Hi,
I am looking for a system to make the use of WebCore applications safe and try not to give users and competitors the possibility of being able to analyze and use data and services (xdata) fraudulently when using the browser.
There should be some functionality blocked in the browser to ensure greater security.
I'm thinking of using an FMX client, to be distributed only to authorized users and therefore with protections on the Desktop; this client should have a TTMSFNCWebBrowser component for using the web application, also using the bridge with JavaScript to allow local functionality (prints and scans).
The question is therefore: is it possible to block features such as the browser developer tool or the inspection of page content in TTMSFNCWebBrowser?
If this were possible, with the addition of the HTTPS channel, the user could not do harm and security would be increased.
Anyone have experience on this?
(Problems that we didn't have with the VCL, of course...)
You can disable the console with:
TMSFNCWebBrowser1.EnableShowDebugConsole := False;
Hi Pieter,
thanks, but with F12 I see DevTools...
Did you put the code in the OnInitialized event? The browser is only available if that event was triggered. It's a bit confusing, but the browser initialization is asynchronous.
In fact, now in the OnInitialized event it works.
Good starting point :-)
But, attention, if I open a link in a new window then in that window all is again visible (F12, inspect, etc.). Please try with the TMS site, click on "Tms Training Days".
Is there a way for this?
Thanks
It should be possible to capture the window with the OnNewWindowRequested event (it's protected in TTMSFNCWebBrowser). If you are targeting Windows only, you can use TTMSFNCEdgeWebBrowser, where this is published. You can open the link in the browser itself instead of a new window, or block the window with Params.Handled := True;
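type
  // Accessor class: exposes the protected OnNewWindowRequested event of TTMSFNCWebBrowser
  TTMSFNCWebBrowserOpen = class(TTMSFNCWebBrowser);

// DoNewWindowRequested must also be declared as a method of TForm1
procedure TForm1.DoNewWindowRequested(Sender: TObject;
  var Params: TTMSFNCWebBrowserNewWindowRequestedParams);
begin
  // Mark the request as handled so that no new window is opened
  Params.Handled := True;
end;

procedure TForm1.FormCreate(Sender: TObject);
begin
  TTMSFNCWebBrowserOpen(TMSFNCWebBrowser1).OnNewWindowRequested := DoNewWindowRequested;
end;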
Okay, Pieter, I'll try.
But do the same principles also apply to the WEB version?
(I can't find the WEB component, does it have to be installed separately?).
Thank you!
It works,
I want to create a protected client for some projects where security is important, and which can interact with the web application also for direct printing and document scanning, without having to upload/download files by users (using a small XData server in localhost within the client application itself). I think that with this TTMSFNCWebBrowser (multi-platform, so also Linux, Android/iOS) and HTTPS there should be a certain degree of protection from snoops.
Or is it a useless job? Is there any advice on this?
Thank you
Hi,
WEB does not have a separate browser component, because you are inside a WEB environment so technically it's not required to have a TTMSFNCWebBrowser. We have a wrapper around the controls but it's a DIV with some dynamic JavaScript execution.
It's unclear. You can disable a lot of interaction functionality such as the context menu, keyboard hotkeys and the developer console, but the APIs are based on Microsoft Edge, so eventually you are tied to Microsoft and the WebView2 API in terms of security. The same applies to Android, Linux and iOS; they all use a native embedded web browser. TTMSFNCWebBrowser is basically a shell exposing certain functionality. We know that embedded browsers are not accepted by some cloud services such as Google for OAuth. They either write their own SDK or you need to redirect to a browser application running on your operating system.
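
The localhost helper for printing and scanning mentioned earlier in this thread is reachable by every browser and process on the machine, not only by the embedded client, so it needs its own request check. The following is an added example, not code from the thread or from TMS: it shows the logic in Python rather than Delphi, and the port, the web application origin and the per-launch token handed to the page over the JavaScript bridge are all assumptions.

```python
import hmac
import secrets

# Assumptions, not from the thread: the helper's port and the web app's origin.
HELPER_PORT = 8765
APP_ORIGIN = "https://app.example.test"
ALLOWED_HOSTS = {f"{h}:{HELPER_PORT}" for h in ("127.0.0.1", "localhost", "[::1]")}


def new_launch_token():
    """Per-launch secret the desktop client would hand to the page over the JavaScript bridge."""
    return secrets.token_urlsafe(32)


def check_request(headers, peer_ip, launch_token):
    """Return (allowed, reason) for one HTTP request to the local print/scan helper."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    # Bind to loopback, and still verify the peer in case the bind address changes.
    if peer_ip not in ("127.0.0.1", "::1"):
        return False, "peer is not loopback"
    # A page that rebinds its own hostname to 127.0.0.1 still sends that hostname in Host.
    if h.get("host", "").lower() not in ALLOWED_HOSTS:
        return False, "unexpected Host header"
    # Any site open in any local browser can call localhost; accept only the app's origin.
    if h.get("origin") != APP_ORIGIN:
        return False, "unexpected Origin"
    # Other local processes can set any header, so also require the per-launch secret.
    scheme, _, presented = h.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not hmac.compare_digest(
            presented.encode(), launch_token.encode()):
        return False, "missing or wrong token"
    return True, "ok"


def demo():
    """Run constructed sample requests through the check and return each reason."""
    token = new_launch_token()
    good = {"Host": "127.0.0.1:8765", "Origin": APP_ORIGIN,
            "Authorization": "Bearer " + token}
    cases = {
        "embedded app": (good, "127.0.0.1"),
        "other site in a browser": ({**good, "Origin": "https://other.example.test"}, "127.0.0.1"),
        "rebinding hostname": ({**good, "Host": "rebind.example.test:8765"}, "127.0.0.1"),
        "local process, no token": ({"Host": "localhost:8765", "Origin": APP_ORIGIN}, "127.0.0.1"),
        "remote peer": (good, "192.0.2.10"),
    }
    return {name: check_request(hdrs, ip, token)[1] for name, (hdrs, ip) in cases.items()}
```
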