I have built a web application using MVC5 and just got a pentest result from the ITSec department. I was told not to serve static files like .js, .css, .html, image files, etc. For example: if someone hits my website with www.mywebsite.com/Scripts/myjs.js, it will show the content of the file.
I looked around and found that people are suggesting route.Ignores, but no luck. So my questions:
How do I achieve this?
Is there any real security risk? (The document I got from the ITSec dept is marked as Low risk.)
Mate, the short answer is no, you can NOT stop users from checking/seeing your CSS/JS files; that's just simply impossible, because the browser needs to see your CSS/JS files to render the HTML. Even if you hide them somehow in routing, users could still see them easily through the browser.
CSS/JS files should not contain sensitive/confidential information anyway; they should just define how the web page behaves and looks, and nothing in them should be your business logic. At that point, exposing CSS/JS files to the public should be no risk.
I created an HTML document using Sphinx. When I click on the index.html file it opens in a browser and looks like this. The look depends on some .CSS and .JS files being executed:
If I open the same file from the JupyterLab file browser, it opens in a tab but looks much worse: the .CSS and .JS are not applied, and images are not displayed. It looks like this:
Is there a way to get JupyterLab to execute the .CSS and .JS and pass through any images linked in the text? The JupyterLab is running on a remote server, so I don't have the option of having it create a new browser process on my local machine, because the files are remote.
Using JupyterLab within JupyterHub (old-school install with conda, no Docker and such).
I've been stuck on this HTML preview issue for a few weeks.
I have the very same use case as you (Sphinx stuff for a team to work on their docs).
So far, no luck.
It may or may not work (depending on... I'm not sure what...) if I'm using JupyterLab from the browser on the hypervisor hosting JupyterHub itself.
It won't work if I'm using JupyterLab from the browser on my client machine.
I tried to mess around with the c.NotebookApp.allow_remote_access = True parameter, with no luck:
tried putting it in my profile ~/.jupyter/jupyter_notebook_config.py
tried adding it to the general config file /path/to/conf/jupyterhub_config.py
=> Not sure of the right way to set this option on JupyterLab's JupyterHub install, nor whether it's even a relevant option...
Well, security-wise, it's not, that's a given (^^'), but HTML preview is an important feature for Sphinx users; hope someone can help with this...
I also looked at the nginx config, but you get the issue with or without the reverse proxy anyway...
Problem Description:
I have a problem at work where I should create a link to an HTML page which shows public data related to the customer:
www.example.com/content/user_123456/output.html
after I upload a user's data folder user_123456 to the /content/ directory.
The user_123456 folder contains linked styles and linked JavaScript:
style.css
main.js
Expected Output:
When I load www.example.com/content/user_123456/output.html in a web browser I expect it to load the HTML page and the linked styles and JavaScript. Instead it shows me an error that indicates the directory is not visible.
Tested:
I have tried uploading images to the directory (www.example.com/content/user_123456/image01.jpg) and they load just fine in the browser, so it cannot be a directory visibility problem.
I realise this is a broad question, but I want to estimate the technical cost of solving this problem, and it would go a long way toward understanding the undertaking of such a solution.
Questions:
What is different about serving HTML files in comparison to JPG files?
What needs to be done, in broad terms, so that the file functions the way I expect it to?
I understand that the web takes major security measures to prevent programs from accessing files on client computers. What I want to do is use AJAX or some other functionality to dynamically access file and folder names in my own public directory located in my GitHub repository, to be served on my static GitHub page.
To give a little insight into the project I am working on I will give this example: say I want to easily add content to my blog and my directory looks like this:
- website (folder)
-- articles.html
-- articles (folder)
--- top-10-diys.txt
--- child-falls-in-well.txt
--- my-biography.txt
--- new-article.txt
When I add "new-article.txt" to the "articles" folder, I do not want to have to edit the corresponding "articles.html" page to add a link to the new article. I simply want AJAX or similar functionality to get all the file names in the folder and generate links to my articles.
Is this possible? I simply want to create this functionality for my static GitHub page. Using AJAX is not a necessity, but I would like a pure JavaScript or AJAX method.
EDIT:
I have come across two possible options to give me something like what I am looking for.
Option 1: request a directory on my server with AJAX, which will return a full HTML document with links to all the files in the directory.
Option 2: maintain a text file with all the file names in the directory and use AJAX to load all the files on the list.
However there are problems with both these methods. Option 1 requires me to parse out file names from the HTML document. This is not a clean solution, and depending on the server permissions, it may not work at all. I would rather not rely on this hack.
The problem with Option 2 is that it still requires me to hardcode file names into a text document, and so the solution isn't really dynamic. Sure, I'll save some time maintaining each individual link, but I will still have to maintain the text file. On top of that, this just seems like a sloppy solution.
EDIT AGAIN
I came across an option I didn't see before, which is to use a Static Site Generator. The one used by GitHub is currently Jekyll. If I can't find any other way to get what I want on the fly, I may go with an SSG, but it's really not ideal for my purposes. I'm really just including this edit so people with my problem know their options.
I would create a separate Node server API with an endpoint (to be hit from your GitHub Pages front end using AJAX) that fetches the files from that folder and sends them to your front end.
I'm making a simple website on GitHub Pages. I have a text file in the /docs folder (I can move it, though) and I want to change its content through index.html. I found a lot of back-end solutions, but GitHub Pages allows static webpages only. Is there a way to do so in a static webpage, and if so, how do I do it in JavaScript?
Since it's static pages, you can't rewrite the hosted file from the front-end client. To update the text file contents, you'll need to do it through the GitHub interface, or as a commit into your repository, unfortunately.
No.
Changing content on the server requires code that runs on the server.
If you could do it with client side code, then every website would rapidly become defaced.
The closest you could do would be to store data on the client (e.g. via localStorage) and then have a script on the page read that data and edit the DOM locally. Obviously, changing the data would change it only for the particular browser and not for all visitors.
There are two answers to your question:
Technically, it is possible to change files on GitHub from a script:
GitHub's API allows you to update files through an HTTP request.
You could use JavaScript to modify the contents of a file, and then send a request to GitHub's API to update that file. There are a few libraries that make it really easy to work with the API, but from here you have to figure it out yourself.
Here is the documentation for this: https://developer.github.com/v3/repos/contents/#update-a-file
Conceptually, it sounds like you are doing something wrong. Static webpages are called static because nothing changes. If you want to have dynamic content, you should really look into other solutions.
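The "update a file" call referenced above, as an added example that is not part of the original answer: the Contents API needs the sha of the blob being replaced, so an update is a GET followed by a PUT. The token is passed in by the caller and must never be written into a static page's JavaScript, because, as the first thread on this page notes, every visitor can read that file; owner/repo/path values in the test are constructed.

```javascript
// Added example: update one file in a GitHub repository via the Contents API
// (PUT /repos/{owner}/{repo}/contents/{path}). fetchImpl is injected so it can be
// window.fetch in a browser or a stub in a test.
const GITHUB_API = 'https://api.github.com';

function contentsUrl(owner, repo, filePath) {
  const encodedPath = filePath.split('/').map(encodeURIComponent).join('/');
  return `${GITHUB_API}/repos/${owner}/${repo}/contents/${encodedPath}`;
}

// The API carries file bodies as base64; go through UTF-8 bytes so non-ASCII
// text survives (plain btoa() only accepts Latin-1).
function toBase64(text) {
  let binary = '';
  for (const byte of new TextEncoder().encode(text)) binary += String.fromCharCode(byte);
  return btoa(binary);
}

// GET responses wrap the base64 at 60 columns with newlines; strip them first.
function fromBase64(b64) {
  const binary = atob(b64.replace(/\n/g, ''));
  return new TextDecoder().decode(Uint8Array.from(binary, (c) => c.charCodeAt(0)));
}

// Read the current file, apply transform() to its text, and write it back.
// Returns the sha of the new blob.
async function updateFile(fetchImpl, token, owner, repo, filePath, transform, message) {
  const url = contentsUrl(owner, repo, filePath);
  const headers = { Authorization: `Bearer ${token}`, Accept: 'application/vnd.github+json' };

  const current = await fetchImpl(url, { headers });
  if (!current.ok) throw new Error(`GET ${url} failed: ${current.status}`);
  const meta = await current.json();

  const body = {
    message,
    content: toBase64(transform(fromBase64(meta.content))),
    sha: meta.sha, // required on update; GitHub rejects the PUT if the file changed meanwhile
  };
  const put = await fetchImpl(url, { method: 'PUT', headers, body: JSON.stringify(body) });
  if (!put.ok) throw new Error(`PUT ${url} failed: ${put.status}`);
  return (await put.json()).content.sha;
}
```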
Here is the problem. The company I work for has a number of sites, and many of them use the same jQuery UI widgets, like datepicker. I would really like to have just one copy of each widget in a _javascript folder on the top level of the server. The problem is that because the code is outside of the site folder, I need to use ColdFusion mappings to point to it. Apparently you can't use these with script or link tags, however; it doesn't expand the mapping. So I tried using "ExpandPath" and got a message that it doesn't have permission to access that resource. Some research turned up that JavaScript can't access files on local file systems because that would be a security hole. So, although it was ugly, I tried wrapping the CSS file in tags and the JS file in tags, and then included them with cfinclude. That worked, sort of. The main issue is that apparently the CSS uses relative links to the images it uses, and those are all broken because the JS is included on a page in another folder from the script and images themselves.
Here is my question. Is there any good solution here? I don't think that what I want to do is unreasonable, but should I give up and just keep a copy of the widgets in every site folder? Thanks in advance for any help.
Included JavaScript files, like CSS files, don't have to be touched at all by the ColdFusion processor. You just use ColdFusion to craft the link and feed it to the browser like you would any image, attachment, or link to another site. The only difference is that this link is in a <script> tag. So if you have several sites and want to access a common /js directory on all of them, the work has to be done in the web server itself (IIS/Apache).
In your web server of choice, make a virtual directory (or symbolic link) to your JavaScript directory called /js (or whatever name you choose). Do this for all the sites, and you have one /js directory that is accessible from all the hosted domains.
My situation is that all our ColdFusion work is intranet only. While we only have a few sites, that is more than one. We also use a development server as opposed to having people develop on their hard drives.
The first thing we did was to create a mapping on "/" to point to a certain directory. Let's say that it's c:\fred. In c:\fred we have subdirectories named images, css, js, udf, etc. That allows us to do stuff like this:
<cfinclude template = "/Templates/Reportheader.cfm">
<link rel= "stylesheet" type= "text/css" href= "/css/cashflow.css" title= "style1">
<script type="text/javascript" src="/JS/browserDetect.js" ></script>
in any application.