I have a main header page that is included in many different applications across a couple of different languages, including Java and classic ASP. The file (file.js) is going to be obsolete soon. We are going to be going to an "out-of-the-box" solution, a new header created by another group. They gave us a link ("google.com") that we need to use to show this new header. I was wondering if there was a simple solution I could implement in my file.js that would show this content to the users. I know an easy way to do it in jsp is
<c:import url="http://google.com"/>
but this won't work in the js file, nor will it work in the jsp. Is there a way for me to do this?
Thank you,
Explosive_donut
Obviously the URL you are really given isn't Google. I suppose the second team is able to modify their own (document) headers sent to clients.
First way I think of is to use AJAX to retrieve the contents of the URL and create a div or select an existing to set its new content.
Unfortunately AJAX is restricted to the Same Origin Policy which can be circumvented with CORS (Cross Origin Resource Sharing). To allow CORS, your remote server as well as your client maschines need to send respective headers. Check out the link for more information.
If you need any more information and/or tutorials, let me know in the comments.
Related
I'm making a program to parse a bunch of information from several pages of a database website for a JavaScript library. Just by messing around with the console, I've figured out how to isolate the information I need, but I don't know how to access the information from the parsing program. I'm almost exclusively proficient at HTML/JavaScript, so naturally I'm sticking with what I know for what should be a relatively simple parser. Here's the basic idea of what I intend to do:
for (var i = 0; i < 5; i++) {
var outsideHTML = getDocumentByURL("https://www.example-database.com/page-"+i);
//other code that parses information from the variable "outsideHTML"
}
I just need a function to serve as getDocumentByURL(). Thanks in advance.
Due to something called same-origin policy, you cannot access the document or other contents of another webpage using client-side JavaScript unless the other webpage is on the same domain as your webpage, or unless the other website explicitly allows it by supporting JSONP or setting Access-Control-Allow-Origin headers. It sounds like you're trying to retrieve a webpage, so JSONP isn't relevant, and it's fairly uncommon for Access-Control-Allow-Origin headers to be set on a webpage. Thus, this probably isn't possible to accomplish in the way you've described.
To retrieve the data from the other website, there's a couple approaches you can take:
Run server-side code (i.e. PHP, Node.js, Java, etc) that retrieves the other webpage and extracts the information you need. Server-side code is not affected by browser security policies such as same origin policy.
Use a cross-origin proxy (such as crossorigin.me). This proxy will retrieve the data for you and add the Access-Control-Allow-Origin headers that allow you to access the page contents.
Depending on what you're trying to achieve, you might transform your idea from a webpage to a browser extension -- browser extensions can be given the freedom to ignore same-origin policy.
Ask the website owner if they'd be willing to accommodate you by providing the data in a friendlier format.
Note that both of the first two approaches result in the request being made from a server rather than from the client's computer. This means that you can't retrieve any information that requires that they be logged into the website.
Due to hotlink protection I'm having difficulty displaying images. The http request send in order to obtain the images contains a non empty referer header. This causes the hotlink protection to kick in.
Using a referer control tool, I can block the referer, which bypasses hotlink protection. However now I want to do this in a PHP/HTML/javascript code. I found information that it is possible, but I don't fully understand how to implement it.
Can some one give me a hand?
Thanks in advance!
FYI: I have permission of the website to do the hotlinking, as it's for an android app. However they cannot provide me with an API.
There is no way to forge the referer header from a browser request, not even via a call made from JavaScript.
2022 UPDATE: As pointed out in the comments, and other answer, this is now possible (except on IE and other really old browsers).
You could set up a proxy server, that forges the Referer header. You then need to have your android app point to your own server to get all the images. You can do this from PHP, using the curl functions (or even directly via the socket API).
Note: if the purpose was to actually hotlink then this saves nothing, as you end up serving all the images. And it adds another moving part that could break. If your image supplier cannot give you a better solution, find another provider?
You can try to avoid hotlink protection by setting no-referrer value to attribute referrerpolicy of img element.
Details here.
I want to put a restriction on my API so only registered users can use it on their websites. The javascript will be used on their website by pasting it into their html. Right now I use a token for each user but it's visible to the public on their site so anyone could copy it. It tracks usage but doesn't restrict it to only their site.
My first thought was to get the HTTP_REFERER variable from the http headers on the server and make sure it's from the domain registered by the user. This won't work because HTTP_REFERER can be blank or changed.
My second thought was to use JavaScript in the pasted script to get the document.location and pass that back the to server. That can also be tampered with so it is unreliable.
I'm looking at OAUTH2 now as a solution. I don't know much about it besides it's used for SSO. Looking at this JS OAUTH2 Lib too: https://github.com/andreassolberg/jso
Could they be used for what I need to do?
One requirement is that the script is pasted into the HTML. There shouldn't be any other configuration on their site that needs to be done.
What other solutions are their for this?
There shouldn't be any other configuration on their site that needs to be done other than pasting your javascript ?
Well, then probably OAUTH2 is not what you are looking for, OAUTH adds the concept of an authorization server to your web API and the complexity increases.
http://www.asp.net/aspnet/overview/owin-and-katana/owin-oauth-20-authorization-server
if you are not looking to authorize users but just identify domains that can consume your api from javascript, enable cors and add an attribute to specify which origins are allowed to access the resource. Example :
http://www.asp.net/web-api/overview/security/enabling-cross-origin-requests-in-web-api
Thanks.
