In general I am aware that one cannot call system libraries or dll's from javascript in browser. But in many of the application's I see browser starting other processes. For example:
As soon as I open Google Plus, it starts the googletalkplugin.exe (from folder C:\Users\Jatin\AppData\Local\Google\Google Talk Plugin) in the background. (Can be viewed in Resource monitor)
The same with facebook video chat. For the first time, it asks me to install a plugin and later when I start a chat, it starts a process.
On torrent sites, they provide magnet links. Clicking on torrent magnet link, it opens my systems default torrent client.
In a way, the same with flash and applet.
How do browsers trigger another process and communicate with it? Is there any open standard I am missing?
Ultimately I wish to do video, audio recording with screencast. For screen-recording, Java applet looks like the only solution but applet has its own Issues.
The flash player and applets use plugins, which are native applications to the OS, (i.e. (mostly) not JavaScript), they are not extensions but plugins. For Chrome see chrome://plugins/ to see the list of installed plugins.
For writing a browser plugin, refer to How to write a browser plugin?
The torrent link is totally different, they are done by registering an url protocol to handle. In other words, you say to the computer that, from now on, I will run any urls which have protocol of torrent, i.e.: starts with torrent://. See: Uri Scheme
When the browser sees the uri, it knows that is not handling torrent protocol itself, so it delegates that to OS, which knows what to do with it.
If the browser did know how to handle that, it probably would not delegated that to OS. For example: Google Chrome can handle mailto: links just well without registering mailto protocol to be handled by OS.
You can do this by writing a plugin. It's possible to write plugins that work on most popular browsers, using the same C++ code, using a library called Firebreath
Naturally there is no pre-existing standard plugin that allows the page to start any external application, because that would be a massive security hole and no (sane) user would agree to install such a plugin.
You have to write a specific plugin with capabilities carefully limited to what you need, so the user can agree to let you use just those capabilities. Again, think about how another page might exploit those capabilities before going down this route.
Related
tl; dr: Is it possible without installing additional software on the client (e.g. proprietary protocol handlers, browser plugins etc.) to link to a document's WebDAV URL on a web page and have the browser starting the associated application (in my case limited to MS Office or LibreOffice) and having the application reading the document directly from the WebDAV URL? My usage scenario is limited to MS Office documents, but it is important that the solution also works if LibreOffice instead of MS Office is installed on the client as the application configured to handle MS Office documents.
The most obvious solution to simply place a link to the WebDAV URL on the web page does not work. The browser does not realize that it is not a plain HTTP URL and shows its regular 'do you want to download or open this file' behaviour. If I open the document from the browser, the browser still downloads the document to a temporary folder and starts the associated application in such a way that the downloaded document is opened from the temp folder. The relevant difference is that if you edit and save the document, it is only saved back to the temp folder on the client and not saved to the original WebDAV URL as intended.
I find it a little bit strange that I seem to be the only one having this problem, I have at least not found much information or discussion when searching the net.
I few close, but not quite fitting solutions are:
The WebDAV AJAX library from IT Hit. The library offers a JavaScript API to do exactly what I need. If I ignore that the library is quite expensive, it does however require additional software to be installed on the client, which in my case is not acceptable.
Confluence is according to the documentation offering the functionality I request, also without installing additional software on the client, but I have found no details on how it is actually solved technically.
MS Office installs by default protocol handlers, which allows me to use URLs like ms-word:ofe|u|https://my.webdav.server/path/to/doducment.docx on the web page. Some discussions on the internet seem to indicate that LibreOffice is supposed to support these URLs, but my tests show that it is not the case, not even under Windows.
LibreOffice installs (at least under Windows, allegedly not under Linux) a protocol handler for vnd.libreoffice.command. I could alternate between ms-word:ofe|u| and vnd.libreoffice.command and almost achieve what I am looking for, but there is no JavaScript API to query the installed protocol handlers, so I have no way to check which office suite is installed on the client machine and decide which of the two protocol handlers I can use.
Anyone out there with a better suggestion how to achieve this?
I created a small JavaScript application for which I reused some (quite large) JavaScript resources that I downloaded from the internet.
My application runs in the browser like other interactive web applications but works entirely offline.
However, I intend to enter some private information in the application which it shall visualize. Since I cannot ultimately trust the JavaScript pieces that I downloaded, I wonder if there is a JavaScript option to make sure that no data is downloaded and, in particular, uploaded to the web.
