I am adding inline image to Outlook body through compose message and came up with this issue. Here is the documentation for addFileAttachmentAysnc:
Office.context.mailbox.item.addFileAttachmentAsync(attachmentURL, attachmentURL, options, callback);
My attachmentURL is a query string that has image ID, user token, smtp:
http://namiq-pc/MailForms/api/GetAttachment?AttId=logo.png&MwToken=eteFIPebdPIKTLhfWKXDirp/rhdEVLmBxnKVU69mM36HgJCiINang8QDnB9w4ibKX6YG58esb1Kxa4oPw6s+QenADodv21An6/rjOkBIY1u5KObhrGhZFfOFRRD0+K7Q69J0VmL+6GY=&ReqId=HCYJ+G/WakTy/s1Hz5kURnU4cuANAb83lQ==&userSmtp=tw1621#mdev.org
Once I finish my compose form( a pop up window), I click finish which should add the image to the body. I should also mention that on my Controller, I am checking the IP of a user just to make sure they are allowed to make the request. When addFileAttachmentAsync finishes it sets img src to "cid:xxxx" and calls
Office.cast.item.toItemCompose(Office.context.mailbox.item).body.setSelectedDataAsync(body,{coercionType: "html", asyncContext: "set message body" }
When I click finish, text content is being added fine, I thin rendering image source forces it to go to my controller again and fails the IP check because now it is the Outlook making the request not the user(IP address of the request is in IPv6 format). (IP check has a list of potential users' IP addresses in 10.10.xx.xx format).
Now in my email body I get a broken image with my attachmentURL as a source and originalsrc is what I set
<div class="x_mw-images"><img src="http://namiq-pc/MailForms/api/GetAttachment?AttId=logo.png&MwToken=eteFIPebdPIKTLhfWKXDirp/rhdEVLmBxnKVU69mM36HgJCiINang8QDnB9w4ibKOnFdBCeOpo1Nr8bCtXa4vyQ5PI/bOg8yTI/qpY5HVNpPVBQJghdmnAfgR/WTaGk0hAiQn3237yU=&ReqId=IOyOCna5kLpAKN6EjFKuNExpYNANAb83lQ==&userSmtp=tw1621#mdev.org" alt="logo.png" height="100" originalsrc="cid:1528819032946.png" size="90196" style="user-select: none;"></div>
The way I understand is whatever you put a source Outlook overrides it with the attachmentURL and sets your "src" value as a original source. Checking the IP address is a crucial step for my case, any idea how to get around this issue or may be explanation of what I am doing wrong would help.
I figured out a solution to this issue. The way my code worked is, it first sends a POST request with user token and path. This POST request returns back file names that need to grabbed from sevrer. Then I call addFileAttachmentAsync with those filenames and some other details to help authentication.
http://namiq-pc/MailForms/api/GetAttachment?AttId=logo.png&MwToken=eteFIPebdPIKTLhfWKXDirp/rhdEVLmBxnKVU69mM36HgJCiINang8QDnB9w4ibKX6YG58esb1Kxa4oPw6s+QenADodv21An6/rjOkBIY1u5KObhrGhZFfOFRRD0+K7Q69J0VmL+6GY=&ReqId=HCYJ+G/WakTy/s1Hz5kURnU4cuANAb83lQ==&userSmtp=tw1621#mdev.org
I do IP check when addFileAttachmentAsync makes the GET request to the server. This step succeeds because of the IP safe list. In the case when IP check fails(which happens when compose form body is transformed to mail body), I am just making sure both POST and GET request are sent by the same address by comparing the hash of IPs.
Because the server makes the both requests in this last step, when everything goes right, they do match.You just need to carry POST request IP address throughout these steps(returning hashed IP from POST as a JSON) so you can compare it during GET.
Related
I am trying to build a SPA which would input box that would take a Gradio Link, (Gradio is simple tool to build Interface for ML Models). Now, I am using an Iframe that takes the user input URL and displays the result. Something like:
Problem is Gradio Link should not be kept open and some authorizations need to be kept.
Approach 1: Tried using Axios get request to make request to URL and display the content in iframe as srcDoc, but while trying to run the model in iframe it fails as returned HTML file as relative paths, example /run/predict.
Approach 2: Tried directly using <iframe src={url}/>, assuming origin Cookie (SPA authentication tokens) would be transferred to destination where I can verify User and send the response, but the cookies in the origin domain are not being transferred to source URL.
Now, for method 1 I need to intercept all the request going out from nextjs with user input URL, example /run/predict to url/run/predict. Nextjs Allows to proxy but when request is of type api/run/predict.
For method 2: I need to send the origin cookie to destination (Source URL). Tried, setting cookie sameSite: None, and secure to true, but still not receiving cookies on destination URL.
Can anyone help me with what could be a possible solution for method 1 or 2 or I am approaching wrong way then please suggest me with right one.
Posting question in StackExchange for first time. Apologies if this has issues...
Need to track email open.
This is something not very new and the approach generally used is to have a pixel in the HTML which calls a server URL asynchronously. By using this we get the number of opens for an email.
Now the issue is the email is send to a Distribution List (DL) and we have a requirement to track email open and also clearly state who has opened it..
Basically when a hit to server comes, it should says xxxx#mail.com has opened this email.
In my HTML if i have a way by whcih to capture the email headers, my requirement would be sorted... I would use Javascript to get the email headers and then when i call the server URL i will send across the details...