I have some HTML/PHP pages that include javascript calls.
Those calls points on JS/PHP methods included into a library (PIWIK) stored onto a distant server.
They are triggered using an http://www.domainname.com/ prefix to point the correct files.
I cannot modify the source code of the library.
When my own HTML/PHP pages are locally previewed within a browser, I mean using a c:\xxxx kind path, not a localhost://xxxx one, the distant script are called and do their process.
I don't want this to happen, only allowing those scripts to execute if they are called from a www.domainname.com page.
Can you help me to secure this ?
One can for sure directly bypass this security modifying the web pages on-the-fly with some browser add-on while browsing the real web site, but it's a little bit harder to achieve.
I've opened an issue onto the PIWIK issue tracker, but I would like to secure and protect my web site and the according statistics as soon as possible from this issue, waiting for a further Piwik update.
EDIT
The process I'd like to put in place would be :
Someone opens a page from anywhere than www.domainname.com
> this page calls a JS method on a distant server (or not, may be copied locally),
> this script calls a php script on the distant server
> the PHP script says "hey, from where damn do yo call me, go to hell !". Or the PHP script just do not execute....
I've tried to play with .htaccess for that, but as any JS script must be on a client, it blocks also the legitimate calls from www.domainname.com
Untested, but I think you can use php_sapi_name() or the PHP_SAPI constant to detect the interface PHP is using, and do logic accordingly.
Not wanting to sound cheeky, but your situation sounds rather scary and I would advise searching for some PHP configuration best practices regarding security ;)
Edit after the question has been amended twice:
Now the problem is more clear. But you will struggle to secure this if the JavaScript and PHP are not on the same server.
If they are not on the same server, you will be reliant on HTTP headers (like the Referer or Origin header) which are fakeable.
But PIWIK already tracks the referer ("Piwik uses first-party cookies to keep track some information (number of visits, original referrer, and unique visitor ID)" so you can discount hits from invalid referrers.
If that is not enough, the standard way of being sure that the request to a web service comes from a verified source is to use a standard Cross-Site Request Forgery prevention technique -- a CSRF "token", sometimes also called "crumb" or "nonce", and as this is analytics software I would be surprised if PIWIK does not do this already, if it is possible with their architecture. I would ask them.
Most web frameworks these days have CSRF token generators & API's you should be able to make use of, it's not hard to make your own, but if you cannot amend the JS you will have problems passing the token around. Again PIWIK JS API may have methods for passing session ID's & similar data around.
Original answer
This can be accomplished with a Content Security Policy to restrict the domains that scripts can be called from:
CSP defines the Content-Security-Policy HTTP header that allows you to create a whitelist of sources of trusted content, and instructs the browser to only execute or render resources from those sources.
Therefore, you can set the script policy to self to only allow scripts from your current domain (the filing system) to be executed. Any remote ones will not be allowed.
Normally this would only be available from a source where you get set HTTP headers, but as you are running from the local filing system this is not possible. However, you may be able to get around this with the http-equiv <meta> tag:
Authors who are unable to support signaling via HTTP headers can use tags with http-equiv="X-Content-Security-Policy" to define their policies. HTTP header-based policy will take precedence over tag-based policy if both are present.
Answer after question edit
Look into the Referer or Origin HTTP headers. Referer is available for most requests, however it is not sent from HTTPS resources in the browser and if the user has a proxy or privacy plugin installed it may block this header.
Origin is available for XHR requests only made cross domain, or even same domain for some browsers.
You will be able to check that these headers contain your domain where you will want the scripts to be called from. See here for how to do this with htaccess.
At the end of the day this doesn't make it secure, but as in your own words will make it a little bit harder to achieve.
I am writing a JavaScript application where I plan on host the code on a CDN. Now I plan to include this code to my clients' sites. However, I have a problem, I want to use AJAX to communicate between the client and the server. Now, from my understanding of XSS, this is not possible.
Ex:
User visits site.com, where a script tag's source is pointing to a file on cdn.somedomain.com
The script on cdn.somedomain.com fires an event.
This event will communicate with a PHP. I know it is possible for the script from cdn.somedomain.com to request documents on site.com. However, is it possible to send data back to a PHP file on cdn.somedomain.com?
Thanks for helping an entrepenuer! :D
The short is I think this is possible, but it depends on a couple of things. The same origin policy is a weird thing in that it won't allow cross domain reads, but will allow cross domain writes.
I think a way you could accomplish your goal is by making a GET request (minimally by creating an iframe, img, or whatever else that pulls a src) or possibly even using AJAX. If your goal is to only send data, then that should be fine. However, if you want to read this data back then I think that'll be a little less straight forward. I can't really answer that right now - especially without knowing more details about your system setup.
Sounds like a weird use of a cdn. Normally cdns serve static assets, so you wouldnt put a php file there. In fact the cdn wouldnt normally run dynamic server side code at all.
You can address the problem in several ways. Newer browsers support CORS and cross domain ajax. The cdn would then have to use the Access-control-* headers. You could also look at something like easyXDM, which works in older browsers.