2021 Update Rollup 2

Security Considerations of the Fabasoft Folio Client Web Browser Integration

The Fabasoft Folio Client runs as a local process on the workstation in the context of the user currently logged on and may share the user session with a web browser.

Once a user creates a session in the web browser client, the session cookie issued to the user is passed to the Fabasoft Folio Client. To securely pass this information, the Fabasoft Folio web browser extension (Microsoft Edge, Mozilla Firefox and Google Chrome) or the Fabasoft Folio Browser Extension ActiveX control (Microsoft Internet Explorer) is used.

Note: This is only valid if a corresponding session cookie has been configured.

Microsoft Edge, Mozilla Firefox and Google Chrome

The web browser extension uses the WebExtension API and the native messaging protocol to communicate with the Fabasoft Folio Client. This communication can be restricted to scripts of a specified domain. This is enforced by the Fabasoft Folio Client by validating the source URL. The source URL cannot be manipulated by a script (security mechanism of the web browser extension technology). In the default configuration, the native messaging host may only be used by the Fabasoft Folio web browser extension.

Apple Safari

The Fabasoft Folio Browser App Extension uses the macOS Framework API to communicate with the Fabasoft Folio Client. Specifically, a content script (on the page), an extension handler (native extension background process) and local socket communication with the Fabasoft Folio UI process are used. This communication can be restricted to scripts of a specified domain. This is enforced by the Fabasoft Folio Client by validating the source URL. The source URL cannot be manipulated by a script (security mechanism of the Safari App Extension technology).

Microsoft Internet Explorer

The Fabasoft Folio Browser Extension ActiveX control uses the window messaging API to communicate with the Fabasoft Cloud Client. This communication can be restricted to scripts of a specified domain. This is enforced by the Fabasoft Folio Client by validating the source URL. The source URL cannot be manipulated by a script (security mechanism of the ActiveX control container).

Fabasoft Folio Client

The Fabasoft Folio Client validates a cookie received from the web browser (expected format, size and parameters) and stores the current value in the cookie store. After the local checks, the cookie is sent to the server, where the authenticity and the session information are validated. If the cookie is valid, the Fabasoft Folio Client stores the value in the in-memory cookie store of the HTTP client and uses it for further requests.

Communication Security

Communication with the Fabasoft Folio Client is only possible if the calling application was signed with a digital signature certificate whose issuer is known to the Fabasoft Folio Client.

Restrict the Allowed Domains

The usage of the Fabasoft Folio Client can be restricted to certain domains. By default, all domains are allowed. It is strongly recommended to restrict the Fabasoft Folio Client to your own installations only. You can configure the restriction with the following registry key.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Fabasoft\NativeClient\Folio
"VALIDDOMAINS"="<domain>(:<port>)"

This restriction can also be defined per user:

HKEY_CURRENT_USER\Software\Fabasoft\WebClient\ConfigValues\Enterprise21\
"VALIDDOMAINS"="<domain>(:<port>)"

Note: The value of VALIDDOMAINS can consist of a list of domains, separated by semicolons, commas or spaces. Subdomains can be given by name or matched with * as a wildcard, and entries can additionally be restricted to specific ports (e.g. 443, 80).

Example: *.example.com; example.com; *.example:443; sub.example:8080
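The following added example (not Fabasoft's code) shows how a VALIDDOMAINS value of this form can be parsed and checked against a host and port, so that an administrator can verify what a given list does and does not cover before deploying it. The matching rules are assumptions modelled on the documented example: a leading "*." wildcard covers subdomains but not the bare domain (the example lists both "*.example.com" and "example.com"), an entry without a port applies to every port, and an absent or empty value means no restriction.

```python
import re
from typing import List, Optional, Tuple

# Assumed semantics, modelled on the documented example; how the real
# Fabasoft Folio Client resolves edge cases is not taken from the page.

def parse_valid_domains(value: str) -> List[Tuple[str, Optional[int]]]:
    """Split a VALIDDOMAINS value into (host_pattern, port) tuples.

    Entries may be separated by ';', ',' or whitespace. An optional
    ':<port>' suffix restricts the entry to that port; otherwise the
    port is None and the entry applies to every port.
    """
    entries: List[Tuple[str, Optional[int]]] = []
    for raw in re.split(r"[;,\s]+", value.strip()):
        if not raw:
            continue
        host, sep, port = raw.rpartition(":")
        if not sep:
            entries.append((raw.lower(), None))
        elif port.isdigit():
            entries.append((host.lower(), int(port)))
        else:
            raise ValueError(f"invalid port in VALIDDOMAINS entry {raw!r}")
    return entries


def host_matches(pattern: str, host: str) -> bool:
    """Exact match, or for a '*.' pattern any host that ends with the
    dotted suffix (so '*.example.com' covers 'a.b.example.com' but not
    'example.com' itself and not 'example.com.attacker.net')."""
    host = host.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # keep the leading dot: '.example.com'
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def is_allowed(valid_domains: Optional[str], host: str, port: int) -> bool:
    """True if host:port is covered by at least one entry. A missing or
    empty value is treated as the documented default (all domains)."""
    if not valid_domains or not valid_domains.strip():
        return True
    return any(
        host_matches(pattern, host) and (entry_port is None or entry_port == port)
        for pattern, entry_port in parse_valid_domains(valid_domains)
    )
```

Checking the documented list with this function shows, for instance, that "sub.example" is reachable on 443 through the "*.example:443" entry as well as on 8080, while a lookalike such as "example.com.attacker.net" is rejected.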