Good reasons for not letting the browser launch local applications - security
I know this might be a no-brainer, but please read on.
I also know it's generally not considered a good idea, maybe the worst, to let a browser run and interact with local apps, even in an intranet context.
We use Citrix for home-office, and people really like it. Now, they would like the same kind of environment at work, a nice page where every important application/document/folder is nicely arranged and classified in an orderly fashion. These folks are not particularly tech savvy; I don't even consider thinking that they could understand the difference between remote delivered applications and local ones.
So, I've been asked if it's possible. Of course, it is, with IE's good ol' ActiveX controls. And I even made a working prototype (that's where it hurts).
But now, I doubt. Isn't it madness to allow such 'dangerous' ActiveX controls, even in the 'local intranet' zone? People will use the same browser to surf the web, can I fully trust IE? Isn't there a risk that Microsoft would just disable those controls in future updates/versions? What if a website, or any kind of malware, just put another site on the trust list? With that extent of control, you could as well uninstall every protection and just run amok 'till you got hanged by the IT dept.
I'm about to confront my superiors with the fact that, even if they saw it is doable, it would be a very bad thing. So I'm desperately in need of good and strong arguments, because "let's don't" won't do it.
Of course, if there is nothing to be scared of, that'll be nice too. But I strongly doubt that.
We use Citrix for home-office, and people really like it. Now, they would like the same kind of environment at work, a nice page where every important application/document/folder is nicely arranged and classified in an orderly fashion
I haven't used Citrix very many times, but what's it got to do with executing local applications? I don't see how "People like Citrix" and "browser executing local applications" relate at all?
If the people are accessing your Citrix server from home, and want the same experience in the office, then buy a cheap PC, and run the exact same Citrix software they run on their home computers. Put this computer in the corner and tell them to go use it. They'll be overjoyed.
Isn't it madness to allow such 'dangerous' ActiveX controls, even in the 'local intranet' zone ? People will use the same browser to surf the web, can I fully trust IE ?
Put it this way. IE has built-in support for AX controls. It uses it's security mechanisms to prevent them from running unless in a trusted site. By default, no sites are trusted at all.
If you use IE at all then you're putting yourself at the mercy of these security mechanisms. Whether or not you tell it to trust the local intranet is beside the point, and isn't going to affect the operation of any other zones.
The good old security holes that require you to reboot your computer every few weeks when MS issues a patch will continue to exist and cause problems, regardless of whether you allow ActiveX in your local intranet.
Isn't there a risk that Microsoft would just disable those controls in future updates / versions ?
Since XP-SP2, Microsoft has been making it increasingly difficult to use ActiveX controls. I don't know how many scary looking warning messages and "This might destroy your computer" dialogs you have to click through these days to get them to run, but it's quite a few. This will only get worse over time.
Microsoft is walking a fine line. On one hand, they regularly send ActiveX killbits with Windows Update to remove/disable applications that have been misbehaving. On the other hand, the latest version of Sharepoint 2007 (can't speak for earlier versions) allows for Office documents to be opened by clicking a link in the browser, and edited in the local application. When the edit is finished, the changes are transmitted back to the server and the webpage (generally) is refreshed. This is only an IE thing, as Firefox will throw up an error message.
I can see the logic behind it, though. Until Microsoft gets all of their apps 'in the cloud', there are cases that need to bridge the gap between the old client-side apps and a more web-centric business environment. While there is likely a non-web workaround, more and more information workers have come to expect that a large portion of their work will be done in a browser. Anything that makes the integration with the desktop easier is not going to be opposed by anyone except the sysadmins.
The standard citrix homepage (or how we use it) is a simple web page with program icons. Click on it, and the application get's delivered to you. People want the same thing, at work, with their applications/folders/documents. And because I'm a web developer, and they asked me, I do it with a web page... Perhaps I should pass the whole thing over to the VB guy..
Ahh... I know of 2 ways to accomplish this:
You can embed internet explorer into an application, and hook into it and intercept certain kinds of URL's and so on
I saw this done a few years ago - a telephony application embedded internet explorer in itself, and loaded some specially formatted webpages.
In the webpage there was this:
Call John Smith
Normally this would be a broken URL, but when the user clicked on this link, the application containing the embedded IE got notified, and proceeded to execute it's own custom code to dial the number from the URL.
You could get your VB guy to write an application which basically just wraps IE, and has handlers for executing applications. You could then code normal webpages with links to just open applications, and the VB app would launch them. This allows you to write your own security stuff (like, only launch applications in a preset list, or so on) into the VB app, and because VB is launching them, not IE, none of the IE security issues will be involved.
