There was a File System API but shown as deprecated now: https://developer.mozilla.org/en-US/docs/Web/API/Window/requestFileSystem
There is now another, File System Access API: https://developer.mozilla.org/en-US/docs/Web/API/File_System_Access_API
What happened to the old API and why was it discontinued? Should the new File System Access API be stable in all common browsers?
It turned out that File System Access API is not deprecated, it's just not standardised (May 2021); the deprecated one is the function window.requestFileSystem; the same function on Chromium-based browsers is window.webkitRequestFileSystem.
File System API is for creating a virtual drive (temporary or persistent) for each website when using browser-based db (IndexedDB) is not necessary especially for the purpose of storing files.
https://developer.mozilla.org/en-US/docs/Web/API/FileSystem
File System Access API is different, it is for accessing the real file system of the OS. This API is now standardised and available on Chromium-based browsers (May 2021). Firefox has not yet adopted this API.
https://developer.mozilla.org/en-US/docs/Web/API/File_System_Access_API
Status of these APIs: https://developer.mozilla.org/en-US/docs/Web/API
I am trying to write a WebExtension for Mozilla, which will use pkcs11 to sign, encrypt or verify documents and mail.
I am using this API to communicate with my eid cards and get slots from them.
https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/pkcs11
Is it somehow possible to OpenSession with these slots in a WebExtension plugin?
Because this pkcs11 API does not seem to support it yet.
I would like to call some function like C_OpenSession and then C_Login.
Thanks for help
The only purpose of PKCS#11 javascript API in Mozilla nowadays is to register and unregister PKCS#11 libraries available to Firefox. It's even stated in the documentation:
The pkcs11 API enables an extension to enumerate PKCS #11 security modules, and to make them accessible to the browser as sources of keys and certificates.
Firefox uses registered PKCS#11 libraries to access client SSL certificates. AFAIK there is no public javascript API that would allow you to call other PKCS#11 functions (such as C_OpenSession or C_Login) provided by these modules.
There used to be a window.crypto.signText API available for easy signature creation but Mozilla killed it in Firefox 33. They didn't see it as a big deal because PKCS#11 signing could be implemented with an extension and they provided the signTextJS extension as a proof. Sadly Mozilla killed it in Firefox 57 when they migrated to WebExtensions and removed support for XPCOM-based add-ons.
If you want to use the PKCS#11 API from Firefox nowadays then you need to use/create an extension which will spawn a local process and communicate with it via native messaging, or you'll need to use/create an application which will spawn a local web server and communicate with it via web requests or web sockets.
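The native messaging route described in this answer, as an added example (not code from the answer or from Mozilla): the host-side wire framing, a 32-bit length in native byte order followed by UTF-8 JSON, plus an allowlist check applied before any PKCS#11 call. The command names `listSlots` and `sign`, the `sha256` field and the 64 KiB host limit are assumptions made for illustration.

```javascript
// Added example: framing and request validation for a native messaging host.
// Command names, field names and HOST_MAX are hypothetical, not a real API.
const MAX_TO_BROWSER = 1024 * 1024;  // browsers drop host replies above 1 MB
const HOST_MAX = 64 * 1024;          // assumed cap on what this host accepts
const ALLOWED = new Set(["listSlots", "sign"]);

// One frame = 32-bit length (native byte order) + UTF-8 JSON body.
function encodeMessage(obj) {
  const body = new TextEncoder().encode(JSON.stringify(obj));
  if (body.length > MAX_TO_BROWSER) throw new RangeError("reply too large");
  const frame = new Uint8Array(4 + body.length);
  new Uint32Array(frame.buffer, 0, 1)[0] = body.length;
  frame.set(body, 4);
  return frame;
}

// Parse every complete frame in `buf`; return the rest for the next read.
function decodeMessages(buf, maxLen = HOST_MAX) {
  const messages = [];
  const utf8 = new TextDecoder("utf-8", { fatal: true });
  let off = 0;
  while (buf.length - off >= 4) {
    const hdr = new Uint8Array(4);
    hdr.set(buf.subarray(off, off + 4));       // copy: buf may be an unaligned view
    const len = new Uint32Array(hdr.buffer)[0];
    if (len > maxLen) throw new RangeError("frame exceeds host limit");
    if (buf.length - off - 4 < len) break;     // partial frame, wait for more bytes
    messages.push(JSON.parse(utf8.decode(buf.subarray(off + 4, off + 4 + len))));
    off += 4 + len;
  }
  return { messages, rest: buf.subarray(off) };
}

// Reject anything outside the allowlist before it can reach the token.
function handleRequest(msg) {
  if (typeof msg !== "object" || msg === null || !ALLOWED.has(msg.cmd)) {
    return { ok: false, error: "unsupported command" };
  }
  if (msg.cmd === "sign" &&
      (typeof msg.sha256 !== "string" || !/^[0-9a-f]{64}$/.test(msg.sha256))) {
    return { ok: false, error: "sha256 must be 64 lowercase hex characters" };
  }
  // The PKCS#11 calls (C_OpenSession, C_Login, C_Sign) would run here, in the
  // native process, through whatever binding the host uses; not shown.
  return { ok: true, accepted: msg.cmd };
}
```

Keeping the PIN prompt and the session inside the native process means the web page only ever sees the validated request and the resulting signature.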
So, till Windows 7 there was a Microsoft ActiveX component: CAPICOM, which one could call from Javascript and then show the contents of the certificate storage on the client's machine. The client then could choose the appropriate certificate and sign some document with the certificate's private key.
That's how the access to the certificate storage looked in Javascript:
var MyStore = new ActiveXObject("CAPICOM.Store");
var oCertificates = new ActiveXObject("CAPICOM.Certificates");
// attempt to open the personal certificate store
MyStore.Open(CAPICOM_CURRENT_USER_STORE, "My", CAPICOM_STORE_OPEN_READ_ONLY);
What’s the alternative to using CAPICOM nowadays? I want the client to be able to sign some piece of text with his private key in the browser and then send the signed text with the public key to the server. Is it still possible?
Maybe I could use Java or Silverlight instead of pure JavaScript? What about PKI.js and similar?
In general, it is currently not possible due to the lack of browser support for Java or Silverlight.
Chrome has dropped support for NPAPI plugins. Firefox has announced it will discontinue it in 2017, Edge has no support. Microsoft has deprecated Silverlight and Oracle has also announced the deprecation of the Java browser plug-in. Only old versions of IE could be used.
JavaScript cryptographic libraries such as PKI.js, forge or the built-in WebCryptographyApi can be used to perform digital signatures, but they do not have access to the operating system keystore, so you cannot access the installed certificates.
Alternatives (not very encouraging):
Use WebCryptographyApi, loading certificates in the browser (not for smartcards)
Launch a local application installed on your device and invoke it via protocol, using an embedded HTTP server, or with the Chrome messaging API
Wait patiently for the Key Discovery API, which will provide WebCrypto with access to the OS keystore
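The first alternative in the list above, as an added example that is not part of the original answer: importing an existing private key into WebCrypto as non-extractable and signing text with it. It assumes an unencrypted PKCS#8 RSA key in PEM form; the helper names are illustrative and the key pair in `demo()` is constructed on the spot as a stand-in for the user's key file.

```javascript
// Added example: import an EXISTING private key into WebCrypto and sign with it.
// Assumes an unencrypted PKCS#8 RSA key; helper names are illustrative.
const ALG = { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" };
const utf8 = (s) => new TextEncoder().encode(s);

async function getSubtle() {  // browser global, or Node's webcrypto as a fallback
  return globalThis.crypto?.subtle ?? (await import("node:crypto")).webcrypto.subtle;
}

function pemToDer(pem, label) {
  const m = new RegExp(`-----BEGIN ${label}-----([\\s\\S]+?)-----END ${label}-----`).exec(pem);
  if (!m) throw new Error(`no "${label}" block (encrypted or PKCS#1 keys must be converted first)`);
  return Uint8Array.from(atob(m[1].replace(/\s+/g, "")), (c) => c.charCodeAt(0));
}

function derToPem(der, label) {
  const b64 = btoa(String.fromCharCode(...new Uint8Array(der)));
  return `-----BEGIN ${label}-----\n${b64.replace(/(.{64})/g, "$1\n")}\n-----END ${label}-----\n`;
}

async function importSigningKey(pkcs8Pem) {
  // extractable=false: page script can sign with the key but cannot export it
  return (await getSubtle()).importKey("pkcs8", pemToDer(pkcs8Pem, "PRIVATE KEY"), ALG, false, ["sign"]);
}

async function signText(privateKey, text) {
  return new Uint8Array(await (await getSubtle()).sign(ALG.name, privateKey, utf8(text)));
}

async function verifyText(spkiPem, text, signature) {
  const subtle = await getSubtle();
  const pub = await subtle.importKey("spki", pemToDer(spkiPem, "PUBLIC KEY"), ALG, true, ["verify"]);
  return subtle.verify(ALG.name, pub, signature, utf8(text));
}

async function demo() {
  const subtle = await getSubtle();
  // Constructed input: a throwaway pair standing in for the user's key file.
  const pair = await subtle.generateKey(
    { ...ALG, modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]) }, true, ["sign", "verify"]);
  const keyPem = derToPem(await subtle.exportKey("pkcs8", pair.privateKey), "PRIVATE KEY");
  const pubPem = derToPem(await subtle.exportKey("spki", pair.publicKey), "PUBLIC KEY");
  const key = await importSigningKey(keyPem);
  const sig = await signText(key, "text to sign");
  return { extractable: key.extractable, sigBytes: sig.length,
           valid: await verifyText(pubPem, "text to sign", sig),
           tampered: await verifyText(pubPem, "text to sigN", sig) };
}
```

WebCrypto's `importKey` accepts private keys only as unencrypted PKCS#8 or JWK, so a password-protected key file has to be decrypted by a JavaScript library first, and nothing here reaches keys held on a smart card or in the OS certificate store.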
In fact I've created a .NET ActiveX object and used X509Certificate2UI class and others from the same namespace to show information about the certificates and to sign some data.
Pros: no need to use CAPICOM.
Cons: it's still an ActiveX component and so it's available in Internet Explorer only.
But that was ok for my client so I took this path.
So I'm stuck with this problem:
IE Edge no longer allows applets, ActiveX, etc.,
and I have this applet that is used for digital signature,
the idea is to extract the private key from the KEY file on the client side, in that way the private key never leaves the client's computer, that is a requirement for security, it can't be avoided :(
I'm looking for APIs or frameworks, but I can't find a way to solve this,
with jsrsasign the examples use a PEM file but my users have .CER + .KEY + password, in Java I can do it, but I need to do it in JavaScript or in something on the client side.
and, reading the Web Cryptography API and some examples I found, they generate NEW private and public keys to sign BUT they never READ an existing CERTIFICATE
does anybody have this problem or know a framework I could use?
please heeeelp!
So the answer was to use JSRSASIGN (http://kjur.github.io/jsrsasign/). The examples posted on GitHub use PEM files; I built an example that uses CER + KEY + PASSWORD: https://github.com/alfredomova/firmaJs-with-jsrsasign-example
For that specific example I used SparkMD5 (https://github.com/satazor/SparkMD5) to calculate the file's hash.
Modern browsers no longer support ActiveX or applets. The WebCrypto API generates and uses keys dynamically but does not have the capability to access certificates from the certificate store.
The accepted answer provided by Alfredo M, who also asked the question, points to JavaScript to handle cryptography in the browser, which does not talk about accessing the local certificate store. Recently, certificates are not being generated/issued as pfx (or PEM) files but on a cryptographic device like a USB token or smart card.
Thus we need to use browser extensions for modern browsers, where an application running behind the browser can access the certificate store and sign the hash. One such browser extension is provided free by my company. You just need a couple of lines of JavaScript code to call methods provided by any browser extension to achieve digital signing from a modern browser. If you just want to sign files or eReturns, you don't need any server-side component. If you want to sign a PDF, you may need a PDF component on the server side.
You don't necessarily need to force your web app to work in Edge since it no longer supports the legacy technologies that your web app is using.
"Use Enterprise Mode with Microsoft Edge to open Internet Explorer 11
for your business’s sites that require IE’s proprietary technologies."
Include your site on the Enterprise Mode Site List so it will open in IE11 automatically:
Once Edge detects that your web app is using proprietary technologies, it will tell you to open your site in IE11.
The steps and the details can be found in this blog post by the Microsoft Edge team and check the user experience section of the blog so you'll get the idea of the UX it will bring to your users once implemented:
http://blogs.windows.com/msedgedev/2015/08/26/how-microsoft-edge-and-internet-explorer-11-on-windows-10-work-better-together-in-the-enterprise/
I'm working on an ELB monitoring application that I'd like to build with JS and host directly in S3. I have no experience of JS and I'm struggling to get to grips with CORS.
I have successfully created a build of the SDK for my browser (http://docs.aws.amazon.com/AWSJavaScriptSDK/guide/browser-building.html) which includes ELB API support.
I have integrated Amazon login (http://docs.aws.amazon.com/AWSJavaScriptSDK/guide/browser-configuring-wif.html) with my script and I have attached it to an IAM WebIdentity role.
When I call
elb.describeInstanceHealth(elbRequestParams).on('success', describeInstanceHealthCallback).send();
I get an error in Javascript console
XMLHttpRequest cannot load 'elasticloadbalancing.eu-west-1.amazonaws.com/'. The request was redirected to 'aws.amazon.com/elasticloadbalancing', which is disallowed for cross-origin requests that require preflight.
I can't find any clear documentation that what I'm trying to do won't work, but, I'll admit I'm confused by some of the terms in the documentation and I have no experience of CORS in previous applications to fall back on. I would think the whole JS-SDK for the browser is a bit redundant if the majority of services aren't CORS aware and need to be.
I can get this working by disabling web-security in my Chrome browser, obviously this isn't a good workaround but would indicate to me that CORS is the issue.
Is anyone familiar with this approach, is it a problem that I'm hosting on S3, or, would I have this problem from any server? Should I be configuring my S3 bucket with CORS, or, is it that there's no CORS policy on the 'elasticloadbalancing.eu-west-1.amazonaws.com' endpoint?
Thanks
Andrew
I have successfully created a build of the SDK for my browser (http://docs.aws.amazon.com/AWSJavaScriptSDK/guide/browser-building.html) which includes ELB API support.
The referenced page already provides the first clue towards the lack of CORS support for elasticloadbalancing.eu-west-1.amazonaws.com you correctly suspect to be the cause here:
If you are working with the SDK outside of an environment that
enforces CORS in your browser and want access to the full gamut of
services provided by the AWS SDK for JavaScript, it is possible to
build a custom copy of the SDK locally by cloning the repository and
running the same build tools used to generate the default hosted
version of the SDK.
That is, the main reason for the official AWS SDK for JavaScript in the Browser excluding all but the currently 5 services listed in section Supported Services within Working with Services in the Browser is their lack of CORS support:
It is possible to use the SDK with other services if CORS
security checking is disabled in your environment. In this case, you
can build your own custom version of the SDK. See the Building the
SDK section of the guide for more information on how to create a
custom build of the SDK.
Unfortunately neither Amazon EC2 nor Elastic Load Balancing currently offers CORS support, see e.g. this recent Feature Request (CORS support for EC2 service), where the author rightfully reaches the same conclusion as you did already (while also hinting on Node.js to be another major use case, which supports all available AWS services, see Working with Services in Node.js):
From my point of view if AWS is providing an aws-sdk-js library all AWS services supported by this library should support CORS so that the aws-sdk-js library is not just usable in a node.js environment but also in a browser.
While I agree in principle and would have expected faster turnaround times on this myself, AWS is well known for an agile approach to product development, i.e. start early with a small feature set and improve over time based on customer feedback. Notably the SDK is labeled Developer Preview only, i.e. not even BETA yet and I'd hope this to be addressed in the future accordingly - admittedly this is easily overlooked and a more prominent warning might go a long way in sparing users the time to figure out this limitation by themselves.
Can I use javascript in a Google Chrome packaged app (a.k.a. browser extension) to read a user's local registry key (i.e. stored query url, a.k.a. the search_url key for Google Desktop)? If so, some example code to access this would be much appreciated!
Background / Detail
I am trying to write a browser plugin which opens up the user's Google Desktop homepage in their Chrome browser. The url is: http://127.0.0.1:4664/&s={search_url key}
According to the Google Desktop API docs, this can be accomplished by using the HTTP/XML-Based Query API. I'm hoping that there is an HTML5 specification (e.g. File API) which provides a standard procedure to read local files, given the user's permission.
In order to do this, I need read access for the local search_url key. Depending on the user's OS, the API doc offers two possible local file locations that contain the search_url key:
Windows
HKEY_CURRENT_USER\Software\Google\Google Desktop\API\search_url
Mac OS X
CFStringRef val = CFPreferencesCopyValue(
    CFSTR("search_url"),
    CFSTR("com.google.Desktop.WebServer"),
    kCFPreferencesCurrentUser,
    kCFPreferencesAnyHost);
if (val) {
    // act on the value
    CFRelease(val);
}
Alternative Approach for Windows OS
Apparently, NPAPI (http://code.google.com/chrome/extensions/npapi.html) allows a Chrome app to run a dll in Windows, but I'm not very familiar with the Windows API or VB and would like to avoid using them, if possible.
Unfortunately you cannot access the Windows Registry unless you do it using NPAPI.