows Store App has the same sort of limitations as that web content in a web browser. However, if you give the URI of that web content full access to WinRT, then the web content also gains the ability to use XMLHttpRequest unrestricted by cross origin checks. This means no CORS checks and no OPTIONS requests. This only works if the web content's URI matches a Rule in the ApplicationContentUriRules of your app's manifest and that Rule declares WindowsRuntimeAccess="all". If it declares WinRT access as 'None' or 'AllowForWebOnly' then XHR acts as it normally does.

In terms of security, if you've already given a page access to all of WinRT which includes the HttpRequest class and other networking classes that don't perform cross origin checks, then allowing XHR to skip CORS doesn't make things worse.
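
An added example, not code from this post or from Microsoft: a Python audit of an appx manifest's ApplicationContentUriRules that flags the rules turning web content into app code, as described in this post and in the Edge/UWP comparison above. The manifest and its hosts are constructed, and treating a missing WindowsRuntimeAccess attribute as "none" is an assumption of this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample manifest; hosts are placeholders, not taken from the post.
SAMPLE_MANIFEST = """<Package
    xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10"
    xmlns:uap="http://schemas.microsoft.com/appx/manifest/uap/windows10">
  <Applications><Application Id="App" StartPage="index.html">
    <uap:ApplicationContentUriRules>
      <uap:Rule Match="https://app.example.com/" Type="include" WindowsRuntimeAccess="all"/>
      <uap:Rule Match="https://*.example.com/" Type="include" WindowsRuntimeAccess="all"/>
      <uap:Rule Match="http://legacy.example.com/" Type="include" WindowsRuntimeAccess="All"/>
      <uap:Rule Match="https://cdn.example.net/" Type="include" WindowsRuntimeAccess="allowForWebOnly"/>
      <uap:Rule Match="https://help.example.com/" Type="include"/>
    </uap:ApplicationContentUriRules>
  </Application></Applications>
</Package>"""


def audit_acur(manifest_xml):
    """Return (match, access, findings) for every include Rule in the manifest."""
    results = []
    for el in ET.fromstring(manifest_xml).iter():
        # Compare local names so any manifest namespace prefix is accepted.
        if el.tag.rsplit("}", 1)[-1] != "Rule":
            continue
        if el.get("Type", "include").lower() != "include":
            continue
        match = el.get("Match", "")
        # A missing attribute is treated as "none" here (assumption of this example).
        access = el.get("WindowsRuntimeAccess", "none").lower()
        findings = []
        if access == "all":
            findings.append("app code: WinRT access, XHR skips CORS checks")
            url = urlsplit(match)
            if url.scheme != "https":
                findings.append("not https: content can be altered in transit")
            if "*" in url.netloc:
                findings.append("wildcard host: every matching host is app code")
        results.append((match, access, findings))
    return results


if __name__ == "__main__":
    for match, access, findings in audit_acur(SAMPLE_MANIFEST):
        print(f"{match:32} {access:16} {'; '.join(findings) or 'normal XHR/CORS'}")
```

Rules with no findings keep ordinary browser-style XHR behaviour; each rule reported as app code is an origin whose compromise yields WinRT access.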


Tweet from David_Risney

2016 Jan 6, 10:53
Cracking passwords with neural networks …

Retweet of Esquiring

2015 Nov 23, 10:32
#TIL someone virtualized a bunch of networked Tamagotchis and has an AI caring for them.

Retweet of jvaleski

2015 Nov 9, 2:38
Just had "the talk" w/ my daughter; complete w/ diagram. Everyone needs to know how this all works. #thenetwork

Tweet from David_Risney

2015 Oct 12, 9:31
Auto generating clickbait articles via neural network: …. And the result: 

Tweet from David_Risney

2015 Jul 21, 12:13
I always thought BSG's Galactica disallowing networks and air gapping everything was lame. Starting to get it now.

Retweet of troyhunt

2015 Jul 13, 10:43
Blogged: How I got XSS’d by my ad network 

Netflix responds to Verizon’s cease & desist letter....

2014 Jun 10, 2:54

Netflix responds to Verizon’s cease & desist letter. Somehow I doubt that Verizon will bite on your offer to work together to increase network transparency, Netflix. Nice suggestion though.


Windows Remote Desktop via Internet

2012 Dec 7, 2:04
To set up my home Windows dev box to be accessible from outside I followed two main steps:
Last time I had to do this there was a service named which seems to still exist but no longer appears to be free. Instead I used which is free and has a web API as well as links to and instructions for setting up native tools to dynamically update my IP address.

I'm an American and I want to watch the Olympics. What do I do?

2012 Jul 28, 12:05

One person's quest to watch the Olympics online.

The location requirements (guessed at via IP address) are irritating. The requirement that you have a particular cable subscription to view video online seems like not network neutrality.

Also this related article:


Living with HTTPS

2012 Jul 19, 6:03

Notes on practical HTTPS security issues.


NICT Daedalus Cyber-attack alert system #DigInfo (by...

2012 Jun 20, 3:23

NICT Daedalus Cyber-attack alert system #DigInfo (by Diginfonews)

Someone has been watching too much Ghost in the Shell. I’d say someone has been watching too much Hackers but this actually looks cooler than their visualizations and also you can never watch too much of Hackers.


Jet Set Radio HD coming soon with awesome soundtrack...

2012 Jun 1, 2:55

Jet Set Radio HD coming soon with awesome soundtrack promised. Exciting!


Recommendations for the Remediation of Bots in ISP Networks

2012 Mar 19, 3:11

recommendations on how Internet Service Providers can use various remediation techniques to manage the effects of malicious bot infestations on computers used by their

Detection and notification recommendations.


Client Side Cross Domain Data YQL Hack

2012 Feb 27, 2:28

One of the more limiting issues of writing client side script in the browser is the same origin limitations of XMLHttpRequest. The latest versions of all browsers support a subset of CORS to allow servers to opt-in particular resources for cross-domain access. Since IE8 there's XDomainRequest and in all other browsers (including IE10) there's XHR L2's cross-origin request features. But the vast majority of resources out on the web do not opt-in using CORS headers and so client side only web apps like a podcast player or a feed reader aren't doable.

One hack-y way around this I've found is to use YQL as a CORS proxy. YQL applies the CORS header to all its responses and among its features it allows a caller to request an arbitrary XML, HTML, or JSON resource. So my network helper script first attempts to access a URI directly using XDomainRequest if that exists and XMLHttpRequest otherwise. If that fails it then tries to use XDR or XHR to access the URI via YQL. I wrap my URIs in the following manner, where type is either "html", "xml", or "json":

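        yqlRequest = function(uri, method, type, onComplete, onError) {
            // Build the YQL query URI; the base URI string is empty in this copy of the post.
            var yqlUri = "" +
                encodeURIComponent("SELECT * FROM " + type + ' where url="' + encodeURIComponent(uri) + '"');

            if (type == "html") {
                // The xpath '/*' selects the document's root element.
                yqlUri += encodeURIComponent(" and xpath='/*'");
            }
            else if (type == "json") {
                // JSON format with an empty callback parameter.
                yqlUri += "&callback=&format=json";
            }
            // ... the XDR/XHR request for yqlUri is not shown in this post.
        };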

This also means I can get JSON data itself without having to go through JSONP.

(via The Many Samples and Sound-Alikes of Earthbound [Video])

2012 Feb 24, 5:35

(via The Many Samples and Sound-Alikes of Earthbound [Video])

Creative Commons License. Some rights reserved.