Content files return "empty" on SSL connection - javascript

I have two websites in IIS7 (WS2008) that point to the exact same folder on my server. The standard website (http://example.com) uses a normal HTTP protocol. However, I have issued an SSL certificate to a subdomain (https://ssl.example.com) on the other website, and it's on this protocol that I'm having trouble.
On the HTTPS website some of my files just return empty or "nothing". Take for example my general CSS or JavaScript files. They work fine on my HTTP website, but on the HTTPS website they are just empty.
Am I missing a configuration in the IIS or am I just stupid? What am I missing here?

I just had an analogous situation that might pertain to yours. In our case the server has .gz (compressed) versions of html and js, and these were empty due to the way the build was deployed. It might also happen that your web server is not configured to serve the .gz files up to the client with the correct file type in HTTP.

Related

Difference between Localhost and opening html file

What is the fundamental difference between running a file using a server in localhost and opening a file such as file:///Users/$user_name/$your_directory/index.html, assuming no backend is used and it is only frontend and contains html/css/js?
How does this also affect interactions with other servers, i.e. ajax requests?
I am sorry if this is too broad, but I haven't found a solid answer to these underlying questions.
Fundamentally, assuming at some point you're going to host the result on an actual web server, the former matches the target environment while the latter doesn't. Browsers treat local files and files served from web servers (even localhost web servers) differently, although very similarly. One aspect of this is the encoding: When you retrieve a file from a web server, the process of determining what encoding the data is in is different from opening a local file.
How does this also affect interactions with other servers, i.e. ajax requests?
This is one of the primary ways in which they're handled differently, and it even varies from browser to browser. A page loaded from a file:// URL has origin null from a Same Origin Policy standpoint. Some browsers (like Chrome) disallow Cross-Origin Resource Sharing entirely for origin null, even when the server you're trying to talk to has a wide-open CORS policy (*). Others (like Firefox) allow origin null to match the wildcard.
In general, for best results, ensure that your development environment matches your deployment environment in the important ways. That means doing your development using a web server process rather than local files. Most IDEs will happily provide that process for you; if not, Apache or Nginx aren't hard to install.
The answer is simple:
If you haven't made an active backend yet for "index.html", then it would not have an effect, e.g. "localhost" and "index.html" will be the same this time.
But when you start working with the backend, most of the backend processes need an active server (need localhost).
E.g.:
1. fetch('local.json')... // fetching JSON or any file would not work for local files.
2. You may not interact with mysql/django etc. databases.
This means it causes errors in signup/login, storing any image/video/docs in the database, etc.
So it is better to work in localhost; the easiest way is:
VS Code (IDE) >> Extensions >> Live Server (you just need to click a button to start localhost and click again to stop localhost)
https://marketplace.visualstudio.com/items?itemName=ritwickdey.LiveServer
It won't make any difference, I think.
But there is an exception when using Chrome! Sometimes I have seen that if an HTML file is added with some CDN link, then it doesn't get loaded into the HTML specifically in Chrome, but if you try the same file in Firefox or Internet Explorer, it works.
I have faced this problem and hence I always put it under local IIS default website.

Why gulp-gzip and can I serve gzipped content without configuring the server?

I ran into a dilemma lately as I was exploring the various plugins for gulp. One of them was gulp-gzip and till then, I have never thought about compressing my files. I got gulp-gzip to work correctly and spit out gzipped versions of my HTML, CSS and JS files but then, what next?
I googled around and found that most articles talk about configuring the server to send gzipped versions of the content automatically to the client upon request. But then, I kind of don't seem to understand the purpose of gzipping locally.
So, my questions are:
Can I serve gzipped content I get from gulp-gzip without configuring my server?
If yes, how should I proceed -- what should I name my gzipped files as? Should I keep the .gz extension and link to my CSS and JS files using the same?
If yes, can I test it locally by linking to the same .gz files?
If no, what is the purpose of gulp-gzip in a development environment if the server can be configured to do it automatically?
Most servers have an option to serve statically pre-compressed files if a *.gz version exists, i.e. when user requests foo.css, the server will check if foo.css.gz exists and use it.
It requires server support (the server has to set appropriate HTTP headers), so it won't work with the file:// protocol and may not work on every server.
In URLs you have to refer to the base filename (do not link to .gz directly).
Compressing files ahead of time may be better:
You can use higher compression level (e.g. maximum gzip level or the Zopfli compressor), which would be too slow to do real-time on the server.
Compressing ahead of time saves CPU time of the server, because it doesn't have to dynamically compress files when they're requested.
Just be careful when you deploy files to the server to update both *.css and *.css.gz at the same time, otherwise you may be surprised that you sometimes see an old version of the file.

Can a file served by http (localhost or remote) be accessed from a local file opened through file:// protocol? And vice versa? How to implement this?

