pc - Dave's Blog

Search

Edge browser and JavaScript UWP app security model comparison

2018 Nov 29, 2:21

There are two main differences in terms of security between a JavaScript UWP app and the Edge browser:

Process Model

A JavaScript UWP app has one process (technically not true with background tasks and other edge cases but ignoring that for the moment) that runs in the corresponding appcontainer defined by the app's appx manifest. This one process is where edgehtml is loaded and is rendering HTML, talking to the network, and executing script. Specifically, the UWP main UI thread is the one where your script is running and calling into WinRT.

In the Edge browser there is a browser process running in the same appcontainer defined by its appx manifest, but there are also tab processes. These tab processes are running in restricted app containers that have fewer appx capabilities. The browser process has XAML loaded and coordinates between tabs and handles some (non-WinRT) brokering from the tab processes. The tab processes load edgehtml and that is where they render HTML, talk to the network and execute script.

There is no way to configure the JavaScript UWP app's process model but using WebViews you can approximate it. You can create out of process WebViews and to some extent configure their capabilities, although not to the same extent as the browser. The WebView processes in this case are similar to the browser's tab processes. See the MSWebViewProcess object for configuring out of process WebView creation. I also implemented out of proc WebView tabs in my JSBrowser fork.

ApplicationContentUriRules

The ApplicationContentUriRules (ACUR) section of the appx manifest lets an application define what URIs are considered app code. See a previous post for the list of ACUR effects.

Notably app code is able to access WinRT APIs. Because of this, DOM security restrictions are loosended to match what is possible with WinRT.

Privileged DOM APIs like geolocation, camera, mic etc require a user prompt in the browser before use. App code does not show the same browser prompt. There still may be an OS prompt – the same prompt that applies to any UWP app, but that’s usually per app not per origin.

App code also gets to use XMLHttpRequest or fetch to access cross origin content. Because UWP apps have separate state, cross origin here might not mean much to an attacker unless your app also has the user login to Facebook or some other interesting cross origin target.

PermalinkCommentsedge javascript security uwp web-security wwa

Windows.Web.UI.Interop.WebViewControl localhost access

2018 Jul 25, 5:34

If you're developing with the new Windows.Web.UI.Interop.WebViewControl you may have noticed you cannot navigate to localhost HTTP servers. This is because the WebViewControl's WebView process is a UWP process. All UWP processes by default cannot use the loopback adapter as a security precaution. For development purposes you can allow localhost access using the checknetisolation command line tool on the WebViewControl's package just as you can for any other UWP app. The command should be the following:

checknetisolation loopbackexempt -a -n=Microsoft.Win32WebViewHost_cw5n1h2txyewy

As a warning checknetisolation is not good on errors. If you attempt to add a package but get its package family name wrong, checknetisolation just says OK:

C:\Users\davris>checknetisolation LoopbackExempt -a -n=Microsoft.BingWeather_4.21.2492.0_x86__8wekyb3d8bbwe
OK.
And if you then list the result of the add with the bad name you'll see the following:
[1] -----------------------------------------------------------------
Name: AppContainer NOT FOUND
SID: S-1-15-...

There's also a UI tool for modifying loopback exemption for packages available on GitHub and also one available with Fiddler.

As an additional note, I mentioned above you can try this for development. Do not do this in shipping products as this turns off the security protection for any consumer of the WebViewControl.

PermalinkCommentschecknetisolation loopback security uwp webview win32webview

Tweet from David Risney

2016 Apr 28, 4:14
Coincidentally YouTuber on hacking dispute res by incl IP from diff large companies in same video http://kotaku.com/game-critic-uses-brilliant-workaround-for-youtubes-copy-1773452452 
PermalinkComments

Retweet of xeni

2016 Jan 25, 1:18
UK film censors forced to watch a 2-day long movie of paint drying cc: @greatdismal http://boingboing.net/2016/01/25/uk-film-censors-forced-to-watc.html … pic.twitter.com/M8LWjiWUXe
PermalinkComments

Tweet from David_Risney

2016 Jan 7, 9:31
Firefox to remove appcache offline support. https://www.fxsitecompat.com/en-US/docs/2016/application-cache-support-will-be-removed/ … https://twitter.com/FxSiteCompat/status/685332720281645056 …
PermalinkComments

Retweet of JustRogDigiTec

2015 Nov 29, 2:58
@JustRogDigiTec A fiddle as well http://jsfiddle.net/xb3gheqb/  in case it clarifies. Note: An older browser may not demo properly
PermalinkComments

Tweet from David_Risney

2015 Nov 18, 8:29
Next up: hacking phones with inaudible sounds that exploit bugs in this software http://arstechnica.com/tech-policy/2015/11/beware-of-ads-that-use-inaudible-sound-to-link-your-phone-tv-tablet-and-pc/ …
PermalinkComments

Retweet of SavedYouAClick

2015 Nov 10, 10:19
Blah Blah Blah And Some People On Twitter Are Mad About It
PermalinkComments

Retweet of hodgman

2015 Nov 3, 1:37
📷 http://tmblr.co/ZVV4ww1xPc0Gx 
PermalinkComments

Retweet of marypcbuk

2015 Nov 1, 10:45
@SwiftOnSecurity monthly subscription. not being run over as a service
PermalinkComments

Tweet from David_Risney

2015 Oct 12, 9:31
Auto generating clickbait articles via neural network: http://larseidnes.com/2015/10/13/auto-generating-clickbait-with-recurrent-neural-networks/ …. And the result: http://clickotron.com/ 
PermalinkComments

Retweet of krisstraub

2015 Sep 20, 8:34
RT @chainsawsuit: good for what ails ya http://fb.me/7nPENCYPZ  pic.twitter.com/Rm8rLguHXx
PermalinkComments

Retweet of alphabet

2015 Aug 10, 1:50
Well, that was an interesting way to end a Monday...
PermalinkComments

Tweet from David_Risney

2015 Jun 14, 9:53
Fallout4 on XB1 supports PC mods. Due to platform similarity? Possible for PS4? https://twitter.com/Polygon/status/610494038685417472 …
PermalinkComments

RIP CadburdyShe died yesterday. Besides the normal grief its...

2015 Apr 8, 2:43


RIP Cadburdy

She died yesterday. Besides the normal grief its strange being the adult and dealing with a deceased pet.

PermalinkComments

RIP CadburdyShe died yesterday. Besides the normal grief its...

2015 Apr 8, 2:43


RIP Cadburdy

She died yesterday. Besides the normal grief its strange being the adult and dealing with a deceased pet.

PermalinkComments

Tweet from David_Risney

2015 Apr 2, 10:43
Tesla's April fools headline fooled stock trading algorithms causing $1.50 jump: http://www.bloombergview.com/articles/2015-04-02/tesla-stockholders-can-t-take-a-joke …
PermalinkComments

erictanart:I wish there was a #biffs to go to. #backtothefuture...

2015 Feb 28, 2:39


erictanart:

I wish there was a #biffs to go to. #backtothefuture #bttf #matchbookart

PermalinkComments

erictanart:I wish there was a #biffs to go to. #backtothefuture...

2015 Feb 28, 2:39


erictanart:

I wish there was a #biffs to go to. #backtothefuture #bttf #matchbookart

PermalinkComments

Tweet from David_Risney

2015 Feb 16, 5:55
Issues with "be liberal in what you accept": "@manisha72617183: Because JavaScript! pic.twitter.com/CPCg6xxulF"
PermalinkComments
Older Entries Creative Commons License Some rights reserved.