Is there a way to use Javascript within a browser environment to detect global keystrokes and mouse movements (i.e. all keystrokes and clicks within and outside the browser)? I understand this might involve browser plugins, but would like advice on specific pieces of technology I can look into.
No, this is not possible and that's a damn good thing. We don't need random websites to act as keyloggers.
Any browser plugin allowing a website to do that would actually be malware or at least open a gaping security hole and thus end up on the plugin blacklists of browser vendors really soon.
Related
I know there are lots of javascript plugins and libraries to allow users to pick emojis for text inputs, but windows and mac already have native emoji pickers (⊞ Win. or CTRL⌘Space), Is there a way for me to open these native emoji pickers when a user clicks in a text field instead of installing plugins in my website?
I already tried emulate button key press, but it didn't work at all.
Short answer is no.
In order to access any OS feature from javascript, you need a corresponding browser API to support.
AFAIK, there isn't an API for that. There's a discussion here which suggests adding <input emoji /> to standard but seems no traction gained.
Edit: Below is my original answer, revised. Comments pointed out I was focusing on the wrong aspect of the question, I totally agree.
However, the OP obviously has some wrong idea about what you can do in javascript to leverage browser ability. So I think it's still worth clarification.
You can't send arbitrary emulated keyboard event from js and hoping the OS will respond. Were it possible, it'd be a severe security issue on browser's part. Imagine open a website and it fires a series of keyboard event to your OS and wipes out your desktop (totally feasible through shortcuts).
You need to understand the runtime env inside the browser is basically isolated from the one of native OS. Whatever OS feature that's accessible to your javascript is totally up for browser vendors to decide. For security reason, they are super careful in making these decisions.
Also, make a distinction on "what browser can do", and "what browser allows you to do in js". Seeing Chrome has an "Emoji & Symbols" context menu item, doesn't necessarily mean it decides to grant you the same ability in js.
To further clarify why the emulated keyboard event is fundamentally different from the native one, I include a graph here. The blue arrow is how emulated keyboard event flows. The farthest place it can reach is the browser's internal event bus. It never got a chance to reach the OS event bus, so no way to notify native emoji picker.
So I'm looking for a work-around the whole blocking off opening local files from the browser. What I'm thinking is, I could have some script that, when it is activated, it initiates a set of keys that activate a shortcut that opens up the specific local file with that shortcut assigned.
I may be crazy, but is this possible?
Unfortunately, I don't think this is possible on the browser-side of things, which is what I'm assuming you're talking about?
The short answer is that browser shortcuts cannot be triggered through JavaScript.
You could try to directly navigate to the file in JavaScript by navigating to a file://..../ path, though I'm almost certain that this is not permitted as it would be a huge security flaw in the browser.
I'm giving a class of high school students a demo of unexpected things a webpage can tell about them from their mobile - even if they're not signed in or anything. So far I have picked a couple of things most people would know about, like:
Device OS
Specific handset (unless you're on iPhone, then it's just iPhone)
Language setting
And a couple of more obscure things:
Carrier (hitting a remote service and returning JSONP since js is IP naive)
Battery level / charge status (I didn't even know you could do this until today)
Can you think of anything else cool / creepy in a similar vein that I can dig out of UA / Navigator / etc? Most of them are running Chrome under Android or iOS (which is lucky, not every browser supports the battery thing). The main event is about mobile safety and phishing so I'd like to stick to mobile phones.
Quick edit: for clarity, I'm building out a site they will go to which will actually demo these features - so unfortunately they need to be implemented, at least in Chrome, vs planned / drafts.
You should mention geographic location. A competent javascript library e.g. MaxMind or Google Analytics can be used to pinpoint to geographical location of users.
From the phishing point of view, which I consider most important, there are several dangerous things:
Phishing
Without add-ons, browsers will not usually warn you if there's one letter different in the address you're visiting. Even though URL scheme forbids zero-width characters and other Unicode nastiness, you still can oversee l (lowercase L), 1 (one), I (upper case I). There are also many unicode characters that look like normal alphabet. Maybe there's some blacklist on unicode characters like greek letters. Check this site to play around. You can try to create some domain name like stackoverflow.com with greek ο.
JavaScript can alter URL after domain name. But I haven't seen hosting that would give users folder names in years. Still, it's creepy to see URL change without reload:
window.history.pushState("object or string", "Title", "/new-url");
Not sure if this applies, but last years HackADay.com revealed a hack where you can change <a> href after mouse button was pressed on link, effectively changing the target URL. But then again, you can also redirect browser using javascript...
Personal data
For this, the first thing I'd do is to check Window and Document on MDN. This is definitely gonna reveal some cool stuff that leaves battery power info just puny attempt to be scary:
Window:
Window.ondevicemotion - does what it suggests. assume you can also Window.addEventListener("devicemotion", ...)
Window.ondevicelight - this one is very creepy but Firefox only
Window.ondeviceorientation - much more widely supported event for device movement. Wanna approximate the path your user walks and draw it on canvas? Or make an application that screams "Put the fuking phone down.*" until they put it on the table?
