I guess there are two parts to this question, one technical and one best practice for security and doing things "right".

I'm working on a little game using C++ / DirectX but I would like to be able to launch it from a web page by someone clicking on a link on that page.

Ideally I would like the first time they clicked for it to launch an installer that downloads and installs the game on their machine, and then the next time to launch an application which updates the game from a web site if it's old and then launches it.

I have no problems with the expected security popups and questions the first time it runs. I want people to be certain what they are installing and understand what they are doing. But it would be nice if once it is installed they could run it with the minimum of fuss.

My question then is what technologies I could use to do this? I'm thinking that it would need a browser plugin and an ActiveX control so that first time you'd install that, and subsequently the control/plugin would be able to launch the game. I'm not sure that under newer browser security models a plugin would have the permissions to be able to run an installer though, or silently invoke applications on the client machine even if they are already installed. Is there a more sensible way to achieve what I want to achieve?

And I'm worried about the security aspects too. I want this to be convenient for users but I of course want to do it "right".

I know this can be done as I've seen several MMORPG type games that launch in this way from the browser now but it's not entirely clear to me how they've done it.

+1  A: 

You can certainly use an ActiveX control to do your bidding. Just make sure you digitally sign it with a cert/private key issued by a vendor whose root cert is included with the browser to help minimize pop-ups.

I would also sitelock the app to your domain so it can't be repurposed by another domain. http://www.microsoft.com/downloads/details.aspx?FamilyID=43cd7e1e-5719-45c0-88d9-ec9ea7fefbcb&DisplayLang=en

Finally, make sure you have no cross-site scripting bugs in your web site, as this will nullify sitelock.

And if you truly care about security I would use HTTPS rather than HTTP to reduce spoofing threats.

Michael Howard-MSFT
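
The domain check behind the sitelock and HTTPS advice above, as an added example that is not part of the answer and is not the code of the linked Microsoft template. `TrustedSite`, `splitUrl` and `isHostingPageTrusted` are hypothetical names, the domain is a constructed placeholder, and the control is assumed to have already obtained the hosting page's URL from the browser.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// One allow-list entry (hypothetical structure): required scheme and domain.
struct TrustedSite {
    std::string scheme;    // e.g. "https"
    std::string domain;    // e.g. "game.example" (constructed placeholder)
    bool allowSubdomains;
};

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Split "scheme://host[:port]/path" into scheme and host; fail closed otherwise.
static bool splitUrl(const std::string& url, std::string& scheme, std::string& host) {
    const auto sep = url.find("://");
    if (sep == std::string::npos || sep == 0) return false;
    scheme = lower(url.substr(0, sep));
    const auto start = sep + 3;
    const auto end = url.find_first_of("/?#\\", start);
    std::string authority = url.substr(start, end == std::string::npos ? end : end - start);
    // Refuse userinfo such as "https://game.example@other.test/" outright.
    if (authority.empty() || authority.find('@') != std::string::npos) return false;
    host = lower(authority.substr(0, authority.find(':')));
    return !host.empty();
}

// True only if the hosting page's URL matches an allow-list entry.
bool isHostingPageTrusted(const std::string& pageUrl, const std::vector<TrustedSite>& sites) {
    std::string scheme, host;
    if (!splitUrl(pageUrl, scheme, host)) return false;
    for (const auto& s : sites) {
        if (scheme != s.scheme) continue;          // HTTPS-only entries reject HTTP pages
        if (host == s.domain) return true;
        // A subdomain match must fall on a label boundary, so
        // "notgame.example" never matches "game.example".
        const std::string suffix = "." + s.domain;
        if (s.allowSubdomains && host.size() > suffix.size() &&
            host.compare(host.size() - suffix.size(), suffix.size(), suffix) == 0)
            return true;
    }
    return false;
}
```

A control would run this check before exposing any method that launches or installs anything, and refuse to initialize when it returns false.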