OpenFin Security

Overview

OpenFin is a security-first JavaScript/HTML5 runtime environment built on top of Google’s Chromium project that also incorporates GitHub’s Electron project. OpenFin is not a general purpose web browser: there are no navigation controls, address bars, tabs or other user interface elements that are typical of browsers.

Core Principles

  • Leverage the Chromium security team’s great work
  • Strongly limit vulnerability to Cross-site scripting (XSS)
  • Downloaded code must always run in Chromium sandbox
  • All native applications must be signed
  • Any code that sits on the filesystem must be checksummed/signed and validated prior to loading
  • Not for use as a general purpose web browser
  • Expose full process isolation for application owners to use

Sandbox

The Chromium sandbox is widely regarded as the strongest and most tested security sandbox available. One of the critical challenges in using Electron in a strong security context is that the project disables the Chromium security sandbox to enable key features of their architecture. OpenFin re-enables the security sandbox and fixes/works around the complications that the heightened security environment causes. Please visit Chromium’s Sandbox documentation for further details.

Chromium Security and Fixes

Security

OpenFin is focused on preserving the inherently robust Chromium security model in order to ensure a safe environment for our customers to run in. We add additional layers of security around the already tight environment, like domain whitelisting. Additionally, because OpenFin is not a general purpose browser, our security profile and attack surface are different (smaller) than you would find in a browser. More information on Chromium’s Security approach can be found here.

Fixes

OpenFin is committed to keeping up with the Chromium team, delivering at least 4 major releases each year along with ~8 additional point releases. As we roll Chromium forward, we keep our APIs backward compatible; this minimizes the work needed for application developers to upgrade and leverage the better security and performance of newer versions of Chromium.

Typically, the Chromium team fixes issues on the current version and does not back-port them. On a case-by-case basis, we assess if back-porting a fix is required based on technical feasibility and customer feedback on criticality.

Application Identity

OpenFin applications on the InterApplicationMessageBus expose the URL from which they were loaded, including the protocol used. This means that one can validate that an application was loaded securely (over HTTPS) from a specific domain and thus be sure of its identity. Applications that run outside of the runtime (native applications) but are connected to the bus expose their code signing signatures so that their identity can also be validated.

InterApplication Messaging

Application identity on the InterApplicationMessageBus gives application developers the tools needed to validate that the applications they are interacting with are indeed who they say they are. Additionally, the ability to publish/subscribe within one’s own security realm without having to validate identity on each request allows for increased productivity when interacting with one’s own applications.
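The following is an added example, not OpenFin’s own code, of the identity check the two paragraphs above describe: a subscriber accepts a message only if the sender was loaded over HTTPS from an origin on an allow-list. The origin (scheme, host and port) is compared exactly, so a look-alike host such as apps.example.com.evil.net is rejected where a substring test on the URL would accept it. The allow-list is constructed for the example; the fin.InterApplicationBus.subscribe and fin.Window.wrap(...).getInfo() calls in the last function are assumed to follow the OpenFin v2 API shape and should be checked against the API reference for the runtime version you target.

```javascript
// Added example (not OpenFin's own code): verify the identity of a message
// sender on the InterApplicationBus before trusting its message.

// Constructed allow-list for the example; substitute your own origins.
const TRUSTED_ORIGINS = new Set(['https://apps.example.com']);

// Accept a sender only if its loaded URL parses, uses HTTPS, and its exact
// origin is on the allow-list. Comparing url.origin (not a substring of the
// URL) is what rejects https://apps.example.com.evil.net/ and a different port.
function isTrustedSender(loadedUrl, trusted = TRUSTED_ORIGINS) {
  let url;
  try {
    url = new URL(loadedUrl);
  } catch (e) {
    return false; // not a parseable URL: never trust
  }
  if (url.protocol !== 'https:') {
    return false; // http: or file: content could have been altered before it was loaded
  }
  return trusted.has(url.origin);
}

// Decide what to do with one bus message. The decision is returned rather
// than acted on so it can be checked; a real application would dispatch on accept.
function handleBusMessage(senderUrl, message, trusted = TRUSTED_ORIGINS) {
  if (!isTrustedSender(senderUrl, trusted)) {
    return { accepted: false, reason: `untrusted sender ${senderUrl}` };
  }
  return { accepted: true, message };
}

// Wiring to the runtime. ASSUMPTION: fin.InterApplicationBus.subscribe takes a
// sender filter, a topic and a listener receiving (message, uuid, name), and
// fin.Window.wrap({uuid, name}).getInfo() resolves to an object whose `url`
// is the window's current URL. Guarded so the module also loads outside the
// runtime (where `fin` is undefined).
async function subscribeVerified(topic) {
  if (typeof fin === 'undefined') return false;
  await fin.InterApplicationBus.subscribe({ uuid: '*' }, topic, async (message, uuid, name) => {
    const win = await fin.Window.wrap({ uuid, name });
    const { url } = await win.getInfo();
    const result = handleBusMessage(url, message);
    if (!result.accepted) {
      console.warn(`dropping message on ${topic}: ${result.reason}`);
      return;
    }
    console.log(`accepted message on ${topic} from ${url}`);
  });
  return true;
}
```

Note that the sender’s URL is looked up when the message arrives, so an application that later navigates elsewhere is re-evaluated on its next message; within your own security realm, where every application is yours, this per-message check can be skipped as the paragraph above describes.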

Group Policy

OpenFin provides desktop administrators within institutions, and application providers, the ability to customize the Runtime environment and control specific application features via Group Policy. These OpenFin-specific policies are an extension of the base Chromium Group Policy flags, which are also available to institutions and application providers using OpenFin.

For more information on Group Policy, please visit OpenFin’s Group Policy and Registry Settings page.

Encryption/Signing

All OpenFin binaries and libraries are signed by COMODO RSA CODE CA. All OpenFin code loaded from the filesystem is checksummed, signed and validated prior to running. Signatures for application assets are exposed via the API so that applications can validate them.

Security Realms

A security realm is a mechanism used for protecting your running web application from other OpenFin applications on the same machine. It gives you the ability to protect a resource with a defined security constraint and then define the ways that external applications can access the protected resource.

Security realms provide application providers the following:

  • Isolated Browser Process: the browser process is typically a shared resource in a web environment. Security realms further isolate your application from other applications running on the same machine by giving it a dedicated browser process.
  • Separate Cache: ensures that applications outside your security realm have no access to your application's cache.

Configure

To configure a security realm via an application config, application providers add an "arguments" key to the "runtime" section of their application’s config, at the same level as "version" (or append this option to an existing "arguments" key). The realm value can be any string that is valid as a Windows folder name.

"arguments":"--security-realm=[MYREALMID]",

Example

{
    "runtime": {
        "arguments": "--security-realm=[MYREALMID]",
        "version": "beta",
        "forceLatest": true
    }
}

Multi Runtime Configure

To re-enable multi runtime features while using a security realm, application providers can pass the --enable-mesh flag in the runtime arguments. This keeps your app in a separate browser process with its own cache, but allows the use of OpenFin APIs with mesh-enabled applications on different runtimes.

"arguments": "--enable-mesh",

Example

{
    "runtime": {
        "arguments": "--security-realm=[MYREALMID] --enable-mesh",
        "version": "beta",
        "forceLatest": true
    }
}

Have questions? Get in touch with us at support@openfin.co.
