Is it possible to make a launcher for a website that opens a file installed on your computer published by the website, like a button?
For example, the user can install "blahblah.exe" onto their computer by downloading the installer from the website, and there could be a "Click here to launch blahblah.exe" button on your website, and when you click it, it opens blahblah.exe which was installed previously.
Is it possible?
Can you imagine the potential security and privacy issues this would have if it was possible?
Thankfully, it is not possible, not by default.
With browser plugins this is possible, but you need to install these.
Of course it's possible, but not without either
an exploit for a vulnerability in the user's browser (or other component)
a plugin for a browser that specifically allows that kind of things.
So, in general no.
Special cases are for example:
iTunes which registers an URI handler (so iTunes can launch when you click a special link)
Some other software that includes a launcher as a browser plugin (Skype, iirc)
In both cases something has to be done by the user before it's possible (and that's how it should be, ideally).
Short answer: No, this is not possible.
Longer answer: You could do something with a browser extension, but of course you have to
Write one
Get the user to install it
This isn't allowed due to massive security risks. There are plenty of things you can do to an operating system just by running commands, so any malicious page you visit could potentially wipe your entire disk, steal your data or anything else someone might want to do.
It is like giving a robber the key to your front door. Here you go, feel free to start up any random program.
No it is not possible with a standard security settings on the browser. There are ways to do it with ActiveX in IE, but that requires very relaxed settings.
Or you can install some sort of plug-in that can listen for an event and do it.
Related
We are currently looking at porting a enterprise silverlight application over to html5. The major roadblock that we have hit is the ability to open files from the user's local disk. Currently they have a document library which just links to files on their computer that they can open from within the app and view or print out. All that I read is that you can only access the local sandbox of the web app with the html5 file api's. We want to load these files from code.
Does anyone know of any workarounds to this?
Thanks
There is no way for html5 to access local file without user selection. But FSO: FileSystemObject works for IE and MAYBE could be regarded as a work around. But still there are some requirements to meet.
It is possible to use chrome's filesystem API to access files on a users local filesytem. So you'd have to be willing to make this a chrome only application.
Using java you can create a "Signed" applet which has access to the local filesystem. (if the applet is signed you can request filesystm permissions)
then there is a tutorial for accessing methods of your java code directly from javascript here: http://docs.oracle.com/javase/tutorial/deployment/applet/invokingAppletMethodsFromJavaScript.html
you should be able to perform something similar from silverlight.
There is no workaround in pure HTML5/Javascript. You need the use of plugins, such as Java or Silverlight (maybe you shouldn't port it after all). As for workarounds, HTML5 gives you an easy way drag and drop multiple files that you could transfer on the server and then display back to your users. Another workaround would be to install a custom agent (a software with only a tray icon) that would send the information about the current user "document library" to server and then again, you could display it back to the user.
Note: I've heard somewhere that browsers will eventually stop supporting plugins. http://www.howtogeek.com/179213/why-browser-plug-ins-are-going-away-and-whats-replacing-them/
Ya, I agree with Markain. However, if you were to limit your audience solely to chrome users, I daresay, you would most likely use some of your users. If Huazhihao is right, then your number of leaving customers should decrease but users who regularly use firefox won't be happy. Overall, I think that this will not work. Otherwise, there would be too many websites that trashed your hard driver (or at least wherever you have the rights to edit/delete files). I think it would be best if your product was setup to synchronize the file whenever an internet connection was detected and a change was made to the file. That way the user would not need to visit the website whenever the file was uploaded. If this is some kind of an error file, then it would be most beneficial if you were to make a link in the application that when clicked, would upload the file to the website and the website were to do whatever was necessary. If this is a purely online thing, then I don't see what business you would have looking through other peoples' files =-). Hope I helped!
I created a small JavaScript application for which I reused some (quite large) JavaScript resources that I downloaded from the internet.
My application runs in the browser like other interactive web applications but works entirely offline.
However, I intend to enter some private information in the application which it shall visualize. Since I cannot ultimately trust the JavaScript pieces that I downloaded, I wonder if there is a JavaScript option to make sure that no data is downloaded and, in particular, uploaded to the web.
Note that I am aware that I can cutoff the local internet connection or perhaps change browser settings or use an application firewall, but this would not be a solution that suits my needs. You may assume that the isolation of a browser instance is save, that is no other, possibly malicious, web sites can access my offline JavaScript application or the user data I enter. If there is a secure way to (automatically) review the code of the downloaded resources (e.g. because communication is possible only via a few dedicated JavaScript commands that I can search for) that would be an acceptable solution too.
You should take a look at the Content Security Policy (CSP) (see here and here). This basically blocks every connection from your browser to any other hosts, unless explicitely allowed. Be aware that not all browsers support CSP, which leads to potential security problems.
Reviewing the library code might be difficult because there are many ways to mask such code pieces.
Find it yourself by watching your browser's network activity while your application is in action.
There are more than enough tools to do this. Also, if you know how to use netstat command line tool, it is readily shipped with windows.
Here is one cool chrome extension which watches the traffic of the current tab.
https://chrome.google.com/webstore/detail/http-trace/idladlllljmbcnfninpljlkaoklggknp
And, here is another extension which can modify the selected traffic.
https://chrome.google.com/webstore/detail/tamper-chrome-extension/hifhgpdkfodlpnlmlnmhchnkepplebkb?hl=en
You can set the filters and modify all requests/responses happening in your page.
