Mixed content blocking behavior in Firefox - javascript

In Firefox version 23, mixed content blocking behavior is added.It means that Firefox has blocked content that is insecure on the page you're visiting.It shows the shield icon in the address bar which blocks some uploads in my app.From development side how to turn off this behavior?? .I am in ruby on rails development.
Can anybody guide me??

You cannot turn this off remotely! Except in your own browser, of course.
That is: Your rails application cannot turn off mixed-content blocking in the browser.
This is a preference only a (skilled) user may change in her browser... But shouldn't in the age of Firesheep, etc.
Instead, you should make all your active content available via https.
Or downgrade to insecure http. Since you're essentially wanting to allow Man-In-The-Middle attacks anyway, because that's what mixed-content means, the result of using http in the first place wouldn't be that much different. The only difference would be that a MITM could stay passive in http-only, instead of having to actively modify data in https-mixed-mode. But, seriously, what percentage of your users would recognize an active MITM, who maybe even only runs a small targeted attack?

I think you are using firefox version below 23.0 my suggestion is to
first upgrade and then proceed
First Uninstall and reinstall Firefox using Ubuntu software center.
New version of Firefox is available in Ubuntu software center
Reboot the system
your firefox will be upgraded to 23.0 version

Related

How does Javascript Malware work?

I'm facing a problem with my Chrome on both Ubuntu 15.04 and Windows 10. It's some sort of malware named xnxx-ads.js. This malware opens unwanted tabs and plays advertisement audio on all sorts of pages. For instance, I might have a SO tab open with a speaker icon! playing ad.
The thing that is important to me (as a web application developer) is that how this malware works!? How can some script be loaded on a web page without it being addressed in the source? Is it because of a security hole in Google Chrome?
BTW, my Chrome is: Version 46.0.2490.86 (64-bit) on both operating systems.
[UPDATE]
My Chrome was just updated to Version 47.0.2526.73 (64-bit) and the problem remains.
To get mal-ware inserted into pages, you generally need one of these things:
If it is only on a specific site, it is possible that that site has been compromised and the content comes from the site already infected.
Something in your ISP is compromised and the content comes from your ISP already infected.
Something in your own network (e.g. router) is compromised and the contents arrives on your PC already infected.
A malicious program got itself installed on your computer and it is injecting things into web pages as they arrive on your computer (either by modifying the incoming TCP or by messing with the browser).
A malicious browser extension got itself installed on your computer and it is injecting things into web pages as the browser loads them.
The most likely options are 4 and 5.
You can probably rule out 1, 2 and 3 by checking the site on your phone or tablet while attached to your home network's wifi. If there is no infection on the web pages viewed on the phone or tablet, then it is not likely 1 or 2 or 3.
If you disable all browser extensions in Chrome and the problem still occurs, then you can probably rule out #5. If the problem goes away when you disable all browser extensions, then you probably have a bad browser extension.
In all cases, you should run a good malware detector. When something like this happened to my daughter's computer, Microsoft Defender did not detect it, but when I downloaded and ran the free Malware-Bytes scanner, it did find the problem and removed it.

Launch Chrome browser from Internet Explorer

We have a web application which has some features that works only in Chrome and I want to launch this web app using Google chrome browser with url of the web app as parameter from Internet explorer via a hyperlink. I tried
file:///C:/Program%20Files%20(x86)/Google/Chrome/application/chrome.exe
but it downloads the file + how do I add parameter to the exe.
By default, a browser cannot launch another program (plugins and extensions being possible exceptions). If they could, imagine the havoc some malicious user could get up to.
I don't think there's going to be a great answer for this, but you could make a .bat file that opens chrome to a particular URL (assuming you're using Windows), download that and click on it after it downloads.
Here is a useful answer in that case.
You could also (theoretically) make an extension or lower the security settings on IE to allow ActiveX controls. Here's a partial solution. I tried to make something similar a while back and didn't have much luck, but if you're determined...
Maybe there's a better way that doesn't involve such complicated solutions?
I found myself needing to achieve this myself. It appears a later release of Chrome had broken the fix described in Adam Fowlers blog.
I got in touch with him and he's now updated his post, providing the now necessary registry changes required to make this work.
I've tried this myself and it works nicely.
Adam Fowlers blog post - How to launch a URL in Google Chrome
https://www.adamfowlerit.com/2015/05/how-to-launch-a-url-in-google-chrome/
Big thanks to Adam for his time! Hope this helps.
This is a .reg file that creates (on a 64-bit Windows) a special URL protocol that allows you to open chrome: links in Chrome:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\chrome]
#="Chrome URL Prorocol"
"URL Protocol"=""
[HKEY_CLASSES_ROOT\chrome\Application]
"ApplicationIcon"="C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe,0"
"ApplicationName"="Google Chrome"
"ApplicationDescription"="Access the Internet"
"ApplicationCompany"="Google LLC"
[HKEY_CLASSES_ROOT\chrome\DefaultIcon]
#="C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe,0"
[HKEY_CLASSES_ROOT\chrome\shell]
[HKEY_CLASSES_ROOT\chrome\shell\open]
[HKEY_CLASSES_ROOT\chrome\shell\open\command]
#="cmd /v:on /c \"set url=%1 & set url=!url:chrome:=! & \"\"\"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\"\"\" -- !url!\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\chrome]
"WarnOnOpen"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\chrome]
"WarnOnOpen"=dword:00000000
Links should be like chrome:https://google.com or chrome:google.com. "chrome:" part is removed before launching Chrome.
You can use a URI Scheme, Google installs one by default as shared by Adam Fowler here:
http://www.adamfowlerit.com/2015/05/28/how-to-launch-a-url-in-google-chrome/
So you can create a link like this (note the space before the URL):
ChromeHTML:// www.bbc.co.uk
But it is broken! There's a bug report with Google, see Adam's article. It would be good to add some weight/comments to this bug if you want it fixed.
However your next decision depends on whether you have some control over the deployment of your web application because these bugs can be fixed using registry fixes.
Interestingly, if you can deploy registry fixes, in theory you could create your own URI schemes.
If you can modify the IE permissions on the PCs needed, you can use a javascript link to launch a process. Mine launches a custom program that launches chrome with command line switches and a URL, or opens a web page that indicates they need to contact IT to install Chrome on their PC:
javascript:(new ActiveXObject('Shell.Application')).ShellExecute('\\\\server\\path\\LaunchInChrome.exe', '-incognito --use-system-default-printer https://outlook.office365.com/owa/?realm=xxx http://webserver/MissingChrome.html');
But you could modify it to launch chrome.exe directly instead. You will need to enable Initialize and script ActiveX controls not marked as safe for scripting in the Intranet Zone (I wouldn't recommend this for any other zone).
you have to pass the parameter to chrome, something like this.
start chrome https://www.google.com/

