I am developing a content management system in asp.net where the users of the system will use it to submit their work as well as open their previous/unfinished work (writing) in Microsoft Word 2003. Now the problem is if I use C# System.Diagnostics library it works perfectly if the system is deployed on local server (i.e the PC on which I am developing) but I think if I deploy it on another PC and run it on a client PC using LAN connection it will launch word on PC acting as server instead of client although I haven't tried this but this is what I doubt, is there any way I can launch word on client machine using Javascript but without using ActiveX as it restrict the user to use IE only while our users choose their own browser ?
Thanks.
Not possible. Browser scripting cannot interact with the client machine, period, unless you have some plugins installed that would allow it.
Microsoft, and its ActiveX, are an exception, where they break the rules so they can improve integration with their operating system. Many people think it's another of Microsoft's blunders, since it is often viewed as a big security risk.
Nope, and for good reason too. Could you imagine if any website were allowed to run executables on client computers...?
Related
I do not want to allow Web Debuggers such as Charles Proxy, Fiddler, Wireshark, etc while using my Node JS application. I'm not fully sure what's the best way to do this. Is there a way to detect when a new program is launched in node, and then check if it's a web debugger?
I just don't want people intercepting requests sent from the node app.
I have tried getting all running processes on user's computer, and if any are a web debuggers, close my app, but this requires checking the running processes every couple seconds.
There is no effective way for you to do this. There are more debugging tools than you could imagine to check for, and there are ways that they could be hidden beyond your ability to detect (like running them on another computer, or running your application inside a virtual machine). Besides, your application is written in an interpreted language -- any user savvy enough to use a debugging tool could just as easily open up your application and remove the code that was supposed to disable their tools.
You haven't gone into much detail about why you're trying to do this, but the fact that you're asking is a sign that your application may be structured incorrectly. If your application is communicating with a server, any access controls (e.g. on what information the client has access to, or on what operations it can perform) should be implemented on the server -- the fact that the client can "see" what is going to and from the server should not compromise the security of your system.
That is impossible! Browser is a software, just like Charles Proxy, Fiddler, Wireshark, etc ...
In our web application, we using a Java applet to invoke MS.Word application by jacob jar e.g. Word to open, edit, and when it saves automatically it uploaded to the server.
Google Chrome will no longer support NPAPI, so soon we can not run our applet in Chrome anymore.
So, any suggestions for an alternative for the Java applet. We want to make the same experience for the user, just like before.
We have the same problem. With Webstart is not longer possible to do that communication. We are going to use Websockets between webstart application and browser. Our first attempt is to start a websockets server in the webstart and make browser connect to localhosts. If this is not possible for security limitations in the browsers then we are going to do it through the webserver, browser and webstart application connecting to the webserver and exchanging messages.
I can see 2 distinct possibilities.
Create a standalone application that "wraps" your web application using a technology such as electron. You can then do your browser to desktop integration as you like. This will require an install on the client.
Launch a webstart application (or it could really be any installation that happens on the client). It will need to start a webserver, or connect to a webserver and communicate via http.
I'm saddened by the loss of the Applet. It is a technology not easily replaced. And another methods seem somewhat like 'workarounds'. There is no easy, cross-browser way to break out of the browser sandbox and access the system.
For myself, the loss of the Applet has simply meant that automating some of these processes has become too difficult and it is just better to find an alternative way of achieving a similar end result.
A small note: If you are starting a local webserver, be mindful of security. It can be accessed by other processes on the system. Wouldn't it be fun to open word on anyone's system by sending a request to a port!
I want to be able to create an offline program that can use the browser as GUI. I'm not particularly good at GUI programming in general, and overall it seems that using HTML and CSS to structure a GUI would be the easiest.
Cross browser method is preferred, but I will most likely use Google Chrome
I need to be able to open an external program, possibly with command line arguments
Javascript seems like the best language for this, however as far as I know it isn't possible to launch programs with it.
This is on Windows 7.
That's a good idea and is done by a several popular softwares.
The best way is to make your offline program run a web server that the browser will be able to access.
ie: Your program starts a web server on localhost:5555 and then you'll be able to request http://localhost:5555/users in Javascript, from your browser.
Another approach could be using a UI framework like AngularJS + local storage. I'm working on an app right now that will be used online (connected to the web), online locally (connected to a local server that is not connected to the web), and offline.
You could build a single-page web app and let Angular manage all the "urls".
