I'm developing a local JavaScript webapp for demo purposes. The webapp consists of a single HTML page and a few JS files that are included into the app using <script> tags in <head>.
When I run this file (from the local filesystem on windows) on FF or Chromium, everything is as it should be - the app works fine.
When I run it in IE9, there is an "Internet Explorer restricted this page from running scripts or ActiveX controls" and the app fails to load properly. Clicking on "Allow content" does not help that much because the app already is a train wreck.
However, when I host a local webserver with
python -m http.server 8888
and point IE to it - everything works fine.
Because this is a corporate setting I am not interested in changing the security settings.
I've dealt with the problem by sending these files to a server, but the question remains: why does IE treat files from the filesystem (within the same directory even) as some sort of cross-site request or security risk?
PS. Bonus WTF: When opening the page with the developer tools on, everything is ok.
EDIT: In case you're wondering: I did add a closing script tag.
<script type="text/javascript" src="vendor/d3.v3.js"></script>
why does IE treat files from the filesystem [as a] security risk?
Historical Reasons.
When Microsoft came up with the idea of web security Zones, they originally decided that the My Computer Zone, containing the local filesystem, was more trusted than the Internet Zone.
This almost sounds like a sensible thing to do, except that (a) users expect web pages they download not to gain a load of privileges when run from the hard disc, and (b) lots of programs download files from the internet and put them in a predictable place... so if you can persuade them to download an HTML file, you are persuading them to inject privileged script into the My Computer Zone.
The original settings for the My Computer Zone were to allow ActiveX controls to install and run without prompting. This meant that if you could ever get some HTML onto the filesystem, you essentially had an execute-arbitrary-code security vulnerability. There were lots of web exploits that leveraged this as part of their infection mechanism to load malware.
Microsoft feared any change to My Computer Zone security settings would break applications that used the web browser control to render their own HTML content as part of their UI. So instead, the web browser control defaulted to existing settings, and browsers such as IE that used it were invited to enable "Local Machine Lockdown" mode, which would drop the extra privileges My Computer Zone pages got by default. IE turned this on by default.
Unfortunately in a classic over-reaction, "Local Machine Lockdown" was not just the same level of privilege as the Internet Zone would have been, but even more restrictive - blocking JavaScript as well as ActiveX. This broke pages that users had saved to the hard disc, so to work around that IE adds a marker to pages it downloads to allow them to escape the (formerly privileged, now restricted) My Computer Zone and be treated as normal Internet Zone pages.
This is the Mark of the Web and you can include it in your static files to make them behave normally too.
Of course this makes the added restrictiveness of Local Machine Lockdown completely pointless, as any file can opt out.
But then the whole thing is now completely pointless, because since then the default settings of the Local Machine Zone have been changed and now resemble the Internet Zone more closely, not allowing arbitrary ActiveX. So that's a lot of confusing added complexity for no gain whatsoever.
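The Mark of the Web mentioned above is an HTML comment of the form `<!-- saved from url=(0014)about:internet -->`, where the four-digit field is the length of the URL that follows. The helper below (an added example, not code from the question or the answer) builds that comment, validates the length field, and inserts it at the top of a page; the sample page is constructed and reuses the script tag from the question.

```python
import re

# IE's Mark of the Web: an HTML comment whose 4-digit field is the length of
# the URL that follows it. "about:internet" (14 chars) puts the file in the
# Internet Zone, so Local Machine Lockdown no longer applies to it.
MOTW_RE = re.compile(r"<!--\s*saved from url=\((\d{4})\)(\S+?)\s*-->", re.IGNORECASE)


def mark_of_the_web(url="about:internet"):
    """Build the marker comment for `url`, padding the length field to 4 digits."""
    if not url or any(c.isspace() for c in url) or len(url) > 9999:
        raise ValueError("URL must be non-empty, whitespace-free and < 10000 chars")
    return "<!-- saved from url=(%04d)%s -->" % (len(url), url)


def has_mark_of_the_web(html):
    """True only for a well-formed marker whose length field matches the URL."""
    m = MOTW_RE.search(html)
    return bool(m) and int(m.group(1)) == len(m.group(2))


def add_mark_of_the_web(html, url="about:internet"):
    """Insert the marker at the top of the document (directly after a doctype,
    if present), leaving files that already carry a valid marker untouched."""
    if has_mark_of_the_web(html):
        return html
    marker = mark_of_the_web(url) + "\n"
    doctype = re.match(r"\s*<!DOCTYPE[^>]*>[ \t]*\r?\n?", html, re.IGNORECASE)
    if doctype:
        return html[:doctype.end()] + marker + html[doctype.end():]
    return marker + html


# Constructed sample page, with the script tag from the question above.
SAMPLE = """<!DOCTYPE html>
<html><head><script type="text/javascript" src="vendor/d3.v3.js"></script></head>
<body></body></html>"""
```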
Related
I'm facing a problem with my Chrome on both Ubuntu 15.04 and Windows 10. It's some sort of malware named xnxx-ads.js. This malware opens unwanted tabs and plays advertisement audio on all sorts of pages. For instance, I might have a SO tab open with a speaker icon! playing an ad.
The thing that is important to me (as a web application developer) is how this malware works!? How can some script be loaded on a web page without it being addressed in the source? Is it because of a security hole in Google Chrome?
BTW, my Chrome is: Version 46.0.2490.86 (64-bit) on both operating systems.
[UPDATE]
My Chrome was just updated to Version 47.0.2526.73 (64-bit) and the problem remains.
To get malware inserted into pages, you generally need one of these things:
1. If it is only on a specific site, it is possible that that site has been compromised and the content comes from the site already infected.
2. Something in your ISP is compromised and the content comes from your ISP already infected.
3. Something in your own network (e.g. router) is compromised and the contents arrives on your PC already infected.
4. A malicious program got itself installed on your computer and it is injecting things into web pages as they arrive on your computer (either by modifying the incoming TCP or by messing with the browser).
5. A malicious browser extension got itself installed on your computer and it is injecting things into web pages as the browser loads them.
The most likely options are 4 and 5.
You can probably rule out 1, 2 and 3 by checking the site on your phone or tablet while attached to your home network's wifi. If there is no infection on the web pages viewed on the phone or tablet, then it is not likely 1 or 2 or 3.
If you disable all browser extensions in Chrome and the problem still occurs, then you can probably rule out #5. If the problem goes away when you disable all browser extensions, then you probably have a bad browser extension.
In all cases, you should run a good malware detector. When something like this happened to my daughter's computer, Microsoft Defender did not detect it, but when I downloaded and ran the free Malwarebytes scanner, it did find the problem and removed it.
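One way to narrow down where the injection happens, as an added example that is not part of the answer above: fetch the page from the origin with a non-browser client (or from a clean device, as the answer suggests) and compare its external script references with what the affected browser shows. The samples are constructed; the ad host name is made up.

```python
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect the src of every external <script> and count inline ones."""

    def __init__(self):
        super().__init__()
        self.sources = []
        self.inline = 0

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.sources.append(src.strip())
        else:
            self.inline += 1


def script_sources(html):
    parser = ScriptCollector()
    parser.feed(html)
    return parser.sources


def injected_scripts(served_html, browser_html):
    """External scripts the browser ended up with that the origin never sent.
    A non-empty result means something between the server and the page
    (network path, host malware, or an extension) added them."""
    return sorted(set(script_sources(browser_html)) - set(script_sources(served_html)))


# Constructed samples: the page as fetched straight from the origin, and the
# same page as the affected browser shows it (the ad host name is made up).
SERVED = """<html><head><script src="/static/app.js"></script></head>
<body><p>hello</p></body></html>"""
SEEN = """<html><head><script src="/static/app.js"></script>
<script src="http://ads.example.invalid/xnxx-ads.js"></script></head>
<body><p>hello</p></body></html>"""
```

Run it twice on the browser side: once with the browser's view-source (what arrived over the network) and once with the live DOM from the console (`document.documentElement.outerHTML`). If view-source is already dirty the script was added in transit (options 1 to 4); if only the live DOM is dirty it was added inside the browser (options 4 or 5).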
I've developed interactive content for a client (VR Objects) using JavaScript and Flash (if needed) that they now want to distribute to prospective customers via a flash drive. That makes it local content causing security issues especially with IE. Actually there doesn't seem to be much problem with any browser except IE. True, IE displays the "allow blocked content" button but they fear that is too complicated or scary. And on IE11 in Win 8.1 it still may not work.
The development environment I use has a way around that for testing using an "embedded web server" although all that seems to do is produce a localhost address such as http://localhost:60331/wyj-01xn/output/surfacide_flash.html. Paste that in the URL bar of any browser on the same machine and you are good. Try it on another machine and no go. So I gather the port address and whatever the /wyj-01xn/ is about are machine specific. Another possible problem -- it may not work easily with IE11 on Win8.1, but I don't personally have that setup to test.
QUESTION: Is there a way I can produce this same functionality for my client, distributed along with the content on the flash drive, without the need to install some special software (local web server) on each client computer? The current workaround is to tell customers they should use any browser except IE. Client isn't happy.
You could distribute your webpages along with a portable Nginx server, or wrapped inside a Node-webkit or AppJS package.
I work in phone support for a company that released a new program that stores some data in the users appdata folder.
Our knowledge base has been updated with steps for users to turn on show hidden/system files and then steps users through opening the folders.
As a lot of our software users are not IT 'savvy', it takes a long time walking them through.
With HTML, Javascript or some kind of plug in, is it possible to make a link on a page that will launch a Windows File Explorer window navigated to %localappdata% ?
This way the user will always end up in the right place without all the steps they find difficult.
No, it isn't possible to launch an external program from within a web page.
If you could do it, it would be considered a massive security risk, and would quickly be blocked by the browser makers.
Years ago, there used to be ways to achieve this sort of thing via ActiveX controls, but that is no longer an option, largely due to the security issues it caused.
The only browser that ever supported ActiveX was IE; it doesn't work at all in any of the other browsers, and even IE defaults to block unknown ActiveX controls these days.
In short, you aren't going to be able to do this. Sorry.
I don't believe this is possible with just HTML / javascript because of permission / security
One possibility is to create an ActiveX control to launch Windows Explorer.
Building ActiveX Controls for Internet Explorer
Wikipedia - ActiveX
You could have users download and run a batch file with something like this in it:
%windir%\explorer.exe %LOCALAPPDATA%
You could even configure the batch file to copy files to a more convenient place, like the desktop.
I would like to read the browser's "localstorage" when the browser is off using the OS!
I want to save client data in localstorage and then switch off the browser and the internet and then let an OS program (a windows exe) access and analyse that data and then write new data into that localstorage area so that when the browser restarts the new data is in localstorage.
This should be possible because my OS (i.e. windows) can read and delete cookies from the browser "files" ... so presumably once I know the format of the localstorage "file" then the OS is boss of all of its files and so it should be able to alter them!
So: how do I read and write to JavaScript/HTML5/DOM "localstorage" using "client side .exe programs"?
FAILING THAT: is there any other way that the OS can pass simple data into (and out of) the browser?
Obviously all of this has both huge potential POWER and huge potential DANGER!
The browser can only become the "virtual OS of the future" if the real OS can interact safely with it!!
Thank You.
Of course an app running locally with the appropriate permissions can access any file on disk. However, the real question is what to do with that file once it's open?
Consider the following:
Each browser (Chrome, Firefox, IE, Opera) is likely to store localstorage data in its own proprietary format. You'd have to reverse engineer those formats.
Since those formats are an implementation detail (not a documented API), they are liable to change. This will break your app and/or corrupt user data.
What happens if you modify those data files while the browser is open (even if the page in question isn't open)? The browsers don't expect their data files to change out from underneath them, so it's likely you'd see strange behavior.
All of this is to say that this is a very bad idea. You're messing with the internals of someone else's application; that's a big no-no.
Have you considered an alternative approach? When I was faced with a similar problem, I simply implemented a very simple HTTP server in my app that was bound to a specific port on 127.0.0.1.
With XHR and the appropriate CORS headers, your browser-based application can communicate with your desktop app in a safe manner.
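A minimal version of the loopback bridge described above, as an added example (not the answerer's code): the server binds to 127.0.0.1 only, answers the CORS preflight, and echoes a specific allowed origin rather than `*`, so only the intended page can read the data while any other site the user visits gets a 403. The allowed origins and the JSON "state" are assumed values for illustration.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Pages from these origins may talk to the bridge (assumed values for this
# example). Echoing "*" instead would let any site the user visits read the data.
ALLOWED_ORIGINS = {"http://localhost:8888", "http://127.0.0.1:8888"}
STATE = {"items": []}  # stands in for the data the desktop app owns


def cors_headers_for(origin):
    """CORS headers for a request from `origin`, or None if it is not allowed."""
    if origin not in ALLOWED_ORIGINS:
        return None
    return {
        "Access-Control-Allow-Origin": origin,  # the specific origin, never "*"
        "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
        "Access-Control-Allow-Headers": "Content-Type",
        "Vary": "Origin",
    }


class BridgeHandler(BaseHTTPRequestHandler):
    def _reply(self, status, body=None):
        headers = cors_headers_for(self.headers.get("Origin", ""))
        if headers is None:  # unknown origin: refuse outright, no CORS headers
            self.send_response(403)
            self.end_headers()
            return
        payload = b"" if body is None else json.dumps(body).encode()
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def do_OPTIONS(self):  # preflight the browser sends before a JSON POST
        self._reply(204)

    def do_GET(self):
        self._reply(200, STATE)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        STATE["items"].append(json.loads(self.rfile.read(length) or b"{}"))
        self._reply(200, STATE)


def make_server(port=0):
    """Bind to loopback only, so nothing else on the network can reach it."""
    return HTTPServer(("127.0.0.1", port), BridgeHandler)
```

Start it with `make_server(47123).serve_forever()` and the page served from one of the allowed origins can `fetch("http://127.0.0.1:47123/")`; a page from any other origin receives 403 and, lacking the Access-Control-Allow-Origin header, cannot read the reply either way.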
Here are some other ways:
Embed a web browser control in your application. The web browser control can readily peek into the page, and the page can readily peek into the local storage. The web browser control refers chiefly to Internet Explorer.
You can pass parameters from the web page into an initiated executable (even a batch file) by manipulating the name of the executable. (Use application/bat as Content-Type to invite the OS to run your program when the user downloads it.)
A ClickOnce program initiated from the browser can readily receive data from the webpage.
You can use automation in your program (AutoIt, AutoHotKey) to copy/paste to and from a field on your web page. You can find the window by title as you control the title on the web page side. You can even automate opening a browser, navigating it to a page that dumps the local storage into a text field, and focuses the field.
ActiveX controls (good luck)
I can't speak for similar tricks for OS X or Linux.
I am wondering if there is a way we can achieve this. I heard different things about Silverlight 4, JavaScript or ActiveX control, but I have not seen any demo of code for any of them.
Is there a web component that is available or how can I write one?
We really like to capture a client's USB drive via the Web and read/write data on it. This has to work for any operating system in any web browser.
What about WPF in browser mode? I read that I can host my WPF applications inside browser and sort of like a smart client.
Here is a great example of doing this via Silverlight 4, but the author mentions the possibility of accessing USB on Mac via:
Enable executing AppleScript scripts.
This option will let us have the same amount of control on a Mac machine as we do on a Windows machine.
Add an overload to ComAutomationFactory.CreateObject() that calls the “Tell Application” command behind the scenes and gets an AppleScript object.
This option would work extremely well for Microsoft Office automation. For any other operating system feature, you’ll have to code the OS access twice.
I did not quite understand it. Has anyone tried this?
Web browsers are deliberately isolated from the filesystem for security reasons. Only Java (not "Java Script"), Flash or browser plug-ins can accomplish this.
JavaScript cannot directly access your local disk (including a flash drive) for security reasons (would you really want any web site you look at to access, change, or even delete your files?), and ActiveX controls are IE-specific, so you should probably use a Java applet (not JavaScript). While Java's security policy normally does not allow access to local disks, signed applets can with the user's permission.
If you're willing to introduce a dependency on Flash (10), you can use the FileReference class to get access to one file at a time, first for reading using the browse method, then for writing using the save method.
Note that for security reasons, each call to these methods must be triggered as a result of user input (e.g. clicking a button), and each time they are called an OS-specific File Open/Save As dialog box is displayed.
There's a video tutorial which gives some sample code for editing a text file (load + save) directly in Flash, without needing any server-side help. It should be enough to get you started in the right direction.
What about WPF in browser mode...I read that I can host my WPF apps inside browser and sort of like a smart client.