The second way is with browser plug-ins.
For example, skype comes with a Firefox plug-in, which looks for phone-numbers in web-pages, and attaches special links to them. When you click on these links it invokes skype - you could conceivably do something similar for launching your citrix apps.
You'd then be tied to firefox though. Writing plugins for IE is much harder than for FF, I wouldn't go down that path unless forced to.
Related
Capture my screen via a website
I was wondering if it's possible to capture a screenshot and/or record my computer screen(s) via a website? If it is possible, what languages would I need to learn/code? I already have intermediate knowledge of HTML, CSS, JavaScript, jQuery, and PHP. In other words: I want to have the ability to capture/record my screen (not the website) via using a website (not an application). Thanks!
This is not possible. Web sites are very deliberately given only restricted access to your computer for security reasons. Imagine the havoc that could result if a malicious web site were able to see and capture what was on your screen--banking information, your confidential e-mails, etc. Even if the user had to give permission for this level of access, it would still be way too easy to trick a user into giving that permission.
The closest I could find/think of was http://www.screencast-o-matic.com/screen_recorder, but even then you have to download a launch plugin. I agree with #DLH. This is for your protection. My favorite screen recorder is ScreenPresso - it is always running in background, and repurposed the PrtScn button as its launch key.
Data not showing up in sharepoint list as well as in drop downs
hi i have a problem at my production site, client reported that he is not seeing data in lists of sharepoint, as well drop downs which have years in pages of site appear empty with one user A on machin X having with windows 7. but data and comes up and drop downs are now populated when accessed from machine Y with same user A. i dont knw wht really the problem is. As to development site this issue is not produced, plz help, thnks in advance
From your question, I gather the data does exist and the same user can see the information from one computer but not another. A couple things spring to mind. (I am presuming usage of Internet Explorer since SharePoint 2007 has some rather weird rendering issues with other browsers. Correct me if this is an incorrect assumption.) First, Windows 7 has later versions of IE which can refuse to send network credentials to a server it doesn't think is part of the intranet (corporate network). What makes this especially frustrating is that IE will prompt for network credentials (a result of the challenge from the website) but will not transmit those credentials. Examine the IIS logs to see if this is the case. The requests will be void of credentials using IE but will be present using Firefox (and presumably any other web browser). The fix for this is usually as simple as adding the domain into the Local Intranet zone in Internet Options. If this is not the case, can you confirm the user is using the same credentials? Is this integrated authentication using Active Directory or forms authentication? Are there any differences between the two computers with regards to how they reach the SharePoint site? (Such as one is VPN, the other is directly connected)? Or are they essentially equal but with different browser/OS configurations? Are the lists standard out-of-the-box lists or have they been customized with SharePoint Designer or any other means? Are you injecting JavaScript via a Content Editor Web Part which might not be executing correctly? It would be very helpful to know browser versions used, OS versions used, differences in connectivity to the resource from each machine, type of authentication used, and any other thing you can think to list. I wish you luck in tracking this down!
Windows 7 or xp has nothing to do over here probably it has to do with the browser which he is using to browse the site ask him to chk the internet explorer settings and verify that he has enabled execution of javascript and other related things
Pinned Sites in browsers other than IE 9/Win 7
Is there an equivalent to IE 9's pinned sites feature for other browsers/operating systems? EDIT: Pinned sites are basically mini-applications that live on the Windows Task bar. (They remind me of web-based apps in iPhone.) Once "installed" you get jump lists with different activities you can do in the site. It also supports icon overlays so you can post notifications right on the task bar. I find it to be a really interesting idea, but I wonder if it will catch on if none of the other browsers are willing to support it. http://windows.microsoft.com/en-US/internet-explorer/products/ie-9/features/pinned-sites http://www.beautyoftheweb.com/#/highlights/seamless-with-windows-7
From what I can see, only IE9 can do that deep kind of site pinning for Windows. For Mac, there are a few things I've heard of to put a website/webapp in the doc and receive notifications I think. One tool is called Fluid: http://fluidapp.com/ But I don't know if that has anything like the Dynamic Jump Lists in Pinned Site buttons.