Also, there's like million methods to get various screen properties. Some of those were exploited to guess OS version, as different OS's have different menu bars taking different screen portion.
Document:
document.referrer - Wanna track your users?
You can detect presence of ad-blocking addons by creating elements like:
<div id="advertisment"
class="ad advertisment ads banner"
style="pointer-events: none;position: absolute; opacity: 0;">NOTHING
</div>
Then fetch .getBoundingClientRect() and assert non-zero dimensions.
You can detect when document is being inspected by firebug. (or you could in past, when firebug actually added elements in DOM to highlight nodes). These elements are invisible in Firebug but fire DOM mutation events.
If user confirms, sound and video can be recorded.
I once created a script that was able to stream all DOM mutations on server allowing me to watch other user using web-site real-time. But I didn't finish it to production state unfortunately. But this is how I found about the firebug issue.
There are other tricks to check if debug tools are running. These are usually various hacks, try to google something.
Ever wondered if your users have CORS enabled localhost HTTP server running? I mean, isn't it worth a try?
WebWorkers allow you to spawn threads on client machine. You could use this for distributed processing or just to burn their battery. As it doesn't affect GUI thread directly, they won't notice until it's too late. Also this sounds like a great way to generate hask cracks and crack certificates.
You can alter copied text, possibly adding cross-site script hacks into it. Good trick is to offset your script with a shitload of spaces, so that it's not seen in typical text editor without text-wrap.
Using Desktop notification, you can pretend you're an antivirus, windows update...
What about any of these...
You can profile their interests base off search history.
Frequency they visit and from what locations.
Build a profile of what time in the day they visit.
Time spent on site
What pages they spend most amount of time on.
Profile based of hot area's on page clicks or where mouse curer is.
You can profile typical user behaviour.
The result of all of this is
- Pushing data personalized marketing i.e what your seeing, is targeted to
you, as an individual (google does this a lot with their ad's)
I am thinking of making a game, but it involves staying in fullscreen mode always. You can only leave full screen mode on entering a password. Pressing Esc or toggling the fullscreen key shouldn't exit full screen mode.
I can't divulge more details, but it involves leaving a person to interact with content of the page until another person who knows the password stops the interaction.
EDIT: I know it is not user friendly, but it is for a special purpose. It is there to leave kids to interact with, and be left alone with. If they escape out of the browser they would be able to tamper with other things on the computer which i dont want them too.
Since you don't need any more answers like "this is not user friendly" i would recommend you to have a look at some add-ons for firefox or chrome. You should have a look at some "Kiosk-Mode" add-ons.
Kiosk-mode is made for use cases where you have a pc in a public place and want to provide internet access. Maybe you can use one of those add-ons and configure it to get what you want.
If not, you should think about writing your own plugin for firefox or chrome in this add-on context you should have control over such things.
This is not plausible. All operating systems allow some sort of emergency application shut-down system. You will not be able to block these abilities.
You can't force the browser to stay in full-screen mode. Nor should you, it's just going to make your users angry.
If you don't mind angry users, you can try a Full-sreen popup . But really, try not to do that.
Fullscreen in a browser is a user setting. You can not possibly control this through html/javascript. The only way to acces and change a person's personal settings is through system calls in languages like C/C++ and C#. You will basically always need a program running on the client's computer to manage that kind of settings.
I am making an html/javascript browser homepage, that could be downloaded to any computer - you simply run the *.html file from your computer and it opens in your default browser; in it you have a compact homepage, with several options - you can make a bookmark list, write notes etc. You can leave it opened as it is just a separate tab.
I'm wondering whether it's possible to use javascript in order to open, for example, windows media player or make it possible for the user to set a default music player. Or even close the previously opened program? Could this be done?
I think it would be best if the user could just set the default programs. Getting the file location is not the problem, is anything else needed?
You can't do this unless you write a browser extension (plugin), for example.
Most web browsers put a lot of work into sandboxing JavaScript so any malicious users can't compromise the system the client's browser is running on, although older browsers are as watertight as sieves. Modern browsers are a lot better, but there are/may be some holes somewhere. All this security means that JavaScript can't (isn't supposed to be able to) access any part of the client's machine.
Any respectable browser will block javascript from accessing anything on the user computer. It is a huge security risk to let a script in a HTML page do something like you want.
Depending on the browser and the configuration, it may be possible, but you absolutely shouldn't try to do it.
You can maybe achieve what you want through a browser extension, but you will have to write it for each different browser your customer are using.
Maybe the best thing to do is write a rich client instead of using HTML/Javascript.
It would be doable if the HTML page were not opened in the browser! The browser makes its best not to allow such things for security purposes.
Not that JavaScript in itself is not able to do this -- the language is used in plenty of other places, see here.
You can do something similar to this using a wrapper like Fluid ( http://fluidapp.com/ ) which encapsulats your page and turns it into a native app (with its own sandbox) There are equivalent programs for other platforms as well as Mac.