How to secure my CEF application?

Post by abizeau » Tue Mar 20, 2018 4:35 pm

Hello,

I have been developing a CEF application in the last month, it works like a charm! Thanks a lot.

But now, I have some concerns about the security/protection. Currently, my html/css/js are stored on the disk in a hardcoded folder. The thing is, if the user gets to this path and changes the script, he could modify some behavior of our code and then bypass some features, such as calls to the Web API, login, etc.

So I'm wondering, what is the way to protect my application UI? Should I just put the files online on a server and point directly there instead of file:///? Is that the best way? Can the caching cause another issue with security? Is there anything I can do on the C++ side?

I have searched around, but I didn't find any topics about this. I'm wondering how the big names such as Spotify or Steam are using CEF and protect their UI from editing.

Regards,
Alex

Post by magreenblatt » Tue Mar 20, 2018 5:04 pm


Post by abizeau » Wed Mar 21, 2018 2:26 pm

I read that thread and found a few others about different approaches:

Encrypted html/js
Zip archive

And I'm wondering the following: if I have files on disk (like in a zip, encrypted or any other way), what approach should I favor to load the data when requesting a file (css, html, js, img)?

1.a) Should I use a custom scheme handler where I open the zip/decrypt during ProcessRequest and return the bytes in the response?
or
1.b) Should I use OnBeforeResourceLoad to decrypt and GetResourceHandler to send the information?
And if I take option b), with a zip archive, how can I provide a URL to that resource? file:///blabla/data.zip, how can I get to index.html or any other specific resource?

Because I'm trying to see the pros/cons of using local files (zip, encryption, etc.) vs hosting the files on the web (and maybe disabling caching).

And let's say I don't want to protect everything (like css and images), but only javascript and html. Should I prefer to use a) or b)?

Post by magreenblatt » Wed Mar 21, 2018 2:47 pm

You can use CefResourceManager for zip files (password protected or not). It will load the zip when requested for the first time. Here's an example of the required setup: https://bitbucket.org/chromiumembedded/ ... ?at=master. You would use the AddArchiveProvider method.

Post by abizeau » Wed Mar 21, 2018 2:53 pm

That's the case if I use a zip archive. But for encrypted files?

Should I prefer to use a) or b)?

Post by magreenblatt » Wed Mar 21, 2018 3:05 pm

abizeau wrote: That's the case if I use a zip archive. But for encrypted files?

Should I prefer to use a) or b)?

You can still use CefResourceManager, but with a custom Provider. Model it after the AddArchiveProvider implementation.
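
The lookup step a custom provider for encrypted files has to perform, as an added example that is not CEF's code and not from either poster. `EncryptedStore`, `Decryptor`, `DemoStore` and the `https://app.example/` origin are hypothetical names, and the decryption hook stands in for authenticated decryption from a real crypto library.

```cpp
// Added example, not CEF code: lookup for a custom resource provider.
#include <functional>
#include <map>
#include <optional>
#include <string>
#include <utility>

struct Resource { std::string mime, body; };
// Assumed hook: authenticated decryption (e.g. AES-GCM from a vetted
// library); it must return nullopt when the integrity check fails.
using Decryptor = std::function<std::optional<std::string>(const std::string&)>;

class EncryptedStore {
 public:
  EncryptedStore(std::string origin, std::map<std::string, std::string> blobs,
                 Decryptor decrypt)
      : origin_(std::move(origin)), blobs_(std::move(blobs)),
        decrypt_(std::move(decrypt)) {}
  // nullopt means "do not serve"; the caller fails the request.
  std::optional<Resource> Lookup(const std::string& url) const {
    // origin_ ends in '/', so a look-alike host cannot prefix-match it.
    if (url.compare(0, origin_.size(), origin_) != 0) return std::nullopt;
    std::string name = url.substr(origin_.size());
    name = name.substr(0, name.find_first_of("?#"));  // drop query/fragment
    // Exact-name lookup in a fixed table: no file path is built from the
    // URL, so "../" sequences match nothing.
    auto it = blobs_.find(name);
    if (it == blobs_.end()) return std::nullopt;
    auto plain = decrypt_(it->second);
    if (!plain) return std::nullopt;  // modified on disk: fail closed
    // The table holds only .js and .html, the files the poster wants protected.
    bool js = name.size() > 3 && name.compare(name.size() - 3, 3, ".js") == 0;
    return Resource{js ? "text/javascript" : "text/html", *plain};
  }
 private:
  std::string origin_;
  std::map<std::string, std::string> blobs_;
  Decryptor decrypt_;
};

// Constructed demo data. The "decryptor" only checks a marker so the example
// runs without a crypto library; it is not encryption.
inline EncryptedStore DemoStore() {
  Decryptor fake = [](const std::string& b) -> std::optional<std::string> {
    if (b.rfind("OK:", 0) != 0) return std::nullopt;
    return b.substr(3);
  };
  return EncryptedStore("https://app.example/",
      {{"index.html", "OK:<h1>hi</h1>"}, {"app.js", "XX:edited"}}, fake);
}
```

In a CefResourceManager provider, `OnRequest` would call `Lookup(request->url())` and hand the body to a `CefStreamResourceHandler` through `request->Continue(...)`. A decryption key shipped inside the executable can be extracted by the user, so checks such as login still have to be enforced by the Web API itself.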


Return to Support Forum

Who is online

Users browsing this forum: Google [Bot] and 56 guests