One of the applications I’ve been using lately needs to be paid for. So I am once again looking for the possibility of implementing it on TiddlyWiki. This application allows me to group applications on my Windows desktop. But if TiddlyWiki can be implemented to launch applications, then I don’t need other applications.
Maybe js is needed and a specialised plugin might be responsible for that. Has anyone tried a similar operation? Feel free to discuss.
Although I don’t know much about it, seems to me it is a gigantic security no-no to allow an HTML page to start local applications installed in an operating system.
This can be done without JavaScript. On Windows you need to register each application to system, assigning it url protocol. Applications can automatically register themselves with a url protocol. You can run the calculator from a url.
calculator:
You could simply create links in TW.
You can register your own. This is done in the registry. If you don’t feel confident doing this then this option may not be for you.
You can google this to find out how.
Here’s one explanation. It’s old but still seems relevant.
https://stackoverflow.com/questions/7087728/custom-protocol-handler-in-chrome
I also found similar instructions. But this method is still overly complicated. Because the user needs to manually manipulate and maintain the registry. so Which may require software to handle specifically. So So I didn’t consider it further. I found another free desktop organiser whose basically replaces the software I was using before.
file:// Links to exe/batch/cmd files in a wiki running locally (not through an internet browser) such as within TiddlyDesktop can start apps on the local machine.
[[game|file://D:\games\World_of_Tanks_CN\World_of_Tanks_CN\wgc360_api.exe]]
I find simply create a file link works
(At least in a desktop TiddlyWiki app like TidGi-Desktop).
Right.
Also I want to breach that.
Under my control and acceptance.
I want to control my computer from a TW.
Why not?
TBH I think '“to control my computer from TW” should be considered a VALID aim.
Not reduced to nothing by “security” concerns.
TT
Right. That is ASSOCIATION. A file of a TYPE via registry can launch it’'s mother handler.
What I want is to use TW to ARBITRARILY LAUNCH APPS. Why not?
TT
Thats fine, just not in a standard internet browser, because you could be on someone else’s website and they could use the same mechanism to launch code on your computer through the browser. Including the first steps to owning your computer.
TiddlyDesktop, the hta method (antiquated) and TiddlyWiki-app all have their own local browser and you can do this there, because they do not load content from the internet where all the monsters live.
There may be an opportunity to build web associations, local application types to get around this but you need to get a lot working first. and you still may not get it working/safe.
Think about this from a browser vendor’s perspective, though:
TT: I want to control my OS from Tiddlywiki
BV: What’s Tiddlywiki?
TT: Oh it’s awesome! It is so extensible, so useful, with this amazing community…
BV: But what is it?
TT: It’s a single-page wiki, a framework for building you own tools.
BV: So it’s a website?
TT: Well, it’s more a whole series of them, hosted by people all over the world.
BV: Is it under the control of some entity we can blame if it does harm?
TT: No, each user is responsible for their own versions.
BV: Is the source code vetted by well-known security experts?
TT: Well no, but ESR, said, “Given enough eyeballs, all bugs are shallow”.
BV: So you have a community of thousands of open source developers committing to the core?
TT: Thousands, no. Dozens… maybe.
BV: And this can’t run arbitrary code, right?
TT: No, that’s the point. We can build what we like
BV: Well, then, all of the code is core or built directly by you?
TT: Didn’t I mention plugins?
BV: Who vets these plugins before they’re available for use?
TT: That’s the beauty of a decentralized approach. We count on one another.
BV: So let me get this straight. You want to allow arbitrary websites to run any old programs on your computer, with absolutely no security interventions, even though these websites might contain components from random developers?
TT: Sure, but only under my control and acceptance.
BV: OK buddy: take a ticket. Next ticket number is #43,761. Currently serving #7.
This is a great solution.
I’ve also found another easier way to use the Utility plugin, which has a procedure dedicated to handling it.
Bingo!
Therein is the problem.
After chasing through zillions of screeds that finally accept that using your own OS from a browser is okay I get an ‘okay’ but on HOW to do it from a browser is left for a very late tomorrow. That is where most browsers are concreted; over-stubborn. Later never.
But I can easily run a background daemon that would intercept a save of a plain text instructions file from TW and immediately execute it.
Why are browsers so wooden? Why do I have to jump through hoops to do basic interaction with my own OS?
But if you have the ability to create and run such a background daemon, then you already have demonstrated proper authorization to have control over your machine.