I've got several html files (TiddlyWiki Classic instances) which are stored on a USB-stick (and for it to remain removable, I open them through the file:// protocol). I use Ajax (via SharedTiddlersPlugin, but that's not that important) to load contents of some of them into others of them and that works nicely.
I've also set up several TWs using localhost (WAMP # Windows 10 and a simple saving server called MicroTiddlyServer, the latest version can be found here). But "including" (via Ajax request) from localhost to file and from file to localhost doesn't work.
So, the question is which ways of including (loading content of an html using JavaScript) is possible:
1. from file to localhost? Meaning that I open a TW at localhost and get contents of a file on my USB-stick (looks like a big security issue, so it's more likely that this is forbidden, at least using Ajax, but may be there's some workaround),
2. from localhost to file? (my guess is it's possible via CORS, but adding Header set Access-Control-Allow-Origin "*" to <Directory ...> of Apache's httpd.conf prevents my server (WAMP pack # Windows 10) from working and putting .htaccess file with the Header set Access-Control-Allow-Origin "*" content into the TW directory causes Internal Server Error \n The server encountered an internal error or misconfiguration and was unable to complete your request.)
3. from remote server to file? (I guess this shouldn't differ much from 2. aside that I usually can't configure the server as I'm not an admin; but as I'd like to use TW as an RSS aggregator, let me include this here, too; this also would help including from and TWs on my smartphone which can be served from there using a PHP server; including to TWs on the smartphone requires localhost->remote server, though, which seems forbidden, too)
I really need some working examples (not necessarily with TW, just with html files) as I'm kinda lost in all those CORS questions and tutorials (the latter being about http, not file protocol). Actually, any working solution (not necessarily via Ajax) will do if:
my USB-stick remains removable at any time except for saving moment
the server-side part can be done at Android as well (PHP is good, Python should do as well, although I haven't tested it yet) and server config is described clearly (well, this happened to be not clear enough in my case)
including remains async
In fact, there's quite a number of ways described for servers, but working with file:// is somewhat different (there's no server to configure!).
The main goal of this question is to understand whether I have to create a server which will serve TWs on USB-stick once it's inserted or I can achieve all 3 goals in a "mostly client-side" way (opening TWs through file protocol). But also I hope that working examples will be helpful for others since this topic seems somewhat poorly documented.
For evident security reasons this behaviour is not allowed.
from file to localhost? Meaning that I open a TW at localhost and get contents of a file on my USB-stick (looks like a big security issue, so it's more likely that this is forbidden, at least using Ajax, but may be there's some workaround),
It is not allowed as you cannot use Access-Control-Allow-Origin in an html meta tag.
from localhost to file?
from remote server to file?
Actually, that's the same, there's a web-server, so it's the same mechanism. And as no server will respond with the Access-Control-Allow-Origin header, you cannot access file:// url.
Yes, accessing a file from a server is surely a security issue, but why is accessing a server from a file-served html an issue?
If you could do that, you could send your entire hard drive anywhere on the web just by double clicking on a file.html in your file explorer...
The only way to access your content is to serve it, sorry.

How to call CSS and JS from a sub-domain - to make loading faster in Magento

When calling css and js files from a sub-domain, what would be the correct way to do this in Magento?
First, make sure the sub-domain resolves to the same folder as the rest of Magento. So a file, "http://www.example.com/file" will appear exactly the same as "http://static.example.com/file".
Then, in Magento's admin, go to System > Configuration > Web > Unsecure and change {{unsecure_base_url}} to your new sub domain (eg. "http://static.example.com/") for the Skin, Media and JavaScript options. Repeat for the "Secure" section too.
Edit:
I just remembered that for secure sub-domains you either need a wildcard certificate or an additional certificate for the sub-domain installed. It might be simpler to skip the "Secure" section because of this; most pages will not be served as secure, so the inconvenience is minimal.
Also I've had problems with the image upload for products when using sub-domains, you can get around this with No Flash Uploader.
Just to add to that, it's recommended to set up static files on a different server running Nginx (or other optimized server, not Apache). If you are using separate servers you should share image folder via NFS (export on static files server, mount on all web nodes) so image upload works correctly.

Enabling XSS from files hosted on local filesystem

I have HTML and JavaScript files on my filesystem for a mobile application that is in development. When the application is deployed to a mobile device, these files will be hosted on the local filesystem there, where XSS from file:// is not an issue. An important part of this application is sending XHR POST requests to a RESTful API.
It seems like XSS should not be a security issue for browsers if the files making the request are hosted on a local filesystem instead of deployed to a web server.
Does anyone know of a browser extension or configuration change that will enable XSS from files hosted on a local file system?
Well, although you will have to change the server and client code a little bit, it isn't very clean and you will have to trust the server, you can load the data as a javascript which contains a call to a function in your page and a big string or so as the parameter. This seems to be a good example.
Alternatively, you could serve the files from a local webserver and fiddle around with the hosts file and document.domain.
I've found a useful link that's helped me execute POST requests from localhost to another domain. It is a Firefox hack that allows XSS from files hosted at localhost. It's not perfect, but it helps me get this thing developed.
