HadoukenIO Core Versions Save

New Features

• Added window.center API to programmatically move a window to the center of the current screen

Enhancements

• Improved application startup stability when launching consecutive applications in conjunction with the Layouts service
• Improved Scaling support for additional custom settings
• Updated customData type on DefinitelyTyped to be any type, as opposed to a string

Resolved Issues

• Resolved issues where a mini window could appear after a sequence of Maximize -> Minimize -> Maximize -> Restore
• Resolved issue with page content not displaying after a window is restored from minimized state
• Resolved issues relating to disabled frames and incorrect number of requestors
• Resolved issue with duplicate UUIDs on application startup
• Resolved issue with page content not displaying after a window is restored from minimized state
• Resolved issue where a click on a frameless window did not work on Mac
• Resolved issue where window.confirm always returned false
• Resolved some issues related to iframes and the v2 API
• Resolved issue where clearing the cache on startup could lead to Uncaught js exception in main process errors.
• Resolved issue where Channel onDisconnection from the provider (on client disconnection) was not working multi-runtime.
• Resolved issue where bounds-changed and bounds-changing events did not include scaled bounds.

Known Issues

Enhancements

• Runtime upgrade to support Layouts 1.1.0

Resolved

• Resolved issue with page content not displaying after a window is restored from minimized state

At OpenFin, your security is our top priority and we perform continuous security research to ensure the ongoing integrity of OpenFin OS. Recently, we identified a vulnerability that can allow elevated access via a specific error state that can be produced as the OpenFin runtime is loading. In response to this vulnerability, we have produced this patch for our latest stable version of OpenFin 13. As always, we recommend upgrading to the latest versions of OpenFin as they become available. ​ If you have further questions about this vulnerability, we are happy to discuss it in detail with you and your IT security team.

OpenFin 13

OpenFin is Co-Stable with Chromium!
This is the first Major Version of OpenFin to be co-stable with Chromium. Over the last 3 quarters, our engineering teams have been focused on building out architecture to consume Electron and Chromium builds at a much faster pace. With the completion of this work, we have been able to rapidly deliver OpenFin 11 & 12 (Chromium 69) and OF 13 (Chromium 76) in the last few weeks. Moving forward, our schedule is designed to be co-stable with every other version of Chromium (OF 14 - Chromium 78, OF 15 - Chromium 80, etc.). One should expect those major versions effectively once per quarter and very close to the date that the Chrome team moves the same version to stable.

Chromium Enhancements

• AV1 Decoder - a next generation codec developed by the Alliance for Open Media -- improves compression efficiency by 30%
• TLS 1.3 - overhaul of the TLS protocol with a simpler, less error-prone design that improves both efficiency and security
• COLR/CPAL Fonts - are one type of OpenType color fonts. These fonts compose layers of vector outline glyphs and color palette information into the final colored glyph
• WebAssembly Post Message - Extends WebAssembly to support PostMessage of WebAssembly.Module objects to Web Workers. To clarify, this is scoped to just Web Workers (same process, different thread), and not extended to cross-process scenarios (such as cross-origin postMessage, or shared web workers).
• Interoperable File.webkitRelativePath Property - previously returned a value different from other major browsers, now it returns the same value.
• WebRTC Unified Plan SDP - RTCPeerConnections generate and parse SDP according to the standardized format. Exchanging SDP is needed to set up calls in WebRTC. Following the standard is important for cross-browser interoperability.
• Cross-Origin Resource Policy - response header allows http servers to ask the browser to prevent cross-origin or cross-site embedding of the returned resource. It is complementary to the Cross-Origin Read Blocking feature and is especially valuable for resources not covered by CORB (which only protects HTML, XML and JSON).
• CSS Transition Events - The CSS Transitions specification specifies that transition events are sent when a transition is enqueued, starts, ends, or is canceled as transitionrun, transitionstart, transitionend, and transitioncancel respectively.
• WebAssembly Worker Based Threads - The WebAssembly Threads feature allows multiple WebAssembly instances in separate Web Workers to share a single WebAssembly.Memory object. As with SharedArrayBuffers in JavaScript, this allows very fast communication between the Workers. This can be used to offload computation to another thread to keep the main thread and its UI responsive.
• Low latency canvas contexts with desynchronized - The getContext() method now supports a desynchronized option, which provides a low-latency alternative to the now deprecated NaCl/PPAPI solution which used native OpenGL rendering. The new solution uses either 2d or webgl rendering.
• CSS backdrop-filter property - The backdrop-filter CSS property applies one or more filters to the "backdrop" of an element. The "backdrop" basically means all of the painted content that lies behind the element. This allows designers to construct "frosted glass" dialog boxes, video overlays, translucent navigation headers, and more.
• Additional information on the Chromium changes:
  
