views:

453

answers:

12

We're developing a site that will only run on the intranet, and computers with access to this intranet will have this executable installed. We can't have any "Would you like to open [filename].exe?" prompts. Click a link and the program begins running.

I realize that giving websites the ability to run executables on the client machine is very, very bad, but management refuses to budge on this.

Machines will have Windows (XP or up) with Firefox 3.

A: 

The only way I could possibly imagine this working is through some sort of ActiveX control which would run your executable, but I don't know how feasible that is with Firefox.

This should be one of those things where -you- should be refusing to budge on it, not management.

TheTXI
It's like my boss says, "I don't pay you to do it, I pay you to do it MY way".
Grant
@Grant: If your boss insists on paying you to do something completely wrong which -will- end up biting him and the company in the rear and not listening to the input of a knowledgeable dev, than you you should consider working someplace where your opinion is more highly regarded.
TheTXI
A: 

I don't even know if that is possible. As mentioned above maybe using an ActiveX control, but then you are going to have problems with browser support and people's security settings. Not to mention the moral implications of you hijacking someone's PC.

Jeremy Reagan
A: 

I recommend you take a look at Adobe Flex / Air, it is designed with this model in mind and the inherent security barn door that it opens.

Simon
A: 

Reminds me of the "when people ask for security holes as features" series Raymond Chen wrote about.

Stefan
A: 

I agree with the rest, I'm pretty sure you can't do this anymore (and especially in Firefox). This is how many of the spyware/adware programs got installed back in the day. You will have to take a stand and just tell management that its impossible.

A: 

An active X control is the easiest way. There is a plugin for firefox that allows you to host active X controls. Or you could just write an NS Plugin to handle this.

CShipley
A: 

This is an old article about web deployment of executables. I know this is possible using Internet Explorer (because of our fragmented development team we still have to support some of this). I don't know about the firefox implications.

Jason Punyon
+1  A: 

Try this java script

function executeCommands(inputparms) { // Instantiate the Shell object and invoke its execute method.

var oShell = new ActiveXObject("Shell.Application");

var commandtoRun = "c:\windows\Notepad.exe";

// Invoke the execute method. oShell.ShellExecute(commandtoRun, commandParms, "", "open", "1"); }

you will have to set the browser security settings accordingly and this would work only in IE.

Rutesh Makhijani
+9  A: 

We're developing a site that will only run on the intranet, and computers with access to this intranet will have this executable installed.

Does this mean the EXE is already installed on the desktop? You just want to launch it from the website?

If so, you can associate the EXE with a MIME Content Type and when the user clicks it, it will launch.

Pick a Content Type and a file extension, for your EXE name, for instance:

CauseChaos.exe
Associated with .chaos file extenstion
Content Type will be: application/chaos

Associate the file extension with your EXE via the EXE install. I show it here, using InnoSetup

[Registry]
Root: HKCR; Subkey: .chaos; ValueType: string; ValueData: CauseChaos; Flags: uninsdeletekey
Root: HKCR; Subkey: CauseChaos; ValueType: string; ValueData: CauseChaos Tool; Flags: uninsdeletekey 
Root: HKCR; Subkey: CauseChaos\DefaultIcon; ValueType: string; ValueData: {app}\CauseChaos.exe,0; Flags: uninsdeletekey
Root: HKCR; Subkey: CauseChaos\shell\open\command; ValueType: string; ValueData: "{app}\CauseChaos.exe ""%1"""; Flags: uninsdeletekey

Associate the MIME content type with the file extension, through the EXE install.

[Registry] (continued...)
Root: HKCR; Subkey: HKCR\Mime\Database\Content Type\application/chaos; ValueType: string; ValueName: Extension; ValueData: .chaos; Flags: uninsdeletevalue
Jason
Any ideas on how I can add MIME types to Firefox? I see that I can edit a currently existing list of MIME types but I haven't found how to add new ones.
Tinister
I added a little bit more, hopefully answers your question.
Jason
Okay so I created a CauseChaos.exe that just launches a new process (Notepad) and exits. I created the InnoSetup script like above. It works with an empty foo.chaos file. Then I create a webpage that changes the response's content type to "application/chaos" and nothing happens. What am I missing?
Tinister
If you double click on foo.chaos, your application launches? If so, you got the second step right... and it sounds like your webpage is not correct.
Jason
Got it, had the add the MIME type to IIS as well. Thanks.
Tinister
A: 

Using a "file:///c:/Program Files/myprogs/myprog.exe" URL in the link used to work for IE. But, I have not tried this in a long time.

I would recommend the MIME type method above or adding a special URI prefix "chaos://myparams" that is handled by that executable.

Chris Nava
A: 

Been there done that. MIME types (accepted answer at the moment I add this) requires a lot of configuring on client and server.This is quite a bit of work, and you end up with temporary files etc.

Our solution was to add our own "Custom URL Protocol Handler". Basically, add URL type x-our-intranet and make your corporate app the URL handler for it. Now any link will start your corporate app, passing "x-our-intrenet:foo" as a command-line argument. All it takes is a client-side registry entry, similar to the MIME types.

MSalters
A: 

I understand completely what you are wanting. All I read on the internet is people mentioning this is a big security breach etc... However, I dont guess they understand why you would want this implemented and I will explain why I need this and am working on a solution to this problem and am getting very close.

I have many different user applications, ex. Call Center, etc... I am currently working on a lockdown desktop that runs in Kiosk mode. All the user will see is a blue screen with some computer information and an IE icon. My goal is to run the Microsoft Office, and some internal Client/Server apps from this page. It works perfectly fine as everything is still there just my users cannot see it. However, I'm having the same issues as you. My network is very secure utilizing MPLS, internal and external managed Routers, Firewalls/ASA's, and plenty of security professionals. Plus, this is strictly INTERNAL only. So, in my opinion its perfectly ok. So, if I come up with some sort of workaround solution for this I will post it.