Website talking to client application? - delphi

I'm working on a desktop application in Delphi 2007 and on a website where content data for this application is maintained. To view this website, the user is basically restricted to Internet Explorer 7 or higher. (Not going to support the rest.)
What I am looking for is a way to add a link to the website which would tell my already-running application to select a certain record by an ID that's passed to it from the website.
That sounds easy but it's a bit more complex than this. In the application, the user selects a dossier for a customer of the user. In this list he can find a list of products. His customer -who sits next to the user- just searches on the website and selects a product to be added. (Or the user selects one for him.)
Second Life seems to be able to do this by supporting a new protocol for the web browser. Thus, the link secondlife://gingivere/240/72/ would kick you to some place in Second Life. (Unless you haven't installed Second Life, in which case it doesn't do much.) Basically, I want to implement something similar in my application!
(Must support Windows 2000, 2003, XP, Vista and newer versions of Windows.)
Oh, I'm using Borland/Codegear/Embarcadero Delphi 2007 and the application is a simple WIN32 application. (I also have Visual Studio 2008 available but would prefer to not use this.)

See Registering an Application to a URL Protocol.

I would poll a webservice from the client application rather that try to make a connection from the server to the browser.

RTC Real Thin Client and remote functions are perfect for this.

Me, I'd forget the browser compatibility issues (how do you think you will stop IE8 being used?) and use the PBear browser component direct. Using this you can intercept your links easily, and thus spot whatever reference you wish. In my app, I have things like "act://actHelp" and I spot the link type as 'act' and then search for an action with the name "actHelp". If available, I execute it. You can also pre-parse the HTML code to look for these links, and insert an image of the icon that the action uses, thus matching your UI and ensuring it is kept up to date.
Go integrated, and forget external browser issues.

Related

Alternative to custom protocols (URI schemes)

I have been extensively using a custom protocol on all our internal apps to open any type of document (CAD, CAM, PDF, etc.), to open File Explorer and select a specific file, and to run other applications.
Years ago I defined one myprotocol protocol that executes C:\Windows\System32\wscript.exe passing the name of my VBScript and whatever argument each request has. The first argument passed to the script describe the type of action (OpenDocument, ShowFileInFileExplorer, ExportBOM, etc.), the following arguments are passed to the action.
Everything worked well until last year, when wscript.exe stopped working (see here for details). I fixed that problem by copying it to wscript2.exe. Creating a copy is now a step in the standard configuration of all our computers and using wscript2.exe is now the official configuration of our custom protocol. (Our anti-virus customer support couldn't find anything that interacts with wscript.exe).
Today, after building a new computer, we found out that:
Firefox doesn't see wscript2.exe. If I click on a custom protocol link, then click on the browse button and open the folder, I only see a small subset of .exe files, which includes wscript.exe, but doesn't include wscript2.exe (I don't know how recent this problem is because I don't personally use FireFox).
Firefox sees wscript.exe, but it still doesn't work (same behavior as described in my previous post linked above)
Chrome works with wscript2.exe, but now it always asks for confirmation. According to this article this seems to be the new approach, and things could change again soon. Clicking on a confirmation box every time is a big no-no with my users. This would slow down many workflows that require quickly clicking hundreds of links on a page and, for example, look at a CAD application zooming to one geometry in a large drawing.
I already fixed one problem last year, I am dealing with another one now, and reading that article scares me and makes me think that more problems will arise soon.
So here is the question: is there an alternative to using custom protocols?
I am not working on a web app for public consumption. My custom protocol requires the VBScript file, the applications that the script uses and tons of network shared folders. They are only used in our internal network and the computers that use them are manually configured.
First of all, that's super risky even if it's on internal network only. Unless computers/users/browsers are locked out of internet, it is possible that someone guesses or finds out your protocol's name, sends link to someone in your company and causes a lot of trouble (possibly loss too).
Anyway...
Since you are controlling software on all of the computers, you could add a mini-server on every machine, listening to localhost only, that simply calls your script. Then define host like secret.myprotocol to point to that server, e.g., localhost:1234.
Just to lessen potential problems a bit, local server would use HTTPS only, with proper certificate, HSTS and HPKP set to a very long time (since you control software, you can refresh those when needed). The last two, just in case someone tries to setup the same domain and, for whatever reason, host override doesn't work and user ends up calling a hostile server.
So, links would have to change from myprotocol://whatever to https://secret.myprotocol/whatever.
It does introduce new attack surface ("mini-server"), but should be easy enough to implement, to minimize size of that surface :). "Mini-server" does not even have to be real www server, a simple script that can listen on socket and call wscript.exe would do (unless you need to pass more info to it).
Real server has more code that can have bugs in it, but also allows to add more things, for example a "pass through" page, that shows info "Opening document X in 3 seconds..." and a "cancel" button.
It could also require session login of some kind (just to be sure it's user who requests action, and not something else).
The title of this blog post says it all: Browser Architecture: Web-to-App Communication Overview.
It describes a list of Web-to-App Communication techniques and links to dedicated posts for some of them.
The first in the list is Application Protocols, which I have been using for years already, and it started to crumble in the last year or so (hence my question).
The fifth is Local Web Server, which is the one described by ahwayakchih.
UPDATE (this update follows the update on the blog post above mentioned)
Apparently I wasn't the only one thinking that this change in behavior was a regression, so a workaround has been issued: the old behavior (showing a checkbox that allows to remember the answer) can be restored by adding these keys to the registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge]
"ExternalProtocolDialogShowAlwaysOpenCheckbox"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"ExternalProtocolDialogShowAlwaysOpenCheckbox"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Chromium]
"ExternalProtocolDialogShowAlwaysOpenCheckbox"=dword:00000001