  • Chromium 76
  • Chromium 75
  • Chromium 74
  • Chromium 73
  • Chromium 72
  • Chromium 71
  • Chromium 70

Known Issues

• Layouts Tabs exhibit non-deterministic behavior

API Security

API security is now enabled by default! OpenFin API security allows Desktop Owners and Application Providers to restrict and/or permit specific API calls that are available for an OpenFin Application. Applications can specify these APIs in their manifest that enable or disable features, such as an external application launch or clipboard reading. While these features can be beneficial, OpenFin understands that Desktop Owners may need to restrict certain APIs from running on a desktop computer. API Security allows this by giving the Desktop Owner tools to prevent application developers from implementing features that may be deemed sensitive to an organization. OpenFin 12 and above will require Application Providers to declare usage of specific APIs in the application manifest file and in child window options explicitly. This assists Desktop Owners to recognize API intent upfront. If an API is not permissible by the organization or needs to be enabled for ease of application functionality, the Desktop Owner can create a Desktop Owner settings file to enable or disable the API. Please see the docs for more info.

Enhancements

• Window aspect ratio is now DPI-aware.
• The following Window APIs will return error “Proposed window bounds violate size constraints for uuid: ABC name: ABC” if size constraints would be violated:
  • setBounds
  • resizeBy
  • resizeTo
• Added Window performance-report event that includes performance report, can be used to measure page load speed, this event is available as the Application and System window-performance-report event as well.
• Channel API Docs improvements
• Experimental support for Native Windows with the ExternalWindow API, this API is experimental and therefore not stable and can change.

Resolved

• Resolved an issue that would cause a renderer crash if a child context was closed during navigation
• Resolved an issue where passing name/UUID to setBounds would lead to API Failures
• Resolved an issue where if re-downloading an open file, the file-download-completed event callback did not fire

Known Issues

• Layouts Tabs exhibit non-deterministic behavior

Chromium Enhancements

• Web Authentication API for Chrome - Adds a third credential type, PublicKeyCredential, allowing web applications to create and use strong, crytpographically attested credentials to authenticate users.

• <foreignObject> a stacking context - Allows developers to place HTML content underneath a <foreignObject> without confusion.

• Aria 1.1 - Implemented changes of the Accessible Rich Internet Applications (WAI-ARIA) 1.1 spec.

• Fetch API - Credentials mode default to “same origin”

• “grab” and “grabbing” values for Cursor Property

• Improve Cache Management for Service Worker Scripts - HTTP cache will be ignored when requesting updates to the service worker.

• Keyboard Lock - In fullscreen, API allows apps to receive keys that are normally handled by the system or the browser like Cmd/Alt-Tab, or Esc.

• Page Lifecycle API - Enables system initiated Tab Discarding and CPU Stopping

• Nested Dedicated Workers - allows workers to spawn additional, descendant dedicated workers to distribute tasks without needing time on the main thread.

• CSS Updates - Scroll Snap Points, conic-gradient, logical margin, padding and border properties

• Cookie Store API - exposes HTTP cookies to service workers and offers an asynchronous alternative to document.cookie.

• OffscreenCanvas - new interface that allows canvas rendering contexts (2D and WebGL) to be used in Workers

• A full list of the Chromium changes can be found at the following links:

  • Chromium 67
  • Chromium 68
  • Chromium 69

Enhancements

• Window movement and resize APIs can now be used to move and/or resize a window without moving or resizing the rest of the group. Docs
• Window navigate, navigateBack and navigateForward methods will provide Chromium net errors on failures
• System.getRuntimeInfo now includes the command line argument used to start the Runtime in a 'args' key value pair

Resolved Issues

• Resolved issue where using waitForPageLoad:false combined with saveWindowState:true the window would show briefly in the default location before being restored to the saveWindowState
• Resolved issue where group merges were not being applied
• Resolved issue with renderer crash when closing child windows
• Resolved issue where event listeners were not working inside preload scripts

