Hadouken is an open-source platform for creating web applications with a native desktop experience. Hadouken is the base project used to build OpenFin OS, a desktop operating layer used by 45+ major banks, buy-side firms and vendors to deploy hundreds of apps to over 400 financial firms.
customData type on DefinitelyTyped changed to any type, as opposed to a string
window.confirm always returned false
At OpenFin, your security is our top priority and we perform continuous security research to ensure the ongoing integrity of OpenFin OS. Recently, we identified a vulnerability that could allow elevated access through a specific error state that can be produced while the OpenFin runtime is loading. In response to this vulnerability, we have produced this patch for our latest stable version of OpenFin 13. As always, we recommend upgrading to the latest versions of OpenFin as they become available. If you have further questions about this vulnerability, we are happy to discuss it in detail with you and your IT security team.
OpenFin is Co-Stable with Chromium!
This is the first Major Version of OpenFin to be co-stable with Chromium. Over the last 3 quarters, our engineering teams have been focused on building out architecture to consume Electron and Chromium builds at a much faster pace. With the completion of this work, we have been able to rapidly deliver OpenFin 11 & 12 (Chromium 69) and OF 13 (Chromium 76) in the last few weeks. Moving forward, our schedule is designed to be co-stable with every other version of Chromium (OF 14 - Chromium 78, OF 15 - Chromium 80, etc.). One should expect those major versions effectively once per quarter and very close to the date that the Chrome team moves the same version to stable.
API security is now enabled by default! OpenFin API security allows Desktop Owners and Application Providers to restrict and/or permit specific API calls that are available to an OpenFin Application. Applications declare these APIs in their manifest to enable or disable features, such as launching an external application or reading the clipboard. While these features can be beneficial, OpenFin understands that Desktop Owners may need to restrict certain APIs from running on a desktop computer. API Security gives the Desktop Owner tools to prevent application developers from using features that an organization deems sensitive. OpenFin 12 and above require Application Providers to declare usage of specific APIs explicitly, in the application manifest file and in child window options. This lets Desktop Owners recognize API intent upfront. If an API is not permitted by the organization, or needs to be enabled for the sake of application functionality, the Desktop Owner can create a Desktop Owner settings file to disable or enable that API. Please see the docs for more info.
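The following is an added illustration, not OpenFin's own implementation, of how a default-deny API permission model like the one described above can be resolved in code: gated APIs start denied, the application manifest may enable what it declares, and a Desktop Owner settings file overrides the manifest in either direction. The permission names (System.launchExternalProcess, System.readClipboard, System.readRegistryValue), the shape of the manifest and settings objects, and the rule that a child window can never hold more than its parent application are assumptions made for this example.

```javascript
// Added example (not OpenFin's code): resolving API permissions with
// default deny, manifest declarations and Desktop Owner overrides.
// Permission names and object shapes below are assumptions.

// Sensitive APIs that are denied unless explicitly enabled (assumed names).
const GATED_APIS = Object.freeze([
  'System.launchExternalProcess',
  'System.readClipboard',
  'System.readRegistryValue',
]);

// Flatten {System: {launchExternalProcess: true}} into a Map of
// 'System.launchExternalProcess' -> boolean. Anything that is not
// literally `true` is treated as a denial.
function flattenPermissions(obj, prefix = '') {
  const out = new Map();
  for (const [key, value] of Object.entries(obj || {})) {
    const name = prefix ? `${prefix}.${key}` : key;
    if (value !== null && typeof value === 'object') {
      for (const [k, v] of flattenPermissions(value, name)) out.set(k, v);
    } else {
      out.set(name, value === true);
    }
  }
  return out;
}

// Effective permissions for an application:
//  1. every gated API starts as denied;
//  2. the application manifest may enable an API it declares;
//  3. the Desktop Owner settings file has the last word: an explicit false
//     revokes a declared API, an explicit true grants one the app did not
//     declare (the "enable for application functionality" case).
function resolveAppPermissions(manifest, ownerSettings) {
  const effective = new Map(GATED_APIS.map((api) => [api, false]));
  const declared = flattenPermissions(manifest.permissions);
  const owner = flattenPermissions(ownerSettings.permissions);
  for (const api of GATED_APIS) {
    if (owner.has(api)) effective.set(api, owner.get(api));
    else if (declared.has(api)) effective.set(api, declared.get(api));
  }
  return effective;
}

// Child windows declare their own usage. Assumption for this example: a
// child window is granted an API only if it declares it AND the parent
// application holds it (least privilege, no escalation via child windows).
function resolveChildPermissions(appEffective, childOptions) {
  const declared = flattenPermissions(childOptions.permissions);
  const effective = new Map();
  for (const [api, allowed] of appEffective) {
    effective.set(api, allowed && declared.get(api) === true);
  }
  return effective;
}

// Call-site guard: unknown or undeclared API names fail closed.
function isAllowed(effective, api) {
  return effective.get(api) === true;
}

// Constructed sample inputs for the demonstration.
const APP_MANIFEST = {
  permissions: { System: { launchExternalProcess: true, readClipboard: true } },
};
const OWNER_SETTINGS = {
  permissions: { System: { launchExternalProcess: false, readRegistryValue: true } },
};
const CHILD_OPTIONS = {
  permissions: { System: { readClipboard: true, launchExternalProcess: true } },
};

function demo() {
  const app = resolveAppPermissions(APP_MANIFEST, OWNER_SETTINGS);
  const child = resolveChildPermissions(app, CHILD_OPTIONS);
  return {
    appLaunch: isAllowed(app, 'System.launchExternalProcess'),     // false: owner revoked it
    appClipboard: isAllowed(app, 'System.readClipboard'),          // true: declared, owner silent
    appRegistry: isAllowed(app, 'System.readRegistryValue'),       // true: owner granted it
    childClipboard: isAllowed(child, 'System.readClipboard'),      // true: declared and parent holds it
    childLaunch: isAllowed(child, 'System.launchExternalProcess'), // false: parent does not hold it
    childRegistry: isAllowed(child, 'System.readRegistryValue'),   // false: child did not declare it
    unknown: isAllowed(app, 'System.doesNotExist'),                // false: unknown names fail closed
  };
}
```

The owner settings are consulted before the manifest so that a Desktop Owner's explicit false cannot be undone by anything the application declares; the unknown-name case falls through to `undefined`, which the guard treats as denied.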
Web Authentication API for Chrome - Adds a third credential type, PublicKeyCredential, allowing web applications to create and use strong, cryptographically attested credentials to authenticate users.
<foreignObject> a stacking context - Allows developers to place HTML content underneath a <foreignObject> without confusion.
Aria 1.1 - Implemented changes of the Accessible Rich Internet Applications (WAI-ARIA) 1.1 spec.
Fetch API - Credentials mode now defaults to "same-origin"
“grab” and “grabbing” values for Cursor Property
Improve Cache Management for Service Worker Scripts - HTTP cache will be ignored when requesting updates to the service worker.
Keyboard Lock - In fullscreen, the API allows apps to receive keys that are normally handled by the system or the browser, such as Cmd/Alt-Tab or Esc.
Page Lifecycle API - Enables system-initiated tab discarding and CPU stopping
Nested Dedicated Workers - allows workers to spawn additional, descendant dedicated workers to distribute tasks without needing time on the main thread.
CSS Updates - Scroll Snap Points, conic-gradient, logical margin, padding and border properties
Cookie Store API - exposes HTTP cookies to service workers and offers an asynchronous alternative to document.cookie.
OffscreenCanvas - new interface that allows canvas rendering contexts (2D and WebGL) to be used in Workers
A full list of the Chromium changes can be found at the following links:
waitForPageLoad:false combined with saveWindowState:true: the window would show briefly in the default location before being restored to the saved window state
Layouts
autoShow set to true and waitForPageLoad set to false
licenseKey is included in the app manifest
options-changed event to window.updateOptions
not-responding and responding events to logging when in diagnostics mode
webSecurity setting not passed to child windows
aspectRatio is set to true
bounds-changing event not fired when aspectRatio flag is set to true
getNativeId was always returning 0 on Mac
will-navigate was not firing correctly
Runtime
Layouts
<textarea> and <select>.
<a download> - To avoid what is essentially user-mediated cross-origin information leakage, Blink will start to ignore the presence of the download attribute on anchor elements with cross-origin attributes.
<data> and <time> elements.
V2 JavaScript API
OpenFin is pleased to introduce its promise-based V2 API, representing a huge improvement over the callback-based V1 API. The classes for the V2 API (such as Window, Application, System, etc.) are directly on the fin object instead of nested in fin.desktop like the V1 API. The V2 API was available for use in OpenFin 9 via a flag; with OpenFin 10 the V2 API is on by default and the JS API docs now reference the V2 API documentation. The V2 API codebase is open-sourced under the Hadouken GitHub organization in a repo called js-adapter.
V1 API Docs are still available here.
window.close in a multi-runtime environment where the success callback was not being invoked when the app was in another runtime
fin.desktop.Frame.getCurrent() returned main frame for an iframe
autofillPopupView
Runtime
Layouts
aspectRatio flag is set to true
aspectRatio is set to true
Notice: OpenFin 9 Security Patch | Zero-Day “Use-After-Free” Vulnerability
OpenFin has addressed the potential Zero-Day "Use-After-Free" vulnerability discovered and fixed by the Chrome team. The vulnerability affects prior versions of Chromium, which are included in prior versions of OpenFin. The fix can be consumed by upgrading your applications to 9.61.38.41.
OpenFin recommends upgrading your applications to use the most recent Stable release, OpenFin Runtime 9.61.38.41. As always recommended, run with the Chromium Sandbox enabled.
Win7 32-bit machines
"Use-After-Free" exploits can be used to compromise a program or process and run arbitrary code. Processes running in the Chrome security sandbox have limited access to an end user's system, which is why running with the sandbox enabled matters even before the patch is applied.
A second vulnerability was discovered in Microsoft Windows allowing a local privilege escalation in the Windows win32k.sys kernel driver that can be used as a security sandbox escape.
When both vulnerabilities are exploited together, untrusted and web-delivered JavaScript can compromise the browser, escape the security sandbox, and access an end user's system unchecked.
The Chrome security team strongly believes the Windows vulnerability only exists on Windows 7. At this time, Windows 7 32-bit is the only environment where active exploitation of both the Chrome and Microsoft Windows vulnerabilities has been observed.
References: Chrome Release Note; Chromium PR (auth required); Google Security Blog; Dangling Pointer.