Security Considerations

Microsoft has spent many years working to make Internet Explorer a safe browser. As hackers find new vulnerabilities, it becomes a never-ending challenge.

While the UISDK can be used as an advanced browser, we strongly recommend against this: sites could, in theory, hold scripts that exploit the UISDK and gain access to the very Windows API services that Microsoft has worked so hard to block.

Instead, use the UISDK to load trusted scripts only -- either scripts packaged and installed alongside the UISDK, or scripts hosted on your own secure web servers.

For maximum security:

  • Always turn off the browser bar within the application window.
  • Disable the context menu so that users cannot "view source".
  • Install all UISDK scripts and documents locally, unless the UISDK is being used as an install wizard.
  • If being used as an install wizard, set the starting URL in the exe resources.
  • Set up the Safe DNS resource file to ensure only your URLs can be reached.
  • Set up your own encryption key within the exe resources.
  • Prevent access to the context menu.
  • Encrypt your scripts and documents with your own key.
  • When you have updated all the exe resources, digitally sign your executable with your own digital signature.

Tracking downloads/installs

Tracking IDs, marketing campaign IDs, or activation keys can be "embedded" in your file by:

  • Sending alternative "download" filename information with the file.
  • Parsing out that information in the client for subsequent operations.
  • This works regardless of browser. See the simplified PHP example below:

    // Campaign ID from your own allocator, or from the HTTP GET params
    // (validate it before using it in a header).
    $campaignID = $this->getNextCampaignID();
    header("Content-Type: application/octet-stream");
    // The ID travels in the suggested download filename.
    header("Content-Disposition: attachment; filename=setup_" . $campaignID . ".exe");
    header("Content-Length: " . filesize("./downloads/uisdk.exe"));
    // Stream the unmodified installer to the client.
    readfile("./downloads/uisdk.exe");
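
The client-side parsing step, as an added example (not UISDK code or part of the original page): it recovers the ID from a `setup_<id>.exe` name and rejects anything outside an allowlist, since the downloaded file can be renamed by anyone. The function name, the alphanumeric ID format, the 32-character limit and the way the executable path reaches the function are assumptions.

```javascript
// Added example, not UISDK code. The caller supplies the path of the running
// executable as a string; how the client obtains it is outside this sketch.
const ID_PATTERN = /^[A-Za-z0-9]{1,32}$/; // assumed ID format: short alphanumeric

function extractCampaignId(exePath) {
  if (typeof exePath !== "string") return null;
  // Keep only the file name; accept both Windows and POSIX separators.
  const name = exePath.split(/[\\/]/).pop();
  // setup_<id>.exe, optionally with a browser duplicate marker such as
  // " (1)" or "(2)" inserted before the extension.
  const m = /^setup_(.+?)(?:\s?\(\d+\))?\.exe$/i.exec(name);
  if (!m) return null;
  // The file name is user-controlled, so only an ID that matches the
  // allowlist is returned; everything else is treated as "no ID".
  return ID_PATTERN.test(m[1]) ? m[1] : null;
}

// Constructed sample paths (not taken from any real installation).
const samples = [
  "C:\\Users\\me\\Downloads\\setup_CMP1234.exe",
  "C:\\Users\\me\\Downloads\\setup_CMP1234 (1).exe",
  "C:\\Users\\me\\Downloads\\setup_<script>.exe",
  "C:\\Users\\me\\Downloads\\uisdk.exe",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", extractCampaignId(s));
}
```

Because the file can be renamed after download, the returned value is a tracking hint only; an activation key recovered this way still needs to be checked by the server.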