Known Issues

Layouts

• Tab groups cannot be undocked when windows are running on different runtime versions
• Docked/Tabbed windows may get stuck behind other windows when running on different runtime versions
• Resizing the top corner of a tab group can cause docked windows to separate
• Cannot resize the top edges of tab groups
• Windows docked with tab groups have limited vertical resizing
• Window resize constraints may be violated when windows are docked
• Window resize constraints may be violated when tabbing and un-tabbing
• Maximizing a docked window or tab group will cause it to become undocked

Enhancements

• Updated default settings for autoShow to true and waitForPageLoad to false
• UUID uniqueness will be enforced in runtimes greater than 10.66.41.18
• Added a warning message to the console when no licenseKey is included in the app manifest
• Added an options-changed event to window.updateOptions
• Application logs are now on by default
• Added additional functions to definitelyTyped
• Added not-responding and responding events to logging when in diagnostics mode
• Added ability to generate Mac installers
• Introduced a RSS feed to listen for Runtime updates on the OpenFin Versions page

Resolved Issues

• Resolved issue where on window creation the wrong name variable was checked
• Resolved issue with session cookies being deleted when devtools closes
• Resolved issue where changing a window's frame option would cause it not to respect its size constraints
• Resolved issue with Chromium trying to show permission dialog resulting in an unexpected close
• Resolved issue where window options updates were replacing existing options, instead of appending new options
• Resolved issue where attempting to resize a window past its constraints on an api call would cause the window to move
• Resolved an issue where an app with the same UUID but different manifest would result in an error
• Resolved issue where PDF links generated a "Can't load plugin error"
• Resolved issue with webSecurity setting not passed to child windows
• Resolved issue where Restore on Frameless windows after Maximize would move window 10px on Mac OS
• Resolved issue where window sizing jumps when aspectRatio is set to true
• Resolved issue where bounds-changing event not fired when aspectRatio flag is set to true
• Resolved issue where getNativeId was always returning 0 on Mac
• Resolved issue where dragging a window from the title bar icon would not work on Mac
• Resolved an unexpected close event when the runtime encounters a corrupted favicon
• Resolved issue where group merges were not being applied
• Resolved issue where main function callback is not called
• Resolved an issue where will-navigate was not firing correctly
• Resolved an issue where a Profile Error dialog would appear on certain runtime launches
• Resolved an unexpected close event when creating web notifications

Known Issues

Runtime

• Existing OpenFin deployments may experience some issues with cache migrating correctly, as a result of an OpenFin Runtime upgrade. These issues are resolved in OpenFin 9.61.38.40 and greater also requires an OpenFin RVM 4.7. upgrade*.

Layouts

• Tab groups cannot be undocked when windows are running on different runtime versions
• Docked/Tabbed windows may get stuck behind other windows when running on different runtime versions
• Resizing the top corner of a tab group can cause docked windows to separate
• Cannot resize the top edges of tab groups
• Windows docked with tab groups have limited vertical resizing
• Window resize constraints may be violated when windows are docked
• Window resize constraints may be violated when tabbing and un-tabbing
• Maximizing a docked window or tab group will cause it to become undocked

Chromium Enhancements

• CSS Typed OM - CSSOM provides typed stele access for developers, improving performance by removing the need to do excessive parsing of strings.
• Asynchronous Clipboard API - Added an asynchronous Clipboard API based on Promises.
• Autocomplete - Added attribute to <textarea> and <select>.
• Array.prototype.values - Returns a new Array Iterator object that contains the values for each index in the array.
• WebSockets over HTTP/2 - Support for WebSockets over HTTP/2.
• NTLMv2 - Support NTLMv2 authentication.
• Block cross-origin <a download> - To avoid what is essentially user-mediated cross-origin information leakage, Blink will start to ignore the presence of the download attribute on anchor elements with cross origin attributes.
• Async Iteration / Async Generators - Functions and a new iteration protocol to streamline consumption or implementation of streaming data sources.
• Promise.prototype.finally - Used for registering a callback to be invoked when a promise is settled (either fulfilled, or rejected).
• JavaScript module import() - Adds a "function-like" import() module loading syntactic form to JavaScript.
• Performance.timeOrigin - Useful for developers to be able to compare timings of objects with different time origins.
• OpenType variable font - Support for OpenType variable font .
• <data> and <time> elements.
• A full list of the Chromium changes can be found at the following links:
  • Chromium 62
  • Chromium 63
  • Chromium 64
  • Chromium 65
  • Chromium 66

Enhancements

V2 JavaScript API OpenFin is pleased to introduce its promised-based V2 API, representing a huge improvement over the callback-based V1 API. The classes for the V2 API (such as Window, Application, System, etc.) are directly on the fin object instead of nested in fin.desktop like the V1 API. The V2 API was available for use in OpenFin 9 via a flag and with OpenFin 10 the V2 API will be on by default and the JS API docs will now reference the V2 API documentation. The V2 API codebase is open-sourced under the Hadouken Github organization in a repo called js-adapter. V1 API Docs are still available here.

