I looked around, and the latest reference I saw was from 2008 stating that the standard FileReference browser does not support retrieving the user's file's absolute local path unless it's an AIR app, and indeed there's nothing in the docs suggesting otherwise. The reasoning behind this is apparently some misguided security concern... I get it's not a great idea to let any Flash app know your directory structure, but if the user actually grants your app a file, I think it doesn't invalidate the security model to know just that file's absolute path.
I'm wondering if the state of things has changed at all with Flex 4 and there's a method of getting the local filename of anything. I need it because I'm making an application that when distributed runs locally in 99% of cases, so doing a full file upload just to save it somewhere else on the local machine seems silly. (Plus the standard file uploading method doesn't support SOAP, which is what I'm using for all my other services...) I can always just have the user type in their local path name, but that seems really stupid.
Due to security reasons, in Flash (not AIR) you are not allowed to see the full path of a fileReference File.
It depends on what you are trying to achieve - it's not exactly clear what you're trying to do.
"doing a full file upload just to save it somewhere else on the local machine seems silly"
Since flash player 10 you can save directly to the local filesystem without going through a remote server. You just have to invoke the FileReference.download() function in response to a user guesture like a mouse click or key press (e.g. pressing a save button).
FileReference documentation:
http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/net/FileReference.html#download%28%29
Otherwise, no, you are not able to get the full path to a file as it can be a security risk - even if they do select the file themselves.
For example if I select a file on the desktop of a Windows machine I don't really want some random web application knowing my username:
"C:\Documents and Settings\ [user name] \Desktop\myAwesomeFile.txt"
and from that you can take a guess at the version of windows I'm running.
If you need greater interaction with a user's desktop then you should use AIR - that is it's reason for existing.
Related
My Xamarin forms app required the user to perform a certain amount of configuration before it can be used. Additionally, the app can be run on multiple computers by the same user (There are valid business reasons for doing this.) What I would like to be able to do is backup the configuration of the app to a file that can then be used on another device to automatically configure the app on the new device in exactly the same way. This will prevent the users from re-entering all the configuration information on each device where they wish to run the app.
Something to keep in mind:
It needs to work on all supported Xamarin Forms platforms - UWP, Android, iOS and Mac.
The app itself does not required the device to have a network connection.
The file needs to be savable in a place where the user can access / copy it to another device (i.e. a USB drive, a network share etc.)
What I have tried:
I have tried using the FilePicker plug in but could not get it to save to anywhere outside the application. (A user trying to find the folder here would not be easy.) Saving anyplace else I received an Access Denied error.
I have tried using the System.IO namespace but encountered the same Access Denied error when saving the file to a someplace outside the application.
I guess my last resort would be to display the configuration information in a XF editor control or such or just copy it to the clipboard (if possible) and have the user manually save the data to a file outside of the application. Does anyone have any other suggestions on how this can be handled?
So after trying multiple things and looking at possible solutions, I could not find a way to easily do this. Instead I used the Xamarin Essentials clipboard function and copied the contents of the file into the clipboard. I then display a message to the user telling them to past the clipboard contents into a file. This seemed to be the best I could do for now.
I have a web site (intranet) that allows you to download an executable (currently a .Net Console Application) written in ASP.NET and is using https.
However on many machines I can't run it right away after download - I need to right click on it, go to Properties and click Unblock which makes using this app uncomfortable (users will often have to download this executable and run - every time it is a new one as it is code generated)
Is there any way to make this executable automatically unblocked? Modifying client machine is not an option, but I can do anything with the server.
From the beginning I thought this is impossible as it is a security protection, but Chrome somehow does this. If I take a new PC with IE installed, type Chrome into Bing and install it - I don't have to unblock executable.
So far I've tested this only on W10 Chrome and IE, but I am pretty sure older Windows versions have this problem as well.
The mechanism for showing the untrusted executable dialog is based around alternate Datastreams. The metadata gets added by Windows or the browser when you download something from a network source, thus it is not possible for your file/webserver to influence this behaviour. Windows on the other hand has a ruleset which it uses to apply the flags which can be found in the TrustZone-Settings of your Internet Options.
