I'm running into a major issue with Safari compatibility for my website. It's not an error per say, but apparently Safari classifies my website as 'third party'.
This means, that for me to set cookies (which is 100% necessary for my web app to run), the user needs to open up Safari preferences, click to 'Privacy' and opt-out of Safari's default setting. They need to set Safari's cookie policy from 'Block cookies from third parties' to 'Never block cookies'.
This is a terrible experience and means that probably most users who use Safari on my site will just navigate away because it's not working. I could pop up an info graphic to walk the user through the process, but come on... Most every other major browser (chrome, firefox, etc) takes an opposite stance and default to accepting all cookies.
Is there some application process to Apple that will get my website classified as 'first party'? Does it have something to do with SSL? Is it a CORS issue?
How do I get classified as a 'first party' website?
I think there is a conceptual misunderstanding here. A web site isn't first-party or third-party by itself, and there isn't some kind of list of these maintained by Apple. It is the third party in a specific context. When Safari blocks third-party cookies, what that means is that website www.aaa.com (the site the user is visiting) can't set (or retrieve) a cookie for www.bbb.com (a third party to the transaction between the user and www.aaa.com). I suspect you are doing something involving an iframe or otherwise including elements from one domain in a web page on another domain, and that is the source of the problem.
Related
I'm facing a problem with my Chrome on both Ubuntu 15.04 and Windows 10. It's some sort of malware named xnxx-ads.js. This malware opens unwanted tabs and plays advertisement audio on all sorts of pages. For instance, I might have a SO tab open with a speaker icon! playing ad.
The thing that is important to me (as a web application developer) is that how this malware works!? How can some script be loaded on a web page without it being addressed in the source? Is it because of a security hole in Google Chrome?
BTW, my Chrome is: Version 46.0.2490.86 (64-bit) on both operating systems.
[UPDATE]
My Chrome was just updated to Version 47.0.2526.73 (64-bit) and the problem remains.
To get mal-ware inserted into pages, you generally need one of these things:
If it is only on a specific site, it is possible that that site has been compromised and the content comes from the site already infected.
Something in your ISP is compromised and the content comes from your ISP already infected.
Something in your own network (e.g. router) is compromised and the contents arrives on your PC already infected.
A malicious program got itself installed on your computer and it is injecting things into web pages as they arrive on your computer (either by modifying the incoming TCP or by messing with the browser).
A malicious browser extension got itself installed on your computer and it is injecting things into web pages as the browser loads them.
The most likely options are 4 and 5.
You can probably rule out 1, 2 and 3 by checking the site on your phone or tablet while attached to your home network's wifi. If there is no infection on the web pages viewed on the phone or tablet, then it is not likely 1 or 2 or 3.
If you disable all browser extensions in Chrome and the problem still occurs, then you can probably rule out #5. If the problem goes away when you disable all browser extensions, then you probably have a bad browser extension.
In all cases, you should run a good malware detector. When something like this happened to my daughter's computer, Microsoft Defender did not detect it, but when I downloaded and ran the free Malware-Bytes scanner, it did find the problem and removed it.
I am facing some issue with Javascript injection on IE9 (>Medium-high security). In my application when user wants to add any web page to their bookmarks, they click a link, and it injects a Javascript into that page, this injected javascript grabs all details about page and redirect users to my site.
On IE9, it does not seems to be working with Medium-high security. I suspect this has to do something how IE9 handles cross-site javascript injection. But, was not able to find any relevant information.
Can someone please help or guide me to some related information.
Thanks
You may find this TechNet post useful, especially the row "Allow scripting of Internet Explorer Web browser control".
Apparently Internet Explorer doesn't allow scripts to control the web browser except on Medium-Low and Low security levels. Because of this, you won't be able to redirect the browser unless it's set to one of those two levels.
Perhaps instead of redirecting them you could add some kind of notification to the DOM and give them a link to your website?
Suppose there is an extension for Google+, so when I'm visiting plus.google.com, it's running, but what happens if I close Google+ tab? Is it still running and consume my computer resource?
PS: I ask this because I'm wondering that if this is the truth, I can write an extension that enable or disable other extensions according to the website that I'm visiting, so maybe my Chrome would be faster
It depends.
The author of a Chrome extension can tell Chrome that the extension should only be active on particular websites. However, no matter the website you are visiting, the extension will always be running. To observe this phenomenon for yourself, hit Shift+Esc to display the task manager. Note the extension processes. You can see by trial and error that if Chrome is running, all of your enabled [background] extensions are also running.