When i searched i found a POST which was doing something similar...
Read email headers in Outlook Web Access (OWA)
But this was for office application...
Also, i am not sure whether this would even work...
Any pointers is well appreciated....
I am specifically at the moment looking for exchange server...
In my HTML if i have a way by whcih to capture the email headers
You don't.
I would use Javascript to get the email headers
You can't run JavaScript in an HTML formatted email
The only identifying information you can get back from the email is the information you put it in it in the first place.
You can put a unique ID in a tracking pixel (increasing the chances of it being marked as spam) but that ID will be given to anyone who gets a copy of the email (including if it is forwarded automatically by a mailing list or manually by a reader). The tracking will also fire only if the image is loaded from the server (plenty of people keep email image loading turned off).
There is no way to find out who your email actually ended up with.
Upon completion of an ajax call I would like to direct the user to an html page, but at the same time passing a hidden variable (this variable contains sensitive information and should not show up in the URL).
How can I accomplish this?
window.location.href = 'userpage.html?id=14253';
But with the id remaining invisible? Can I POST the id somehow while sending the user to userpage.html?
You should not be checking user credentials on the client side of your website. Regardless of how the ID is being passed to your script, it can be replicated without you being able to check if the request is valid.
To start being even remotely secure with what information is granted to a user, you need to be checking it via the server side. With every request, ensure the user is authenticated to view such data.
If I were you, I would look into using PHP sessions as the first line of defense for checking if a user is authenticated. Doing so will at least keep the information about a user out of a replicable space that can be viewed by the user.
Look up 'php session login tutorial' on Google and you will find plenty of simple tutorials which should get you on the right track.
Example Tutorial
No matter what, the information you pass along is insecure. You can submit a post request using XMLHttpRequest objects if you'd like (or use a framework/library to make AJAX calls) -- but the user could still spoof the data and get different results.
ID enforcement should be done in the backend. Does the requested ID match the ID of the user signed in? No? Don't show it. etc etc.
Through several threads I can see that the use of the MVC antiforgery token is overkill on areas of a site where a user is not authenticated.
I have an application that posts some information to mysite.com from site1, site2, site3, etc. Each site has a unique identifier that gets sent in the POST request through an asynchronous Javascript POST. The Javascript that is executed on site1-3, is generated on mysite.com, then returned to the sites with some Javascript variables populated.
So the lifecycle is as follows:
A page on site1 has a Javascript reference to mysite.com.
That link reference is to a controller route that generates Javascript to return to site1.
The end of the JS that is returned contains a POST request that goes back to mysite.com containing Url, browser, etc., details for the visitor of the page on site1.
I can read in the POST parameters just fine in the accepting controller from the JS POST request, however, what I wanted to know is if there is any point in adding an antiforgery token to the parameter list.
If so, I would have to generate it on the initial request, and pass it back as a JS variable in the JS returned to site1, then pass it back along with the form POST in the second request.
Since any processing on mysite.com will only occur if a valid account is found, is there any point in going through this?
If so, how would I generate the antiforgery token on at the controller level?
I would say that it depends on the sensitivity of the data that is being posted. If another user could cause harm (or annoyance) by crafting forged requests and submitting them, then I would say that it would be appropriate. It sounds like you're just collecting some usage information so that's not likely to be the case.
A one-time, random nonce might be a better solution. That would make it difficult to forge a request and prevent erroneous multiple submits, say from the user using a cached copy. Generate a random value (a GUID might work) on mysite.com, inserting it in the database and marking it as unused. Send it back with the POST. Check whether it has been used or not. If not used, then mark it used and perform your logging action. If it has been used already, discard the request as a duplicate submission.
Note that you wouldn't need a POST for this, a simple GET with URL parameters would be sufficient since the nonce will prevent it from being accidentally repeated.
I'm trying to load a page differently if it is a post or a get, and seems like jQuery would have something so I could do
if (isPost())
{
// do something if this page was a post
}
I'm showing/hiding something based on the request type and want to do it specifically with javascript. I can easily do it with the framework I'm using, but don't want to.
The problem here is that you are confusing client-side with server-side.
GET, POST, PUT, DELETE, etc are all HTTP 'methods' that are sent to a server from the client (e.g.: the browser). The server then responds with the appropriate HTTP response, normally in the form of content that contains HTML.
POST/GET/etc have no context at the client side outside of dictating how a request should be sent to the server.
Think of the browser being your postal mailbox and POST/GET/etc being the method it was delivered. When someone sends you a piece of mail, they specify the method, such as first-class mail, overnight express, or same-day delivery. The Post Office handles the mail based on how it was received and sends the mail using the appropriate action. When you pick up your mail in the mailbox, you don't know if it got there via standard mail, overnight express, or same-day delivery. The only way you would know is any information that is on the envelope itself.
The solution to your problem would would follow this same principal. To resolve it, what you will need to do is include a hidden value that jQuery can pull in, either in the query-string, a special element, or as a hidden textbox that contains the HTTP method used to get the page.
This requires that server-side code be changed accordingly to push that information back to the client.
Hope that helps clear it up a bit.
i don't know if this is really possible in javascript. But you can check if there is a query string which is GET in the URL
if (location.search.length > 1) {
// your code.
}
location.search returns the query string in the URL
http://example.com/index.html?id=1&value=3
in this case location.search will be ?id=1&value=3 including the question mark.
so if it is present then you have a GET