I'm not talking about browser exploits. I'm talking about real applications used in real companies, like Ijji and Nexon.
Basically, from their websites you can click a "Start Game" button, which will launch an executable located at c:\ijji\english or c\nexon[gamename] respectively. These applications are real desktop applications, meaning that they can take advantage of the filesystem, Direct3D, and OS [in the form of executing other applications]. The applications can also be launched through the command line [as opposed to going to the game host's website].
I figured this would be possible if the application created an ActiveX object to call for the creation of a new process. However, the websites are able to launch applications from multiple browsers other than Internet Explorer, including Chrome, which, to my knowledge, does not implement ActiveX.
Obviously the people developing these applications use their own means to do this.
From looking at the services list as well as currently running applications list, I have no indication that they're running something like "gameLaunchingServer.exe" which listens to some obscure port for an incoming connection [to be accessed using iframe - HTTP Protocol] and responds by launching an application...
I'm stumped, and this is sort of stuck in my mind. Obviously, they're not using some random browser exploit, otherwise people at http://www.[insertMaliciousWebsiteHere].com would have jumped on the opportunity already to install random crap. Regardless, it seems pretty cool, and I wanted to know how it worked.
Just curious, hehe.
I believe what they're doing is setting up their own protocol handler on install - when a browser is asked to access an address with a protocol that it doesn't know how to handle (for instance, a steam:// address), it looks at all the installed protocol handlers to find a match.
So you can register your application as a myApplication:// protocol handler, and then your web page can link to a myApplication:// address and launch your application.
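The handler side of the `myApplication://` scheme described in the answers above, as an added example that is not code from any of the posts. The `launch` action, the `game` and `server` parameters, the game table and all paths are assumptions made for illustration.

```javascript
// Added example. Registry layout created by the installer (names are placeholders):
//   HKEY_CLASSES_ROOT\myapplication            "URL Protocol" = ""
//   HKEY_CLASSES_ROOT\myapplication\shell\open\command
//       (Default) = "C:\path\to\launcher.exe" "%1"
// The OS replaces %1 with the full URL the web page linked to, so the launcher
// receives text chosen by any web page and must validate it before starting anything.

// Hypothetical allowlist: game id -> fixed executable chosen by the installer.
const GAMES = new Map([
  ["alpha", "C:\\Games\\alpha\\alpha.exe"],
  ["beta", "C:\\Games\\beta\\beta.exe"],
]);
const ALLOWED_KEYS = new Set(["game", "server"]);
const SERVER_RE = /^[a-z0-9-]{1,32}$/;

function parseLaunchUrl(rawUrl) {
  const url = new URL(rawUrl); // throws on malformed input
  if (url.protocol !== "myapplication:") throw new Error("wrong scheme");
  if (url.hostname !== "launch") throw new Error("unknown action");
  if (url.username || url.password || url.port || url.hash) {
    throw new Error("unexpected URL component");
  }
  if (url.pathname !== "" && url.pathname !== "/") throw new Error("unexpected path");

  const seen = new Map();
  for (const [key, value] of url.searchParams) {
    if (!ALLOWED_KEYS.has(key)) throw new Error("unknown parameter: " + key);
    if (seen.has(key)) throw new Error("duplicate parameter: " + key);
    seen.set(key, value); // value is already percent-decoded
  }

  const exe = GAMES.get(seen.get("game"));
  if (!exe) throw new Error("unknown game");

  const argv = [];
  if (seen.has("server")) {
    const server = seen.get("server");
    if (!SERVER_RE.test(server)) throw new Error("bad server name");
    argv.push("--server", server);
  }
  // Return a program path plus an argument array for a no-shell spawn
  // (e.g. child_process.execFile); never build a command-line string.
  return { exe, argv };
}
```

The URL never names the executable: it only selects an entry from a table the installer controls, and every parameter is checked against a strict pattern before it reaches the process arguments.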
I didn't quite find the button you are talking about, but I'm thinking it works only after you have installed the application once, doesn't it?
In that case, the application probably created its own protocol, just like Skype, MSN and a bunch of other clients.
Having a protocol is the easiest way (and very easy indeed to implement - a simple registry key).
Another way which is used is an extension or plugin.
I thought they were run through plug-ins or like applets.
For example, MS SilverLight
Related
I want to launch a new instance of MS Word from my client web browser, the way SharePoint does. How can I do that? I don't want to host the Office file in my browser. I want to edit it in the application itself. People keep saying it is not possible. So how does SharePoint do that?
I'm looking for a cross-platform manner.
If a website would be able to launch a process of choice with parameters of choice on the client machine, this would be a massive security breach - basically "game over". If you do not believe this, think e.g. of the process cmd.exe and the parameters /c del /s /y C:\*.*
SharePoint uses the fact that it is not "just another website", but part of the trusted network infrastructure, integrated with the Windows client and Internet Explorer. Reproducing this in a cross-platform manner is not only extremely technically difficult, but also simply prohibited wherever US patent law is of any importance.
I think I found an answer to this question. By implementing external protocol handler in modern browsers, you can achieve the task of the question. Read more:
External Protocol Handlers and Modern Browsers
https://weblogs.asp.net/morteza/How-to-run-a-desktop-application-from-a-web-page
https://www.codeproject.com/Articles/332206/Custom-URL-Protocol-for-Invoking-Application
I need to do server-side web scraping/navigation, including sites with JavaScript, and I need a solution that would work on a hosting plan - I don't have my own server.
I came across python/pyside/pyqt4 - this would work perfectly/allow me to navigate sites like a headless browser. However I don't know if this would be possible to install on a remote server/host...
If you need a headless browser, you should check out PhantomJS, and in particular PyPhantomJS, the Python implementation. These might work in a shared hosting context - it really depends on the host. See the build instructions for different platforms - you'd likely need to ask your hosting provider to install.
If you can get this running, you might be interested in checking out pjscrape (disclaimer: this is my project). It's a command-line tool using PhantomJS to allow scraping using JavaScript and jQuery in a full browser context.
In my web page, I have to start a desktop application on the client's computer if it's installed. Any idea how I can do this?
If the application is MS Office or Adobe Reader, I know how to start them, but the application I want to start is a custom application. You can not find it on the internet.
How can I open the application?
Basically it's not possible to achieve unless an application registers a protocol that will trigger it. If it does that, all you need to do is provide a link using this protocol:
yourcustomapp://some.parameters
Another way the 3rd party app can integrate with the browser is if it hooks to it as a plugin. This is how flash apps work etc.
If the app you are trying to launch does not support something like that it's going to be close to impossible to achieve what you want.
The browser sandbox prohibits you from executing local resources, for good reason - to thwart a website destroying your box with malicious code. I've been researching the same functionality.
The only solution I've found is to build an extension in Mozilla Firefox which can launch your app. Extensions live outside the sandbox so they can execute local resources. See this page for how to do that. You may be able to do it cross-browser using crossrider, though I haven't had success with that yet.
You could alternatively build a thick client populated from a web service, and launched from the browser through an extension as mentioned above. This is what I'm doing to get around the sandbox. I'm using local XUL for this.
See my question for additional discussion.
First off - you can't do it using javascript in any sort of a portable mechanism.
If the application is MS Office or Adobe Reader, I know how to start them up
No you don't - you know how to send a document, which the browser associates with these applications and invokes them supplying the name of the local copy of the response. You can't just start the programs.
You just need to do the same for your app - invent a new mime type (the major type would be 'application' and by convention, non-standard minor types are prefixed with 'x-', so you might use application/x-hguser) then associate that mimetype with the relevant program browser side.
i.e: You need to explicitly configure each browser
I have already encountered that problem in some complex production environments.
I do the trick using the following code:
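// Internet Explorer only: relies on the WScript.Shell ActiveX object.
function launch(p_app_path)
{
    var oShell = new ActiveXObject("WScript.Shell");
    // Quote the path so spaces are handled; 1 = show the window normally.
    oShell.Run('"' + p_app_path + '"', 1);
}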
In IE options > Security > Customize the level > ActiveX controls and plugins > Initialization and script ActiveX controls not marked as safe for scripting, set the value to Ask or Active.
It isn't a security problem when your website is enclosed into a specific security context.
And as they say, it's not worth it to build a gas plant.
JavaScript alone can't do this. (No, not even with MS Office or Adobe Reader.) Thankfully.
There are a number of old ways, including using ActiveX, which may work for your needs. As others have pointed out while typing this, you can customize responses based on the mime type or the protocol, etc.
Any way you look at it, you're going to need control over the end users' browser. If you're in a closed environment where you can dictate policy (users must use a specific browser, with a specific configuration), then you're going to need to do that. For an open environment with no control over the end users, you're out of luck.
I'm actually having a lot of success right now with SiteFusion. It's a PHP client/server application framework that serves out XUL/JavaScript applications from a server daemon running in Apache. You access applications from a very thin client in XULRunner, or potentially off a web page using extensions. Clients can execute on any platform, and they're outside of the browser sandbox so you can access local resources such as executables. It's a fairly elegant solution, their website provides great examples and documentation, and their forum is very responsive. I actually found a minor bug in passing arguments to local executables, posted a question about the forum, and it was fixed by the chief developer in under 15 minutes. Very impressive, overall!
Barring a custom browser-plugin, is there a way to read the Windows registry from a web-page? It sounds like a big security issue but the situation is we have very non-savvy users and we want to have them get some info about their machines for us. Even downloading and running a little app might confuse them, but a web-page that magically gets the info would be fine as they just click a link we send.
Any thoughts on how to do this, or if it's simply impossible, are welcome. Note it is corporate therefore Windows-only and can even be IE-only if needed.
No; you need ActiveX or a plugin.
You can't do it from an ordinary web page.
If it's acceptable to have the user download a file, you can write an HTA -- a standalone web page with access to certain Windows features, including the file system and registry.
One of my clients has Norton 360 installed on his computer, and it's interfering with the javascript in my web pages. Not all JS, just some.
Simple things like
<a href="page.html" onclick="somefunc(); return false;">
don't work. Also, using jQuery to attach an onclick event to an a tag doesn't work either:
// doesn't work
$(document).ready(function() {
    $("#old_trans_link").click(viewOldTrans);
});
What should I tell my client? What should I tell our users? Is there any way around this madness?
Everyone doing JS heavy pages must run into this. How do they deal with it?
Edit: He also has McAfee installed at the same time.
I've never heard of anti-virus interfering with in-browser JavaScript in that way. My best guess would be that they have their virus scanner running at a very aggressive security level.
The easiest options, in terms of amount of work required to address this issue would be:
Recommend your users lower their security settings
See if they can whitelist your site so the application will work correctly
Recommend a browser other than Internet Explorer, or suggest they install Chrome Frame
Of course, if these are not feasible options, you may have to go with a more simplistic approach to using JavaScript on your page. Instead of requiring JavaScript on the site, use it to enhance the site and make features easier to use.
To do this, you would have to make everything on your site work with JavaScript disabled. Have everything perform POSTs to the server for processing. JavaScript would sit on top of all of this to enhance the experience for users who have JavaScript working. In this scenario, things like anti-virus blocking click events on anchor links would end up with a submission to the server.
Of course, this is a lot more work on your part because it almost requires writing 2 versions of the site. This is an argument that is brought up all the time online, even when developing StackOverflow, as was discussed on their blog.
You're better off telling them to add an exception for your site.
They are probably using some sort of web shield, I assume. Try asking them to add an exception for your site.
Edit: Adding link
http://www.symantec.com/norton/360
Under "Advanced Protection"
"Blocks browser, OS, and application threats; protects against infected Web sites"
So I assume there should be a way to add an exception