Chromium/Google Chrome Frame doubt...

I was messing around with Chromium/Google Chrome Frame, and I've experienced mixed results.

But, first thing first. I'm not using Google Chrome Frame itself, but rather using what's already part of my Chromium install. I simply registered the DLL file npchrome_frame.dll so that it appears in Internet Explorer 10 addons.

It's loaded and it works for some websites, but it won't work for others. I do understand that websites need to have a meta tag, but according to something I've read it appears that if we type cf:https://www.wilderssecurity.com, that it should work. But, it's not.

But, if access other websites such as www.chromium.org, which does contain the said meta tag, then it works fine. So, Chromium Frame it's working as it should, because when right-clicking the webpage I see the About Chromium Frame.

Monitoring Process Explorer also reveals that the chrome.exe process runs.

According to this website (-http://www.askvg.com/force-microsoft-internet-explorer-to-always-use-google-chrome-frame-to-open-urls/), there are a few ways of forcing Chromium/Chrome Frame, one being a registry hack, but doesn't appear to be forcing it, at all...

Is anyone running Google Chrome Frame and also experiences the same, or have you tried Chromium Frame the same way I did, and had any luck having all websites using Chrome Frame instead of IE's own rendering engine?


Thanks!

 

According to -https://dshield.org/tools/browserinfo.html the browser user agent does include chromeframe/. But, if I right-click the website it doesn't show About Chromium Frame. I'm wondering if it's actually necessary for that to appear as a sign that the CF is working? I think that if it was not working, even for such websites, then the user agent would be IE's one...

 

I got it working!

It turns out that the AskVG article is wrong!

I finally found the info I wanted at the Chromium website. For some reason I let the info pass through my eyes.

Source: -http://www.chromium.org/developers/how-tos/chrome-frame-getting-started#TOC-Testing-Your-Sites

So, the actually registry key is HKCU > Software > Google > ChromeFrame with a REG_DWORD key named "IsDefaultRenderer" with a value of 1.

Stupid AskVG article.

Anyway, this turned out to be a great exercise.

 

I understand the need for this in IE8 and below (rendering modern websites at the cost of security), higher however I do not. You just increase the attack surface. It wasn't long ago that MS were complaining because Google's Chrome Frame plugins weren't opting into security measures like ASLR.

 

First thing first. I'm not doing this to use IE or Chrome Frame, but just to experiment with stuff.

Second, which attack surface? I remember reading the "complaints" from Microsoft, and I agreed in part with something, and that was the fact that at first Google wasn't much into the quick bug fixing. But, that changed short after, and Chrome/Chromium Frame updates come out at the same time that a Google Chrome/Chromium version comes out, and in Chromium's case, it's pretty much hourly builds (I think).

I'm pretty sure you agree that Google has been quick fixing bugs, especially when involving serious security vulnerabilities. (You're entitled to disagree, though. But, it's just my opinion, judging by the release cycle.)

Third, the dll file loaded in Internet Explorer does support ASLR (I'm not disagreeing with the past, as I don't know about it.).

Fourth, I'm running chrome.exe with a low integrity level, and the renderer processes run with Untrusted by default (Low <-> Untrusted). So, I believe this is safer than Internet Explorer's own Medium <-> Low.

All running under EMET.

Anyway, just experimenting. But, if you do know of more that could give me enough reason to stop experimenting, then I'll be more than glad to evaluate this.