How to easily run local content (javascript, Flash) especially in IE11

I've developed interactive content for a client ( VR Objects ) using javascript and Flash (if needed) that they now want to distribute to prospective customers via a flash drive. That makes it local content causing security issues especially with IE. Actually there doesn't seem to be much problem with any browser except IE. True, IE displays the "allow blocked content" button but they fear that is too complicated or scary. And on IE11 in Win 8.1 it still may not work.
The development environment I use has a way around that for testing using an "embedded web server" although all that seems to do is produce a localhost address such as http://localhost:60331/wyj-01xn/output/surfacide_flash.html. Paste that in the URL bar of any browser on the same machine and you are good. Try it on another machine and no go. So I gather the port address and whatever the /wyj-01xn/ is about are machine specific. Another possible problem -- it may not work easily with IE11 on Win8.1, but I don't personally have that setup to test.
QUESTION: Is there a way I can produce this same functionality for my client, distributed along with the content on the flash drive, without the need to install some special software (local web server) on each client computer??? The current workaround is to tell customers they should us any browser except IE. Client isn't happy.
You could distribute your webpages along with a portable Nginx server, or wrapped inside a Node-webkit or AppJS package.

Configuring maximum number of simultaneous open WebSockets (in IE)

I've got this JS application. All client side JS communicating with a third party stream server via web sockets. I have about 18 different web sockets open for one page. Firefox and Chrome handle this many open web sockets at once just fine. IE11 seems to have a limitation of 4 open web sockets at once. Once I open that 5th web socket, regardless of socket call to the third-party server, I get an error thrown by IE, which closes the socket and gives the general error "SecurityError" and expanding the proto section it gives me . Seems to be pretty generic errors from my searches. At first I thought there may be a trusted zone type issue with IE, but I've added the client site to my trusted zone as well as the server providing the data.
This post provides info on max number of websockets for Firefox & Chrome, but I don't see anything specific about IE. Are there any known limitations to IE and web sockets? Answered, see edit below.
This MDN site talks about increasing the max value, but again, I can't find anything about IE. Is there some IE setting to up the amount of open connections? Answered: see below edit.
EDIT: This site shows the max connections settings for IE. It looks like it's a registry setting in Windows that controls the amount of web socket connections. Interestingly enough, I don't have that registry Key anywhere, but there is still a limit for this. The page speaks of IE10, and I'm working with IE11 specifically. Does anyone know if there are registry settings for this in regards to IE11? Has anyone just added these feature web socket registry keys and solved this issue?
The MSDN documentation you referenced is clear on the default being 6 concurrent connections (which means if not specified in the registry, that's what you'll get); and, if the documentation doesn't specify differently, it's probably safe to assume newer versions of Internet Explorer act in the same way as version 10.
Try setting through group policy. It worked for me.
https://jwebsocket.org/documentation/reference-guide/internet-explorer-tips

HTML5 File System Info Bar Not Responding In Kiosk Mode

I am creating an application that runs in chromium portable in full screen with the --kiosk flag. It is written in HTML, JavaScript, and CSS. I am also using the HTML5 File System to store some large sets of data. The application opens up in full screen, and the info bar to request permanent storage pops up.
The problem is that, while running in kiosk mode, you cannot select either "OK" or "Cancel" to the file system's request to store data. You can only close the info bar with the "X". This results in the file system not getting any kind of quota and the application fails.
So is there a way to have unlimited storage for an application running from "file:///"? I have tried using --unlimited-storage but it doesn't seem to work for a webpage.
Is there a way to open up in full screen without using --kiosk? Any other work arounds or suggestions are welcome.
What version of Chromium Portable are you using? I had a similar issue awhile back, but I don't have the same problem in the newer versions. I am using the latest version as of now which is Chromium Portable 30.0.1599.10 (released on 2013-08-21).

Categories

Resources