How do can I create web pages on the fly from an iOS app?

Context/Background: I have an iOS app with a Firebase backend. Each user on the app has a couple of public stories or journals. I am working on the v2 of the app and one of the main features of v2 is to give users the ability to publish their stories as static webpages by a click of a button. The goal is to have a journal for a user with a username "johnhouse", for example, be available at www.the-app-domain.com/johnhouse.
Question: How do can I create web pages on the fly from an iOS app? Im not sure where to start. Which online services should I look at?
I thought of spinning up a server and hosting www.the-app-domain.com on it, getting the app to ssh into the server and creating a directory called "johnhouse" (from the example above) inside the website's root directory and then pasting an index.html file inside it, But this doesn't only sound like a bad idea, it also sounds complicated as hell If I were to generate the html files on the app, how would I get them to the server? how would I get them into the right location?
There are a great many ways you might implement this behavior but I'll suggest one.
Consider what this product might look like if the app had no knowledge of how these static pages were published. All the app needs to be able to do is allow users to set which of their stories are published or not and to inform those users of the url at which their published stories will be available.
There may be real advantages to removing the app from your page-creation process.
If you find that you need to make change to the formatting of your pages you can do so without requiring an app update and you can choose if you want to rebuild every page or just have changes apply to new pages. This might be important if you discover that your pages don't render well on some devices or are not indexed the way you would like by search engines.
If you need to change where your pages are hosted you can do so (and provide redirects from the old location) without needing everyone to update to a new app version.
If you need to add moderation or curation of the content you publish you can do so more easily than if clients (your app) have direct control of your site content. This may be important when someone starts publishing SEO spam links to your site, or registers the username admin or login, or publishes a story containing malicious javascript, or publishes content which gets you a copyright infringement notice.
You don't need to give clients direct access to your web server which could allow them to edit each other's content or overwrite your site with their own malicious content.
Since you're already using Firebase take a look at how you might run your own web server as another client of this backend. One which looks for "published" stories (however you identify those in your data model) and generates appropriate pages for them. Depending on the tools you elect to use these could be dynamically generated pages (client side js or a web app) or static pages build by some backend process periodically or whenever stories change and added to a web server. Without any idea what server side tools would be most appropriate for you it's hard to know what specifically to suggest here.

