About Future .NET
The concept
This demonstration is based on an information exchange between a website and a local Windows application.
To make the communication possible, the local application embeds an HTTP server that binds to a port on the loopback adapter, e.g. 127.0.0.1:9696.
Since this web server listens on the loopback address, it doesn't require any permission elevation for opening a firewall port. This means that a standard user can run this application, without any special or Administrator privileges.
The embedded web server cannot be accessed from another machine on the network, so all requests to it must be made from the local machine.
A website can communicate with our local application through an XMLHttpRequest (AJAX request) sent to 127.0.0.1:9696. Traffic sent to the loopback address is guaranteed not to leave the local machine, thus making this destination trustworthy. The AJAX request is only possible when our embedded web server has CORS enabled.
By correctly implementing the CORS HTTP headers in the application, we can limit local access to only those websites that are specified in our white-list (the different WebSales environments). If other websites try to communicate with our embedded web server, their AJAX requests will be automatically blocked by the browser.
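One way to implement the white-list check on the embedded server, as an added example that is not the application's own code. It assumes the server is built on `System.Net.HttpListener`; the class name, the two origins and the JSON body are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Text;

static class LoopbackCorsServer
{
    // Assumed white-list (placeholder hosts): one exact origin per WebSales environment.
    static readonly HashSet<string> AllowedOrigins = new HashSet<string>(StringComparer.Ordinal)
        { "https://websales.example.com", "https://websales-test.example.com" };

    // Exact string match only: no wildcards, no substring or suffix checks.
    static bool IsAllowed(string origin) => origin != null && AllowedOrigins.Contains(origin);

    static void Main()
    {
        var listener = new HttpListener();
        listener.Prefixes.Add("http://127.0.0.1:9696/"); // loopback only, as on the page
        listener.Start();
        while (true)
        {
            HttpListenerContext ctx = listener.GetContext();
            HttpListenerResponse res = ctx.Response;
            string origin = ctx.Request.Headers["Origin"];
            res.AddHeader("Vary", "Origin"); // the response differs per requesting origin
            if (!IsAllowed(origin))
            {
                // Refuse before doing any work: the browser only withholds the response
                // from a non-listed page, while a simple GET or POST still arrives here.
                res.StatusCode = 403;
                res.Close();
                continue;
            }
            res.AddHeader("Access-Control-Allow-Origin", origin); // echo the matched origin, never "*"
            if (ctx.Request.HttpMethod == "OPTIONS")
            {
                // CORS preflight: state what is permitted and stop.
                res.AddHeader("Access-Control-Allow-Methods", "GET, POST");
                res.AddHeader("Access-Control-Allow-Headers", "Content-Type");
                res.StatusCode = 204;
                res.Close();
                continue;
            }
            byte[] body = Encoding.UTF8.GetBytes("{\"status\":\"ok\"}"); // stand-in for the real handler
            res.ContentType = "application/json";
            res.ContentLength64 = body.Length;
            res.OutputStream.Write(body, 0, body.Length);
            res.Close();
        }
    }
}
```

The `Origin` check constrains browsers only; any other process running on the same machine can send whatever `Origin` value it likes, so the header is not an authentication mechanism.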
The website can be hosted on HTTPS and still communicate with our local application without triggering any mixed-content browser warnings.
The local application has access to the same resources the standard user has.
Demo scenario includes
- Listing of locally installed printers
- Sending a single copy of a test PDF from a remote location directly to the user's selected printer, without using the print dialog.
Supported browsers
The solution has been successfully tested on the latest versions of all major browsers: Edge, Chrome, Firefox and IE.
Application distribution
The application is packed and deployed with the latest Windows Installer technology from Microsoft - MSIX.
In order for the package to be installed on a client machine, it must be signed with a trusted code signing certificate. The signed package can be distributed from a web server or it can be published in the Microsoft Store. For more options, please see MSIX App Distribution. In our case, we install a package hosted on a web server, by simply clicking on a link pointing to the hosted package.
The link contains a special ms-appinstaller web protocol, which activates the package installation immediately. The package is installed on the local machine for the current user without any UAC elevation. After the installation, the application is automatically started and runs in a lightweight app container.
The application is installed in a special Windows folder, which is accessed only by the system. Windows automatically detects if the installed package has been tampered with, and will not start the application in such cases.
The MSIX Windows Installer also provides very good support for application updates. The installer can be configured to check for updates on every start, or periodically, every few hours. If an update package is available, it can be installed in the background. The next time the user starts the application, they will be running the latest version. For critical updates, the installer can also be configured so that the system will not start the application until it has installed the latest version automatically. The MSIX app container provides other benefits, including clean uninstallation of the application. For more details, please see Understanding how packaged desktop apps run on Windows.
Deploying MSIX packages to older systems like Windows 7 is also supported with MSIX Core, but automatic updating is planned for future releases.
Pre-requisites
- Windows 10 (1809 or later)
- Sideloading of applications enabled - a system configuration to allow installation of applications from other sources than Microsoft Store (this setting will be enabled by default in Windows 20H1).