Defense Techniques: Blocking Protocol Handlers

Application Protocols represent a compelling attack vector because they’re the most reliable and cross-browser-compatible way to escape a browser’s sandbox, and they work in many contexts (Office apps, some PDF handlers, some chat/messaging clients, etc.). Some protocol handlers are broadly used, while others are only used for particular workflows which may not be relevant…

Adding Protocol Schemes to Chromium

Previously, I’ve written a lot about Application Protocols, which are a simple and popular mechanism for browsers to send a short string of data out to an external application for handling. For instance, mailto is a common example of a scheme treated as an Application Protocol; if you invoke mailto:someone@somewhere.com, the browser will convert…

Debug Native Messaging

Prelude: Last month, an Enterprise customer reached out to report that a 3rd-party browser extension they use wasn’t working properly. Investigation of the extension revealed that the browser extension relied upon a NativeMessaging Host (NMH) companion that runs outside of the browser’s sandbox. In reviewing a Process Monitor log provided by the customer, the Support…

Web-to-App Communication: The Native Messaging API

Note: This post is part of a series about Web-to-App Communication techniques. One of the most powerful mechanisms for Web-to-App and App-To-Web communication is to use an extension that utilizes the NativeMessaging API. The NativeMessaging API allows an extension running inside the browser to exchange messages with a native-code “Host” executable running outside of the browser…

Bypassing AppProtocol Prompts

Starting in Microsoft Edge 77 (and Chrome 77), the prompt shown when launching an AppProtocol from the browser was changed to remove the “Always allow” checkbox. That change was made, in large part, because this prompt is the only thing standing between every arbitrary site on the Internet (loaded inside your browser’s sandbox) and a…

App-to-Web Communication: Launching Web Apps

In recent posts, I’ve explored mechanisms to communicate from web content to local (native) apps, and I explained how web apps can use the HTML5 registerProtocolHandler API to allow launching them from either local apps or other websites. In today’s post, we’ll explore how local apps can launch web apps in the browser. It’s Simple…

AppOrWeb-to-WebApp Communication: Custom Scheme Handlers

I’ve previously written about Web-to-App communication via Application Protocols. App Protocols allow web content to invoke a native application outside of the browser. WebApp advocates (like me!) want to continue to close the native/browser gaps that prevent web applications from becoming full-fledged replacements for native apps. To that end, I’ve recently spent some time looking…

Web-to-App Communication: DirectInvoke

Note: This post is part of a series about Web-to-App Communication techniques. Background: Typically, if you want your website to send a document to a client application, you simply send the file as a download. Your server indicates that a file should be treated as a download in one of a few simple ways: specifying a…

Web-to-App Communication: App Protocols

Note: This post is part of a series about Web-to-App Communication techniques. Last updated: March 26, 2024. Just over eight years ago, I wrote my last blog post about App Protocols, a class of URL schemes that typically open another program on your computer instead of returning data to the web browser. A valid scheme name is…

Browser Architecture: Web-to-App Communication Overview

This is an introduction/summary post which will link to individual articles about browser mechanisms for communicating directly between web content and native apps on the local computer (and vice versa). This series aims to provide, for each mechanism, information about: Application Protocols: read my blog post. tl;dr: Apps can register URL protocol schemes (e.g. myapp://mydata). Browsers will…