resource - Dave's Blog


Changing the User Agent string in UWP WebView

2018 Oct 23, 9:32

There's no perfect way to change the user agent string for the UWP WebView (x-ms-webview in HTML, Windows.UI.Xaml.Controls.WebView in XAML, and Windows.Web.UI.Interop.WebViewControl in Win32) but there are two imperfect methods folks end up using.

The first is to call UrlMkSetSessionOption. This is an old public API that allows you to configure various arcane options including one that is the default user agent string for requests running through urlmon. This API is allowed by the Microsoft Store for UWP apps. The change it applies is process wide which has two potential drawbacks. If you want to be able to have different UA strings set for different requests from a WebView that's not really possible with this solution. The other drawback is if you're using out of process WebView, you need to ensure you're calling into UrlMkSetSessionOption in the WebView's process. You'll need to write third party WinRT that calls UrlMkSetSessionOption, create the out of proc WebView, navigate it to some trusted local page, use AddWebAllowedObject or provide that URI WinRT access, and call into your third party WinRT. You'll need to do that for any new WebView process you create.

The second less generally applicable solution is to use NavigateWithHttpRequestMessage and set the User-Agent HTTP header. In this case you get to control the scope of the user agent string changes but has the limitations that not all sub resource downloads will use this user agent string and for navigations you don't initiate you have to manually intercept and re-request being careful to transfer over all POST body state and HTTP headers correctly. That last part is not actually possible for iframes.

PermalinkCommentsuser-agent uwp webview

Tweet from David Risney

2016 Sep 19, 3:04
Playing No Man's Sky collecting resources on an hospitable planet and suddenly notice several creatures approaching. I quickly scan them.

Let's Encrypt Setup

2016 Feb 4, 2:48

2016-Nov-5: Updated post on using Let's Encrypt with

I use for my webhosting for my personal website and I've just finished setting up TLS via Let's Encrypt. The process was slightly more complicated than what you'd like from Let's Encrypt. So for those interested in doing the same on, I've taken the following notes.

The standard Let's Encrypt client requires su/sudo access which is not available on's servers. Additionally NFSN's webserver doesn't have any Let's Encrypt plugins installed. So I used the Let's Encrypt Without Sudo client. I followed the instructions listed on the tool's page with the addition of providing the "--file-based" parameter to

One thing the script doesn't produce is the chain file. But this topic "Let's Encrypt - Quick HOWTO for NSFN" covers how to obtain that:

curl -o domain.chn

Now that you have all the required files, on your NFSN server make the directory /home/protected/ssl and copy your files into it. This is described in the NFSN topic provide certificates to NFSN. After copying the files and setting their permissions as described in the previous link you submit an assistance request. For me it was only 15 minutes later that everything was setup.

After enabling HTTPS I wanted to have all HTTP requests redirect to HTTPS. The normal Apache documentation on how to do this doesn't work on NFSN servers. Instead the NFSN FAQ describes it in "redirect http to https and HSTS". You use the X-Forwarded-Proto instead of the HTTPS variable because of how NFSN's virtual hosting is setup.

RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]

Turning on HSTS is as simple as adding the HSTS HTTP header. However, the description in the above link didn't work because my site's NFSN realm isn't on the latest Apache yet. Instead I added the following to my .htaccess. After I'm comfortable with everything working well for a few days I'll start turning up the max-age to the recommended minimum value of 180 days.

Header set Strict-Transport-Security "max-age=3600;" 

Finally, to turn on CSP I started up Fiddler with my CSP Fiddler extension. It allows me to determine the most restrictive CSP rules I could apply and still have all resources on my page load. From there I found and removed inline script and some content loaded via http and otherwise continued tweaking my site and CSP rules.

After I was done I checked out my site on SSL Lab's SSL Test to see what I might have done wrong or needed improving. The first time I went through these steps I hadn't included the chain file which the SSL Test told me about. I was able to add that file to the same files I had already previously generated from the Let's Encrypt client and do another NFSN assistance request and 15 minutes later the SSL Test had upgraded me from 'B' to 'A'.

PermalinkCommentscertificate csp hsts https lets-encrypt

Retweet of ohunt

2015 Sep 16, 1:57
Is your site/app not loading resources in ios9? WebKit now blocks mixed content: You can't load CSS or JS over http from https _ever_.