How to turn off right click and ctrl+c behaviour in ASP .NET MVC WebApplication

I write a web application in ASP .NET MVC which will be used only by authorized users. I will configure machines(PCs, tablets) they will use. I need to protect personal data in webapplication from stealing it. I am obligated by law to prevent those situations.
I already wrote keylogger detecting PrintScreen and sending me info about user to my mail when he uses. I will block unused USB ports, log user actions inside WebApplication and few other things.
But it is not enough I need to void/turn off right mouse button click and ctrl+c combination. It is hard to find information how to do this globally for the site.
Question: How to turn off right click and ctrl+c behaviour in ASP .NET MVC WebApplication
Bad news: You can't. If a user uses their smart phone to take a picture of your data, you can't stop that. Also; turning off Right click or Ctrl+C takes Javascript being enabled. If a user turns off JavaScript, they've defeated your 'protection'.
Without knowing more about the industry or the regulations you're specifically charged with, it's hard to say what you can do technically speaking.
If you can guarantee that users can't turn off JavaScript, can't go to the JavaScript console, can't take pictures of the screen with their phones, and can't write down that information on pen and paper, then we can talk.
There's already a Stack Overflow question out there on how to disable right click in a web application, as well as one for disabling 'Ctrl+C'.

How to save file from web application to user's disk?

I'm working on web application which, among other things, needs to save small file to particular folder on user's hard drive whenever user clicks a button. That file will serve as input for another desktop application so it must be saved in predefined folder and predefined format. "Save as..." and save dialog would be very inconvenient. Also setting that all downloads go to that folder would be troublesome.
Also, changing desktop application is not an option.
In current stage of web browsers and web standards what would be the best approach?
Is it development of custom plug in for browser? Or flash/silverlight? Something else?
First of all this is not doable via http and html.
If this is a controlled environment maybe you could get away with simply providing a customized portable firefox to your users. Of course, all other downloads would go to that folder as well.
Anything thats loaded from a website isn't allowed to access the computers HD, and with good reason.
That aside; Could you give it a new extension and associate a program with it that saves it in the correct place, all the user then needs to do is check 'always do this action' or something to open the file with the program when the button is clicked.
Perhaps a different approach would be to have the desktop application retrieve the file from your web-application when it needs it - is this feasible?
This approach means you need not concern yourself with the sandboxing protection of web browsers that prevent web-applications knowing too much about the clients file-system.

Sticky notes associated with web page - how to?

I have this idea for a project. Associated with any web page, i want to create notes that will be saved locally in a database, the notes will be reloaded automatically from that database the next time i visit the same page.
Creating the note is easy, but i'm looking for how to link the notes to the web page url and how to keep aware of the active web page. Any idea?
(Note: i have come to this searching on the internet: http://webkit.org/demos/sticky-notes/ - this is part of WebKit Open source projects) - this is about what i'm looking for.
Thank.
Browserdependent probably. You'll have to have a plugin for every browser type.
IE might be doable via the COM interface, but that probably would require starting IE via a way you control. So that probably will have to be a plugin too.
For browser independence, there are quite a few challenges in this one. One way would be to implement a proxy server and watch for text/html content....this will work for most of the general cases, but not every case. Handling frames for instance... which resource is the "parent" and which is the "child"? Which one contains the sticky note? I think you would have to inject some client side javascript to keep track of things, and that might break some websites.
protonotes.com is a web service version of this. Not sure how they do it though.
Actually, Daniel H hit the nail on the head mate: http://www.protonotes.com
It does exactly as you want, in fact it gives you two options to store your data, the first is hosted, the second is your own mySQL db - protonotes pipes the data from the tack-on style notes to your own db, if you prefer. This means that you're not the only person who can see the notes - access is granted by a unique 'group' key.
I've just deployed protonotes as our main online review tool for two reasons, we can save our own data, and it lacks some features which I generally label "dubious" anyway.
It's simplicity is great, the only thing I'm aware of that could cause a prob is that it dumps a bunch of stuff in the global namespace - if that's a potential problem for you.
d

Resources