2021 September Release

Security Considerations of the Fabasoft Cloud Client Web Browser Integration

The Fabasoft Cloud Client runs as a local process on the workstation in the context of the user currently logged on and may share the user session with a web browser.

Once a user creates a session in the web browser client, the session cookie issued to the user is passed to the Fabasoft Cloud Client. To securely pass this information, the Fabasoft Cloud web browser extension (Microsoft Edge, Mozilla Firefox and Google Chrome) is used.

Microsoft Edge, Mozilla Firefox and Google Chrome

The web browser extension uses the WebExtension API and the native messaging protocol to communicate with the Fabasoft Cloud Client. This communication is restricted to scripts of the *.fabasoft.com domain. The Fabasoft Cloud Client enforces this by validating the source URL, which a script cannot manipulate (security mechanism of the web browser extension technology). In the default configuration, the native messaging host may only be used by the Fabasoft Cloud web browser extension.

Apple Safari

The Fabasoft Cloud Browser App Extension uses the macOS Framework API to communicate with the Fabasoft Cloud Client. In detail, a ContentScript (on page), an extension handler (native extension background process) and local socket communication with the Fabasoft Cloud UI process are used. This communication is restricted to scripts of the *.fabasoft.com domain. The Fabasoft Cloud Client enforces this by validating the source URL, which a script cannot manipulate (security mechanism of the Safari App Extension technology).
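The source URL check described for both browser families above is easy to get wrong with a plain substring or suffix comparison. The following is an added example, not Fabasoft's code: the function name `is_trusted_source`, the https-only rule and the exclusion of the bare `fabasoft.com` host are assumptions, and the sample URLs are constructed.

```python
import re
from urllib.parse import urlsplit

ALLOWED_SUFFIX = ".fabasoft.com"  # from the page: scripts of *.fabasoft.com
# Plain DNS hostname: dot-separated LDH labels, no trailing dot, no IP literal.
HOST_RE = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")


def is_trusted_source(url: str) -> bool:
    """True only for an https URL whose host is a subdomain of fabasoft.com."""
    # Backslashes, whitespace and control characters are parsed differently by
    # browsers and by urllib, so refuse them instead of guessing.
    if not url or any(c == "\\" or c.isspace() or ord(c) < 0x20 or ord(c) == 0x7F
                      for c in url):
        return False
    try:
        parts = urlsplit(url)
        host = parts.hostname  # lower-cased, without userinfo and port
        _ = parts.port         # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":  # assumption: only TLS origins are accepted
        return False
    if parts.username is not None or parts.password is not None:
        return False  # userinfo can disguise the real host
    if not host or not HOST_RE.fullmatch(host):
        return False
    # The leading dot in the suffix forces a match on a label boundary.
    return host.endswith(ALLOWED_SUFFIX)


# Constructed sample URLs (not taken from the page) and the expected verdict.
SAMPLES = {
    "https://tenant.fabasoft.com/folio/": True,
    "HTTPS://Tenant.Fabasoft.COM:443/": True,
    "http://tenant.fabasoft.com/": False,
    "https://fabasoft.com/": False,
    "https://notfabasoft.com/": False,
    "https://tenant.fabasoft.com.other.example/": False,
    "https://tenant.fabasoft.com@other.example/": False,
    "https://other.example\\@tenant.fabasoft.com/": False,
    "https://tenant.fabasoft.com./": False,
    "https://tenant.fabasoft.com:99999/": False,
}

if __name__ == "__main__":
    for url, expected in SAMPLES.items():
        print(f"{is_trusted_source(url)!s:5} (expected {expected!s:5}) {url}")
```

The check compares the parsed host, never the raw string, and rejects anything the parser and a browser could interpret differently.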

Fabasoft Cloud Client

The Fabasoft Cloud Client validates a cookie received from the web browser (expected format, size and parameters) and stores the current value in the cookie store. After the local checks, the cookie is sent to the server, where its authenticity and session information are validated (the expiration of the cookie and the IP address are checked). If the cookie is valid, the Fabasoft Cloud Client stores the value in the in-memory cookie store of the HTTP client and uses it for further requests.

If the user has not yet been authenticated via the web browser, the Fabasoft Cloud Client starts a hosted browser and initiates the login process (see above).

Once the Fabasoft Cloud Client is successfully authenticated, it uses the trusted communication (see above) to share the session cookie on the login page of new browser sessions. There the web browser extension sends the cookie to the server for validation, and if validation succeeds, the user is logged on.

Communication Security

The communication with the Fabasoft Cloud Client is only possible if the respective application was signed with a digital signature certificate and the issuer of this certificate is known to the Fabasoft Cloud Client.