NPAPI plugin support or similar for reading smartcards
B

3

3

Now that Chrome and Firefox (FF to a lesser but still relevant extent) are removing support for NPAPI (basically Java) and Edge (formerly Spartan) won't have it, what are the alternatives?

I appreciate there is no one-size-fits-all replacement and as of yet I am struggling to find something which would suffice. It will need to connect to an NFC reader attached via USB, with the ability of reading and writing to smartcards.

I have found various options such as Native Client but this is Google-specific - it would need to be cross-browser.

Balbriggan answered 23/4, 2015 at 9:8 Comment(0)
S
2

FireBreath 2 will support this, since you don't need drawing support. If you're willing to get your hands dirty you could probably use it for what you need, but you'd need to be willing to help track down and fix bugs and such.

It's currently in the "refactor" branch in FireBreath's GitHub repo, but I expect that'll change eventually.

Squat answered 23/4, 2015 at 16:18 Comment(2)
Considering this uses the NPAPI framework, this is surely affected as well? Balbriggan
FireBreath 2 changes all of its APIs to be async. It now has 3 browser access methods instead of 2: ActiveX, NPAPI, and FireWyrm. FireWyrm is a new RPC mechanism developed specifically for FireBreath 2 which can be accessed via native messaging. As of writing this there is still a lot to be done but it's getting close. Squat
J
1

You could write a local REST service in any language that listens on http://localhost:[some_custom_port] that will communicate with the NFC reader.

Then you just need to write JavaScript to communicate with the REST service. This should work from any browser.

Some issues with this approach:

- Each PC with an NFC reader will need to install the service before being able to communicate with the NFC reader.
- Some sandboxed browsers (such as the Metro IE) won't be able to reach localhost.

Jordanjordana answered 9/5, 2015 at 11:5 Comment(1)
If Edge, the default browser in Windows 10, can't access localhost then this approach has some big downsides. Prittleprattle
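The local service from this answer, written as an added example (not code from the original post), with the checks it needs because any page open in the user's browser can send requests to localhost: a loopback-only bind, Host validation and an Origin allow-list. The port, the origin `https://app.example.com` and `read_card()` are assumptions.

```python
import json
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

PORT = 47821                                    # assumed custom port
ALLOWED_ORIGINS = {"https://app.example.com"}   # assumed origin of the web app
ALLOWED_HOSTS = {f"localhost:{PORT}", f"127.0.0.1:{PORT}"}


def check_request(headers):
    """Return (status, reason) for a request's headers; 200 means allowed."""
    # DNS-rebinding defence: a hostname rebound to 127.0.0.1 still sends its own Host.
    if headers.get("Host", "").lower() not in ALLOWED_HOSTS:
        return 421, "unexpected Host"
    # Every site the user visits can reach localhost, so pin the calling origin.
    if headers.get("Origin") not in ALLOWED_ORIGINS:
        return 403, "origin not allowed"
    return 200, "ok"


def read_card():
    """Hypothetical stand-in for the real reader call (e.g. through a PC/SC library)."""
    return {"uid": "04A1B2C3"}  # constructed sample value


class BridgeHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, reason = check_request(self.headers)
        if status == 200 and self.path != "/card":
            status, reason = 404, "not found"
        body = read_card() if status == 200 else {"error": reason}
        payload = json.dumps(body).encode()
        self.send_response(status)
        if status == 200:
            # Echo only the vetted origin, never "*", so other sites cannot read the reply.
            self.send_header("Access-Control-Allow-Origin", self.headers["Origin"])
            self.send_header("Vary", "Origin")
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    # Bind to loopback only so other machines on the network cannot reach the reader.
    ThreadingHTTPServer(("127.0.0.1", PORT), BridgeHandler).serve_forever()
```

Write operations to the card would use a non-GET method, which also needs a preflight (`OPTIONS`) handler applying the same checks.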
S
0

In order to provide a secure connection and to support all browsers, there is a solution that looks like communication from the browser to a native desktop app via a custom URI, and from the native app to the browser through a web service I tried. The native app will handle the reading functionality. The implementation seems to be complex but applicable for secure communication. source

Systematism answered 11/12, 2015 at 23:30 Comment(5)
I did not get the clear context of the man in the middle you are pointing to, but I imagined you are asking for an attack. I am using token-based validation. I created a new repository for my standard code base and will post the code soon: link :) :) Systematism
So you are using an HTTPS server on the client side and I suppose you are installing the HTTPS server certificate as a trusted root CA. Right? This will endanger your users' privacy. Metonym
My exe (proposed) is not signed with that certificate. It will be signed with a secure one and the private key is hosted in that signing. All data will be encrypted with that one and only your server will understand the encryption. The certificate for the HTTPS server can be self-signed or from a trusted CA; it's just to communicate with an AJAX call from a secure web page :) Systematism
Ok, but if your webapp is HTTPS you will need your client-side server to be HTTPS too (to avoid mixed-mode restrictions). Now, in order to have your client-side server be in HTTPS you will have to make your self-signed certificate trusted by browsers, and this is the problem; look what happened with DELL: computerworld.com/article/3008113/security/…... I am still looking for a solution to this problem... Metonym
To my knowledge, all browsers will accept a self-signed certificate if your HTTPS client server is present on the client machine. The URL from DELL seems to be a different context. They are using a self-signed certificate to access the root of the machine. Here the local client server doesn't have any permission to access the client machine's contents and it's only to communicate with the card reader. Agreed, the connection is an open connection even if it is HTTPS because of the self-signed certificate, but the data is encrypted with the secure key only you know. Systematism