Because they have no way to distinguish you from a malicious actor and your OS from that of a naive user tricked into visiting http://evildomain.com.
that is a load bearing “easily” there.
You could also easily fork a browser and remove the security restrictions that irk you so much. Maybe not quite as easily, but it’s possible.
Browsers have to satisfy the security concerns of the average user, and corporate usage, and only after those are satisfied, do the security workarounds of the power users get a consideration.
Given most traditional programs run only their own code, and their own data, or your supplied data, their security concerns are reasonably small and well understood. Browsers run code from arbitrary websites, with data from arbitrary websites. Their security concerns are significantly more complicated.
Do I, as a power user, want arbitrary data running through arbitrary code with access to my OS and filesystem, without a rock solid line of defence? oh hell no.
I find the security of browsers occasionally irksome, but I understand that if they were to give me free reign to handle my own security, the browsers would be handing me a hair trigger loaded missile with a target lock set to my own foot. I dont want that orders of magnitude more than I want the occasional security irk to be lifted, so on balance, I’m quite accepting of browser security and finding workarounds.
TT is actually talking from experience. Timimi had an experimental version that allowed execution of specified code. I think TT may still have that version. Also TT is co-author of Polly, a Powershell tool that runs in the background for saving and archiving, but could conceivably be adapted to launch executables.
I’m thinking Anki, Obsidian, Joplin, Calibre, Audacity (?) … programs that have plugins that probably have access to your drive. There is a bit of trust involved. But of course, none of those have the wide audience that browsers have.
Thanks Mark!
I do. But now it is not workable on recent Firefoxes.
It was very easy to execute apps. directly, instantly from TW with it.
It used Timimi’s early experimental (Firefox only) OS backend to do the launching.
Mark is too kind. I basically assisted on Polly whilst learning Powershell.
Now I can use a Polly derived daemon to execute apps. But not from TW. Just a resident menu.
ah, neat stuff!
Fair - but those are their own programs - so aren’t trying to protect against data and code being provided by an arbitrary website, as well as having the freedom to set their own security policy anyway.
I’d expand that to note that as well as a smaller audience from a user perspective, specialised programs also have a smaller range of data they’re expected to be able to process sanely.
Browsers have to deal with the web (theoretically any part of it, and the entirety of the web is surely one of the largest and variable pools of data in human history, though in practice most modern use is on small set of sites with more newer stuff being not just data, but code that is, for realistic practical uses, unvettable, yet you’re expected to run it.
Overall it is an interesting conundrum - as the browser is increasingly the universal interface for GUI tools, the strong wall between the browser and the OS becomes more frustrating for those who wish to cross it with a click (counterpoint I suppose is that as the browser increasingly becomes the universal GUI, the need to cross that boundary reduces - with powerusers (us?) likely being the last holdouts who would care.
aside - the “browser as universal GUI interface” idea is one I picked up from an article a little while back, which put forward the idea that there are only two interfaces worth coding for these days for “apps”. The terminal, and the browser. It’s simplistic and lacks nuance, but as a first approximation, I find I broadly agreed. (wish I made a note of the article though!)
Right. And not.
It is interesting in these discussions no one can point to the Fearless Browser–an off the shelf Browser that can execute programs. Why not?
Right I could spend time doing a node.js thing to get there. But why can’t I just configure a (some) browser to launch a batch file?
My comment here, now, is more about a kinda taken-for-granted attitude that somehow it’s weird that I (me, myself & I) want to use a browser to control the OS. The argument is that IF browsers could do that it would be a disaster. It probably would be. But I’m only asking IF there is A way (the A. Browser) that could? Not for everyone.
Why is it so distinct an idea now to think a browser is a danger to one’s hard disk IF that is exactly what one is asking to control?
I’m not sure I’m communicating the point well enough yet.
Anyway, basta
That does put a different perspective on it. But I expect that market is among the nichiest of niches.
I wonder if someone knowledgeable about Chrome or Firefox source code could manage to put together a version that bypasses these security restrictions… in any reasonable amount of time. That would probably require there be flags that could be toggled, or entire modules that could be removed. And there would still probably need to be positive work on talking to the OS, although that might need just access to shell commands.
I think much, much more plausible is working with one of the Electron or similar versions with only small changes to the back end of TW apps.
We already know what a launch-from-browser solution would look like. It would involve an extension and a native host “server” (which really means an executable).
Here’s one such extension –