Note that I am aware that I can cutoff the local internet connection or perhaps change browser settings or use an application firewall, but this would not be a solution that suits my needs. You may assume that the isolation of a browser instance is save, that is no other, possibly malicious, web sites can access my offline JavaScript application or the user data I enter. If there is a secure way to (automatically) review the code of the downloaded resources (e.g. because communication is possible only via a few dedicated JavaScript commands that I can search for) that would be an acceptable solution too.
You should take a look at the Content Security Policy (CSP) (see here and here). This basically blocks every connection from your browser to any other hosts, unless explicitely allowed. Be aware that not all browsers support CSP, which leads to potential security problems.
Reviewing the library code might be difficult because there are many ways to mask such code pieces.
Find it yourself by watching your browser's network activity while your application is in action.
There are more than enough tools to do this. Also, if you know how to use netstat command line tool, it is readily shipped with windows.
Here is one cool chrome extension which watches the traffic of the current tab.
https://chrome.google.com/webstore/detail/http-trace/idladlllljmbcnfninpljlkaoklggknp
And, here is another extension which can modify the selected traffic.
https://chrome.google.com/webstore/detail/tamper-chrome-extension/hifhgpdkfodlpnlmlnmhchnkepplebkb?hl=en
You can set the filters and modify all requests/responses happening in your page.
If you want to write an extension to block requests yourself, check this answer out.
I want to open any custom application say VLC Player or any other installed application in the system through HTML page. I have tried WScript.shell technique but no luck.
You can't do this in general. There's no way to open any arbitrary application from a webpage. Here are some scenarios where it's still possible. One possibility: some programs have protocol handlers associated with them, and those can be launched through a link or via javascript (e.g. window.location = "someprotocol:path?argument=value"). I don't think VLC (to use your example) is among them, however.
There might be a more useful solution if you limit yourself to a particular browser/OS.
I am trying to accomplish the following:
I want a button on my website that will open a windows program on the users computer. So for example, someone clicks "Remote Desktop" on my website, and it will open mstsc.exe on the machine.
Is this possible with any language?
The way you could do this is via an URI scheme. For that to work though, your application itself needs to have an URI scheme attached to it. Examples include mailto: (opens your email client - can also be a web client such as gmail), irc: (opens Internet Relay Chat client) and an example of a truly custom URI scheme (it isn't listed in the official list) is Github's Desktop application, which uses the URI scheme github-windows:. Again, for this to work, the app itself needs to have this built into itself.
I assume you didn't make this mstsc.exe "Remote Desktop" yourself, it is impossible to start this application in any way whatsoever using just your browser. If that would indeed be possible, it would be a massive security hole. It would mean you could simply run any program (or uninstall file) you'd like.
Note: If you did indeed make the application yourself, I suggest asking another question on this site, but making it specifically about registering custom URI schemes to your application, and also specifying what language your application is written in.
Is it possible to make a launcher for a website that opens a file installed on your computer published by the website, like a button?
For example, the user can install "blahblah.exe" onto their computer by downloading the installer from the website, and there could be a "Click here to launch blahblah.exe" button on your website, and when you click it, it opens blahblah.exe which was installed previously.
Is it possible?
Can you imagine the potential security and privacy issues this would have if it was possible?
Thankfully, it is not possible, not by default.
With browser plugins this is possible, but you need to install these.
Of course it's possible, but not without either
an exploit for a vulnerability in the user's browser (or other component)
a plugin for a browser that specifically allows that kind of things.
So, in general no.
Special cases are for example:
iTunes which registers an URI handler (so iTunes can launch when you click a special link)
Some other software that includes a launcher as a browser plugin (Skype, iirc)
In both cases something has to be done by the user before it's possible (and that's how it should be, ideally).
Short answer: No, this is not possible.
Longer answer: You could do something with a browser extension, but of course you have to
Write one
Get the user to install it
This isn't allowed due to massive security risks. There are plenty of things you can do to an operating system just by running commands, so any malicious page you visit could potentially wipe your entire disk, steal your data or anything else someone might want to do.
It is like giving a robber the key to your front door. Here you go, feel free to start up any random program.
No it is not possible with a standard security settings on the browser. There are ways to do it with ActiveX in IE, but that requires very relaxed settings.
Or you can install some sort of plug-in that can listen for an event and do it.