If you want to write an extension to block requests yourself, check this answer out.
Is there a way to identify and block JS files/events that are not part of your domain?
Like assume, if I'm writing a extension for chrome and I put following code in my JS
$('div').on('click', function(){ alert("yup"); });
is there a way for a website to handle this case?
Edit 1:
After discussion with #Clive, I realized that all extension/application should run in sandbox and should not be able to access events/elements outside the scope.
Case
A chrome extension have a keypress event on input[type=text] and input[type=password]. Now this extension runs in background, so there JS files are always available. Hence if you open facebook and login to your account, this extension will capture data and can send it to its server.
My Case
Two user was getting alert messages multiple times. Initially we thought its a part of our code and checked all JS files. But then realized, both user had same extension and so we diagnosed that extension's JS file and found alert in it. Now we were lucky, no damage was done, but it still posses a possible security threat.
Short answer: No.
Long answer:
Chrome extensions run their code in a separate space from your site's code, so they don't interact at all. The best you could do is prevent DOM edits. Luckily chrome extensions already run in a sandbox and have to explicitly ask for permissions for the domains that they inject code in and those domains are all listed when you install an extension. The only other way for extensions to interact with a page is through the activeTab permission which is a one time allowance on a specific user action. If you are using an extension that you think is malicious, you can always just read the code since JS is naturally open source. It really all boils down to a matter of trust. Installing something is explicitly trusting that thing to not mess up your stuff. This applies to all programs. If you don't trust an extension, then don't install it. A sandbox can only prevent so much while still letting extensions do something.
In general I am aware that one cannot call system libraries or dll's from javascript in browser. But in many of the application's I see browser starting other processes. For example:
As soon as I open Google Plus, it starts the googletalkplugin.exe (from folder C:\Users\Jatin\AppData\Local\Google\Google Talk Plugin) in the background. (Can be viewed in Resource monitor)
The same with facebook video chat. For the first time, it asks me to install a plugin and later when I start a chat, it starts a process.
On torrent sites, they provide magnet links. Clicking on torrent magnet link, it opens my systems default torrent client.
In a way, the same with flash and applet.
How do browsers trigger another process and communicate with it? Is there any open standard I am missing?
Ultimately I wish to do video, audio recording with screencast. For screen-recording, Java applet looks like the only solution but applet has its own Issues.
The flash player and applets use plugins, which are native applications to the OS, (i.e. (mostly) not JavaScript), they are not extensions but plugins. For Chrome see chrome://plugins/ to see the list of installed plugins.
For writing a browser plugin, refer to How to write a browser plugin?
The torrent link is totally different, they are done by registering an url protocol to handle. In other words, you say to the computer that, from now on, I will run any urls which have protocol of torrent, i.e.: starts with torrent://. See: Uri Scheme
When the browser sees the uri, it knows that is not handling torrent protocol itself, so it delegates that to OS, which knows what to do with it.
If the browser did know how to handle that, it probably would not delegated that to OS. For example: Google Chrome can handle mailto: links just well without registering mailto protocol to be handled by OS.
You can do this by writing a plugin. It's possible to write plugins that work on most popular browsers, using the same C++ code, using a library called Firebreath
Naturally there is no pre-existing standard plugin that allows the page to start any external application, because that would be a massive security hole and no (sane) user would agree to install such a plugin.
You have to write a specific plugin with capabilities carefully limited to what you need, so the user can agree to let you use just those capabilities. Again, think about how another page might exploit those capabilities before going down this route.
This has been asked a lot of times already: I need to get the full file path via a web-page. The use case is an application running on the same machine as the browser (i.e. the application starts a local HTTP server and fires up the browser.) File-paths are of course valid and the same for both client/server now. The use case it that the user selects a file and then the server process does some computation on it, and the input files are typically large (read: several GiB in size.)
The easiest thing would be to directly access the path using , but for security reasons, this is disabled. I'm looking now for the least intrusive workaround to this problem. The target browser in question is Chrome. I'm fine if the user has to click "accept" once on some security warning, as long as I can ensure that it won't appear again.
Do I have to write an extension, NSPlugin, can I use some special header magic to mark my page as "local", is there some security setting I can set? The less the client has to do the better, and I would prefer some "click here to allow access ..." solution above everything else. Can I directly install an extension from the server process that would do this (after the user clicks accept?)
Is it possible to do this with a Java applet/Flash? That would be the easiest solution, and clients are guaranteed to have Flash installed (as it is bundled in Chrome...)
You can create Java applet for tasks like this and self-sign it. User will have to allow it to run, but then you will be able to access applet's function that will return file path string via Javascript.
Clearly file io on the client's system is forbidden from JavaScript. If this wasn't the case it would be absolutely trivial to hack every web browser that visits your website.
Battlefiled 3 is controlled though the browser. To do this EA wrote a browser extension for the top three browsers. But that's resource intensive. If you just care about chrome you can use an addon, and for that i suggest using the NPAPI.
And as MOleYArd said, Java is a good solution and probably more common than an extension or addon.