Android browser - localhost communication (phone tiny webserver) - javascript

Would it be possible to start on the Android phone background running service which will listen on a certain port for incoming local http connections and communicate with the the built-in web browser (I am not talking about the web view), Opera or Dolphin browser by capturing all such localhost calls - http://localhost:8081/serviceCall?
The goal is to make a tiny webserver running on Android phone, which can deliver the web browser some information, the browser does not have access to. But I am not sure if there are not some security restrictions, etc.
BR
Petr

Is it technically possible? Sure.
Is it wise? Only if you are a security expert or have a large legal defense fund. You will not be just sending data to "the built-in web browser", but to any application that chooses to make HTTP requests.

Related

Find a specific server on the local network

If I have a Node.js app running on a machine on the LAN that runs a web server (Fastify) and it is configured to be accessible to all devices on the LAN, how could I use JavaScript in the browser on another machine to detect that server on the LAN?
Example: On a NAS connected to my router, I run a Docker container that creates a HTTP API at the address 192.168.1.28:3000. I can manually type this into any browser on the LAN and it will access the Docker container. How can I use JavaScript to detect the existence of this server without knowing its address?
You can't.
While there are protocols for announcing the presence of a service on a network, none are supported by JS running in a webpage.
Browser extensions (such as Bonjour Browser and the poorly reviewed Railduino Zeroconf-Lookup) are possible, but since you didn't mention writing a browser extension I'll assume they aren't an option.
There's things like WebRTC but unless your device advertises that you're out of luck.
This is by design.
Can you imagine if an arbitrary web page could scan your local network and report back to some arbitrary server what it discovers?

Turn off the https requirement for https gated web APIs in Chrome and Firefox

Many modern Web APIs are gated by the browser to be HTTPS only. This is good for users but can make developing painful. During development I'd like to be able to turn off that requirement just for testing.
Is there a flag I can set (about:config in firefox, about:flags in chrome) or a command line parameter I can pass in to turn off that requirement so I can test without having to setup https certs and add them to the browser?
Note: I understand the https requirement is dropped for localhost but I'm often hosting on one machine (like a laptop) and testing on another (like an Android device) or a different desktop. I know I can generate a local cert and run a server that supports https. I then have to deal with security warnings on the browsers (invalid cert) and/or add the private certs to all the devices OR I have to register a domain solely for the purpose of getting a valid cert via letsencrypt. For my own dev I'd just like to temporarily turn off that check in the browser if possible. Of course what I actually serve to users will be https but during dev if I could turn off that requirement things would be so much easier.
In my particular case I'm trying to use WebXR so dev happens on my laptop but actual testing happens on an Android device where the page is served from my laptop.
One solution suggested here is to use Chrome's port forwarding
https://developers.google.com/web/tools/chrome-devtools/remote-debugging/local-server
That works for Chrome desktop to Android
On your desktop you tell desktop chrome what site at what port to forward to your android device at another port. That site can be a server on the internet or a server running locally on your desktop. On the android device you can then access that site at http://localhost:<port-you-specified>. https requirements are dropped for locahost host so you can now use the APIs that were restricted otherwise.
Chrome has a developer setting Insecure origins treated as secure in chrome://flags/, this is a text field where you can add a list of origins treated as secure for development purposes. (Via https://github.com/immersive-web/webxr/issues/60)

Getting a mac address from a device via web script or http

Is it possible, considering I have access to all of the end user devices to allow security exceptions, to request the device mac address using any web scripting process running in Apache/IIS/Nginx? PHP? Perl? ASP?
Client devices are running iOS so this won't work http://www.qualitycodes.com/tutorial.php?articleid=19&title=MAC-Address-Using-WMI-on-Internet-Explorer
It must be possible because MDM solutions get it through a Config Profile...
In a word: no.
Actually, using the standard protocols/technologies you mentioned above it is not possible to retrieve the MAC address of the client.
What is possible is using a legacy technique where you install a "native" software on the client machine (e.g. activeX, java applet...).
That software, once installed, can retrieve easily the MAC of the client's device. Thus, it could call your web server with the MAC as an argument.
Nothing of the scenario above is expected to be implemented or is already implemented.

Chrome web notifications without SSL (bypassing Service Worker)

So, is it possible to implement web notifications for Chrome without SSL certificate?
I want to avoid installing SSL on my site and it would be cool if there was a way to send notifications without Service Worker.
You can still use the (old) Notification(title, options) constructor and it’ll work on some (desktop) platforms. But (as I guess you know), it doesn’t work in Chrome for Mobile (Android).
What does work on Chrome for Mobile is the ServiceWorker-based showNotification(title, options) approach. But per the Service Workers spec, you can only use Service Workers in secure contexts (in order to protect users from the risks associated with insecure contexts).
So if you want something that will work for Chrome for Mobile users, then the answer is, No, it’s not possible to use Web Notifications in Chrome for Mobile without Service Workers (and so also, without deploying an SSL certificate for your site).

How to use json proxy to access remote services during development

This is my doubt after going through
How to send headers while using jsonp proxy?
and
How Ajax call is working in mobile app (PhoneGap), but not in PC browser?
As per this we can use json proxy instead of jsonp in mobile but not in desktop browser. This sounds good but my problem is I am using my desktop as develop environment and browser is quickest way to test and debug whatever I am doing but if I use json proxy this won't work because of cross domain issues. Please suggest ways such that I can easily develop and debug application on my desktop itself.
My workstation has Ubuntu OS and I use Chrome browser for testing.
I think for the development purpose you can disable cross domain policy in your browser as given here.
create a short cut for the chrome browser in you desktop
add the following flag to the short cut --disable-web-security
Or
You can setup your dev server to allow cross domain requests as given here or [here]
1.
Add the following header to your response Access-Control-Allow-Origin: *

Categories