I have a site with user profile pictures. I would like to protect the identities of the users, but Chrome (and other browsers) default to allowing reverse image searches on the jpeg images. Is there a way to post pictures while preventing reverse image search on them? What actually causes this option to appear on the right click menu on some images and not on others?
You may consider disabling the right-click menu on the image to prevent them from accessing any options "copy, search etc.". This is primarily a deterrent.
<img oncontextmenu="return false" src="http://placehold.it/350x150">
Any savvy user, though, will be able to do whatever they want with the image. Once it has been loaded in a browser the user owns the image locally.
If you publicly publish an image on the internet, it can be downloaded and reverse searched, be it with Chrome's right click or a more manual way.
There is no way you can prevent that. At most you will be able to make it a few seconds longer to reverse search the image.
I have a site with user profile pictures. I would like to protect the identities of the users, but Chrome (and other browsers) default to allowing reverse image searches on the jpeg images.
That's novel, but once a picture is delivered to any client, they can do whatever they want with it. They have the file. They could access the image from their file system and simply do a manual reverse search.
Is there a way to post pictures while preventing reverse image search on them?
No, there is essentially no way to prevent this from happening. If someone can see the picture, they have it. There are ways to deter them, but any person slightly inclined to get the picture will find a way, be it disabling JavaScript, accessing browser cache, or simply taking a screenshot.
What actually causes this option to appear on the right click menu on some images and not on others?
That option shows up because the browser has the option for it. Since the browser is a client-side tool, you can't directly control it. No matter what you try to tell the client-side, the client can simply ignore your directions.
The safest way to protect your users is to not expose these images to the public net. Secure them behind some kind of authentication scheme on a private network and make sure to serve them over https.
Related
I have PDFs that I have stored in my Google Drive and embedded into my site. I wanted the site visitors to be able to continue reading from where they left off when they reload, or when they leave the site and come back. I tried to get the scrollTop value but that returned zero.
Either the page number or the scroll position would work just fine. Is there any way to achieve this at all? Because I haven't found anything on the internet about this.
You need to store the scrolling state. To do so, you could use URL fragments. Look at this post for more info and a working code example.
I have a simple PAN card no: xxxxxxx7654, which I am showing using JSP in the browser. Now, if I use the view source functionality of the browser or the Firebug tool or Chrome bug tool, then I will be able to see the text in the DOM. Now, I want to get the text displayed in the browser, but want to hide it from the prying eyes of people who will be using Firebug, Chrome bug or View Source of a browser.
The field name is PAN_CARD_NO.
I display it using : <p id ='My_Pan'>My Pan is :<%= PAN_CARD_NO %></p>
Now this brings the value in the browser, which is nice and dandy, but I don't want it to be shown using Firebug or Chrome bug or view source.
Does anybody have any suggestions as to how it can be done?
The source of the page is what is delivered to the browser to be rendered. Because of that, anything that you want to present to the end user in the browser will be visible in some way in the source code. There are no work-arounds here. If it is displayed in the browser, the end user has access to it in one way or another.
If your goal is to not show the whole PAN card number, that should be done on the server side, before it's delivered to the browser. In this case, you make sure that the PAN_CARD_NO variable only contains something like xxxxxxx7654. With this method, the full PAN card number is never delivered to the end user.
If your goal is to prevent unauthorized users from viewing the PAN card number, then you need to make sure that you only deliver the card number for the authenticated user. This will require you to have the user authenticate themselves to the server in some way (e.g. logging in).
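The two measures from this answer, masking before the value leaves the server and releasing it only to the authenticated owner, as an added example that is not part of the original answer. It is written in JavaScript rather than JSP; `maskId`, `panForViewer`, `renderPanParagraph` and the record and session shapes are hypothetical, and the sample record is constructed.

```javascript
// Added example: everything here runs on the server, before any HTML is sent.

// Keep only the last `visible` characters; every other character becomes 'x'.
function maskId(value, visible = 4) {
  const s = String(value);
  if (s.length <= visible) return 'x'.repeat(s.length); // too short to reveal any part
  return 'x'.repeat(s.length - visible) + s.slice(-visible);
}

// Escape text before it is placed into an HTML response.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, c => map[c]);
}

// Decide which string, if any, may leave the server for this viewer.
function panForViewer(record, session) {
  if (!session || !session.userId) return null;        // not logged in
  if (session.userId !== record.ownerId) return null;  // logged in, but not the owner
  return maskId(record.pan);                           // the owner gets the masked form only
}

// Build the paragraph from the question; the full number never enters the markup.
function renderPanParagraph(record, session) {
  const shown = panForViewer(record, session);
  if (shown === null) return '<p id="My_Pan">Log in to view this field.</p>';
  return `<p id="My_Pan">My Pan is :${escapeHtml(shown)}</p>`;
}

// Constructed sample record (not real data).
const sampleRecord = { ownerId: 'u1', pan: '00000007654' };
```

Because the masking happens before rendering, View Source and the developer tools show exactly what the page shows and nothing more.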
I have been studying JavaScript and I've found so many things it can do and I feel comfortable using this language, but I'm getting worried about the right-click savers out there. Is there a way to prevent people from ever saving the images from my website and putting them onto their desktop?
Some girl
Some person
That person took the images
Store it on his/her desktop
Makes fun of the girl
No, there isn't any way to do this that isn't easily circumvented.
You can put some overlay onto the image, but that won't stop people with a dev console for their browser.
Another way is to load images from a script and only allow them to be shown when they are on a certain page (using PHP or any other server implementation).
No. If someone has gone to your web page and can see your image the browser has already downloaded the image and saved it to the local cache, whether or not the user knows how to get to it.
Also, they can always turn off JavaScript in their browser.
You can make it hard to download the image but it's IMPOSSIBLE to prevent image theft!
Using a grid of small images and showing just a part of the whole image when the user zooms in is the way most photography sites use to make it hard to steal the image. When you use a grid of images, drag and drop or Save As wouldn't save the whole image.
But it's still possible to steal the image by collecting all parts of the image and connecting them together via an image editing tool.
I have a page served over https that in some instances can display images pulled from rackspace over http.
In IE this triggers a warning asking if the user would like to display the insecure items.
If the user chooses to display them, all is good. However if they choose not to show them they will find the page looks broken.
I was trying to work on a solution where, if the user chooses to hide them, I detect that and pop up a dialog explaining why the page looks broken and what they need to do to make it work.
I tried adding an image, loaded over HTTP with an onerror event to call the dialog but it doesn't fire when the image is blocked.
I understand that this is not an ideal situation in the first place and it's a problem that will eventually be solved but, in the meantime, any idea how I can detect which option the user has chosen?
I am not at all sure if this will work. If you have Apache installed, maybe you can proxy the HTTP URL through a local HTTPS one. Sort of like tunnelling it.
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html
https://www.example.com [main page]
https://www.example.com/help.html [pass unchanged]
http://www.othersite.com [gets blocked]
This should be changed to:
https://www.example.com [main page]
https://www.example.com/help.html [pass unchanged]
https://www.example.com/secure/?url=www.othersite.com [proxy it]
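A check for the `?url=` parameter of the proxy endpoint suggested above, added here as an example that is not part of the original answer, so that the HTTPS endpoint only fetches hosts the site already embeds instead of whatever the parameter names. `ALLOWED_HOSTS` and `resolveProxyTarget` are hypothetical names; the host is the one from the answer.

```javascript
// Hosts the proxy may fetch on the page's behalf (hypothetical allowlist).
const ALLOWED_HOSTS = new Set(['www.othersite.com']);

// Turn the ?url= value into the upstream URL to fetch, or null if it is refused.
function resolveProxyTarget(rawParam, allowed = ALLOWED_HOSTS) {
  if (typeof rawParam !== 'string' || rawParam.length === 0 || rawParam.length > 2048) {
    return null;
  }
  // The answer's example passes a bare host ("www.othersite.com"), so default to http.
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(rawParam);
  const candidate = hasScheme ? rawParam : 'http://' + rawParam;

  let u;
  try {
    u = new URL(candidate);   // parse once, then decide on the parsed parts only
  } catch {
    return null;              // not a URL at all
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  if (u.username || u.password) return null;  // "allowed-host@other-host" confusion
  if (u.port !== '') return null;             // default ports only
  if (!allowed.has(u.hostname)) return null;  // exact match, no suffix or substring tests
  return u.href;
}

// The code that fetches u.href should also refuse redirects, or run each
// redirect target through resolveProxyTarget again before following it.
```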
Is there any reason to NOT have a webpage retrieve its main content on the fly?
For example, I have a page that has a header and a footer, and in the middle of this page is an empty div. When you click on one of the buttons in the header, an http GET is done behind the scenes and the .innerHTML() of the empty div is replaced with the result.
I can't think of any reason why this might be a bad idea, but I can't seem to find any pages out there that do it? Please advise!
It's not unheard of, but there are issues.
The obvious one is that some users have JavaScript turned off for security reasons, and they will not be able to use your site at all.
It can also negatively impact handicapped users that are using assistive technology such as a screen reader.
It can make it harder for the browser to effectively cache your static content, slowing down the browsing experience.
It can make it harder for search engines to index your content.
It can cause the back and forward buttons to stop working unless you take special steps to make them work.
It's also fairly annoying to debug problems, although certainly not impossible if you use a tool such as Firebug.
I wouldn't use it for static content (a plain web page) but it's certainly a reasonable approach for content that is dynamically updated anyway.
Without extra work on your part it kills the back and forward history buttons, and it makes it difficult to link to the pages each button loads. You'd have to implement some sort of URL changing mechanism, for example by encoding the last clicked page in the URL's hash (e.g. when you click a button you redirect to #page-2 or whatever).
It also makes your site inaccessible to users with JavaScript disabled. One of the principles of good web design is "graceful degradation"--enhancing your site with advanced features like JavaScript or Flash or CSS but still working if they are disabled.
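The URL-hash mechanism described in this answer, as an added example that is not part of the original post. The fragment is looked up in a fixed table instead of being used as a URL, so a pasted or bookmarked link can only load content the site intends to serve; `ROUTES`, `pathForHash`, `installRouter` and the `content` element id are hypothetical.

```javascript
// Fragment name -> server path. Only these paths can ever be requested.
const ROUTES = new Map([
  ['page-1', '/content/page-1.html'],
  ['page-2', '/content/page-2.html'],
]);
const DEFAULT_ROUTE = 'page-1';

// Map location.hash to a path from ROUTES; unknown or malformed
// fragments fall back to the default page.
function pathForHash(hash) {
  const name = String(hash || '').replace(/^#/, '');
  return ROUTES.get(name) || ROUTES.get(DEFAULT_ROUTE);
}

// Wire the router to a window-like object. `load` fetches a path and
// resolves to the HTML to place in `container`.
function installRouter(win, container, load) {
  const show = () =>
    load(pathForHash(win.location.hash)).then(html => { container.innerHTML = html; });
  // hashchange fires for back/forward navigation and for clicks on <a href="#page-2">.
  win.addEventListener('hashchange', show);
  return show(); // initial load, so bookmarked and shared links open the right page
}

// Browser-only wiring; skipped when the file is run outside a browser.
if (typeof window !== 'undefined') {
  installRouter(window, document.getElementById('content'),
    path => fetch(path).then(r => r.text()));
}
```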
Two considerations: Search engine optimization (SEO) and bookmarks.
Is there a direct URL to access your header links? If so, you're (almost) fine. For example, the following code is both SEO friendly and populates your page as you desire:
Header Link
The catch occurs when people attempt to bookmark the page they've loaded via JavaScript... it won't happen. You can throw most of those potential tweets, email referrals, and front page Digg/Reddit articles out the window. The average user won't know how to link to your content.
Where did you read it is a bad idea? It purely depends on requirements whether or not content will be populated on-the-fly. In most cases, however, the content is loaded along with the page not on-the-fly but if you need your content on-the-fly, it shouldn't be a bad idea.
If your content is loaded via JavaScript and JavaScript is disabled on users' browsers then definitely it is a bad idea.
I can't think of a bad reason for this either (other than possibly SEO). One thing that would probably be a good idea is to load the data only once, i.e.
Show Div1 - do ajax/whatever only if the innerhtml is blank
Show Div2 - do ajax/whatever only if the innerhtml is blank
<div id="div1"></div>
<div id="div2"></div>
This should keep the server load down so the divs' content is only loaded once.
Cheers
This is pretty standard behavior in ajax enabled sites.
Keep in mind however that extra effort will be needed to:
ensure the back button works
link to (and bookmark) specific content
support browsers with JavaScript disabled.