horok/firefox
1
0
Fork 0
Code Activity
firefox/widget/windows/docs/LimitedAccessFeature.rst
Daniel Baumann 5e9a113729
Adding upstream version 140.0. 
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
2025-06-25 09:37:52 +02:00

58 lines
2.3 KiB
ReStructuredText
Raw Permalink Blame History

===============================
Windows Limited Access Features
===============================
--------
Overview
--------
`Limited Access Features (LAF)
<https://learn.microsoft.com/en-us/uwp/api/windows.applicationmodel.limitedaccessfeatures?view=winrt-26100>`_ are
features which require a special token and attestation to unlock them before
their corresponding APIs can be called. These usually take the form
``com.microsoft.windows.featureFamily.name``. This is most relevant to Firefox in
the context of pinning to the Windows taskbar as the new Windows pinning APIs require
Firefox to first unlock the corresponding ``com.microsoft.windows.taskbar.pin``
LAF.
If we need to use a new Limited Access Feature we should notify Microsoft
if requested in the feature's documentation.
-------------------
Unlocking Procedure
-------------------
Applications which exist in a packaged context, such as MSIX installs,
have something called a Package Family Name (PFN). The PFN is generated
at build time for MSIX installs and varies between channels. This can be
accessed through Windows API calls on MSIX. For non-MSIX installs we are
provided a specific PFN by Microsoft which lives in the rc file in
the final install and can be modified in ``create_rc.py``.
The registry key corresponding to the LAF can be read at
``HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\LimitedAccessFeatures\<lafId>``
This key's default value contains a string which is the "key" for the
Limited Access Feature.
To get the complete unlocking token, the LAF identifier, LAF key, and PFN
can be combined in the format ``"<lafId>!<lafKey>!<PFN>"`` and then
encoded in SHA256. Taking the first 16 characters of this output and
converting to Base64 yields the final token. The overall process is
as follows:
.. code:: text
Base64(SHA256Encode("<lafId>!<lafKey>!<PFN>")[0..16])
The other piece of unlocking is the attestation. We first need
the publisher identifier, which consists of the last 13 characters
of the PFN. With that, the attestation is assembled using the boilerplate
below:
.. code:: text
<PFN[-13]> has registered their use of <lafId>
with Microsoft and agrees to the terms of use.
The token and attestation can then be passed into ``LimitedAccessFeature.TryUnlockFeature()``
to unlock the corresponding APIs for use.
View git blame Copy permalink