technical - Dave's Blog


Edge browser & JavaScript UWP app security model comparison

Nov 29, 2:21

There are two main differences in terms of security between a JavaScript UWP app and the Edge browser:

Process Model

A JavaScript UWP app has one process (technically not true with background tasks and other edge cases but ignoring that for the moment) that runs in the corresponding appcontainer defined by the app's appx manifest. This one process is where edgehtml is loaded and is rendering HTML, talking to the network, and executing script. Specifically, the UWP main UI thread is the one where your script is running and calling into WinRT.

In the Edge browser there is a browser process running in the same appcontainer defined by its appx manifest, but there are also tab processes. These tab processes are running in restricted app containers that have fewer appx capabilities. The browser process has XAML loaded and coordinates between tabs and handles some (non-WinRT) brokering from the tab processes. The tab processes load edgehtml and that is where they render HTML, talk to the network and execute script.

There is no way to configure the JavaScript UWP app's process model but using WebViews you can approximate it. You can create out of process WebViews and to some extent configure their capabilities, although not to the same extent as the browser. The WebView processes in this case are similar to the browser's tab processes. See the MSWebViewProcess object for configuring out of process WebView creation. I also implemented out of proc WebView tabs in my JSBrowser fork.


The ApplicationContentUriRules (ACUR) section of the appx manifest lets an application define what URIs are considered app code. See a previous post for the list of ACUR effects.

Notably app code is able to access WinRT APIs. Because of this, DOM security restrictions are loosended to match what is possible with WinRT.

Privileged DOM APIs like geolocation, camera, mic etc require a user prompt in the browser before use. App code does not show the same browser prompt. There still may be an OS prompt – the same prompt that applies to any UWP app, but that’s usually per app not per origin.

App code also gets to use XMLHttpRequest or fetch to access cross origin content. Because UWP apps have separate state, cross origin here might not mean much to an attacker unless your app also has the user login to Facebook or some other interesting cross origin target.

PermalinkCommentsedge javascript security uwp web-security wwa

Win10 PWA Terminology

May 31, 8:26

Folks familiar with JavaScript UWP apps in Win10 have often been confused by what PWAs in Win10 actually are. TLDR: PWAs in Win10 are simply JavaScript UWP apps. The main difference between these JS UWP Apps and our non-PWA JS UWP apps are our target end developer audience, and how we get Win10 PWAs into the Microsoft Store. See this Win10 blog post on PWAs on Win10 for related info.

Web App

On the web a subset of web sites are web apps. These are web sites that have app like behavior - that is a user might call it an app like Outlook, Maps or Gmail. And they may also have a W3C app manifest.

A subset of web apps are progressive web apps. Progressive web apps are web apps that have a W3C app manifest and a service worker. Various OSes are beginning to support PWAs as first class apps on their platform. This is true for Win10 as well in which PWAs are run as a WWA.

Windows Web App

In Win10 a WWA (Windows Web App) is an unofficial term for a JavaScript UWP app. These are UWP apps so they have an AppxManifest.xml, they are packaged in an Appx package, they run in an App Container, they use WinRT APIs, and are installed via the Microsoft Store. Specific to WWAs though, is that the AppxManifest.xml specifies a StartPage attribute identifying some HTML content to be used as the app. When the app is activated the OS will create a WWAHost.exe process that hosts the HTML content using the EdgeHtml rendering engine.

Packaged vs Hosted Web App

Within that we have a notion of a packaged web app and an HWA (hosted web app). There's no real technical distinction for the end developer between these two. The only real difference is whether the StartPage identifies remote HTML content on the web (HWA), or packaged HTML content from the app's appx package (packaged web app). An end developer may create an app that is a mix of these as well, with HTML content in the package and HTML content from the web. These terms are more like ends on a continuum and identifying two different developer scenarios since the underlying technical aspect is pretty much identical.

