An upcoming behavior change to the security defaults in the OpenFin 20 release, targeted for June 2021, may require changes to your configuration.
With the targeted OpenFin 20 release, we are further tightening our API security stance by changing from a “default allow” paired with a block list to a “default prevent” coupled with an allow list. Any application using a secure API needs to be allowed in order to use the API. If an application attempts to use a secure API and that usage has not been allowed, the callback for the API returns an error.
Security is OpenFin’s top priority for both Application Providers and desktop owners. We work closely with IT security teams to ensure OpenFin meets rigorous security standards. Through these collaborations we’ve collectively agreed to address a migration path for OpenFin’s APIs with a higher security profile.
OpenFin introduced its initial layer of API security in OpenFin 12, requiring Application Providers to declare usage of a secure API via their application manifest. The upfront affirmation assisted desktop owners by informing them of an application’s intent to use a secure API. Additionally, desktop owners had the ability to disable an application’s usage of an API via a permissions configuration in their Desktop Owner Settings (DOS) file. The DOS file enables desktop owners to regulate global desktop settings in one easy-to-update, remote JSON file. On Microsoft Windows, the location of this file is specified in the Windows Registry.
In OpenFin 16, we tightened API security by adding sensitive web APIs to our secure API designation (audio, video, geo, etc.), requiring applications to declare intent to use a sensitive web API in their application manifest, and providing desktop owners the ability to manage an application’s usage of these APIs.
OpenFin 20 is the next step in ensuring applications are secure by default.
Application Providers who upgrade to OpenFin 20 and leverage one or more of our secure APIs (i.e.
Application Providers wishing to upgrade to OpenFin 20 and leveraging a secure API have the following options:
Desktop owner settings management
- Desktop owners can manage an OpenFin DOS file to enable secure API usage. See Desktop Owner Settings for further details.
Global allow list
- OpenFin provides a global allow list for applications we know and trust. Please contact OpenFin to discuss your application being globally allowed.
End-user Click Thru
- In the event neither a DOS file nor global allow listing has been established, OpenFin prompts the application end-user for authorization to use the secure API (similar to the “Ask before accessing” option in Chrome’s privacy and security settings).
Additional details on the specific changes in the Desktop Owner Secure API will be provided prior to the release.
OpenFin 20 (target release) - June 2021
Yes. Secure APIs will continue to work in OpenFin versions 19 and older until we have the larger OpenFin community ready to turn on backwards enforcement. You still need to declare secure API usage in your application manifest, and desktop owners will continue to have the ability to prevent usage if they so choose by disabling those APIs across their desktops.
Please be advised that security features, enhancements and bug fixes from the Chromium, Electron, and OpenFin teams will be applied to future versions of OpenFin.
This communication is to inform you of upcoming changes OpenFin is implementing for Flash.
Chromium is ending support for Flash in Chromium 88, due out in Jan 2021. As a result, OpenFin 18 (built on top of Chromium 87) is the last version of OpenFin on which Flash applications will be able to run. OpenFin 18 is targeting a delivery date of Nov 2020.
Please visit Chromium’s Flash Roadmap for additional information.
Application Providers running Flash content directly on OpenFin.
Harman has taken over ownership of Adobe Air. The OpenFin Adobe Air Adapter is not impacted and should continue to work. This allows you to run Flex/Flash content in Adobe Air while connecting back into the rest of the OpenFin environment on the desktop. The OpenFin Air Adapter will not get further investment (no new API features, etc.) and we will work with you to make sure you have the right support.
Application Providers wishing to upgrade to OpenFin 19 (Chromium 89) will need to take the necessary steps to migrate any Flash applications / dependencies out of their applications.
Chromium 88 - JAN 2021
OpenFin 18 (Chromium 87) - Nov 2020
Yes. Please be advised that security features, enhancements and bug fixes from the Chromium, Electron and OpenFin teams will be applied to future versions of OpenFin.
This notice is to inform you of changes OpenFin is implementing.
- End-of-Life for the Layouts v1 API which has been replaced by the Platform API. The Platform API includes more advanced layouts capabilities and significantly improves on the Layouts v1 API.
  - Final Runtime Version supported is 126.96.36.199
  - End of Support Date is May 9, 2021
- Change-of-Life-Cycle for our Notifications and FDC3 APIs which will no longer be managed as Services (the APIs will remain unchanged)
  - Service Life-Cycle for both APIs will no longer be supported as of March 1, 2021
- Deprecation of fin.Notifications legacy API which is being replaced by the Notifications API.
  - Marked as Deprecated in Runtime Version 17.85.55.*
  - End of Support as of March 1, 2021
Application Providers leveraging any of the following OpenFin APIs:
These changes are being made in response to broad customer feedback. A summary of each is below. Please don’t hesitate to contact us if you’d like additional information.
The Layouts v1 API has been replaced with our Platform API (previously known as Layouts API 2.0). This change is being made to:
- Significantly improve performance and maintainability
- Provide default tab support, customization, and complex layout support
- Correctly integrate with standard Operating System functions such as Alt + Tab Preview, Move + Left/Right arrow keys, and z-order
The FDC3 API now ships by default with the Runtime and does not need to be invoked as a Service. This has the following benefits:
- FDC3 API is versioned in tandem with the other OpenFin APIs
- Simplified app upgrade process: FDC3 API changes can be made and tested once as part of upgrading the Runtime version
- Eliminates conflicts from different apps using different versions of the Service
- Eliminates conflicts from compatibility issues between Runtime versions and Service versions
The Notifications Center’s lifecycle will be managed by the Notifications API and will no longer need to be invoked as a Service as of version 1.0 which is scheduled for release in Q4 2020. This change is being made to:
- Avoid visual collisions from multiple versions of Notification Center on the same desktop
- Enable Desktop Owners to control the version of Notification Center for both internal and 3rd-party apps
- Significantly improve end user experience when more than one application is generating notifications
- Provide visual consistency and customization across notifications
- Keep notifications history available to end users
Application Providers should migrate as soon as possible. In all cases, we are here to help and assist teams with their migration plans.
Layouts v1 API
- Migrate to the OpenFin Platform API as part of upgrading to OpenFin 16 and beyond. Instructions are available in the Migrating from Layouts v1 Workspaces tutorial.
- Configure your Application Manifest to add the FDC3 API to your Application and remove the FDC3 Service from your Application Manifest as part of upgrading to OpenFin 17.85.55.* and beyond
- Remove the Notifications Service declaration from your Application Manifest as part of migrating to a version of the OpenFin-Notifications NPM package that supports the new lifecycle management. (Version 1.0+, release date Q4 2020).
- Migrate to the OpenFin Notifications API.
Yes - OpenFin strongly advises all customers to move to the respective alternative approaches as soon as practicable. If continuing to use the Services and the fin.Notifications API, be advised that no patches will be applied for any discovered bugs and any Chromium security patches must be consumed in later versions of OpenFin.