I was checking for some load latency on a php page I am building.
I discovered some resources that I wasn't loading:
l.js
r.js
icp
s.gif
I disabled all css and js files (including jquery) in my page but still see these files loading. The s.gif is especially disturbing because the request has the URL of my php file on it and I really don't want that information out there. (I am running the server over https for security but don't want to have to put a user login on top of the server.
I am serving on OS X Server and using Safari as the debugger and load analyzer.
This issue did not show code that explaind where the resource requests were coming from. I started disabling browser extensions and that did the job. Apparently they were injecting resource requests with the downloaded pages.
Related
I am running a tomcat server and my localhost base domain is :
C:/apache/webapps/ROOT/
My webpage is also present here.
However the javascripts are present in an external location.
D:/something/something
And i am importing them the following way
<script src="D:/something/something/js1.js"></script>
In IE the page loads fine and able to locate the scripts, however with chrome it fails.
On debugging I see that chrome tries to append the following:
http://localhost:8080/D:/something/something
How do i get it to work on chrome without copying the scripts to base location?
For doing anything useful from within the JS code, you'll most likely have to obey the same origin policy. This means you'll have to configure your Tomcat so that it serves the scripts, too.
If you really insist on reading the scripts from local files, that's what file:// URLs do.
You can't do this because you will search for D:/something/something/js1.js in the user/client computer.
You can do it calling (read and print) the file via PHP (D:/something/something/js1.js.php) or any other server side programming language or installing a webserver in your external location to call the file via URL like myCDN.mydomain.com.
EDIT: If you will only work in localhost, use #Pointy and #Konstantin K solutions :)
I'm using Jira in https and I have some adjustments I'd like to make with some extra JS. My JS is hosted on an insecure server (no https available).
When I dynamically load the insecure JS file by inserting it into the DOM (using a browser extension), Chrome tells me:
[blocked] The page at https://jiraserver/browse ran insecure content from http://myserver/jira.js.
I can see how this is very secure and all, but I don't care. I want to load that insecure JS file. How can I tell Chrome to trust me and just do what I say?
My insertion method (in the extension code):
document.body.appendChild((function(s){s.src='http://myserver/jira.js';return s;})(document.createElement('script')));
According to this Chrome Support Q&A you can launch your Chrome with the following command line flag to prevent Chrome from checking for insecure content:
--allow-running-insecure-content
Here is some documentation on how to run Chrome with command flags
Chrome simply will not load an insecure script in a secure page.
Does your jira.js have to be loaded from a server? The best way to inject it into the page would be by including it in your extension bundle.
var s = document.createElement('script');
s.src = chrome.extension.getURL("jira.js");
s.onload = function() {
this.parentNode.removeChild(this);
};
(document.head||document.documentElement).appendChild(s);
If you must load it from a server, I suppose your extension could make a XHR request for the script, then inject the response into the page.
// make a XHR request, then...
var s = document.createElement('script');
s.textContent = codeFromXHR;
(document.head||document.documentElement).appendChild(s);
s.parentNode.removeChild(s);
I had the same problem:
Our client link a CSS file and js file hosted in our server on a domain which is not secure.
We will solve it by using Amazon CloudFront. They server HTTPS using their certificates which is verified.
That's not a bad solution for use since CDN is often a good idea and these resources are somewhat static. (The CSS file is tailored for each client and is in fact generated but a sane TTL can be configured and the CDN flushed if required)
Note that the CDN solution may even be more affordable than actually buying a certificate depending on your data load.
I have faced the same issue and find that if we are logged in to our google account in chrome then Chrome stop loading the insecure content in https.
If we use incognito window in to load the website which has insecure content then it will work.
I have HTML and JavaScript files on my filesystem for a mobile application that is in development. When the application is deployed to a mobile device, these files will be hosted on the local filesystem there, where XSS from file:// is not an issue. An important part of this application is sending XHR POST requests to a RESTful API.
It seems like XSS should not be a security issue for browsers if the files making the request are hosted on a local filesystem instead of deployed to a web server.
Does anyone know of a browser extension or configuration change that will enable XSS from files hosted on a local file system?
Well, although you will have to change the server and client code a little bit, it isn't very clean and you will have to trust the server, you can load the data as a javascript which contains a call to a function in your page and a big string or so as the parameter. This seems to be a good example.
Alternatively, you could serve the files from a local webserver and fiddle around with the hostsfile and document.domain.
I've found a useful link that's helped me execute POST requests from localhost to another domain. It is a Firefox hack that allows XSS from files hosted at localhost. It's not perfect, but it helps me get this thing developed.
I have a JS file hosted on Amazon S3 (http://s3.amazonaws.com/wingify/vis_opt.js). I want the file to be cached on users' browsers so that they don't have to download it with every page view. However, in spite of setting Cache Control header I don't think it is getting cached. Browser still contacts Amazon Server with every pageview.
Here is the example of page where this script is embedded: http://myjugaad.in/
If you have Firebug, you will be able to see that browser requests it with every pageview.
What can I do so that the file gets permanently cached? Thanks for help.
You need to set the Cache-Control header when upload your files.
This tells your browser how long it can cache the file for.
i was wondering - when using jQuery (or any other javascript include) in my web,
does the browser cache it after the first download for all all pages (i assume yes) or will it download it every time?
2nd, when the user quits the browser and starts it again (for loading my website), will the jquery js file still be cached or will it completely download again?
thx
This depends on the browser and on how your server is set up. Have a look at the headers sent by the server along with the file (you can use a tool like Firebug to look at the headers). A good idea is to use the jQuery file hosted by google, since many other sites (including stackoverflow) use the same file. Then the browser can cache that file and never download it from your server. This page has a list of files hosted by google, and this page explains how to properly set your server up to (tell your browser to) cache files.
1: Yes, the browser caches all jscript/css includes
2: If the user does not clear his/her cache. Yes it will still be in the cache of the browser, even after closing and reopening it.
If your webserver serves jquery.js using a proper expires header, then yes, the browser will cache it.
http://developer.yahoo.com/performance/rules.html#expires
Yes the scripts will get cached between page views, along with the CSS files and images.
Yes as well, in general. The cache is normally maintained between browser restarts.
It will typically not be downloaded again, but unless your server explicitly tells the browser to cache it for a while, then it will send a request on each page load asking "was jquery.js updated?" which is almost as slow as just downloading it again.
You can test how it works on your site with Google's Page Speed or Yahoo's YSlow.