If I login on any new site, google chrome asks me if I want it to save my password.
My initial thought was that it simply watches form submits, but the prompt doesn't show when the login fails because of a wrong password.
So how does it know? Is it looking for URL changes or something more complex?
(Context: I'm working on a chrome extension that alerts you whenever you enter a weak password. Simply adding an 'onsubmit' event handler to the login form doesn't work for me, because some of the checks run asynchronously. I also tried using event.preventDefault() and asynchronously calling the form submit again later, but that doesn't seem to work for some sites.)
My guess is that it watches for URL changes after submit. I noticed with some slow-loading websites that the password save dialog is shown only after the subsequent page begins to load. On the other hand, the dialog is not displayed when the same login page is simply reloaded (with or without additional args) which usually happens on bad login.
But this is an educated guess only.
Related
I am trying to figure out a way to have someone auto complete a survey and then press submit. I have figured out have to get the information prefilled. The issue comes in when pressing submit.
I followed this link Link Here However, I get this error SecurityError: Permission denied to access property "document" on cross-origin object
I realized that the page I followed is old and this error is telling me that what I am doing is an attack on the site. However, this is not an attack I am trying to do but instead just press the submit button.
The survery is on LimeSurvey if it helps.
Does anyone have any ideas on either this way or another way of pressing submit on a third party page?
Due to the same-origin-policy this is not allowed and if there was a workaround, it would render the same-origin-policy useless.
The only thing I can think of is using something that controls the browser like the browser testing framework selenium. But that requires installation on the local system.
I am using PhantomJS to test a website. However, when you login to this website, you have to enter a CAPTCHA string. I try to render the page, then enter the CAPTCHA from console and pass it to the CAPTCHA field, but the page reloads again and my string does not match the CAPTCHA anymore. I guess it's a session problem.
So I want to know if there is any way that I can login to this page on a browser (Firefox or Chrome...) and do something so that when my PhantomJS program opens that page, it will lead to the main page, not the login page. Or is there any better solution?
I'm currently working on a web application that is loaded inside an iframe inside a webview in a mobile app. As the user clicks a button, I perform an AJAX request, and once I get a successful response, I need to redirect the user to another page, by modifying window.top.location.href. This works in most situations, but in a certain iOS app, the redirect is not performed in a fair amount of cases.
I've tried to search for information about this, but given the peculiar setup, I haven't really been able to find anything. I don't control the iOS app, only the application running inside the iframe, so it's fairly hard to debug.
When the redirect fails, it does so silently. If I inspect the network traffic of the app, I can see that there's no request being made to the URL I try to redirect to.
My current hypothesis is that the redirect is being blocked as a security measure because it's not a direct result of a user interaction. You click on a button, the request is made, then the redirect happens a second or two later (depending on how long the request takes). I have tried to verify this in two ways:
Tap the screen in random, non-interactable spots while the reuqest is being made. If there is some kind of simple timer that is reset any time you interact with the device, to determine whether or not the redirect should be allowed, then tapping should make the redirect work. As far as I can tell, that is the case, but it's hard to verify that it isn't caused by something else.
Introduce an artificial delay before the redirect. So even if the request is done after 500ms, I wait an additional five seconds before doing the redirect. This should cause the redirect to fail consistently. Doing this also seems to support my hypothesis, but again, it's hard to know if that is the reason.
Has anyone else experienced this issue? If so, is my hypothesis correct, and did you come up with another workaround than adding a "Click to continue" button to actually do the redirect? Is there any documentation on this behavior anywhere?
I've faced the same issue. Emulation of a click does the trick:
document.getElementById('linkElementID').click();
I want to automatically log in to specific websites, e.g. the groupware webinterface at work. My browser (Chrome on Linux, if that matters) saves passwords for me, but I want a complete auto-login, so that I don't even have to click the "login" button anymore.
I have investigated multiple ways to approach this, but none of them has turned out to be satisfying:
1. Use a Tampermonkey JavaScript which clicks the "login" button on the website
I wrote a custom JavaScript which was supposed to just click the "submit" button once I load the login page. Chrome was supposed to fill in the password fields. The idea sounded pretty straight-forward. However, this is bad for 2 reasons: On the one hand, I cannot use Chrome's saved password. Chrome has a policy that the password field already displays the circles, but the password is not actually filled in and is also not accessible from JavaScript until the user has performed a gesture such as clicking (see this Chromium issue), which kind of defeats the purpose of my JavaScript. I could go around this by saving the password in localStorage additionally (security wouldn't be compromised, as the saved passwords are not encrypted either), but this doesn't feel good. On the other hand, this breaks a (imho) significant security feature of Chrome. It is the same feature mentioned above which prevents XSS attacks from stealing login passwords. Because whenever I load the login page, the password would be filled in and it would log me in.
