Windows Foundation URI security problem

  • Question

  • The Windows.Foundation.URI class documentation gives the following as a sample URI:

    ftp://user:password@ftp.microsoft.com:8080/path/bin/file.asp?q=query#fragment

    However when I try to create a similar URI in my code (see below where user, password, server, and port are replaced with the appropriate actual values)

    var serverLocation = "http://user:password@server:port/sagex/api?c=TVRecSchdUtils:GetLiveTileData";
    var notifications = Windows.UI.Notifications;
    var polledUri = new Windows.Foundation.Uri(serverLocation);
    var recurrence = notifications.PeriodicUpdateRecurrence.halfHour;
    var tileUpdater = notifications.TileUpdateManager.createTileUpdaterForApplication();
    tileUpdater.startPeriodicUpdate(polledUri, recurrence);

    I get a "WinRTError: A security problem occurred.\r\n\n   at Anonymous function (ms-appx://e009ac4f-6617-4981-bf6e-fed6c4ba19c0/js/default.js:31:17)\n   at dispatchOne (ms-appx://microsoft.winjs.1.0/js/base.js:6987:25)\n   at dispatchEvent (ms-appx://microsoft.winjs.1.0/js/base.js:6986:21)\n   at drainQueue (ms-appx://microsoft.winjs.1.0/js/base.js:7038:9)\n   at queueEvent (ms-appx://microsoft.winjs.1.0/js/base.js:7057:13)\n   at Anonymous function (ms-appx://microsoft.winjs.1.0/js/base.js:7110:13)\n   at CompletePromise_then (ms-appx://microsoft.winjs.1.0/js/base.js:1790:21)\n   at activatedHandler (ms-appx://microsoft.winjs.1.0/js/base.js:7109:9)"

    on the var polledUri = new Windows.Foundation.Uri(serverLocation) line.

    If I remove user:password from the URL, then the security problem goes away but my app doesn't retrieve any notifications for Live Tile Updates since the server requires that the user first log in with a valid username and password.

    Does anyone have any ideas as to what is causing this problem or how I can fix it? Thanks.

    Wednesday, September 5, 2012 2:10 PM

All replies

  • That is not valid http:// syntax.

    If you entered that same string in Internet Explorer what happens?

    -Jeff


    Jeff Sanders (MSFT)

    Wednesday, September 5, 2012 3:37 PM
    Moderator
  • It runs fine in Firefox but fails in Internet Explorer with a report that the website can't be found.

    Is there a way that I can make the call to a website in a Win 8 "Modern/Metro" app to initiate periodic live tile updates that allows me to pass the website the required username and password in the call, i.e. something akin to the WinJS.xhr function which allows for providing the username and password in addition to the URL?

    • Edited by Jerry001 Wednesday, September 5, 2012 7:33 PM
    Wednesday, September 5, 2012 7:30 PM
  • Jerry,

    If you can pass the username and password in clear text, there is no point in having a username and password!  Anyone sniffing traffic can detect and use that password.

    The HTTP protocol requires a 401 challenge response format.  You can use basic authentication with that and provide a username and password but the syntax you have specified is only valid for the FTP protocol.

    Who is hosting this website?  Contact them and ask them if they support something more secure than basic or digest authentication and in a valid RFC compliant format.  That server is extremely insecure!

    The normal flow of things when visiting a site in a browser is that you hit the URL, then the server should send a 401 response, for which the browser provides a dialog to enter the username and password.  Until the website behaves like that, there is no hope of getting XHR working in this situation.

    -Jeff


    Jeff Sanders (MSFT)

    Thursday, September 6, 2012 1:28 PM
    Moderator
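    The 401 challenge flow Jeff describes, as an added example that is not part of the thread or of any Microsoft code: a Node.js simulation of both sides (no network) in which the client strips `user:password@` out of the URL and supplies the credentials in an Authorization header only after the server answers with a Basic challenge. The host name, realm and credentials are constructed sample values; the ftp:// URI is the one quoted from the documentation in the question.

```javascript
// Added example: the HTTP 401 challenge / Basic authentication exchange, simulated in-process.
// Host, realm and credentials are constructed sample values (not from the thread).

// Pull "user:password@" out of a URL so the request line never carries credentials.
function splitUserinfo(urlString) {
  const u = new URL(urlString);
  const credentials = u.username
    ? { user: decodeURIComponent(u.username), password: decodeURIComponent(u.password) }
    : null;
  u.username = '';
  u.password = '';
  return { url: u.toString(), credentials };
}

// Server side: Basic auth (RFC 7617). Missing or wrong credentials get a 401 challenge.
// Basic only base64-encodes user:password, so over plain http:// it is still cleartext,
// which is exactly the sniffing concern raised above.
function serverHandle(request, validUser, validPassword) {
  const challenge = { status: 401, headers: { 'www-authenticate': 'Basic realm="sagex"' }, body: '' };
  const header = request.headers.authorization;
  if (!header || !header.startsWith('Basic ')) return challenge;
  const decoded = Buffer.from(header.slice('Basic '.length), 'base64').toString('utf8');
  const sep = decoded.indexOf(':'); // split on the first ':' only; a password may contain ':'
  if (sep < 0) return challenge;
  const user = decoded.slice(0, sep);
  const password = decoded.slice(sep + 1);
  if (user !== validUser || password !== validPassword) return challenge;
  return { status: 200, headers: {}, body: 'tile data' };
}

// Client side: request without credentials first; on a Basic challenge retry once with an
// Authorization header built from the credentials held back from the URL.
function clientFetch(urlString, handler) {
  const { url, credentials } = splitUserinfo(urlString);
  const parsed = new URL(url);
  const path = parsed.pathname + parsed.search;
  let response = handler({ path, headers: {} });
  const challenge = response.headers['www-authenticate'] || '';
  if (response.status === 401 && challenge.startsWith('Basic') && credentials) {
    const token = Buffer.from(`${credentials.user}:${credentials.password}`, 'utf8').toString('base64');
    response = handler({ path, headers: { authorization: `Basic ${token}` } });
  }
  return { url, status: response.status, body: response.body };
}
```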
  • The site is a Jetty web server that runs on the user's machine. When security credentials are not provided with the URL, which is the case when the site is more typically accessed using a browser, it responds with an appropriate dialog box to obtain the username and password, performs authentication, and then allows the user access to the site.

    This works fine when I need to access the site when the app is running using WinJS.xhr since this class allows me to pass the server the appropriate username and password.

    What I'm having a problem with is that the user I'm creating this app for also wants the app to periodically update the app's tile with information from the web server when the app isn't actively running. What I'm trying to find out is how my app can provide the required security credentials to the web server under this circumstance since, unlike the xhr class, the URI class that is used for periodic notifications in all the sample programs I've seen does not appear to provide a way to provide the username and password to the server. When I write the app without the username and password in the URL and then invoke periodic notifications using this URL, the app runs fine but a dialog box asking for the user's security credentials never appears and the periodic update information is never returned to the tile.

    Thursday, September 6, 2012 4:02 PM
  • The WinJS.xhr object definitely supports a username and password.  See the documentation:

    http://msdn.microsoft.com/en-us/library/windows/apps/br229787.aspx

    You could store the username and password in the password vault as well:

    http://msdn.microsoft.com/en-us/library/windows/apps/windows.security.credentials.passwordvault.aspx

    -Jeff


    Jeff Sanders (MSFT)

    Thursday, September 6, 2012 6:35 PM
    Moderator
  • As I've already indicated, I know that WinJS.xhr supports a username and password and am already successfully using that class when my app is running. However, this is not the class that the MSDN documentation uses for periodic updates of a live tile when the application is not running! The MSDN documentation and all the examples I've been able to find on the Internet use Windows.Foundation.Uri when the app is not running. My problem is not with handling the server login when the app is running. The WinJS.xhr class handles that perfectly. My problem is with handling the server login when the app is not running using the Windows.Foundation.Uri class.

    Are you saying that the MSDN documentation is wrong and I should be using WinJS.xhr, and not Windows.Foundation.URI, to set up periodic live tile updates when the app is not running? If not, then how do I handle providing login credentials to the server using Windows.Foundation.URI?
    Thursday, September 6, 2012 7:14 PM
  • Jerry,

    You cannot pass credentials using that class so we can take that off the plate completely.  As I indicated, including the username and password embedded in the URI is not a legal syntax for the HTTP protocol.  If you wish to alter the server to take username and password as query parameters you can certainly do that!

    There are different ways to update live tiles, you can use push notifications for example.  What documentation are you referring to?  How exactly are you using this class today and what other alternatives have you looked at?

    Also, just FYI... did you know that we block all localhost traffic? Hosting a webserver on the same box as the application will fail and will not pass store certification.  Also, you cannot ship an app that has outside dependency requirements that do not ship in the app package, so if you intend to submit this app to the store, ensure it runs fine without any other dependencies (like this web server) or it will not be allowed in the store.

    -Jeff


    Jeff Sanders (MSFT)

    Thursday, September 6, 2012 7:22 PM
    Moderator
  • Thanks for the information. As a result, it appears that my query is no longer relevant.

    I was attempting to convert the information provided in a Windows Vista/7 sidebar gadget to a Windows 8 app. This gadget, and my attempted Windows 8 app, use the documented API for a commercial Windows program to produce plug-ins that extend and enhance the functionality of this program. These plug-ins, at least up until Windows 8, are then offered as downloads to users of the program from a setup page within that program. I understand that things have changed with Windows 8 and that an app would have to be provided through the Microsoft store and not through the commercial program. However, if I understand your response correctly, the sort of app that I'm working on is not possible in Windows 8 since the app, of necessity, only functions in the presence of the commercial program and I cannot distribute the commercial program with my app.

    Thursday, September 6, 2012 8:24 PM
  • That is correct!

    Jeff Sanders (MSFT)

    • Marked as answer by Jerry001 Friday, September 7, 2012 12:51 PM
    Friday, September 7, 2012 12:45 PM
    Moderator