Let's say I'm building a "secure" offline HTML5 app which must be run locally in the web browser without needing to download more files from the server. Let's say I connect to the server initially with the web browser over HTTPS (TLS) and download the HTML, JavaScript and CSS required to run locally. I can reasonably assume that the first time I download the files that it is done securely as it is a brand new server that no-one else knows about yet. All the files get stored in the HTML5 Offline Application Cache. Now I have everything I need to run the application locally and shouldn't depend on the server for anything else.
Now every time I run the app, the application will use the HTML5 Offline Web Application Manifest to see if there are any updates from the server for the app to be downloaded. Potentially this could be a problem. If an attacker has now targeted my server and has done a MITM attack on the connection they could alter the application manifest, causing an update to be triggered and therefore make the client download new JavaScript and HTML. This would easily compromise the security of the application as the application relies on the integrity of those files.
What are some possible options to prevent this? Can we do any of these:
1) Completely disable or block updates from the server after all files have been downloaded. Then if the manifest is changed on the server, or the attacker serves up a new manifest, then the client ignores the new manifest and keeps using it's local copy of the files.
2) Detect if the manifest has been changed, or an update event triggered, or the browser is downloading new files. Therefore notify the user that this has occurred. And if it's not expected from the user, then it would indicate an attack. I understand that the there is a 'downloading' or 'updateready' or 'checking' event listed in the spec. Is there a way for the JavaScript to detect that those events have been fired?
3) Store a version value or cryptographic hash of the files inside the browser's local storage. Then on page startup, if the files change unexpectedly, we can throw up an alert to the web browser notifying the user they have been unexpectedly changed.
4) Perhaps use some sort of cache header that forces the browser to cache the files indefinitely. In other words, a kind of hack to make it ignore new manifest files that are sent by the server. This sounds like it could probably work as there are lots of issues that can cause the application not to update even when the manifest file is changed.
Thank you in advance.
Related
Just found that if you have a service worker in your app and you use local overwrite in Chrome dev tools, the view shows a new file but it executes the old file, so you can't use the debugger properly. But anyway it doesn't work at all the file is not updated.
My service worker is only to allow using files in memory (from indexedDB) and the rest of the files just use fetch in Worker (no cache).
I was also trying to use extension resource overwrite but it also doesn't work.
Does anyone know how to change the file locally without modifying an app where the service worker is running?
I'm not sure If I should report this to the Chrome Dev tools team, since this is like a bug or missing an important feature.Just found that if you have a service worker in your app and you use local overwrite in Chrome dev tools, the view shows a new file but it executes the old file, so you can't use the debugger properly. But anyway it doesn't work at all the file is not updated.
My service worker is only to allow using files in memory (from indexedDB) and the rest of the files just use fetch in Worker (no cache).
I was also trying to use extension resource overwrite but it also doesn't work.
Does anyone know how to change the file locally without modifying an app where the service worker is running?
I'm not sure If I should report this to the Chrome Dev tools team, since this is like a bug or missing an important feature.
I have a web application hosted on azure apps that I publish using visual studio. It is a flask app. One of the templates is called searchresult.html. I am making changes to this file that are made when I run locally. When I run it on the server though the changes are absent.
Using the azure console I can see that the changes are present in the file that is stored on the server, but the application continues to deliver the old html.
How can I force azure to see my updated file?
Things I have tried:
Deleting the file directly on the server and re-publishing it
Committing changes to git, even though I knew that would do nothing
Testing it locally (it works)
Restarting the application
Since you said you already check the file has been changed on the Kudu, so it supposed not an issue of deployment. You could disable caching in your browser.
such as in chrome browser, navigate to F11 window and select the Disable cache blanket.
or please try to access your website via incognito model.
In addition, I crashed into similar issue with you in other web app. My previous solution is that enable always on option on the portal and restart my app, it worked.
Just for your reference.Hope it helps you.
In my website I need to record audio from the microphone and then replay it.
I do not need to send those files to the server, they can remain on the client.
Currently I'm successfully using flash for that, but I would like to switch to html5 and getUserMedia().
I'm aware that I normally need SSL for using getUserMedia() (except from localhost use), but I'm wondering if there is some sort of exemption if I don't want the data to be uploaded (and thus there should be no security issues in using it).
There's no exemption. Having one would require running your script in some sort of local sandbox with separate local storage and no networking. Does not exist.
Only Google Chrome enforces this https requirement by the way. Other browsers do not.
Getting a free certificate is easy.
I am working on HTML 5 offline application. When i run that application on visual studio it works fine but when i stop my application then refresh my page it would fire Manifest error event but my application works fine from local cache.
but when the same application i hosted on IIS 7.5 it works fine until i stop the server. When i stop the server than refresh my page it would generate obsolete event and cache is deleted.
Now i m stuck what to do. I also added MIME type .appcache and type text/cache-manifest
My guess would be that because your browser is technically online (the server is down/offline) it is treating the failure to retrieve the manifest as an error.
And as such it is triggering the obsolete event and deleting the current application cache as per the spec (look at the "Dispatched when..." column for the obsolete event)
So, the appcache is probably working -- or if not, this is not the reason -- this is symptom of your testing being flawed.
Btw, I did the exact same thing - it's annoying not being able to test how your application will fair until in a production/external environment. So be prepared to push your app and realise you missed a resource from the manifest! :)
I have successfully created an appcache manifest that is downloading all of the website content. I have checked this through chrome dev and it's all working.
The issue I am having now is that even although the entire website has been cached, I am unable to access the cached pages when offline, unless I had accessed them online.
I am using Apache and accessing the website via an iPad using safari browser.
I have an idea that this may be due to the server not allowing access to cached pages unless they had been accessed online as some kind of security measure.
Any ideas?
if your files are in PHP or ASP this will not work.
It need to be JavaScript or other files that can be run localy like Image, HTML.