Overriding the right-click context menu in web browsers - pros and cons
We are programming a web application (not 'just' a web site, but functionality-wise a real application), and have the following discussion for the next release: our UI designer wants to replace the browser's right-click context menu (showing our own menu where appropriate, or no menu at all) because he wants the web app to be more like our (existing) Windows app our developers (and I) strongly object because this is bad practice, and simply something you do not do in a web application Thus, I'm looking for "more solid" arguments - like best practice guidelines, any statements from reputable sources, coding arguments etc. - for the pros and cons of this issue, which I can hopefully use to resolve it once and for all...
You can't do that reliably anyway. In Firefox, go to Settings, Contents, JavaScript/Advanced (I'm guessing the captions, no English Firefox (; ) to override context menu behaviour and bang, your app doesn't work anymore. My online-banking application did this in their old version, so I couldn't do copy & paste with the mouse. I hated it, so I enabled the protection in Firefox and it worked. Kind of. Their new version doesn't do such bad things anymore. Instead, use a little drop-down arrow where a context menu is needed, that can either be clicked or just hovered over to show the menu. JetBrains' TeamCity web app does that very well.
If your application is to run in an intranet, maybe the UI designer arguments are valid: as long as all of the users of the application are well known and you want to emulate some Windows application, I think it's ok to restrict the right-click or any other input, because it's just the requirements of this application, as it would be to any other app. But if your application is to run in the internet, disabling or replacing right-click is a very bad idea, and these are only some of the arguments I reminded of: First of all, changing the behavior of the user interface is aggressive and annoying -- no one wants to get used to "new controls" just to access your site, and generally people hate to leave their comfort area. I mean, I know what my right click does and I want it to do always the same thing. People can understand the difference between Windows apps and web apps, so there's no need to "emulate Windows app behavior". Not everyone uses Windows :-) Also, this is innefective, sice there are several ways to overwrite this behavior, such as settings in Firefox or even plugins that disable specific javascript instructions, such as this one.
depending on your audience you stand a very good chance your users do not even KNOW there's a right click menu. So please don't make this the only alternative
I personally believe you should leave browser's default behaviors alone... users are used to them, so no need to get them used to your way of doing things. However, if you're building an intranet (instead of a public site), then I'm for tweaking as much as possible to improve usability.
An argument I would use (in quotes for dramatic effect): Lack of consistency & reduced functionality compared to other unhindered web interfaces will lead to a loss of user confidence - which is undesirable to say the least. Of course, if many or most of the web application users are already familiar with or regular users of the Windows app, the UI designer could be on the right track and the consistency with the Windows app could be a winner. That said, in my opinion it's hard to make a custom context-menu within a web page intuitive, and while some users might warm to it, I'm guessing most will probably never use it.
because he wants the web app to be more like our (existing) Windows app I think right-click in a Windows app is a bad idea. In a web browser it's a UI disaster because nobody will be expecting it.
I think it depends on whether you perceive the context-menu as part of the browsers chrome or not. If you do (and I ascribe to this view), then it should be off target, but otherwise it is a good place for adding some usability to your application.
Replacing the browser right-click context menu for specific areas of your GUI from your web application can be quite useful. Doing this just to disable the context menu will annoy your users, who may try to find a way around it. Also, removing or replacing the browser right-click context menu from the entire area of your application will usually be annoying and can make it more difficult to debug. Unfortunately, I cannot offer any more solid arguments, and I'm not exactly taking either side of the argument, but I thought I would share my experience both as a developer of a web application and as a web user.
Is there a way to disable the MSFT IE XML Databinding feature via script?
Question: Is it possible to construct a web page that has a script to turn off XML data-binding in MSIE? The ideal approach would be to code an HTML page and instruct all people in the office to visit the page with a button that says "turn off data-binding". Rationale: The desktop sysadmin is not available at this time and the goal is to create a brain-dead simple way to let people turn this feature off without having to walk them through a bunch of MSIE configuration menus.
I'm assuming you're talking about Microsoft Security Advisory (961051). If you could disable XML data-binding using client-side script, then someone could enable it with client-side script and expose the vulnerability again. So that isn't possible. However, if everyone is running the same version of Windows and the same bitness flavor, then just send them to a page where they can copy and paste this into Start > Run: Regsvr32.exe /u "Program Files\Common Files\System\Ole DB\oledb32.dll" Note that this will protect against current attacks but to comprehensively protect against the vulnerability they recommend applying another workaround. More on that here. And encouraging your employees to go to a website in an E-mail and run something they've been told to run is probably a bad idea as it opens them up to various phishing attacks since most people won't be able to distinguish between an E-mail from their own company IT department and an E-mail sent by a malicious person. More about the available workarounds here. In the end, the best practice would be to push out one of the workarounds as described in the above KB article.