0

I am working on a system that has a WPF WebBrowser that is displaying dynamically generated HTML. This contains links to files, using file:///servername/filename.ext addresses.

This should have worked in times gone by when this was first developed, but does not seem to behave now.

What I can see:

  • White click on the generated file in the browser of being an HTML file: File is served from about:blank and in the Internet Zone. Clicking a link does nothing.

What I have done:

  • I have added about:blank to the Trusted Zone, and have set the security for the Trusted Zone to Low. Clicking a link still does nothing.
  • Created an HTML file and hosted it on my local IIS. Browse to this file in IE. The file contains a link to a file:/// address. Nothing happens on click.
  • Added http://127.0.0.1 to the Trusted Zone. The above test still fails.
  • Changed the generated HTML to be a link to http://www.google.com. This works.

What I think is happening:

  • The WPF WebBrowser is IE underneath. Did IE have a security update that stopped access to file:/// paths?

What I cannot do due to technical restrictions with deployment:

  • Have the generated HTML and the files linked to served by a web server so everything is within an http(s) environment.

What I can do:

  • Update browser settings
  • Update our code

Update - additional information:

  • The HTML is being displayed on the WPF by binding to a string that contains the HTML (effectively <html><body>Look! Stuff!<br /><a href="file:///foo/whatever.txt">Whatever</a></html>)
  • file:///foo/whatever.txt exists and I have access to it
  • That file is generated by a process on a server and the client is generating the link to the file. This is a historic design, I didn't come up with it, I'm just maintaining it. I can't do massive code overhauls.
  • I cannot install any additional services anywhere
Paul Evans
  • 21
  • 5
  • Has server been to require HTTPS (secure) rather than HTTP (not secure)? – jdweng Jan 20 '22 at 13:52
  • 1
    In the usual use case, rather than my testing, there is no HTTP server. The HTML is provided thus: `` (The view model then does stuff to generate raw HTML to send in via Content) – Paul Evans Jan 20 '22 at 13:55
  • 1
    You have a virtual connection (loopback 127.0.0.1) with a client and server that has to communicate over http. The html is just the format of the data that gets transferred across a connection. – jdweng Jan 20 '22 at 13:59
  • 1
    I have the 127.0.0.1 connection on my dev machine - the clients do not have that. What I am doing in the viewmodel is saying "Hey, display this html code that I am giving you" - no server involved – Paul Evans Jan 20 '22 at 14:09
  • "file://" is equivalent to "http://". To use "file://" the client has to have access to the folder. Check with a FileExplorer and see if user has access to the folder. You can also do same with Notepad just to make sure the file can be opened. For file to work on windows machine the folder has to be shared. So with a FileExplorer you would see the file by typing \\machine_name – jdweng Jan 20 '22 at 14:21
  • Ok - I see where you are coming from, but there's a missing piece of the puzzle here. The initial HTML is coming in as a raw string. I link to a file:// and it does _nothing_ when I click. It disregards the click. If I could not access the file, I would get file not found, or some hint that navigation was happening. I do not get that. – Paul Evans Jan 20 '22 at 14:27

2 Answers2

0

All Browsers have updated to prevent interesting stuff happening on local HTML files. Because you could do interesting stuff in the past it meant interesting exploits could be utilized too.

I've had a recent issue where I created a HTML in code and wanted to display it in CEFSharp (much better than WebBrowser by the way) with a link to CSS and JavaScript Files.

How I fixed it was to run a LocalHost and did this using this code which works really well: An HTTP file server (130 lines of code) in VB.Net

For testing your HTML outside of code you could run this batch file to start your LocalHost:

ECHO OFF
ECHO "Launching Localhost:8080"
py -3 -m http.server
ECHO "Loading HTML.."
start chrome localhost:8000

This batch file assumes you have Python 3+ installed. You can verify this in the Command Prompt with:

python --version
  • Yeah, the problem is that I want to do exciting things with the local files. We do use CEF Sharp in other bits of this, but the scope of the work I am doing probably doesn't extend to "Change the browser in the section" (It is a large system that's been developed over a long time, so we have a few places where the same problem is fixed in different ways) I do not have python on this machine. I cannot create local HTTP servers - this is a hard limit. – Paul Evans Jan 20 '22 at 14:14
  • And as well as creating a local HTTP server, that would need the file server that is being linked to to have the files on an HTTP server as well. Since I can link from the generated HTML to an HTTP server, I can skip the local HTTP server step. – Paul Evans Jan 20 '22 at 14:19
  • I see your predicament @PaulEvans. I don't know where to go from there to be honest but I'll be keeping track of this for future reference and I'll keep the grey matter ticking over –  Jan 20 '22 at 14:36
  • Thanks for the suggestions, it's given me other options to think about - it was certainly easier in the Wild West days of the internet when you could just make things happen. This must still be working on our client machines, or we'd have heard about it, which is making me think there's some setting, or my machine is new enough to have the defaults set to something more secure. I did try the test on my IIS setup in Chrome, and that also forbids the http:// to file :// jump, so I'm not sure if switching to CEFSharp would fix this or just give the same issue – Paul Evans Jan 20 '22 at 14:40
  • Does this work? https://developer.mozilla.org/en-US/docs/Web/API/URL/createObjectURL?force_isolation=true – jdweng Jan 20 '22 at 15:04
0

I've solved this by cheating a little.

I've got the VM to write the HTML out to a file, and then pass the file name to the browser in the view. This means that I am displaying the created content from file:////foo.htm, and that is fine for links to file:///server/bar

Paul Evans
  • 21
  • 5
  • As it’s currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Jan 25 '22 at 22:05
  • Bad bot. 15characters – Paul Evans Jan 26 '22 at 13:17