Retweet of zoltandulac

2015 Mar 4, 5:21
Great resource. I always wondered what was "animatable" via CSS and what wasn't. Now I know. …

A New HTTP Status Code for Legally-restricted Resources

2012 Jun 11, 2:00

451 Unavailable for Legal Reasons: The 451 status code is optional; clients cannot rely upon its use. It is imaginable that certain legal authorities may wish to avoid transparency, and not only forbid access to certain resources, but also disclosure that the restriction exists.

That was fast.

PermalinkCommentshttp internet web 451 law legal rfc ietf censorship technical

Client Side Cross Domain Data YQL Hack

2012 Feb 27, 2:28

One of the more limiting issues of writing client side script in the browser is the same origin limitations of XMLHttpRequest. The latest version of all browsers support a subset of CORS to allow servers to opt-in particular resources for cross-domain access. Since IE8 there's XDomainRequest and in all other browsers (including IE10) there's XHR L2's cross-origin request features. But the vast majority of resources out on the web do not opt-in using CORS headers and so client side only web apps like a podcast player or a feed reader aren't doable.

One hack-y way around this I've found is to use YQL as a CORS proxy. YQL applies the CORS header to all its responses and among its features it allows a caller to request an arbitrary XML, HTML, or JSON resource. So my network helper script first attempts to access a URI directly using XDomainRequest if that exists and XMLHttpRequest otherwise. If that fails it then tries to use XDR or XHR to access the URI via YQL. I wrap my URIs in the following manner, where type is either "html", "xml", or "json":

        yqlRequest = function(uri, method, type, onComplete, onError) {
var yqlUri = "" +
encodeURIComponent("SELECT * FROM " + type + ' where url="' + encodeURIComponent(uri) + '"');

if (type == "html") {
yqlUri += encodeURIComponent(" and xpath='/*'");
else if (type == "json") {
yqlUri += "&callback=&format=json";

This also means I can get JSON data itself without having to go through JSONP.
PermalinkCommentsxhr javascript yql client-side technical yahoo xdr cors

URI Empty Path Segments Matter

2011 Nov 23, 11:00

Shortly after joining the Internet Explorer team I got a bug from a PM on a popular Microsoft web server product that I'll leave unnamed (from now on UWS). The bug said that IE was handling empty path segments incorrectly by not removing them before resolving dotted path segments. For example UWS would do the following:

In step 1 they are given a URI with dotted path segment and an empty path segment. In step 2 they remove the empty path segment, and in step 3 they resolve the dotted path segment. Whereas, given the same initial URI, IE would do the following:
IE simply resolves the dotted path segment against the empty path segment and removes them both. So, how did I resolve this bug? As "By Design" of course!

The URI RFC allows path segments of zero length and does not assign them any special meaning. So generic user agents that intend to work on the web must not treat an empty path segment any different from a path segment with some text in it. In the case above IE is doing the correct thing.

That's the case for generic user agents, however servers may decide that a URI with an empty path segment returns the same resource as a the same URI without that empty path segment. Essentially they can decide to ignore empty path segments. Both IIS and Apache work this way and thus return the same resource for the following URIs:
The issue for UWS is that it removes empty path segments before resolving dotted path segments. It must follow normal URI procedure before applying its own additional rules for empty path segments. Not doing that means they end up violating URI equivalency rules: URIs (A.1) and (B.2) are equivalent but UWS will not return the same resource for them.
PermalinkCommentsuser agent url ie uri technical web browser

"JSON Patch" - Paul Bryan

2011 Nov 17, 1:06

Mime-type for describing the difference between two JSON resources (in JSON using JSON paths)

PermalinkCommentstechnical mime mime-type json ietf

[whatwg] CORS requests for image and video elements

2011 May 23, 4:26Applying CORS to the media elements: "I've added a content attribute to <img>, <video>, and <audio> that makes the image or media resource be fetched with CORS And have the origin of the page if CORS succeeded. The attribute is "cross-origin" and it has two allowed values, "use-credentials" and "anonymous". The latter is the default, so you can just say <img cross-origin src="data.png">."PermalinkCommentscors crossdomain web browser webbrowser html technical

