I have to create a webrtc application (using JsSIP) where the goal is only to be able to listen to the remote call.
I am searching a way to setup my JsSIP sip stack / sip session to disable the local microphone.
I want to make it that the browser doesn't ask for access to the microphone, as it is not needed.
Thanks.
Currently, it is not possible with JsSip, and to make it clear it is not possible on modern secure browsers.
The problem is not with JsSip but with the browsers, for security reasons browsers don't allow websites to access the microphone without the user permission as hackers can use this to monitor user conversations without their permission.
But I have observed from using JsSip on some browsers, the browser will automatically allow the user after permission has been giving to your site for the first time, ( at least on google chrome).
Solution
If there is a need to allow a smooth transition of audio permission-giving to your website, you should prompt your users to enable their browsers to always allow the permission. This has worked on chrome mobile and Firefox web browsers. Permissions are giving automatically.
I hope this solves your problem. you can contact me for anything with JsSip, ready to help you.
Related
I am about to implement a reception screen view of some data my product holds. This data is not extremely sensitive, but enough so that my customers do not want it just out there on the internet for all to see.
The concept is a smart tv with a built in web browser that displays a webpage hosted by my application. My application requires authentication for all other interaction, but the smart tv does not support authentication. So I would like to secure the page somehow, so it isn't just available for all to see.
The only options I see are:
Security by obscurity. I would really like to avoid this one.
IP Whitelisting. This I could do, but not all my clients have a static IP.
Enter credentials on screen. This is not really feasible and the credentials are lost on reboot. So we cannot do this.
Are there other options I just don't know about.
For lĂmited input devices like TVs where is not easy enter credentials there are some Open Source options like CPA (developed by EBU for Hbbtv Use Cases) than can work for you and you can control the e2e
CPA
Reference Implementation
The autenticacion token can be stored into your SmartTV app until its expiration or client's logout, etc.
There is also
After some research I found that the best option is the OAuth 2.0 Device Authorization Flow.
The gives the user an experience like the one used when setting up Google Chromecast or AppleTV.
https://auth0.com/docs/get-started/authentication-and-authorization-flow/device-authorization-flow
I maintain an application written in C++Builder 2009. Part of it involves using a TWebBrowser control (based on Internet Explorer) to send users to a Google login page in order to obtain an OAuth key. This has worked well for a while, but now Google, bless their hearts, has implemented some kind of security upgrade, and now my users get to a page that says "Couldn't sign you in, this browser or app may not be secure". FYI, I am already setting a Registry key that is supposed to make IE run in version 11 emulation mode.
I do have a couple of workarounds: If the user runs IE first in admin mode, signs on, leaves it up while running my application, we don't get the problem. Second, I can start up the default browser - Chrome, IE, whatever - and send them to the URL for OAuth, then it avoids the error message.
The problem with this solution is that without being able to hook into TWebBrowser events, I don't have any way to automatically retrieve the OAuth key - it is necessary for the user to cut/paste it into my application. I'd like to avoid these clunky solutions.
I should also mention, this problem occurs only for certain Gmail accounts. I have no idea what the difference is between accounts that work and don't work. Any ideas on that?
So, is there any way to configure IE or TWebBrowser so this security issue is bypassed? Or, if I was to update to a modern version of C++Builder and use TWebBrowser (or something else?), would this problem be avoided? Any other ideas to fix this problem?
The latest C++Builder supports Google's Chromium engine, it's probably safe to say it'll be compatible with Google's security upgrades.
Powerful Chromium Based WebView Component To Host Web Content In Your Delphi/C++ Builder FireMonkey Apps
We have a program that runs in IIS with Windows authentication, and which is available to the outside world.
Right now, we provide to every interested party a link to the program, along with guest credentials they then have to type.
Is there a possibility to do away with the credentials? Our internal people should be able to login as usual, but we want to provide a link to get into the guest account without typing any login credentials.
I have tried to add the credentials into the clickable url, but Internet Explorer and Edge browser do not support this, and Mobile Safari throws phishing warnings.
Can this be done universally, that the authentication is done invisibly in the background in all browsers, using some kind of redirect or XHR call with arguments or something like that?
While debugging why my extension doesn't work in Safari (but does for other browsers), noticed that I can send an arbitrary made up HTTP header with XmlHttpRequest in a Safari toolbar extension. But try to do same with header named "Cookie" with same content as before, it doesn't get sent.
So does Safari restrict sending back cookies with requests or you need to follow an alternate process to do so? Seems kind of lame since this blocks functionality of apps that require session state persistence for example. If there's an alternate process, Apple made it harder to maintain session state in extensions (extra work in adapting a web app or other browser extension).
I tested using Safari 5.1.7 on Mac OS X 10.7.5 with Charles proxy.
Just figured I should post the solution that worked for me, that I commented in my own question earlier, for easier viewing by others with similar problem:
Turns out for Safari extension, what works for me is to set the browser to not block any cookies and website data. So users would have to do that to use the extension. No code changes needed. But that's not cool though.
The particular step is Safari > Preferences > Privacy > Cookies and website data: Always allow (at least under Safari 10 on Mac OS Yosemite). Although one could try "Allow from websites I visit" to see if that more restrictive option will work or not.
We have a mobile web based app at my company. Due to the nature of the application we do not want the browser on the users phone to prompt the user to save the passwords on the form a.k.a the autocomplete feature.
We managed to do that for IE and Firefox by setting the autocomplete tag to "off" but that doesnt seem to work for Opera mini (and i am guessing opera in general). I know user's can set it to off in their settings but for security reason we rather have it disabled?
Is there a workaround for this through code? the app is Java app using faces components based on an Jboss/Apache architecture.
In general, Opera lets the user configure whether it should respect autocomplete=off. On principle, users should be able to configure the password storage feature, and web sites should not be able to affect the configuration at a whim.
However, I can certainly see that for specific scenarios, like "send one-time passwords by SMS to the device Opera remembered the regular password on", this sucks. If you have stored password for a high-value site + use SMS one-time passwords as an "out of band" authentication, a lost phone becomes a major risk. The root of this problem is the assumption that an SMS constitutes "three-factor" authentication - if the stored login and the SMS is on the same device it's no longer "three-factor"..
It is tricky to try to leave users in control, while yielding to the web site when it's a really good idea to do so. Sadly, I think this is an unsolved question for now.
If you have a good use case for disabling password storage and are working on an important site, perhaps Opera Mini server admins could be persuaded to disable password manager on a site-specific basis? I don't know, but if you report it as a bug to Opera it would at least give the internal discussions some more momentum. Feel free to contact me with a reference to the bug report because I'm in a position where I could keep an eye on it ;-)