0

What I want to do seems simple, but I cannot find any reference. I just want to make my Twebbrowser (or any embedded browser or suitable component - for the sake of argument I just use Twebbrowser as an indicator of whatever component I need - the unknown unknowns) the default. The scenario is that when I try to access Dropbox it pops a webpage with the userID/Password, it then pops a webpage with an allow button.

I simply want these webpages to appear in my Twebbrowser and NOT to display an instance of the user default browser (ie. chrome in my case). When I have addressed the two pages I simply want to set the default browser back to whatever it was. Seems simple, but I have no idea how to achieve this. To recap:

  1. I try to access dropbox through a DLL call
  2. If my credentials are saved from the previous session the system just progresses
  3. If my credentials are not saved then Dropbox pops a login webpage (which I want in my Twebbrowser NOT in the user default browser)
  4. I login and dropbox pops an 'allow access' page (again which I want in my twebbrowser NOT in the user default browser)
  5. When I am logged in and allowed to access dropbox I want to re-enable the user's default browser

The point is I am not supplying URLs to the Twebbrowser component, the system is generating the activity quite outside my control and based on whether or not specific conditions are met (and I have no way of knowing whether these have been met, for example there may be a session ID and Key, but these could have expired). I have searched the web and cannot find anything likely. I am no expert, but I would have thought a property like ...Make this default... would be useful. It is probably something really simple, but I cannot figure it out.

Any help would be appreciated.