NTFS has a neat little feature which allows for a file to have multiple contents, also known as alternate Datastreams. This is an NTFS-only feature, so you won't find it on other partition types. This basically allows you to store more data in your file which is not perse visible to the user and cannot be easily found out by a standard windows user. Windows uses those alternate datastreams to mark the origin of a file, especially when downloaded from the inter- or intranet. The Alternate Datastream which is used for this data is called the "Zone.Identifier" and holds an ID to the zone which the file was copied from. When you decide to trust a file you basically tell Windows to remove that datastream.
Windows uses the concept of different zones to classify those files. Windows knows four zones in Total: Internet, Intranet, Trusted Sites and restricted Sites. You can alter the settings and rules for those in the Internet-Options dialog in the tab "Trust Zone"
Security Remark: Before changing your settings for the trust zones in the company consider the security risks of this thrice. As it will allow any executable from those verified sources to be executed, potentially laying way to malicous executables which can then be started by already infected PCs or Users themselves.
The correct way to resolve that issue is to sign that executable with a trusted and valid code signing certificate which is better to be with EV (Extended Validation). Windows will check the certificate when you run the file and will allow it to run without further actions as it is signed with a trusted cert.
I evaluated JxBrowser a short while ago. The following questions came to mind:
Can I use Java URIs to "reroute" all temporary files from the underlaying Chromium engine through a custom FileSystemProvider like encFs4J?
The reason I want to that is to comply with data privacy laws. Since browsers can not be forced by a web application to clear their cache or store any temporary files in a safe manner, I thought I could use JxBrowser for this. If I can handle all files myself, I can do some crypto magic so that (almost) no one has access to the data besides my application.
There is an API to define the directories via BrowserContextParams.
However, only absolute paths are allowed. URIs are not accepted.
Instead of doing
BrowserContext context = new BrowserContext(new BrowserContextParams("C:\\Chromium\\Data"));
Browser browser1 = new Browser(context);
I would like to do something like
BrowserContext context = new BrowserContext(new BrowserContextParams(new URI("enc+file:///C:/Chromium/Data"));
Browser browser1 = new Browser(context);
Does anyone know of a way to tap into the file handling routines of a process like JxBrowser? Can I somehow add this functionality like a wrapper around it?
I considered using something like VeraCrypt for this. But this is no good in terms of usability since you have to install virtual harddrive drivers. This is overkill for a rather simple issue.
Underlying Chromium engine in JxBrowser does not use Java IO API to access files. There is only a path string to the data directory that is passed to Chromium engine and it decides by itself how to handle all IO operations.
There is a mode in Chromium called incognito. In that mode all the files, including cookies, cache, history are stored in memory, nothing is stored on the hard drive, so once you close the application, all the data will be cleared automatically. If this meets your requirements we could investigate how to enable incognito mode in JxBrowser.
I will accepting Artem's answer to the original question. Incognito / private browser sessions - as long as they do not store anything on hard disk - would be a perfect and simple solution.
Furthermore, I want to share my research on this topic. The following answer is not related to JxBrowser but to any 3rd party applications and libraries which do not support URI path or require additional safeguarding of (temporary) files.
Option 1: RamDisk
needed: kernel mode driver for ram disk
privileges: admin once (to install the driver)
usability: might be seemless, if application can handle ram disk by code (not researched)
Installing a RamdDisk which can "catch" the files. If the ram disk only persists while the application is running, it is already automatically cleaned up. (not researched for feasibility)
With an own ram disk implementation one could perform additional steps.
Option 2: Virtual File System, e.g. VeraCrypt
needed: VeraCrypt, kernel mode driver
privileges: admin once (to install the driver)
usability: user has to mount container manually before using the application
Due to usability issues this was not further researched.
Option 3: embedded SMB server with local share
needed: SMB server implementation (e.g. JVLAN for Java), creating a server and share in code
privileges: user (Ports 1445 can be used under Linux etc.)
usability: seemless for the user, but quite a complicated solution for a simple issue
Steps: start a SMB server by code, add a share and user authentication (optional), mount the share to a local drive (windows) or mount point (linux), use an absolute path to access the files on the locally mounted share. If the application crashes, then the volatile / in-memory key for the "real" file encryption of the SMB server is lost and the files are safe from other eyes.
