SteveSandersonMS / WebWindow

.NET Core library to open native OS windows containing web UI on Windows, Mac, and Linux. Experimental.
Apache License 2.0
1.98k stars 214 forks source link

Run Browser Engine with --disable-web-security #15

Open iqmeta opened 5 years ago

iqmeta commented 5 years ago

Hi,

config.SchemeHandlers.Add("app", (string url, out string contentType) => works only on header script.

config.SchemeHandlers.Add("myOwnHandler", (string url, out string contentType) => is not processed by a href="" or iframe or xhr call.

Ajax call might work with "disable-web-security".

index.html:34 Access to XMLHttpRequest at 'app-pdf://test/me.pdf' from origin 'null' has been blocked by CORS policy: Cross origin requests are only supported for protocol schemes: http, data, chrome-extension, edge, https.

config.SchemeHandlers.Add("ftp", (string url, out string contentType) => works, but not in iframe =>

Subresource requests using legacy protocols (like ftp:) are blocked. Please deliver web-accessible resources over modern protocols like HTTPS. See https://www.chromestatus.com/feature/5709390967472128 for details.

Any other cool idea how to call a handler to read a in memory generated pdf file? (actually do not want to base64 over js window call, better file read over handler)

Also pressing F12 or Shortcut Keys resolve here in Exceptions. May add also an overwriteable KeyDown Handler to hook into certain keys.

Kind regards. Otto.

SteveSandersonMS commented 5 years ago

Sorry, I can't really tell what is being asked here. Can you simplify your question/request?

iqmeta commented 5 years ago

Hi, okay let's try it with code ;-)

On C# Side another Scheme "pdf" Handler was added:

static void Main(string[] args)
        {
            var window = new WebWindow("App", config =>
            {
                config.SchemeHandlers.Add("app", (string url, out string contentType) =>
                {
                    contentType = "text/javascript";
                    return new MemoryStream(Encoding.UTF8.GetBytes("alert('super')"));
                });
                config.SchemeHandlers.Add("pdf", (string url, out string contentType) =>
                {
                    contentType = "application/pdf";
                    string base64 = "JVBERi0xLjIgCjkgMCBvYmoKPDwKPj4Kc3RyZWFtCkJULyA5IFRmKFRlc3QpJyBFVAplbmRzdHJlYW0KZW5kb2JqCjQgMCBvYmoKPDwKL1R5cGUgL1BhZ2UKL1BhcmVudCA1IDAgUgovQ29udGVudHMgOSAwIFIKPj4KZW5kb2JqCjUgMCBvYmoKPDwKL0tpZHMgWzQgMCBSIF0KL0NvdW50IDEKL1R5cGUgL1BhZ2VzCi9NZWRpYUJveCBbIDAgMCA5OSA5IF0KPj4KZW5kb2JqCjMgMCBvYmoKPDwKL1BhZ2VzIDUgMCBSCi9UeXBlIC9DYXRhbG9nCj4+CmVuZG9iagp0cmFpbGVyCjw8Ci9Sb290IDMgMCBSCj4+CiUlRU9G";
                    return new MemoryStream(Convert.FromBase64String(base64));
                });
            });

Now on HTML, this works:

<head>
    <meta charset="utf-8">
    <script src="app://something.js"></script>
</head>

but this does not work:

<body>
    <iframe src="pdf://test.pdf" id="pdf"></iframe>
    <a href="pdf://test.pdf" target="_blank">pdf</a>

also xhr to get the file might with xhr is blocked by browser:

var xhr = new XMLHttpRequest();
            xhr.open('GET', 'pdf//test.pdf');
            xhr.onreadystatechange = function () {
                var DONE = 4; // readyState 4 means the request is done.
                var OK = 200; // status 200 is a successful return.
                if (xhr.readyState === DONE) {
                    if (xhr.status === OK) {
                        console.log(xhr.responseText); // 'This is the returned text.'
                    } else {
                        console.log('Error: ' + xhr.status); // An error occurred during the request.
                    }
                }
            };
index.html:55 Access to XMLHttpRequest at 'file:///C:/data/downloads/WebWindow/testassets/HelloWorldApp/bin/Debug/netcoreapp3.0/wwwroot/pdf//test.pdf'
from origin 'null' has been blocked by CORS policy: Cross origin requests are only supported for protocol schemes: http, data, chrome-extension, edge, https.

Like in post before I was able to get the Test PDF with "file" or "ftp" as SchemeHandler. But this breaks, WebWindow behaviour or has downsides, like Subresource requests using legacy protocols (like ftp:) are blocked, to show it in iframe.

So I guess xhr might work with allowing more security, like on Chromium (CEF, Electron) there Security Paramaters (eg. cmd --disable-web-security, config) to allow own custom handler calls.

The goal is not to save the PDF to filesystem, in-memory only would be pretty cool, fast and the basis to generate stuff on the fly.

And of course no xhr - justopen a file with own SchemaHandler like <a href="pdf://test.pdf" target="_blank">pdf</a> or in iframe for preview, print, etc.

Super nice an simple.

Cheers. Otto.

jrothenberg commented 5 years ago

I think as a possible more general feature request it might be useful if there was a way to configure settings for various browser security features?

For example, it would be nice if it was possible to get the real file path from an <input type="file" /> element like you can in Electron, so maybe there should be a setting that would enable the respective platform-specific settings like "enable-file-access-from-file-uris" for webkitgtk?

In a lot of cases it's probably easier to just use native functionality since WebWindow makes it so easy, but in this case wrapping different native file choosers for each platform would be more complicated.

valerysntx commented 5 years ago

also xhr to get the file might with xhr is blocked by browser:

missing colon in url scheme xhr.open('GET', 'pdf://test.pdf');