www.webdeveloper.com
Results 1 to 12 of 12

Thread: Can I use Named Shared Memory in Javascript

  1. #1
    Join Date
    Mar 2010
    Posts
    6

    Can I use Named Shared Memory in Javascript

    I need a web page to communicate with an exe on a Windows PC. The web page is hosted via https (customer requirement!!!), but the client exe exposes an http interface via localhost.

    If the webpage targets the http interface on the client, the browser gives a warning that the web page is trying to load unsecure content that compromises the security of the entire webpage.

    We have tried a few ways to get around this :
    - use stunnel to create an https interface for the client exe. This works, but requires signing of stunnel to show that it is trusted.

    - use an Active X component launched from the web page (but resides on the client PC) to act as a proxy between the web page and the client exe. The web page would then call methods in the Active X component, and it would pass the commands to the client exe via http. This has similar problems which require signing and showing the Active X component is safe to interact with the web page.

    - As a third and best solution (IF POSSIBLE), I would like to use named shared memory. The client would create a shared memory space, and the web page would hook into this same space. Then they could pass structures between them without Active X or http.

    It is clear to me how I could do this if both apps were in c++. Microsoft gives a good explanation here: http://msdn.microsoft.com/en-us/libr...8VS.85%29.aspx.

    But is it possible to hook into this shared memory space from Javascript? Can create the shared memory space in the client c++ exe and then access it from the webpage using javascript? And if it is possible does anyone know HOW to do it???

    I really appreciate any help on this! Thank you.

  2. #2
    Join Date
    Aug 2010
    Location
    Baltimore, Maryland, United States
    Posts
    138
    JavaScript cannot access arbitrary addresses in memory.

  3. #3
    Join Date
    Jan 2007
    Location
    Wisconsin
    Posts
    2,120
    but the client exe exposes an http interface via localhost.
    I apologize. I didn't read the whole post--but this caught my interest immediately.

    If you're EXE is listening to a port on localhost, you should be able to interact with it as if it's a web server. You're EXE will have to be coded to handle HTTP requesta and responses, of course. And your JavaScript will NOT be directly accessing memory ... But, this doesn't prevent you from gaining a great deal of control over the localhost through the EXE in an AXAXy fashion.

    You may not be able to use the XMLHttpRequest object. But, you could create <script> tags on the fly--adding parameters into querystring. Just make sure your EXE knows how to accept the HTTP requests and take its parameters and method calls as GET variables.

    Make sense?

  4. #4
    Join Date
    Mar 2010
    Posts
    6
    To svidgen:
    This makes sense but does not give me what I am looking for. The client has a webserver interface that the web page interacts with (I am using jsonp for this). But the webpage runs in https and the client webserver is http. This is why I get the warnings.

    I wanted to know about using the shared memory as a way of bypassing the signing/trusted issues that come with using Active X or stunnel as an https proxy.

    But if Ofekmeister's response is correct, javascript cannot access arbitrary memory addresses.

  5. #5
    Join Date
    Jan 2007
    Location
    Wisconsin
    Posts
    2,120
    So ... the only real problem is that the local process isn't listening for an HTTPS connection? Or ... am I totally missing it?

  6. #6
    Join Date
    Mar 2010
    Posts
    6
    To svidgen:

    You would be correct in this. Unfortunately, I do not have the code for this local process. It belongs to another division of our company and they refuse to give it up, nor add an https interface. So it looks like I will have to write a proxy process that exposes an https interface and communicates with the local process via http.

    Thank you for your help.

  7. #7
    Join Date
    Jul 2008
    Location
    urbana, il
    Posts
    2,787
    if i remember correctly, you can add stylesheets from http: sources from an https: page (and vice versa) without a warning.

    if you split it up and url encode your data, you can actually transfer data using css.
    Code:
    .data#01 {background-image: url('http:this&#37;20is%hidden%20data');}
    .data#02 {background-image: url('http:more%hidden%20data');}
    css rules han be harvested via the dom; the CSSRules collection in IE, just "rules" everywhere else.
    you grab the ruleText, chop off the fake css, and unescape it.
    if you don't need old IE support, you can use :before and {content: "unescaped hidden data from css";} to simplify and improve readability.

    this was a simple hack i used back in the day to inject todo items and user-style css from a file:// folder store into my https-based student webspace.
    to be fair, i can't remember if also changed any settings, but i don't think i did. once setup, i know i could get the data without a hitch.

    is it hacky? yes, but so is tunneling and proxies, and my little old solution is free to implement if you can make it work for your use pattern.
    Last edited by rnd me; 10-15-2010 at 03:47 AM.