Kevin Black
  • 119
  • 1
  • 10
  • 4
    Do not scrape Dropbox that way. Use their own API. Btw,, if you're going to prevent the users from accessing their storage through their installed browser, then you're writing a malware. – TLama Apr 04 '15 at 03:09
  • I had the sense of malware - then it was confirmed when I saw TLama say the same. – Jerry Dodge Apr 04 '15 at 03:22
  • 1
    My DLL uses Dropbox API via REST services. Users have to login and allow access (unless the session keys are stored, see Dropbox). This is done on the initial REST connection, again, no malware. The user then enters their credentials, presses allow access. I simply want this in my Twebbrowser rather than the default browser because it's neater. I'm not preventing users accessing Dropbox through their installed browser, where do you get that and the malware crap from. I'm using Dropbox's published API and authenticating as they require. Please read the post, it seems to me you haven't. – Kevin Black Apr 04 '15 at 07:14
  • 1
    Your proposed solution is the wrong one. You should ask about the problem rather than your misguided solution. – David Heffernan Apr 04 '15 at 07:23
  • I don't understand your comment. Forget dropbox it's irrelevant in the scheme of things, how do I redirect webpages that popup to Twebbrowser? Is that simpler? Stating it's the wrong solution is moderately useless without suggesting the correct one/alternative solution. – Kevin Black Apr 04 '15 at 07:44
  • 1
    Please read your own question again and the SO rules about how to ask. We answer the question you ask and not all other questions you have in mind. You ask us how to solve a problem which should solve another problem. But you are on the wrong way. Go one step back and ask about the initial problem. – Sir Rufo Apr 04 '15 at 08:18
  • Maybe you can get some ideas from here http://delphi.org/2014/07/integrate-cloud-services-with-the-restjson-client/ – Sir Rufo Apr 04 '15 at 08:22
  • And another link that describes why you are on a wrong way [Don't use global state to manage a local problem](http://blogs.msdn.com/b/oldnewthing/archive/2008/12/11/9193695.aspx) – Sir Rufo Apr 04 '15 at 08:30
  • @SirRufo: **Den** Link kenn ich. ;-) – Uli Gerhardt Apr 04 '15 at 08:40
  • @UliGerhardt I know you know :o) – Sir Rufo Apr 04 '15 at 08:45
  • 2
    There cannot be a simple property like "make this default" because controls cannot be default browser, applications can. – Sertac Akyuz Apr 04 '15 at 09:53
  • Like Sertac said, you can only make an application the default browser. The problem is really with the DLL and how it operates. You could use the TMS Cloud controls to access dropbox with the authentication within a TWebbrowser or their default form with a Twebbrowser. – MikeD Apr 04 '15 at 10:32
  • To those with constructive suggestions thank you. Why are you (well some of you) fixating on the throw away line WRT a property. I get it, I only need to be told once in a constructive way. Repeatedly telling me it's not the way to go and pointing me to examples is nugatory (and seems quite condescending). As I said I get it. I do use the REST API and can retrieve results in both comma delimited and JSON format. That's not the issue. As I said forget Dropbox. I just want the popup webpage(s) to popup in my Twebbrowser instead of my default browser. It doesn't matter what's in the browser. – Kevin Black Apr 04 '15 at 10:47
  • @TLama `Use their own API` - on the desktop, authenticating by other means than a browser form is not supported – mjn Apr 04 '15 at 12:37
  • Again, an attempt to override/intercept a secure authentication method to capture username/password through your own browser rather than the browser of the user's choice is screaming out "Malware". I don't understand the end goal of such a thing other than to capture the username and password. – Jerry Dodge Apr 04 '15 at 12:47
  • The core question can be rephrased to "my application (or its users) work with a web service which requires browser-based authentication, such as OAuth - I want to embed the logon form in the application, how can I do this with TWebBrowser or other embeddable browsers?". – mjn Apr 04 '15 at 12:49
  • @JerryDodge embedding the web browser is not intercepting anything, HTTPS communication does not go through the Delphi app (like with a proxy). It is still Internet Explorer. I doubt that Delphi can read the password form the login form. – mjn Apr 04 '15 at 13:06
  • @mjn Indeed, but the form it's embedded on can capture keystrokes... – Jerry Dodge Apr 04 '15 at 13:09
  • @JerryDodge such a huge security hole would not remain unnoticed. Have you actually seen (or written) a password sniffer example application for the embedded browser control? – mjn Apr 04 '15 at 13:14
  • @mjn Actually I just whipped one up in about 10 minutes using a TWebBrowser and a global keyboard hook... It's not the browser that matters, it's the application the browser's embedded in. – Jerry Dodge Apr 04 '15 at 13:38
  • @mjn: actually you CAN read a password field in an embedded browser [and we already had this discussion](http://stackoverflow.com/a/13970551/800214) :) – whosrdaddy Apr 04 '15 at 13:45
  • @whosrdaddy good point :) the same security hole for embedded and external IE if it is true what kobik wrote in the comment: `I can defenetlly access foreign IE DOM from my own application, by the window handle` – mjn Apr 04 '15 at 17:08
  • Telling you that you've asked the question the wrong way, and that your proposed solution is not good, is constructive. But it requires you to have an open mind. Which you seem not to have demonstrated yet. – David Heffernan Apr 05 '15 at 09:24
  • Possibly, I just don't need to be told 50 times..... – Kevin Black Apr 08 '15 at 05:10

1 Answers1

1

You have two options:

  • make your application the default browser
  • modify the Dropbox client so it uses your application instead of the default browser

The first one will have a short life time, because browsers can check if they are still the default browser. If the user launches their regular browser, it can bring up a message saying that they are no longer the default, and ask the user for permission to change this. And theny your application will no longer be the default.

The second one obviously is a very bad idea because to do so, your application would have to modify the Dropbox client application.

Note that the first sentence in the related Dropbox documentation says:

Never handle user login and password information.

Core API best practices, section one: User authorization

Addition: note that the Dropbox authentication uses the default browser for a reason: the browser not only displays a login form, it also allows the user to see the TLS (transport layer security, also known as SSL) certificate. Does TWebbbrowser give direct access to this information, so that the user can be sure your application does not capture and misuse the entered credentials?

mjn
  • 36,362
  • 28
  • 176
  • 378
  • Thanks. Modifying the dropbox client is not an option obviously. As far as the lifespan of what is the default browser, that's not an issue, I need to be the default browser for perhaps 30 seconds. Whether or not certificate validation is an option within Twebbrowser or some other combination of components I don't know. I will need to review and work out how to proceed. Thank you for the constructive advice. – Kevin Black Apr 04 '15 at 11:48
  • TMS Cloudpack does it exactly as required using their TMSAdvDropbox component. – Kevin Black Apr 08 '15 at 05:08