The following forum(s) are migrating to a new home on Microsoft Q&A (Preview): Developing Universal Windows apps!

Ask new questions on Microsoft Q&A (Preview).
Interact with existing posts until December 13, 2019, after which content will be closed to all new and existing posts.

Learn More

 none
[UWP] ScriptNotify security settings RRS feed

  • Question

  •    Again running into problems porting an application from WPS to UWP. In WPS there was no security restrictions and external.notify could be called from any web page despite of its location (URL). Now it is required to add a list of trusted URLs into the manifest as described on this page https://msdn.microsoft.com/en-us/library/windows/apps/windows.ui.xaml.controls.webview.scriptnotify.aspx. I understand the big idea behind this but it looks like there is a serious miscalculation in the chosen approach.

       I need to be able to inject a javascript code into any web page which in it's turn collects some data and calls external.notify to get the data back to the C# code. Like I said it worked fine in WPS. I cannot add a list of trusted URLs in this case because the script is injected into EVERY web page, I cannot list ALL web pages. I have a way to identify that this was MY injected code which called external.notify, so from security standpoint everything is fine but how can I explain to WebView control that I expect external.notify calles from ANY page because it is originated from my injected javascript code? Is it possible? I see an inefficient workaround to ping my injected code periodically to find out if the task of data collection is done but it is an obvious waste of CPU and extra complication of the code. I hope there is better way to do it.


    Alex

    Sunday, August 14, 2016 9:33 PM

Answers

  • Hi Alex,

    I have found kind a hacking solution for my login scenario - may be this could help you:
    https://www.suchan.cz/2016/01/hacking-uwp-webview-part-2-bypassing-window-external-notify-whitelist/

    Here u can use AddAllowedObject to add a WinRT object globally to the web page and therefore be called by javascript or attached to an event.

    In my solution this is my "back channel" to my app.

    cu, Andi

    • Proposed as answer by duck42 Monday, November 21, 2016 4:26 PM
    • Marked as answer by Alex K M Monday, November 21, 2016 7:01 PM
    Monday, November 21, 2016 8:06 AM

All replies

  • Hi Alex K M,

    In my experience, if you have more than one subdomain, you must use one wildcard for each subdomain. For example, "https://*.microsoft.com" matches with “https://any.microsoft.com”.

    Here, I’m not sure what you want to do by injecting JS code into every page. Maybe, there’s another better way to get it.

    Best Regards,

    Xavier Eoro


    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
    Click HERE to participate the survey.

    Monday, August 15, 2016 9:14 AM
  •    Wildcard at it is, of course, does not work in my case. It does not allow http://* and this is what I need. I need ALL domains.

    Alex

    Monday, August 15, 2016 7:21 PM
  •    Wildcard at it is, of course, does not work in my case. It does not allow http://* and this is what I need. I need ALL domains.

    Alex


    Hi Alex K M,

    I know that you need all domains. But I think it’s not possible.

    Could you please tell me what did you want to do by injecting JS code into every page?

    What did you want to get from these web pages?

    Best Regards,

    Xavier Eoro


    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
    Click HERE to participate the survey.

    Tuesday, August 16, 2016 2:18 AM
  •    Eventually it is going to be a monitor for certain parts of the web pages. A user will select what to monitor and how. To do that we want to inject a javascript, handle a bunch of events like mouseover, mousemove, etc and notify C# code when certain selections are completed. You can think of it as a light weight functionality similar to a browser developer tool when you can interact with the HTML DOM and get back certain information about it when that information is selected or found. Thus, I need notification events to reach C# code from injected script to any page I want to analyze. It is not just a concept. It was already implemented in our WPS application and now we wanted to port it and extend the functionality but it seems impossible.

    Alex

    Tuesday, August 16, 2016 2:30 PM
  •    Eventually it is going to be a monitor for certain parts of the web pages. A user will select what to monitor and how. To do that we want to inject a javascript, handle a bunch of events like mouseover, mousemove, etc and notify C# code when certain selections are completed. You can think of it as a light weight functionality similar to a browser developer tool when you can interact with the HTML DOM and get back certain information about it when that information is selected or found. Thus, I need notification events to reach C# code from injected script to any page I want to analyze. It is not just a concept. It was already implemented in our WPS application and now we wanted to port it and extend the functionality but it seems impossible.

    Alex

    Hi Alex K M,

    >>” Thus, I need notification events to reach C# code from injected script to any page I want to analyze.”

    You could save web page in local folder, then using the WebView.NavigateToLocalStreamUri method to view this local page which has added js code.

    Please read this blog about A Primer on WebView.NavigateToLocalStreamUri for details.

    Best Regards,

    Xavier Eoro



    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
    Click HERE to participate the survey.

    Wednesday, August 17, 2016 10:00 AM
  •    I can give it a try but I really doubt it will work. Just imagine YouTube page, for example, with tons of javascript and hundreds of references. I'm almost sure that after saving the page locally and then navigating to it via NavigateToLocalStreamUri the browser control (WebView) won't be able to correctly request all necessary resources especially if they are referred relatively.

    Alex

    Wednesday, August 17, 2016 6:30 PM
  • @Alex K M,

    It's just my suggestion. This was only possible way I can think of.


    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
    Click HERE to participate the survey.

    Saturday, August 20, 2016 10:00 AM
  • Hi Alex,
    I want to do almost the same.

    We have a client / server application and the UWP app will be a client.
    Our login will be done through a ASP .Net Page on the server location
    and the access token will send back to the app via ScriptNotify.
    The server address could be any address and depends on the customer installation.

    Have you found a solution for this?
    Without this we are not able to build a UWP client app for our server.

    Thank you,
    Andi

     

    Saturday, November 19, 2016 2:41 PM
  •    I've got a couple of firm confirmations that this is not possible. I'm just so frustrated with such limitations. It does not really help anybody it does not protect users or developers it just limits the ability of the platform and as a result the ability to port applications from older platforms or build new ones.

    Alex

    Saturday, November 19, 2016 4:27 PM
  • Hi Alex,

    I have found kind a hacking solution for my login scenario - may be this could help you:
    https://www.suchan.cz/2016/01/hacking-uwp-webview-part-2-bypassing-window-external-notify-whitelist/

    Here u can use AddAllowedObject to add a WinRT object globally to the web page and therefore be called by javascript or attached to an event.

    In my solution this is my "back channel" to my app.

    cu, Andi

    • Proposed as answer by duck42 Monday, November 21, 2016 4:26 PM
    • Marked as answer by Alex K M Monday, November 21, 2016 7:01 PM
    Monday, November 21, 2016 8:06 AM
  •    Absolutely great. Thanks for sharing. That was exactly my point. Why add restrictions to have a list of URLs if those restrictions can be overpassed but with higher effort which is basically a waste of time.

    Alex

    Monday, November 21, 2016 3:52 PM