wcbzero / phpdesktop

Automatically exported from code.google.com/p/phpdesktop
0 stars 0 forks source link

Custom user agent for IE #55

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
To prevent external browsers from accessing phpdesktop webserver, we may set a 
custom useragent string for the embedded IE. The useragent string would be read 
from the setting.json file. The PHP scripts could check for the useragent 
string and block access if the string is different than "PHPDesktop/1.10" for 
example.

See UrlMkSetSessionOption() on msdn, two options need to be set: 
URLMON_OPTION_USERAGENT and URLMON_OPTION_USERAGENT_REFRESH:

http://msdn.microsoft.com/en-us/library/ms775125%28v=vs.85%29.aspx

See example:

    string ua = "PHPDesktop/1.10";
    UrlMkSetSessionOption(URLMON_OPTION_USERAGENT_REFRESH, null, 0, 0);
    UrlMkSetSessionOption(URLMON_OPTION_USERAGENT, ua, ua.Length, 0);

Solution found on stackoverflow:
http://stackoverflow.com/a/18080830/623622

Original issue reported on code.google.com by czarek.t...@gmail.com on 19 Jan 2014 at 9:32

GoogleCodeExporter commented 9 years ago
Thanks,

Just for clarification though, this would not prevent one from changing the 
Agent string of their browser to that defined in the config file and still 
being able to make a connection to the webserver.

If we want to really prevent webserver/app to talking to external browsers we 
might have to do something like ssl the webserver (self signed ssl cert) and 
then generate a random cgi environment string (available to php scripts) on 
launch and set the same as useragent string of the embedded IE (embedded IE 
must be configured to not throw warning at self signed ssl and proceed 
silently). This way only the PHP scripts and the embedded IE will have access 
to the random string - thus giving us a way to ensure that other useragents can 
be blocked.

Original comment by paripurn...@gmail.com on 19 Jan 2014 at 4:12

GoogleCodeExporter commented 9 years ago
The web server in PHP Desktop is running locally listening on 127.0.0.1, it is 
not accessible from your local network or internet. That ip address is 
accessible only from your computer. Unless you changed it to listen on some 
public ip address. If this is your case, please explain it in details on the 
PHP Desktop Forum what is the reason behind that, and we can figure out 
something.

After a second thought it doesn't make sense to allow for changing useragent 
string when the webserver is running locally.

With IE embedded it is not a good idea to run some internet websites. It was 
explained on the wiki pages that the security for the embedded IE was set very 
low to allow for running any ActiveX or other insecure content. Changing 
useragent may have sense only in cases when browser would navigate to some 
external websites.

Today PHP Desktop Chrome will be released. It's quite easy to change useragent 
there. Also it will be safe to browse internet websites using the embedded 
Chrome.

Original comment by czarek.t...@gmail.com on 19 Jan 2014 at 4:30