Articles in this section

See more

API Security: Configuring a Manifest file

Connor Mccafferty
  • Updated
Follow

 

Overview

OpenFin API security allows Desktop Owners and Application Providers to restrict and/or permit what API calls are available for an OpenFin Application. Applications must specify APIs in their manifest that enable or disable features such as an external application launch or clipboard reading. While these features can be beneficial, OpenFin understands that Desktop Owners may need to restrict certain APIs from running on a desktop computer. API Security allows this by giving the Desktop Owner tools to prevent application developers from implementing features that may be deemed sensitive to an organization.

OpenFin 12 and above requires Application Providers to declare usage of specific APIs in the application manifest file and in child window options explicitly.

Configuring a manifest file

To configure the manifest file, set a permissions object for startup_app and list the APIs under the System object. To enable or disable the API, set it to true or false. 

{
    "startup_app": {
        "name": "OpenfinPOC",
        "url": "http://localhost:5555/index.html",
        "uuid": "OpenfinPOC",
        "applicationIcon": "http://localhost:5555/favicon.ico",
        "autoShow": true,
        "saveWindowState": true,
        "permissions": {
            "ExternalWindow": {
              	"wrap": true
            },
            "System": {
                "getAllExternalWindows": true,
                "launchExternalProcess": true,
                "readRegistryValue": false,
                "terminateExternalProcess": true,
                "downloadAsset": true
            }
        }
    },
    "runtime": {
        "arguments": "",
        "version": "12.69.43.21"
    },
    "shortcut": {
        "company": "OpenFin",
        "description": "Openfin POC",
        "icon": "http://localhost:5555/favicon.ico",
        "name": "Openfin POC"
    }
}

IMPORTANT: To use these features within child windows or views permissions must also be explicitly included in the Window options / View options upon creation, e.g.:

async function createWindow() {
  const winOption = {
    name: "child",
    defaultWidth: 300,
    defaultHeight: 300,
    url:
      "https://cdn.openfin.co/docs/javascript/stable/tutorial-Window.create.html",
    frame: true,
    autoShow: true,
    permissions: {
      ExternalWindow: {
        wrap: true,
      },
      System: {
        getAllExternalWindows: true,
        launchExternalProcess: true,
        readRegistryValue: false,
        terminateExternalProcess: true,
        downloadAsset: true,
      },
    },
  };
  return await fin.Window.create(winOption);
}

createWindow().then(() => console.log('Window is created')).catch(err => console.log(err));
let windowIdentity;
if (fin.me.isWindow) {
    windowIdentity = fin.me.identity;
} else if (fin.me.isView) {
    windowIdentity = (await fin.me.getCurrentWindow()).identity;
} else {
    throw new Error('Not running in a platform View or Window');
}

const platform = fin.Platform.getCurrentSync();

platform.createView({
    name: 'test_view',
    url: 'https://example.com',
    permissions: {
      ExternalWindow: {
        wrap: true,
      },
      System: {
        getAllExternalWindows: true,
        launchExternalProcess: true,
        readRegistryValue: false,
        terminateExternalProcess: true,
        downloadAsset: true,
      },
    },
}, windowIdentity).then(console.log);

 

References

https://developers.openfin.co/docs/api-security

 

Related articles

Comments

0 comments

Please sign in to leave a comment.