Recent changes to SecurityConsiderationshttps://sourceforge.net/p/uisdk/wiki/SecurityConsiderations/Recent changes to SecurityConsiderationsenTue, 16 Jul 2013 23:22:54 -0000SecurityConsiderations modified by <REDACTED>https://sourceforge.net/p/uisdk/wiki/SecurityConsiderations/<div class="markdown_content"><h2 id="security-considerations">Security Considerations</h2> <p>Microsoft has spent many years working to make Internet Explorer a safe browser. As hacker find new vulnerabilities it becomes a never-ending challenge.</p> <p>While the UISDK can be used as an advanced browser, we strongly recommend against this: sites could, in theory, hold scripts that exploit the UISDK and gain access to the very windows API services that Microsoft has worked so hard to block.</p> <p>Instead, use the UISDK to load trusted scripts only -- either scripts packaged and installed alongside the UISDK, or scripts hosted on your own <b>secure</b> web servers.<br /> </p> <p>For maximum security:</p> <ul> <li>Always turn off the browser bar within the application window.</li> <li>Disable the context menu so that users cannot "view source".</li> <li>Install all UISDK scripts and documents locally, unless the UISDK is being used as an install wizard.</li> <li>If being used as an install wizard, the starting URL in the exe resources.</li> <li>Set up the Safe DNS resource file to ensure only your URLs can be reached.</li> <li>Set up your own encryption key within the exe resources.</li> <li>Prevent access to the context menu.</li> <li>Encrypt your scripts and documents with your own key.</li> <li>When you have updated all the exe resources, digitally sign your executable with your own digital signature.</li> </ul> <p>Tracking downloads/installs</p> <p>Tracking Ids, marketing campaign IDs, or activation keys can be "embedded" in your file by:</p> <ul> <li>Sending alternative "download" filename information with the file.</li> <li>Parsing out that information in the client for subsequent operations. </li> <li>This works regardless of browser. see the simplified PHP example below</li> </ul> <pre> $campaignID = $this->getNextCampaignID(); //or get it from the HTTP GET params.. header("Content-Type: application/octet-stream"); header("Content-Disposition: attachment; filename=setup_" . $campaignID . ".exe"); header("Content-Length: " . filesize("./downloads/uisdk.exe")); readfile("./downloads/uisdk.exe"); </pre> </div>Tue, 16 Jul 2013 23:22:54 -0000https://sourceforge.net2789baa427784855cb2663351df08a0ebeaa6f0d