  8. #8
    Join Date
    Mar 2010
    Posts
    6
    To rnd me:

    I really like how your solution sounds, but I am unsure how to implement such a method.

    Do you have a more detailed example you could give me? I really appreciate your help!!!

  9. #9
    Join Date
    Dec 2003
    Location
    Bucharest, ROMANIA
    Posts
    15,428
    Quote Originally Posted by rnd me View Post
    if you split it up and url encode your data, you can actually transfer data using css.
    Sounds more than interesting. Any kind of data? Is there a limit? have you tried to pass JSON objects like through?

  10. #10
    Join Date
    Jan 2007
    Location
    Wisconsin
    Posts
    2,120
    Interesting -- also sounds like the type of thing that will soon be patched as a security hole if finds widespread use.

  11. #11
    Join Date
    Dec 2003
    Location
    Bucharest, ROMANIA
    Posts
    15,428
    Quote Originally Posted by svidgen View Post
    Interesting -- also sounds like the type of thing that will soon be patched as a security hole if finds widespread use.
    Well, not really, as you need, on the receiver's side, a sort of parser suited perfectly on the data type. Which is hard to be injected... Well, not quite impossible , I have to think about... Not to apply, but to defend against it

  12. #12
    Join Date
    Jul 2008
    Location
    urbana, il
    Posts
    2,787
    actually, font-family is great for list items, but you can use escaped URLs as well.
    i doubt it's a security risk since it takes specialized scripts to unpack the data.

    i found this code from Jan 8th, 2007, and it still works!

    demo.html:
    Code:
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    	<title>css data hacking</title>
      <link href="stylehack.css" type="text/css" rel="stylesheet" media="screen"  />	
    </head>
    <body>
    
      <div class='hack' id="transport" style="display:none">&nbsp;</div>	
      
      
    <script type='text/javascript'>
    window.onload= function (){
    
        alert(getComputedStyle( document.getElementById("transport"), null )["fontFamily"].split("|").join("\n"))
    	
    }
    </script>
    </body>
    </html>

    stylehack.css: (can be @ https)
    Code:
    .hack { font-family:"fake 1", "fake2", "fake3", "fake4", "fake5", "fake 6", "fake7", "fake8", "fake9", "fake10",  "fake 11", "fake12", "fake13", "fake14", "abcdefghijklmnopqrstuvwxyz0561234567890l 1", "reall2", "abcdefghijklmnopqrstuvwxyz01234567890g3", "abcdefghijklmnopqrstuvwxyz01234567890gy4", "abcdefghijklmnopqrstuvwxyz012345675", "abcdefghijklmnopqrstuvwxyz01234567k 6", "abcdefghijklmnopqrstuvwxyz01234567kqq7", "abcdefghijklmnopqrstuvwxyz01234567kqq558", "abcdefghijklmnopqrstuvwxyz01234567kqq5589", "abcdefghijklmnopqrstuvwxyz01234567kqq558d10",  "abcdefghijklmnopqrstuvwxyz01234567kqq558dg 11", "abcdefghijklmnopqrstuvwxyz01234567kqq558dgqqy12", "reall13", "reall14", "reall15", "ariel";  position: absolute; width: 100px; top: 15px; background-color: #606060; background-image:url('his&#37;20specification%20does%20not%20define%20how%20alphabetic%20systems%20wrap%20at%20the%20end%20of%20the%20alphabet.%20For%20instance,%20after%2026%20list%20items,') }
    this is just an ugly proof of concept to show it can work; you should use cross-browser computedStyle fetchers and DOM-based remote css tag adders.
    once it's setup, it works extremely reliably.
    i actually had a server setup to pump RSS feeds out as font-families. by cycling the classname on a hidden element and grabbing the computedStyle, i could fetch a whole feed of real news.
    i would've put this out there sooner if i'd realized it could help anyone...

    cheers!

    PS:
    please let me know if any browsers give you security nags when using this routine.
    Last edited by rnd me; 10-18-2010 at 06:10 PM.

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
HTML5 Development Center



Recent Articles