CSS Fonts Module Level 3

2011 May 10, 10:49Interesting standards disagreements showing up in specs: "Some implementers feel a same-origin restriction should be the default for all new resource types while others feel strongly that an opt-in strategy usuable for all resource types would be a better mechanism and that the default should always be to allow cross-origin linking for consistency with existing resource types (e.g. script, images). As such, this section should be considered at risk for removal if the consensus is to use an alternative mechanism."PermalinkCommentsreference web development font specification w3c css3

HTTP framework for time-based access to resource states -- Memento

2011 Apr 30, 4:33"The HTTP-based Memento framework bridges the present and past Web by interlinking current resources with resources that encapsulate their past. It facilitates obtaining representations of prior states of a resource, available from archival resources in Web archives or version resources in content management systems, by leveraging the resource's URI and a preferred datetime. To this end, the framework introduces datetime negotiation (a variation on content negotiation), and new Relation Types for the HTTP Link header aimed at interlinking resources with their archival/version resources. It also introduces various discovery mechanisms that further support briding the present and past Web."PermalinkCommentstechnical rfc reference http header time memento archive

draft-hammer-hostmeta-14 - Web Host Metadata

2011 Apr 17, 12:51"Web-based protocols often require the discovery of host policy or metadata, where "host" is not a single resource but the entity controlling the collection of resources identified by Uniform Resource Identifiers (URI) with a common URI host [RFC3986]."PermalinkCommentshost rfc reference metadata technical

Chapter 16. The Registry - Master-PowerShell | With Dr. Tobias Weltner - – Powershell Scripts, Tips and Resources

2011 Jan 4, 7:25How to take ownership and re-ACL registry keys from a powershell prompt.PermalinkCommentstechnical powershell acl regkey registry windows

The Curious History of Uniform Resource Names - IETF Journal

2010 Jul 1, 10:51"Sometimes it’s hard to judge whether an engineering effort has been successful or not. It can take years for an idea to catch on, to go from being the butt of jokes to becoming an international imperative (IPv6). Uniform Resource Names (URNs), which are part of the Uniform Resource Identifier (URI) family, are conceptually at least as old as IPv6. While not figuring in international directives for deployment, they-and the technology engineered to resolve them-are still going concerns."PermalinkCommentsietf urn uri history technical internet url

RFC 5870 - A Uniform Resource Identifier for Geographic Locations ('geo' URI)

2010 Jun 9, 3:31"A 'geo' URI identifies a physical location in a two- or three-dimensional coordinate reference system in a compact, simple, human-readable, and protocol-independent way."PermalinkCommentstechnical geo uri url ietf rfc standard

Comparison of CORS and UMP - Web Security

2010 May 7, 6:29UMP instead of CORS for cross-domain access control: "...a developer can read only UMP and ignore CORS, yet still create safe code. This code can successfully message with CORS resources that do not require credentials. UMP is therefore a way of messaging with the credential-free subset of CORS resources."PermalinkCommentsw3c security web browser technical

RFC 5843 - Additional Hash Algorithms for HTTP Instance Digests

2010 Apr 21, 6:51Adds SHA 256 & 512 to HTTP instance digest: 'The IANA registry named "Hypertext Transfer Protocol (HTTP) Digest Algorithm Values" defines values for digest algorithms used by Instance Digests in HTTP. Instance Digests in HTTP provide a digest, also known as a checksum or hash, of an entire representation of the current state of a resource. This document adds new values to the registry and updates previous values.'PermalinkCommentshash cryptography http instance-digest sha security technical ietf rfc standard

RFC 5849 - The OAuth 1.0 Protocol

2010 Apr 21, 6:49"OAuth provides a method for clients to access server resources on behalf of a resource owner (such as a different client or an end-user). It also provides a process for end-users to authorize third-party access to their server resources without sharing their credentials (typically, a username and password pair), using user-agent redirections."PermalinkCommentsoauth authorization security privacy internet web rfc standard technical

Database - WEBAPPS

2010 Mar 5, 10:21Document explaining the relationship between the various web storage APIs coming out of HTML 5. To summarize:
Web Storage (aka DOM Storage) - simple key/value pairs API.
WebSimple DB API - now called Indexed Database API.
Indexed Database API and Web SQL Database - competing database APIs.
Application Cache - Storage of HTTP resources for offline apps.
DataCache API - A programmatically modifiable Application Cache.PermalinkCommentshtml html5 standard programming technical wiki w3c database storage web
Older Entries Creative Commons License Some rights reserved.