The benefit of the Chrome extension developer specifying particular websites is that, even though the extension is always running, it will not receive event notifications for websites that don't apply to it - basically, it will be sleeping. So the effect is appreciable.
For more information about Chrome extension configuration options, see the Chrome extension manifest documentation here.
Edit: Please see Serg's answer re: modifying other extensions.
There are two types of extensions from resource consumption point of view - those that have a background page and those that don't. Permission warnings you see in the gallery don't give you any indication what kind of extension it is.
Extensions without a background page are consuming resources only (well, probably mostly) when used. Those with - consume memory always, plus might consume CPU depending on what they are doing there.
You can very easily write extension that disables all others with management api and the benefit from it will be noticeable on performance (I wrote one for myself actually).
Notice how Firebug can access the DOM of cross domain iframes and even allow you to modify them? I'm wondering if there is an firefox addon extension or a config setting that will allow a page on our intranet to do this.
Longer explanation:
I have a two "kiosks" in our reception area that the public can use. As we're running in kiosk mode (fullscreen, no chrome), I have created a small web application consisting of a menu and an IFRAME. The menu allows users to browse to approved sites and also perform actions like printing. It also gloms onto requests for popup windows and instead overlays them in a modal iframe rather than allowing the browser and OS chrome to be exposed - breaking the "kiosk" experience.
Obviously, this works perfectly on anything internal because it's all on the same domain. It gets trickier when browsing external sites because the XSS protection kicks in and you can't see the DOM inside the IFRAME.
I have also tried using a web-based proxy server on the same domain (PHProxy for example), which works okay, but there are horrible edge cases where it doesn't work - a big one is the CAPTCHA on our website forms. So that's pretty much not an option for me.
Basically I think the only solution that will work for me is to modify the browser in some way using a security setting or an addon. Any ideas?
Thanks guys very much for you time and consideration. It is VERY much appreciated.
--Iain
There is a way for unpriviledged JavaScript code (loaded from a web page) to request more privileges in Firefox. This is an old, non standard API that prompts the user for permission and if accepted allows the JavaScript to do things normal JavaScript cannot. One of these things is to bypass Same Origin Policy.
Sample code:
try {
// ask user for permission
netscape.security.PrivilegeManager.enablePrivilege('UniversalBrowserRead');
} catch (e) {
// user refused permission
alert('Permission "UniversalBrowserRead" was denied.');
}
//Should now be capable of bypassing same origin policy if user accepted
Since the kiosk browser does not restart (I suppose) very often, the dialog just has to be accepted once. Not sure this is the most elegant solution but might work, at least for now (the API is old and might disappear).
Here is a link for more details: http://www.mozilla.org/projects/security/components/signed-scripts.html#privs-list
While looking for the exact privilege name I found this page about Security Policies in Firefox. This would be a much nicer solution. I have never used it, so I cannot give more info, but here is the link, might be a good place to start looking:
http://www.mozilla.org/projects/security/components/ConfigPolicy.html
Hope this helps!
I found an addon called CrossDomain. The addon hasn't yet been updated for newer versions of Firefox. In the end, I solved this whole problem by writing an HTA and using the internet explorer rendering engine - which made my IT manager happy :). Here is the link to CrossDomain in case this helps someone one day. Thank you everyone for your submissions.
https://addons.mozilla.org/en-US/firefox/addon/13004/
Why not use Greasemonkey, it will allow you to run your script on any page.
I have a web page that links to another web application, which unfortunately only completely functions in IE, so, when viewing the original page with another browser (like Chrome or Safari) I display a warning that the application won't operate fully operate unless opened in IE.
Of course, some savvy users of Firefox have the IE tabs extension and have configured it such that the problematic web application always opens in an IE tab. These users would prefer it if my intrusive warning weren't shown for them as it is not necessary.
So, is there a way that my web page can detect that the URL will open in an IE tab? I presume it would require the extension to expose this information somehow as Firefox does not generally allow javascript access to settings for security reasons.
well I am not sure how FF's IE tab works but I assume they share cookies set a cookie when it is IE and check whether it exists and do not show the warning. This will only remove the warning after first usage if my assumption about cookies is correct.
Second is more hacky, use css :visited puseudo styles to detect whether your user has ever downloaded the XPI of firefox tabs.