
the BrowserExecScript action

Posted: Thu Jan 01, 2015 3:02 pm
by fkapnist
I am using a JavaScript in the BrowserExecScript action of a WebBrowser object. It calls a NeoBook GoSub routine that reads and writes to an INI file. But I get a blocking warning unless I switch off the Enhanced Security checkbox. What are the security risks? Can't NeoBook differentiate between an external JavaScript and one that is embedded in the PUB? Does it do the same with VBasic ExecScripts?


Re: the BrowserExecScript action

Posted: Fri Jan 02, 2015 12:01 pm
by Neosoft Support
The only security issue is if the browser object will be visiting websites that are not under your control. If the website had an embedded NeoBook action that did something mischievous (like erase files, etc.). I haven't heard of this happening anywhere, but it is theoretically possible.

From the help file:

When the Enhanced Security option is enabled, NeoBook will not allow potentially dangerous Actions embedded within HTML hyperlinks to be executed. (See Embedding NeoBook Actions Inside an HTML Document.) Prohibited Actions include: Run, ExecuteAddOn, FileCopy, FileDelLine, FileErase, FileInsLine, FileRead, FileWrite, SendKeys, SaveVariables, CreateFolder, RemoveFolder, RegistryRead, RegistryWrite, SendMail, ExtractFile, Suspend, RunNeoBook, ClickMouse and all plug-in based Actions. Disable the Enhanced Security option if you wish to allow the above Actions to be executed. However, if this Web Browser object will have unrestricted access to the Internet, it is highly recommended that you leave the Enhanced Security option enabled.

Re: the BrowserExecScript action

Posted: Sat Jan 03, 2015 8:40 am
by fkapnist
> The only security issue is if the browser object will be visiting websites that are not under your control. If the website had an embedded NeoBook action that did something mischievous (like erase files, etc.). I haven't heard of this happening anywhere, but it is theoretically possible.


There are only three special external methods:

nbSetVar
nbGetVar
nbExecAction


Anyone who knows them can try a brute force attack with various script combinations. However, if the pub author had the ability to rename them with unique IDs, we could have reasonable security without blocking our own scripts.

Just a thought....


Re: the BrowserExecScript action

Posted: Mon Jan 05, 2015 11:48 am
by Neosoft Support
> Anyone who knows them can try a brute force attack with various script combinations. However, if the pub author had the ability to rename them with unique IDs, we could have reasonable security without blocking our own scripts.


That's an interesting idea. We'll have to give that some thought.
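
As an added illustration of the question raised in this thread (telling a publication's own embedded script apart from script on an outside website), the sketch below gates the help file's prohibited actions on where the calling page was loaded from. It is not NeoBook code and not how Enhanced Security is implemented; the action-string format, the trusted URL prefix and the plug-in action name are assumptions.

```javascript
// Added illustration; not NeoBook code. Models a host-side gate for actions
// requested by page script, keyed on where the page was loaded from.

// Action names copied from the help-file excerpt quoted in this thread,
// lowercased so a change of letter case cannot bypass the check.
const PROHIBITED = new Set([
  "Run", "ExecuteAddOn", "FileCopy", "FileDelLine", "FileErase", "FileInsLine",
  "FileRead", "FileWrite", "SendKeys", "SaveVariables", "CreateFolder",
  "RemoveFolder", "RegistryRead", "RegistryWrite", "SendMail", "ExtractFile",
  "Suspend", "RunNeoBook", "ClickMouse",
].map((n) => n.toLowerCase()));

// Constructed sample policy: the prefix and plug-in action name are hypothetical.
const SAMPLE_POLICY = {
  trustedPrefixes: ["file:///C:/MyPub/"],       // must end with "/"
  pluginActions: new Set(["examplepluginact"]), // lowercased plug-in action names
};

function isTrustedDocument(docUrl, trustedPrefixes) {
  let parsed;
  try { parsed = new URL(docUrl); } catch { return false; } // unparsable: untrusted
  // Compare the normalized URL so ".." segments cannot slip past the prefix.
  return trustedPrefixes.some((p) => parsed.href.startsWith(p));
}

// Assumption: an action string starts with the action name, then its parameters.
function decide(actionText, docUrl, policy) {
  const m = /^\s*([A-Za-z_]\w*)/.exec(actionText);
  if (!m) return { allow: false, reason: "unparsable action" };
  const name = m[1].toLowerCase();
  const dangerous = PROHIBITED.has(name) || policy.pluginActions.has(name);
  if (!dangerous) return { allow: true, reason: "action not on prohibited list" };
  if (isTrustedDocument(docUrl, policy.trustedPrefixes)) {
    return { allow: true, reason: "dangerous action from trusted document" };
  }
  return { allow: false, reason: "dangerous action from untrusted document" };
}

// Constructed requests: the same action from an embedded page and an outside site.
const ini = 'FileWrite "settings.ini" "1" "value"';
console.log(decide(ini, "file:///C:/MyPub/index.html", SAMPLE_POLICY));
console.log(decide(ini, "https://example.test/page.html", SAMPLE_POLICY));
```
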