I don't want to get into details of my situation, but it's like this:
I'm part of a website and so are other people. On this site, we are all waiting for something to appear on the site, but one must refresh the site to see if anything new appeared. The site rules explicitly mention that auto-refreshing tools are prohibited.
If I for example use a browser extension that would refresh the site every minute, could the site detect that? Do these extensions make the same request to the site as if I clicked the refresh button? I'm sure they could detect the refreshing intervals, but that can be avoided by a random timer. So what is the most undetectable way of autorefreshing a site?
Different extensions work differently. Some use the JavaScript reload function; some will just grab the URL and replace window.location with it, effectively making another GET request.
The only difference in the actual request will be whether or not cache control is set, etc., so they might use that for detection. So definitely you need to take a look in the documentation to see how the request is being issued in that specific extension.
As far as circumstantial evidence, they can cookie you, use local data storage, or use your IP address to determine you are the same user, in which case you would need to find a workaround for each one.
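The site operator's side of this question, as an added example that is not part of the original posts: it groups requests per client and page and flags timer-like or sustained reloading from timestamps alone, while counting how many requests carried a Cache-Control header. The log fields, thresholds and function names are assumptions, and the sample log is constructed.

```javascript
// Constructed access-log sample (not real traffic): ts is epoch seconds,
// cacheControl is the request's Cache-Control header ('' when absent).
const hit = (client, ts, cacheControl = '') => ({ client, ts, path: '/listing', cacheControl });
const SAMPLE_LOG = [
  ...[0, 60, 120, 180, 240, 300, 360].map(t => hit('client-a', t, 'max-age=0')),
  ...[0, 45, 130, 172, 260, 305, 390].map(t => hit('client-b', t)),
  ...[0, 300, 1500, 1700, 4000, 4400].map(t => hit('client-c', t)),
  ...[10, 95].map(t => hit('client-d', t)),
];

// Mean gap and coefficient of variation (stddev / mean) of sorted timestamps.
function gapStats(times) {
  const gaps = times.slice(1).map((t, i) => t - times[i]);
  const mean = gaps.reduce((a, b) => a + b, 0) / gaps.length;
  const variance = gaps.reduce((a, g) => a + (g - mean) ** 2, 0) / gaps.length;
  return { mean, cv: Math.sqrt(variance) / mean };
}

// Thresholds are illustrative assumptions, to be tuned on real traffic.
function flagPollers(entries, { minHits = 6, maxCv = 0.1, maxMeanGap = 120 } = {}) {
  const groups = new Map();
  for (const e of entries) {
    const key = `${e.client} ${e.path}`;
    if (!groups.has(key)) {
      groups.set(key, { client: e.client, path: e.path, times: [], withCacheControl: 0 });
    }
    const g = groups.get(key);
    g.times.push(e.ts);
    if (e.cacheControl) g.withCacheControl += 1;
  }
  const findings = [];
  for (const g of groups.values()) {
    if (g.times.length < minHits) continue; // too few requests to judge
    g.times.sort((a, b) => a - b);
    const { mean, cv } = gapStats(g.times);
    let reason = null;
    if (cv <= maxCv) reason = 'fixed-interval'; // timer-like regularity
    else if (mean <= maxMeanGap) reason = 'sustained-polling'; // irregular gaps, same page, short mean
    if (reason) {
      findings.push({ client: g.client, path: g.path, hits: g.times.length,
        meanGap: mean, withCacheControl: g.withCacheControl, reason });
    }
  }
  return findings;
}

console.log(flagPollers(SAMPLE_LOG));
```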
Related
I was just looking at this stackoverflow question: Display web browser settings
And that helps.
But, I'm curious if I can detect certain IE specific settings. I'm thinking some of the stuff in the Advanced Tab (e.g. Is 'Enable Integrated Windows Authentication' on)?
Or that our site was added as a Trusted Site? And within the Trusted Site settings, "Automatic logon with current user name and password" is set?
I don't want to change them (I get that would be a huge issue that could be exploited). I just want to be able to present to the User:
"Hey, you need these couple of settings checked or unchecked for the site to work properly. Do this: a, b, c ... or Contact your Administrator".
Is this possible?
I don't think you can query these settings from within a web site. Being able to do so might introduce security holes.
I'm sure some settings can be determined by using circumstantial evidence (like if a JavaScript doesn't execute, scripting is probably disabled). But I don't think there is a proper API to poll every setting; I guess the best you can do is serve the user some advice on what to look for. (like, "The xyz symbol in the bottom right bar should show a green checkmark like so.... the abc checkbox in the options dialog should be unchecked... etc")
You can't check the settings directly, but you could test the functionality instead. If you attempt to authenticate with the server and find out you don't have their credentials passed in properly, you know it's not configured right. At this point you could show them your information about how to connect to the site. This would be a better solution anyways, as you're better off testing for features rather than specific settings.
To distill your question down, it looks like you're trying to find out whether IE is configured to automatically send NTLM credentials to your server.
Unfortunately, there's no way to cleanly feature-detect this. My initial thought was to put a JavaScript file in a protected directory that simply set a global variable, and link to that script in the <head>. (<script src="protected-dir/test.js"></script> – protected-dir would be configured only for integrated auth with anonymous auth off.) If the script loads, the variable is set; and if it fails, the variable obviously isn't. Another script on the page could check the variable and show a message if it's not set.
This works flawlessly when everything is configured correctly on a client, but when auto login is off, this causes an ugly 401 dialog to pop up, which is clearly no good. Additionally, an XHR request isn't the answer since the spec specifically says the browser should ask for credentials if it gets a 401.
Sadly, I don't think there's a way to automatically determine if auto login is enabled without causing the 401 dialog to pop up.
I'm tasked with coming up with a way to determine if a person has reached our site via using their back button (meaning they left our site and came back) and log them out if so.
I've come up with some options, but am wondering what other options I may be missing.
FYI, we do have a session state, so server-side we're covered for long absences, but they want an additional check on the client side.
option 1: set a cookie via onunload that expires in x seconds. On each page of our site, I check for said cookie. If it exists, I assume they came from another page on our site and do nothing. If it's not there, I assume they have been gone from our site more than x seconds and redirect out. Con: Blackberry devices running OS5 don't support onunload.
option 2: same as #1 but instead of setting cookie onunload, we set it on every click of every link that goes to another page on our site. con: messy
option 3: check browser history on every load of every page of our site. If the previous URL is not one of ours, we log them out. Cons: browser support? It looks like previous/next history objects are now blocked in modern browsers due to security.
Option 4: Via JS, every x seconds, check for a cookie. If it's there, reset it to expire in x seconds. If it's not there, assume they've returned from somewhere else. Con: Not sure if the JS cookies would be set while that page may be in the background (app switching on an iPhone, or using a different tab in a desktop browser).
Any other options I should consider? Is there a 'proper' way to handle this? Is this just grasping at straws trying to prevent normal browser behavior?
You could keep the current page name/action/identifier in a session variable, then use a javascript onChange/load/keyup/keydown to request the current state of the user from the server. If it does not match, redirect or otherwise block them from viewing the current page.
This is a method that I've used, but it has its downsides... for example, onload doesn't always seem to work when the user uses the back button. OnChange, etc. on certain form fields definitely works. Timers are pretty straightforward, as well, but a quick user can get input through the page regardless.
It's not that complicated... Use javascript history object
history.next gives you the complete url of the page in the forward button. A simple regex can tell if it's from your domain or not.
I just don't know if it's supported by all browsers
I'd like to be able to create a "HTML link" that the user can click on and be taken to an URL (location) specified either in the browser (preferences?) or system environment.
Is this possible? Any suggestions on how to do it please?
For example, it may look something like this (or alternatively it could be a clickable image or even a submit button):
"Click here to go to your preferred news site."
When the user clicks on "here" the browser would go to a location specified not in the HTML but somehow in the browser (preferences?) or some system environment variable (OS specific etc.)
Of course, the user would have to set up this preference or environment variable (or have some local application or better Web page that could set it - when approved by the user).
This is sort of like most OS these days allow you to set "preferred app" for image processing or playing media. I would like to set preferred Web sites for certain tasks.
Thanks for any suggestions. Hopefully with Javascript and modern browsers and perhaps HTML 5 something like this is possible.
Update: I would like the user to be able to set this once for themselves (e.g. in the browser or the OS) and then for this to work on any site they go to that includes the same "abstract link".
So Web site A and web site B could both have an "abstract link" to go to the user's preferred news site (and when clicked on, the browser would go to the site specified in the browser or the OS). So it cannot be site-specific (like a cookie?).
Cheers,
Ashley.
The general process would be something like this:
Set a cookie using JS. Then create a function that retrieves the cookie and redirects. Then trigger an onclick or an onmousedown event like onmousedown='retriveAndRedirect()'
Check out these resources.
QuirksMode's JavaScript Cookies Reference.
W3Schools' JavaScript Cookies Reference.
UPDATE:
I see what you're trying to do here. In order for your redirection to work from any site, that site has to host your redirection and preference method somehow using js, html, serverside script, etc...
Your other option would be to build a plugin which the user would have to download; that way you wouldn't need any site to host your redirection and preference methods for you.
As far as your link retrieval methods go you can either use cookies, or store the links in a database and then call on trigger.
You can store the preferred web site in a cookie. Simple version using the readCookie function from there:
Click to go to your preferred news site
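A sketch of the cookie-based redirect these answers describe, as an added example rather than the answerers' own code: it reads the preference with a readCookie-style helper and only follows http(s) URLs, because a cookie value is user-controllable and could hold a javascript: or data: URL. The cookie name, fallback path and function names are assumptions.

```javascript
const PREF_COOKIE = 'preferredNews'; // hypothetical cookie name

// Pull one cookie out of a document.cookie-style string ("a=1; b=2").
function readCookie(name, cookieString) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() !== name) continue;
    try {
      return decodeURIComponent(part.slice(eq + 1).trim());
    } catch (e) {
      return null; // malformed percent-encoding
    }
  }
  return null;
}

// Return a normalized http(s) URL, or the fallback when the stored value is
// missing, unparsable, or uses any other scheme (javascript:, data:, ...).
function resolvePreferredSite(cookieString, fallback) {
  const raw = readCookie(PREF_COOKIE, cookieString);
  if (raw === null) return fallback;
  let url;
  try {
    url = new URL(raw); // absolute URLs only; relative values throw
  } catch (e) {
    return fallback;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return fallback;
  return url.href;
}

// Browser wiring for the link's click handler (hypothetical fallback page).
function goToPreferredSite(event) {
  event.preventDefault();
  window.location.assign(resolvePreferredSite(document.cookie, '/choose-news-site'));
}

// Constructed sample cookie strings.
const GOOD = 'theme=dark; preferredNews=https%3A%2F%2Fnews.example.org%2F';
const BAD_SCHEME = 'preferredNews=javascript%3Avoid(0)';
console.log(resolvePreferredSite(GOOD, '/choose-news-site'));
console.log(resolvePreferredSite(BAD_SCHEME, '/choose-news-site'));
```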
Is there any way to programmatically disable cookies being created by a page displayed inside of a frame/iframe? Or to generalise further, is it possible to programmatically disable JavaScript running on such a page?
Thanks,
DLiKS
With the iframe sandbox attribute (HTML5) it will be possible (implemented in Chrome).
http://dev.w3.org/html5/spec/Overview.html#attr-iframe-sandbox
NullUserException already answered what you can do today without browser support
The only way you could change that for an external website you have no control over is to retrieve the pages using a server-side script, filter the input and display it to the user (ie: act as a proxy).
You just can't modify sites out of your domain (or subdomain - it might depend on the browser) using J/S for security reasons.
If you mean that you want to change the settings of the browser by code in a web page, then no, this is not possible (and if it were possible, it's a huge security breach and all alarms would go off).
You may surpass this, however, by writing a plugin, but then each user must first download the plugin. You can also request higher privileges, but it'll depend on the browser whether you can change any user settings.
If you mean that you want to write a script on every pc in your company to disable JS + cookies for certain pages, you can write plugins and install them everywhere, or use a proxy (as has been suggested by others) and filter the pages. If it is just for debugging a self-made page, use the Developer Toolbar for the various browsers, that can turn JS/Cookies on and off.
Why would you want to do such a thing? If you want to disable cookies, you disable it on your own page by simply not using cookies. The same goes for javascript: don't add it to your page and you've disabled it on your page.
Note: if any page would change anything of the user settings of the browser, your page will probably be blacklisted by Google, most virus scanners and phishing prevention tools.
Is there any way I can detect when my page has been set as the user's homepage in their browser?
I'm most interested in something in javascript, but I'd be happy to hear about other approaches as well.
Edit: I'm not looking for anything sneaky. I'm wondering if there is anything that is explicitly allowed through the browsers to find out this information.
There isn't likely to be a foolproof method, as that's an intrusion into the privacy of the user.
One thing that comes to mind is checking for a referrer. If the user arrived at your page without following a link, they a) typed the url, b) followed a bookmark, or c) have your page set as their homepage. But that's about the best I can do.
Nope. You can tell if they got to your page by following a link or not. Check the referrer. However, the browser going to your page as the home page will not appear any different than the user typing in your page or using a bookmark.
Mozilla/Firefox has a window.home() method which loads the user's home page. This method could be used (in an iframe, maybe) combined with server access logging, to see if the site's home page is instantly requested loaded by the current user.
However, other browsers don't seem to support this javascript method.
Simple solution, you shouldn't be checking if you or anyone else's site is set as the user's homepage. If they want it as their homepage, they'll make it so.
However, if you've got some Javascript that will check their email and see if they've sent links to your site to their friends or colleagues, I'd be very interested in that functionality ;-)