Resolved Issues

• Includes Zero-Day “Use-After-Free” vulnerability fix
• Resolved mouse pointer style for frameless window on Mac
• Resolved issue with window.close in a multi-runtime environment where the success callback was not being invoked when the app was in another runtime
• Resolved issue where fin.desktop.Frame.getCurrent() returned main frame for an iframe
• Resolved issue with widget ownership in autofillPopupView
• Resolved issue with background color not being observed in a snapshot

Known Issues

Runtime

• Existing OpenFin deployments may experience some issues with cache migrating correctly, as a result of an OpenFin Runtime upgrade. These issues are resolved in OpenFin 9.61.38.40 and greater also requires an OpenFin RVM 4.7. upgrade*.
• Restore on Frameless windows after Maximize moves window 10px on Mac OS, will be resolved in 10.66.40.*

Layouts

• Tab groups cannot be undocked when windows are running on different runtime versions
• Docked/Tabbed windows may get stuck behind other windows when running on different runtime versions
• Resizing the top corner of a tab group can cause docked windows to separate
• Cannot resize the top edges of tab groups
• Windows docked with tab groups have limited vertical resizing
• Window resize constraints may be violated when windows are docked
• Window resize constraints may be violated when tabbing and un-tabbing
• Maximizing a docked window or tab group will cause it to become undocked

Resolved Issues

• Resolved issue where bounds-changing event not fired when aspectRatio flag is set to true
• Resolved issue where window sizing jumps when aspectRatio is set to true

Known Issues

• Existing OpenFin deployments may experience some issues with cache migrating correctly, as a result of an OpenFin Runtime upgrade. These issues are resolved in OpenFin 9.61.38.40 and also require an OpenFin RVM 4.7. upgrade* - which will be available in Beta on Jan 14.
• .NET Adapter implementations, using "browser like" navigation, may encounter blank screens
• Connecting to a channel as a client from the same window in which the channel was created results in an error and overwrites the channel provider
• Animating grouped windows is not supported

Notice: OpenFin 9 Security Patch | Zero-Day “Use-After-Free” Vulnerability

OpenFin has addressed the potential Zero-Day “Use-After-Free” vulnerability discovered and fixed by the Chrome team. The vulnerability impacts prior versions of Chromium which are included in prior versions of OpenFin. The fix can be consumed by upgrading your applications to 9.61.38.41

What do you need to do?

OF recommends upgrading your applications to use the most recent Stable release - OpenFin Runtime 9.61.38.41. As recommended, always run with the Chromium Sandbox enabled.

Who may be potentially impacted?

Win7 32-bit machines

What is the vulnerability?

“Use-After-Free” exploits can be used to compromise a program/process and run arbitrary code. Processes running in the Chrome Security Sandbox have limited access to an end user's system.

A second vulnerability was discovered in Microsoft Windows allowing a local privilege escalation in the Windows win32k.sys kernel driver that can be used as a security sandbox escape.

When both vulnerabilities are exploited together, untrusted and web-delivered JavaScript can compromise the browser, escape the security sandbox, and access an end user's system unchecked.

The Chrome security team strongly believes the Windows’ vulnerability only exists on Windows 7. At this time, Windows 7 32-bit is the only environment where active exploitation of both the Chrome and Microsoft Windows vulnerabilities was observed.

Chrome Release Note Chromium PR (Auth Required) Google Security Blog Dangling Pointer

Known Issues

• Existing OpenFin deployments may experience some issues with cache migrating correctly, as a result of an OpenFin Runtime upgrade. These issues are resolved in OpenFin 9.61.38.40 and also require an OpenFin RVM 4.7. upgrade* - which will be available in Beta on Jan 14.
• .NET Adapter implementations, using "browser like" navigation, may encounter blank screens
• Connecting to a channel as a client from the same window in which the channel was created results in an error and overwrites the channel provider
• Animating grouped windows is not supported