So what I would rather want is a special (if possible local) page which I can bookmark, but which will (probably) never be known to anyone performing an XSS attack on me.
2. Use a local HTML page which loads the login page, fills out the form and logs me in
This is a simple idea and would accomplish my goal, but of course it doesn't work because of the same-origin policy.
3. Use a script/program
This would theoretically work. I could write a program which downloads the login page, reads the form, submits it and then transfers the cookies (or the login URL, if the form uses GET to submit to the browser. However, this would be a major piece of work, especially for the case where the forms use the POST method (I'd have to transfer cookies to a possibly running instance of Chrome).
Plus, I'd have to somehow tie this program to a local webserver or turn it into an extension so I could access it from within my browser. After all, opening a shell and typing a command is not really easier than clicking a login button.
4. Use cookies
This is not really an approach, but I mention it here for completeness' sake. By default, Chrome removes all cookies when I exit the browser. I can configure it to keep the cookies of specific websites so I don't have to log in again when I restart it. Some websites use only session cookies, though, so closing the last tab already (correctly) removes the cookies and I have to login again. As a result, cookies only solve my problem for a few websites, but not all.
So my question is: Is there an easier way to accomplish automatic log-in without having to circumvent security features or write a large program?
P.S.: I know, this is a lot of effort to get around clicking a single button every now and then :)
I have experienced a weird problem with javascript.
The problem page uses some jQuery code to collect data and it does input checking validation. If the validation is true, it posts to the server. Some of our users reported (10% or maybe a lot less), they could not submit on the website.
We talked with one of the users who had the problem, and were even more confused afterwards.
Tester's PC: XP, IE8, FireFox
The first time he used IE and the JavaScript validation did not fire, he was NOT able to submit data to server neither, because the validation was set to be false by default.
(it is supposed to have a error message showing up if the validation is false)
Afterwards he tested with F.F. (F.F. worked straight away).
Coming back to IE again, the validation script started working and the submit was again successful.
So, after all the tester don't have problem any more, and couldn't replicate neither.
I am wondering if there is any software or program may stop the js file from downloading properly?
Because the page is also hosted in a i-frame in another website, that is why i thinking some antivirus may think this is a across-domain threat and stopped the posting working.
If so how can i do a check to ensure all the required js files are downloaded before user doing a submit?
What else should i look into, since the problem happens on client end only, with no server-end validation yet.
#drachenstern: thanks for the edit
You could disable the submit button, enable it only after jQuery is fully loaded and executed.
For example:
<input type="submit" disabled />
then, in your Javascript,
$(function () {
$('input:submit').attr('disabled', false);
});
However, be advised that
User will not be able to submit
anything on a browser that doesn't
support Javascript
You should not
depend on Javascript to verify the
user content; always validate the
data again on the server-side.
It is possible that there is some delay in loading the javascript on the client sde. anti-Virus "Internet secutiry" products (may) do a lot of checks.
It is highly possible that the internet security product scans a call, and then decides "ok, this is safe" and then the javascript file is downloaded. There might be a delay in this.
How to avoid the situation?
Don't tie your form submit to javascript. Let it happen always, with or without javascript. If javascript is ready the user will have a good experience (immediate validation). If it is not yet ready, the user will still be able to do the submit, do the validation and throw error messages the "traditional" way - by refreshing the page
Make the user wait till the javascript is loaded. You can have a small "loading" icon somewhere in the page to tell the user he has to wait. The user can enter the data, but can't submit yet. In the background, keep checking whether the javascript is loaded (setTimeout and checking for a specific variable). Once it is loaded, you can use javascript validations
A combination of the two: Allow non-javascript submit till you know that javascript is loaded. Once done, use javascript validations.
I would suggest at first that you should always validate everything on the server. The only reason to validate on the client is to make the response to the user faster on bad inputs.
Additionally, to ensure that each file is downloaded and processed, you could always put a global var in each file, then check them in the document proper to see if each variable has been found. It's a crude back but it would work.
You didn't specify what version of IE the user was using, but the problem of the file not being loaded right away in IE sounds normal behavior to me, however quirky. I've run into that many times, and the only solution is a ctrl-F5 for me. I don't know what else to say there. It would be WONDERFUL if we could always have every browser respond the same, but we can't, so we go on. Also, what OS were they doing all this testing on? And What browser do you test on?
What behavior do you see in IE? If you're using IE8 or later, you'll have debug tools for sure, and you could always use FirebugLite to debug your pages in IE without using the IE tools. Then you could see what the page is doing in IE. Perhaps it's throwing a javascript parsing error? Are there any icons on the window chrome in IE that would give a tipoff?
But I think that if you're trying to fix the second paragraph, you're doing it wrong if you're relying on the javascript to process the validations. But I'm just one guy.