Headless browser integrated into frontend of website? - javascript

So I don't have any practical experience with headless browsers just yet.
Is it generally possible to have a headless browser run within the frontend javascript of a website?
If so, wouldn't that be a way to bypass cross origin policy? I mean at that point it's no security issue anyway, as it would be a freshly created browser, right?
Thank you!

While you can port parts of a browser to JavaScript, e.g. using emscripten, you are still restricted to the APIs offered by the browser itself. There are no APIs to open raw TCP connections, so you will not be able to bypass the same-origin policy.

Related

DNS-SD on client-side javascript

Is it possible to discover services using DNS-SD on client side using some JS library (so to discover services on client's local network)? I found a lot of libraries on npmjs.com, but they all work on Node.js, not on client-side JS.
DNS is (historically) a UDP-based protocol. Browsers traditionally sandbox the networking capabilities and allow to send only HTTP or HTTPS (i.e. TCP) requests from JavaScript code. So, the short answer is No.
However, if you truly need this feature, you could look into the DNS-over-HTTPS technology which got some traction recently. Alternatively, you can try searching for ways of sending UDP packets from the browser. I don't have much knowledge in that domain but WebAssembly or WebRTC potentially may have something implemented already.
Checkout the sample app in the Chrome Web Store.
mDNS browser
This is a non-trivial sample which uses the UDP multicast support in Chrome Packaged Apps to browse mDNS servers. mDNS protocol is usually used for home appliance devices, like the Apple's Bonjour. Read more about the mDNS protocol at this Wikipedia's article
See the source code at https://github.com/GoogleChrome/chrome-app-samples/tree/master/mdns-browser

Is it possible to write a web server running in a modern browser such as Chrome, Firefox, IE, Safari?

In the Substratum Initial Coin Offering (ICO), the White Paper talks about solving problems of the current Internet, by allowing hosts to become web hosts.
Based on reading of the White Paper, the team looks like they're intending to write Javascript that runs on any modern browser (IE, Safari, Chrome, Firefox) on any platform (Windows, Linux, etc) to turn it into a web server.
As the White Paper is very general, I'm not sure if the team's Javascript is also having some form of access to uPnP technology that tells the nearest router to forward port 80 into the (supposed) web browser that's running on the web server.
Does anyone familiar with current web browsers know if browsers are capable of:
Providing access to uPnP that can tell routers to do port forwarding?
Running a web server using Javascript?
Thank you. (I'm familiar with general programming, just not capabilities of current web browsers. Please limit responses to capabilities of web browsers)
There are some JavaScript libraries such as nohost that use Service Workers to mimic a file server on the client-side. This is apparently possible because service workers are able to send custom responses to HTTP requests.
It might also be possible to run a server in a browser in an x86 emulator in JavaScript, though I don't know if this has been done yet.

How can I bypass CORS security in a browser?

I have a Javascript application running in a browser, and I want to access some data sitting in a server that can't enable CORS.
It's not a testing application, is meant for the end-user, even if a little techy one.
I considered:
PHP Proxy: Not appropriate. Server on the other side make decision about IP geolocation.
Java/SilverLight: Unfortunately my #1 target is Chrome
JSON: Not available
What are my options?
Please notice that I'm not trying to make any malicious application: if the user need to approve or allow me to make this request is totally fine.
You are trying to do exactly what the Same Origin Policy is designed to prevent (and what CORS is designed to allow the server to permit).
Your options are:
Find a way to work with whomever controls the server
Get the users to download and install software which isn't subject to the Same Origin Policy (such as a stand-alone application or a browser extension).
You need to ask your users to install chrome extension to overcome CORS. I used to use it while developing ionic apps and testing on chrome
https://chrome.google.com/webstore/detail/allow-control-allow-origi/nlfbmbojpeacfghkpbjhddihlkkiljbi?hl=en
https://chrome.google.com/webstore/detail/cors-toggle/omcncfnpmcabckcddookmnajignpffnh?hl=en

Automating a users web application

I want to help users change privacy settings in a third party web application.
My first thought was loading the web application in an iframe and interacting with it via JavaScript. But the same-origin policy would prohibit that.
To avoid the same-origin restriction I could use a web proxy, but I doubt many users would trust logging in.
I could build a browser extension, but that makes it more cumbersome to use and harder to support all browsers.
Any suggestions?
You can use OAuth redirect mechanism to support your use case.

Using javascript to open a shell

Is there a reliable crossbrowser way to open up a shell using javascript (e.g. explorer.exe)?
This is not possible as it would be a (gaping) security risk.
No, that is not possible for security reasons. Accessing client machine is the problme here !
If you have access to the client machine, and the client machines are all Windows XP or later, there actually is a way by defining a custom protocol as described in this SO question (Mozillazone article here).
That way, you can create links like my_custom_protocol://helloworld.txt that cause an explorer window to be opened in Windows.
This potentially opens a (however remote) security hole, as connecting a custom protocol to explorer.exe could be used to send arbitrary parameters to that executable. Make sure you are aware of the security implications; depending on your situation, it might work for you, though.

Categories

Resources