Win10 PWA

Win10 PWAs are simply HWAs that specify a StartPage of a URI for a PWA on the web. These are still JavaScript UWP apps with all the same behavior and abilities as other UWP apps. We have two ways of getting PWAs into the Microsoft Store as Win10 PWAs. The first is PWA Builder which is a tool that helps PWA end developers create and submit to the Microsoft Store a Win10 PWA appx package. The second is a crawler that runs over the web looking for PWAs which we convert and submit to the Store using an automated PWA Builder-like tool to create a Win10 PWA from PWAs on the web (see Welcoming PWAs to Win10 for more info). In both cases the conversion involves examining the PWAs W3C app manifest and producing a corresponding AppxManifest.xml. Not all features supported by AppxManifest.xml are also available in the W3c app manifest. But the result of PWA Builder can be a working starting point for end developers who can then update the AppxManifest.xml as they like to support features like share targets or others not available in W3C app manifests.

PermalinkCommentsJS pwa uwp web

Multiple Windows in Win10 JavaScript UWP apps

Mar 10, 1:47

Win10 Changes

In Win8.1 JavaScript UWP apps we supported multiple windows using MSApp DOM APIs. In Win10 we use and window and a new MSApp API getViewId and the previous MSApp APIs are gone:

Win10 Win8.1
Create new window MSApp.createNewView
New window object window MSAppView
viewId MSApp.getViewId(window) MSAppView.viewId

WinRT viewId

We use and window for creating new windows, but then to interact with WinRT APIs we add the MSApp.getViewId API. It takes a window object as a parameter and returns a viewId number that can be used with the various Windows.UI.ViewManagement.ApplicationViewSwitcher APIs.

Delaying Visibility

Views in WinRT normally start hidden and the end developer uses something like TryShowAsStandaloneAsync to display the view once it is fully prepared. In the web world, shows a window immediately and the end user can watch as content is loaded and rendered. To have your new windows act like views in WinRT and not display immediately we have added a option. For example
let newWindow ="", null, "msHideView=yes");

Primary Window Differences

The primary window that is initially opened by the OS acts differently than the secondary windows that it opens:

Primary Secondary Allowed Disallowed
window.close Close app Close window
Navigation restrictions ACUR only No restrictions

The restriction on secondary windows such that they cannot open secondary windows could change in the future depending on feedback.

Same Origin Communication Restrictions

Lastly, there is a very difficult technical issue preventing us from properly supporting synchronous, same-origin, cross-window, script calls. That is, when you open a window that's same origin, script in one window is allowed to directly call functions in the other window and some of these calls will fail. postMessage calls work just fine and is the recommended way to do things if that's possible for you. Otherwise we continue to work on improving this.


Tweet from David Risney

2016 Nov 3, 3:59
@FakeUnicode Spaces are technically not allowed in a URI so the only reasonable representation is percent encoded.

Tweet from David Risney

2016 Sep 8, 11:22
@thejohnjansen @k_seks right, diff goals like with Pluto. Casual communication vs technical communication

Cdb/Windbg Commands for Runtime Patching

2016 Feb 8, 1:47

You can use conditional breakpoints and debugging commands in windbg and cdb that together can amount to effectively patching a binary at runtime. This can be useful if you have symbols but you can't easily rebuild the binary. Or if the patch is small and the binary requires a great deal of time to rebuild.

Skipping code

If you want to skip a chunk of code you can set a breakpoint at the start address of the code to skip and set the breakpoint's command to change the instruction pointer register to point to the address at the end of the code to skip and go. Voila you're skipping over that code now. For example:

bp 0x6dd6879b "r @eip=0x6dd687c3 ; g"

Changing parameters

You may want to modify parameters or variables and this is simple of course. In the following example a conditional breakpoint ANDs out a bit from dwFlags. Now when we run its as if no one is passing in that flag.

bp wiwi!RelativeCrack "?? dwFlags &= 0xFDFFFFFF;g"

Slightly more difficult is to modify string values. If the new string length is the same size or smaller than the previous, you may be able to modify the string value in place. But if the string is longer or the string memory isn't writable, you'll need a new chunk of memory into which to write your new string. You can use .dvalloc to allocate some memory and ezu to write a string into the newly allocated memory. In the following example I then overwrite the register containing the parameter I want to modify:

.dvalloc 100
ezu 000002a9`d4eb0000 "mfcore.dll"
r rcx = 000002a9`d4eb0000

Calling functions

You can also use .call to actually make new calls to methods or functions. Read more about that on the Old New Thing: Stupid debugger tricks: Calling functions and methods. Again, all of this can be used in a breakpoint command to effectively patch a binary.