Is there a way from JS , we can detect how many and which browsers are installed on user's machine.Any pointers would be helpful.
Thanks!
No, there is no way to examine what software is installed on a given user's machine via a browser page using standard web-safe techniques.
To do so would require the ability to look outside the browser's sandbox and this opens up all sorts of security vulnerabilities which is why it is not allowed in the browser.
The usual work-around is to request that the user download an executable program that is built for their platform (Mac, Windows, etc...), run it and have it report back to you. But, this is an onerous step that many users will not do or will fail to do and many systems will attempt to warn/block because of the potential security isssues. It cannot be done automatically without significant user intervention.
you can't, unless you inject in a program to run in the user's machine, and do a system search and send back the data, which is the very definition of virus and trojan.
Let's say I've got a website that works better if a client has installed and logged into a desktop application. I'd like to be able to do 2 things:
Alter the website if they haven't installed the app (to make it easy for them to find a link to the installer)
If they've installed the app on a couple of machines, determine which machine they are browsing from
I'd like something that works on Windows and OSX, on any of the major browsers. Linux is a bonus.
A few thoughts:
Websites can detect if you've got Flash installed. How does that work and could it be used for both of my goals?
Could I just let the client serve HTTP on localhost and do some javascript requests to fetch a local ID? I know google desktop search did something like this at one point. Is this a standard practice?
Thanks!
You can register a protocol from your desktop application (see this). This can be used, for example, to open your desktop application with arbitrary data from the website. You could then have your desktop app send a HTTP request to your webserver, telling it what machine you are on.
You can have a browser plugin (activex for IE or Netscape plugin for the rest of the browsers) that can communicate with the application. When the webpage is loaded, it can try to instantiate the plugin and if it succeeded, it can use it as a proxy to the application. If it fails, then either the app is not installed or the plugin was explictly disabled by the user. Either way, your website should degrade its functionality accordingly.
Update: Forgot to answer your questions:
Flash does it exactly this way. Flash is a browser plugin that is created by the web pages.
You can have a machine ID generated at the application/plugin install time and your plugin can pass that machine ID to the webpage when it is created.
On the topic of using local webserver:
I would stay away from having a local webserver, mainly because of security considerations. It takes quite a lot of work to make sure your local webserver is locked down sufficiently and there are no XSS vulnerabilities that other malicious websites can exploit to make it do stuff on their behalf.
Plus, having a webserver means that either it has to run as a system-wide process, or if it runs as the user, you can have the website interact with only one user's instance of the application, even though multiple users can be logged on and running it at the same time.
Google Desktop Search suffered from both the XSS security vulnerability (though they fixed it) and the limitation of only one user being able to use it on a machine (I don't know if they fixed this one yet, though chances are they did).
Websites can detect if you've got Flash installed.
Actually, I believe a browser can detect if you have the Flash plugin for the browser installed, and webpages can offer "installed" and "uninstalled" option that the browser can choose.
Otherwise, you are asking for a means, by putting some code in a webpage, of being able to analyze a user's home computer, and report what it learned to you website.
Can you say Major Security Hole?
If you can pick a development environment for the desktop app, then check out AIR from Adobe. It lets you develop desktop applications using either html/javascript, Flash, or Flex.
It has API calls you can use from a browser based flash app to see if the desktop based AIR app is installed, what version, etc. You can even launch it and pass parameters from the web app to the desktop app.
http://www.rogue-development.com/blog2/2008/03/interacting-with-an-air-app-from-a-browser-based-app/
Websites can detect if you've got Flash installed. How does that work and could it be used for both of my goals?
it's quite a bit simple, your browser tries to render some additional files, with some specific formats such as flash .swf and I the browser doesn't find installation, then will be start downloading, or you will get the option to download that program.
Flash also uses AC_RunActiveContent.js please take a look at this js, people usually put this on their webpages
if (AC_FL_RunContent == 0) {
alert("This page requires AC_RunActiveContent.js.");
} else {
AC_FL_RunContent( 'codebase','http://download.macromedia.com/pub/shockwave cabs/flash swflash.cab#version=8,0,0,0','width','981','height','635','id','build5','align','middle','src','build5','quality','high','bgcolor','#ffffff','name','build5','allowscriptaccess','sameDomain','allowfullscreen','false','pluginspage','http://www.macromedia.com/go/getflashplayer','movie','build5' ); //end AC code
}