2026 April Release

Security Considerations of the Fabasphere Client Web Browser Integration

The Fabasphere Client runs as a local process on the workstation in the context of the user currently logged on and may share the user session with a web browser.

Once a user creates a session in the web browser client, the session cookie issued to the user is passed to the Fabasphere Client. To securely pass this information, the Fabasphere web browser extension (Microsoft Edge, Mozilla Firefox and Google Chrome) is used.

Microsoft Edge, Mozilla Firefox and Google Chrome

The web browser extension uses the WebExtension API and the native messaging protocol to communicate with the Fabasphere Client. This communication is restricted to scripts of the *.fabasoft.com domain. The Fabasphere Client enforces this by validating the source URL. The source URL cannot be manipulated by a script (security mechanism of the web browser extension technology). In the default configuration, the native messaging host may only be used by the Fabasphere web browser extension.

Apple Safari

The Fabasphere Browser App Extension uses the macOS Framework API to communicate with the Fabasphere Client. In detail, a ContentScript (on the page), an extension handler (native extension background process) and local socket communication with the Fabasphere UI process are used. This communication is restricted to scripts of the *.fabasoft.com domain. The Fabasphere Client enforces this by validating the source URL. The source URL cannot be manipulated by a script (security mechanism of the Safari App Extension technology).

Fabasphere Client

The Fabasphere Client validates a cookie received from the web browser (expected format, size and parameters) and stores the current value in the cookie store. After the local checks, the cookie is sent to the server, where its authenticity and session information are validated (the expiration of the cookie and the IP address are checked). If the cookie is valid, the Fabasphere Client stores the value in the in-memory cookie store of the HTTP client and uses it for further requests.

If the user has not yet been authenticated via the web browser, the Fabasphere Client starts a hosted browser and initiates the login process (see above).

Once the Fabasphere Client is successfully authenticated, it uses the trusted communication (see above) to share the session cookie on the login page of new browser sessions. There, the web browser extension sends the cookie to the server for validation and, if validation succeeds, the user is logged on.

Communication Security

The communication with the Fabasphere Client is only possible if the respective application was signed with a digital signature certificate and the issuer of this certificate is known to the Fabasphere Client.

Configure the Allowed Domains

The usage of the Fabasphere Client can be restricted to certain domains. If this policy is not configured, *.fabasoft.com is allowed by default. If the policy is configured, *.fabasoft.com is no longer allowed by default, so if it is required, it must be added to the list of allowed domains explicitly. You can configure the allowed domains with the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Fabasoft\NativeClient\Cloud
"VALIDDOMAINS"="<domain>(:<port>)"

Note: The value of VALIDDOMAINS can consist of a list of domains, separated by semicolons, commas or spaces. Subdomains can be defined by the appropriate name or with * as a wildcard, and you can also restrict entries to specific ports (e.g., 443, 80).

Example: *.example.com; example.com; *.example:443; sub.example:8080

macOS and Ubuntu

The allowed domains can be configured by writing the value to a file at the following path:

~/.fsc/users/<system user name>/Software/Fabasoft/WebClient/ConfigValues/Cloud/VALIDDOMAINS

Note: The file content must not contain a trailing line break.
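
One way to check a VALIDDOMAINS value before it is written to the registry key or to the macOS/Ubuntu file, as an added example (this is not Fabasoft code and not the parser of the Fabasphere Client). The function names, the finding texts and the rule that * appears only as the leading label are assumptions; the separators, the `<domain>(:<port>)` shape, the trailing line break rule and the loss of the *.fabasoft.com default come from the text above.

```python
import re

# Entry shape from the page: <domain>(:<port>). Assumption: "*" appears only
# as the leading label, as in the page's example value.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
ENTRY_RE = re.compile(rf"(?P<host>(?:\*\.)?{LABEL}(?:\.{LABEL})*)(?::(?P<port>\d{{1,5}}))?")


def parse_valid_domains(raw):
    """Split on the separators the page names: semicolons, commas or spaces."""
    return [entry for entry in re.split(r"[;, ]+", raw) if entry]


def lint_valid_domains(raw):
    """Return a list of findings for a VALIDDOMAINS value (empty list = clean)."""
    findings = []
    # The macOS/Ubuntu file must not end with a line break.
    if raw.endswith(("\n", "\r")):
        findings.append("trailing line break")
    hosts = []
    for entry in parse_valid_domains(raw.rstrip("\r\n")):
        match = ENTRY_RE.fullmatch(entry)
        if match is None:
            findings.append(f"malformed entry: {entry}")
            continue
        port = match.group("port")
        if port is not None and not 1 <= int(port) <= 65535:
            findings.append(f"port out of range: {entry}")
        hosts.append(match.group("host").lower())
    # Once the policy is set, *.fabasoft.com is no longer allowed implicitly.
    if not any(h == "fabasoft.com" or h.endswith(".fabasoft.com") for h in hosts):
        findings.append("no fabasoft.com entry")
    return findings


if __name__ == "__main__":
    # The example value from the page; it carries no fabasoft.com entry.
    sample = "*.example.com; example.com; *.example:443; sub.example:8080"
    for finding in lint_valid_domains(sample) or ["clean"]:
        print(finding)
```

A "no fabasoft.com entry" finding is only a problem when access to *.fabasoft.com is still required.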