Page 2 of 2

Re: Web Browser from scratch

Posted: Mon Mar 11, 2013 11:56 am
by tappatekie
Falco Girgis wrote:This is an insanely ambitious undertaking... I wish you luck!
tappatekie wrote:I have tried using glOrtho(0,Width,Height,0,0,1); but did'nt work at all as well as a few other things that I found online.
That is how you do it. As qp mentioned, you are setting it up correctly, but then you're loading an identity matrix while still on the GL_PROJECTION matrix, which is basically erasing your glOrtho() call.
Thanks. The OGL code (for web browser) needs a rewrite to be and look cleaner as well as actually working the way I want it to. :)
P.s I don't mean I'm writing my own graphics library like GL, I meant, re-writing the current OpenGL IRenderer object I have in C#.
dandymcgee wrote:You might find this informative/useful: http://www.matrix44.net/cms/notes/openg ... -in-opengl

What you're trying to do is convert view coordinates to world coordinates. Googling something along those lines should give you plenty of information.
Thank you!

Re: Web Browser from scratch

Posted: Thu Mar 21, 2013 7:56 pm
by tappatekie
Little update, I've finished the windows system to work with Linux, Mac and Windows. At the moment, it only supports MS Windows since it's the system i'm most familiar with. At the moment, for other platforms, the code falls back on System.Windows.Forms which Mono has a complete library of so it covers those two other platforms.

I'm now working on a design for the Web Browser itself, it won't be using the default window for the operating system but a completely new window design.

Re: Web Browser from scratch (Update: Linux!)

Posted: Sun Mar 31, 2013 7:57 am
by tappatekie
Now supporting linux :)

Image

Re: Web Browser from scratch Update

Posted: Tue Apr 09, 2013 6:49 am
by tappatekie
Hey guys, quick update on the progress of the web browser. Recently I have been developing an application subsystem for the browser, it will allow you to download any executable file to the hardrive and "install" it as an app for the browser without going through any App Store equivalent system to do so, which in my opinion makes everything more simpler and opens the doors for any developer to develop for the browser platform.

When an application is loading, the browser verifies it and gives it the security permissions assigned by the user, if the app contains a reference to a library that is not either the SDK or mscorlib, it does not load it.
The security permissions are deturmined by whatever the user has put in place. E.G with default permissions and the application writes to "C:/myfile.txt", it emulates the directory so it translates as writing to a file in "webbrowser/apps/[appname]/data/myfile.txt" unless of course the user gives it the permission to do otherwise.

Security? Well, in order for an application to be registered (at runtime everytime the browser starts), your application must ONLY reference to the given SDK library and not referencing to any .Net framework libraries (by using the library overrider I posted here: viewtopic.php?f=6&t=8486). Simply put, it forces you to use only the SDK or libraries/apps that are registered on the browser already.
As well as that limitation, it still allows for exploits such as

Code: Select all

//equivalent of System.IO.File.Delete("veryimportantfile");
typeof(string).Assembly.GetType("System.IO.File").GetMethod("Delete").Invoke(null, new object[] { "veryimportantfile" });
So, to prevent this exploit (as well as using object.GetType()) the browser decompiles every function in your library and looks for the IL op code "ldtoken", "call" and "callvirt", once it comes across these operations, it verifies the return type of each function or the type of object in the operand.
As well as this, the browser also checks your references. It looks for any other references other than the SDK library or the mscorlib library. If you reference to these libraries, it simply won't register.
(Btw when I mean register, I also mean, if verification fails, the browser will not load the assembly.

It's slow I know, but I think it's worth it to give the users the satisfaction that an application they are running with the browser is not performing malicious actions on your computer in the background.


If anyone knows any possible ways around this, please say.
Also, writing and reading to memory to hack the registration process is completely out of the question since it limits of [DllImport("")] or whatever the equivalent is for that language so it stops you from accessing the kernel functions WriteMemory and ReadMemory

Re: Web Browser from scratch Update

Posted: Tue Apr 09, 2013 9:44 am
by dandymcgee
tappatekie wrote:E.G with default permissions and the application writes to "C:/myfile.txt", it emulates the directory so it translates as writing to a file in "webbrowser/apps/[appname]/data/myfile.txt" unless of course the user gives it the permission to do otherwise.
What if the application writes to "C:/../../../../../../Windows/notepad.exe"?

Re: Web Browser from scratch Update

Posted: Tue Apr 09, 2013 9:48 am
by tappatekie
dandymcgee wrote:
tappatekie wrote:E.G with default permissions and the application writes to "C:/myfile.txt", it emulates the directory so it translates as writing to a file in "webbrowser/apps/[appname]/data/myfile.txt" unless of course the user gives it the permission to do otherwise.
What if the application writes to "C:/../../../../../../Windows/notepad.exe"?
I'm aware people can do ../../../ or .../ but that won't work because of a very simple fix:

Code: Select all

//absolute path of were the applications virtual drive is
string appPath = new DirectoryInfo("./apps/appname/data").FullName;
//the absolute path of the path in question
string absolutePath = new FileInfo(path).FullName;
//the absolute path in question must start with the absolute path of the virtual drive.
if(!absolutePath.ToLower().StartsWith(appPath.ToLower()) { 
    //it's invalid! so trim all "../" until we hit a alphabetical/numerical character so "../../hack" becomes "hack"
}
But the C:/../ is an easy one, it gets the absolute path you originally passed so it becomes C:/Windows/notepad.exe (since C:/../ links to the same directory before because it can't go back). Then it converts this to webbrowser/apps/[appname]/data/Windows/explorer.exe. Where C:/ is the virtual root directory from the browser :) if this file doesn't exist, it's the programmers fault that the app crashes (not the browser and if you don't have an exception handler)
However, if you do the same with D:/ E:/ etc... it will throw since the browser won't be able to get a relative directory from it and a legitimate program will not require this anyway. (I'm actually thinking about creating virtual drives to rectify this error)

As I pointed out, I control everything the user passes to system functions. There is no way anyone can exploit it since the browser forces you to have functions that call the SDK and nothing else. (at the IL level)
Edit: ^^ no one can exploit, that i'm aware of. But it's pretty hard to get around it

To put it simply, I'm emulating the C drive...

Re: Web Browser from scratch

Posted: Fri Apr 12, 2013 11:28 pm
by MarauderIIC
./apps/appname/data/../../../ would still work.

Re: Web Browser from scratch

Posted: Sat Apr 13, 2013 6:11 pm
by tappatekie
MarauderIIC wrote:./apps/appname/data/../../../ would still work.
Would'nt ;) I've just tried it and it doesn't work :)
It just assumes ur accessing "./apps/appname/data/apps/appname/data" :)