This option also has more potential, like clearing files once they got read, controling the access to third party apps and many more - even freakier - ideas.
Before I attempt to program the following function myself, I wonder if something already exists.
What I would like to do is click an edit link on my website for a given document, and have that document launch in the native editor on my local machine (via a temporary file mechanism).
When I save the document in the native editor, the document is HTTP PUT back to the website. This can be accomplished by watching the file for writes, or watching the editor process for exit.
This way I can more easily edit documents on the web (instead of going through the download / edit / upload cycle).
My design would work as follows:
Register .webedit files on the local machine.
When a .webedit file is downloaded, launch webedit.exe with the file.
The file contains a URL (http://server/document) which is checked against a security database to ensure we're only opening allowed URLs.
The URL is downloaded to a temporary location.
The temporary file is launched in the native editor.
The file is watched for changes, and uploaded (HTTP PUT) on change detection (or when the editor is closed, if it's not a single-instance multiple-document editor).
Lots of FTP / SCP GUIs have this type of functionality, but I have not been able to find it for the web in general, or a shared library that allows you to plug in to this function.
Has anyone seen a program that does this?
SharePoint works like this.
It's great for managing shared documents in corporate environments.
Users can even checkout/checkin documents & the features are very extensible..you can customize pretty much anything if you know how.
Edit:
Since you're on Linux..i've heard that Alfreco is a great alternative.
I've never used it, but I know a couple organizations using it instead of SharePoint.
It integrates with Microsoft Office as well.
Also, it will definitely be cheaper.
I have a Flex app that does a a fair amount of network traffic, it uses ExternalInterface to make some javascript calls (for SCORM), it loads XML files, images, video, audio and it has a series of modules that it could be loading at some point...
So the problem is - we now have a requirement where the user needs to run this content locally on a machine that is not connected to the internet (which means they can't connect to Adobe's site to change their security settings.) As you can imagine, when the user doubles clicks on the html page to launch this thing, they are greeted with a security warning that the swf is trying to communicate with another domain other than the one it's in. We can't wrap it in an exe or an AIR app so I unless there is some way to tweak some obscure security settings we may be hosed. Any idea's?
What you are trying to do is exactly the problem solved by AIR. You should really give it a try, it's not that hard to pick up. If you really really can't use AIR (you didn't specify why, so I assume it's just because you don't want to have to learn a new system), then modifying the security config file will solve the problem.
Basically what you need to do is create a 'trust' file in the "Global FlashPlayerTrust" directory. This can be done by your installer (which installs all the javascript, SWF, html, etc files onto the local machine). You should create the directory if it does not exist. The directory for each OS is:
Windows - %WINDIR%\System32\Macromed\Flash\FlashPlayerTrust
Mac - /Library/Application Support/Macromedia/FlashPlayerTrust
Linux - /etc/adobe/FlashPlayerTrust
Next, you need to create the trust file. You can name it anything, so pick a unique name that would be unlikely to conflict with others. Something like CompanyName.cfg. It's a text file, with one path per line. You can trust either one SWF at a time, or an entire directory. Example:
C:\Program Files\MyCompany\CoolApp
C:\Program Files\MyCompany\OtherApp\Main.swf
To test that it's working, inside your flash movie you can check System.security.sandboxType (ActionScript 1 or 2), or Security.sandboxType (ActionScript 3). It should have the value of "localTrusted"
I hesitate to say "you can't do it", but in my experience, there's no way to do what you're describing. Anyone, if I'm wrong, I'd love to know the trick.
Sorry that I haven't actually tried this to see if it works or not ... but ...
Page 20 (and/or 26) of this document may be of help. The document is referenced here. In a nutshell it describes directories which contain cfg files which in turn contain lists of locations on disk which should be regarded as trusted. An installer for the application would then be responsible for creating appropriate .cfg files in the desired location (global or for the installing user).
The short answer is that if your swf is compiled with use-network to true, it isn't going to work.
Is it possible to compile a version with use-network to false? Or is it running on an Intranet that is closed off from the Internet and still communicating with the LMS?
It is possible. Please chek that the swfs you are calling from the main swf have the "Access local files only" property enabled or not.
Did you try to specify the authorized domain with:
System.security.allowDomain("www.yourdomain.com");