PermalinkCommentscdb debug technical windbg

Retweet of ericlaw

2016 Jan 21, 10:22
Madlibs for the 21st Century …

Tweet from David_Risney

2015 Mar 29, 10:53
Any more technical details on the GitHub DDOS beyond this  for the curious?

Retweet of __apf__

2015 Feb 11, 7:44
want to live the experience of a non-technical user? watch someone narrate what they think an ssl warning is: …

Live coding in VR with the Oculus Rift, Firefox WebVR,...

2014 Oct 6, 2:45

Live coding in VR with the Oculus Rift, Firefox WebVR, JavaScript and Three.js

“I built a live-coding web app for the Oculus Rift where you code in JavaScript using Three.js and watch the world change around you in real-time.”

PermalinkCommentsvideo programming javascript 3d vr oculus-rift technical

Why do Nigerian Scammers Say They are from Nigeria? - Microsoft Research

2014 Aug 26, 3:53

Mass mailing Internet scams intentionally use poor spelling, grammar etc to filter down to target ignorant audience .

PermalinkCommentstechnical security statistics

Fish vs Fish in Street Fighter II

2014 Aug 20, 6:22

Fish vs Fish in Street Fighter II - Computer vision translates the location of two fish in an aquarium into SF2 moves.

PermalinkCommentstechnical humor video-game street-fighter fish

The Secret Life of SIM Cards - DEFCON 21 - simhacks

2014 Aug 16, 1:07

A DEFCON talk “The Secret Life of SIM Cards” that covers running apps on your SIM card. Surprisingly they run a subset of Java and execute semi-independent of the Phone’s OS.

PermalinkCommentstechnical phone sim-card security java

Detect login with CSP - When Security Generates Insecurity

2014 Jul 8, 1:13

An interesting way to use the report-uri feature of CSP to detect if a user is logged into Google, Facebook etc.

PermalinkCommentstechnical security csp web

On exploiting security issues in botnet C&C...

2014 Jun 23, 4:26

On exploiting security issues in botnet C&C software:

Hackers “are learning that it’s not so easy to write secure code,” Toro says. “Most of us in the business of securing our applications and systems know that bulletproofing software is an extremely expensive and exhaustive undertaking. Malware creators who have to look to their own defences would have to slow down the production of new attacks.”

FYI, if you want to know what it looks like when you hack a hacker, look no further than the seminal 1995 film Hackers.

PermalinkCommentstechnical security

Netflix API : Retiring the Netflix Public API

2014 Jun 15, 3:02

First they came for our RSS feeds and I said nothing…

PermalinkCommentstechnical Netflix web api api

Netflix responds to Verizon’s cease & desist letter....

2014 Jun 10, 2:54

Netflix responds to Verizon’s cease & desist letter. Somehow I doubt that Verizon will bite on your offer to work together to increase network transparency Netflix. Nice suggestion though.

PermalinkCommentstechnical net-neutrality Verizon Netflix net

U.S. Marshals Seize Cops’ Spying Records to Keep Them From the ACLU | Threat Level | WIRED

2014 Jun 4, 6:08

"A routine request in Florida for records detailing the use of a surveillance tool known as stingray turned extraordinary Tuesday when the U.S. Marshals Service seized the documents before local police could release them."

Also what about the part where the PD reveals that its been using the stingray a bunch without telling any court and blames that on the manufacturer’s NDA.

PermalinkCommentstechnical law security phone

JS NICE: Statistical renaming, Type inference and Deobfuscation

2014 Jun 3, 9:36

JS NICE | Software Reliability Lab in ETH

JS NICE has indexed over 10,000 JavaScript projects from GitHub and then probabilistically infers newly suggested names and types for all of the local variables and function parameters of new JS.

PermalinkCommentstechnical javascript js coding

gitfiti - github contributions pane pixel art

2014 Jun 2, 8:07

gitfiti - abusing github commit history for the lulz

A script that abuses github submissions to draw pixel art in your github contributions pane.

PermalinkCommentstechnical humor github pixel art
Older Entries Creative Commons License Some rights reserved.