I want to be able to detect if the browser support SNI - Server Name Indication. I'm hoping to redirect non compliant clients to a different address.
I was thinking of loading some content through SSL and make sure it was transfered securely. Otherwise the browser doesn't support SNI. Can this be done?
You could set up a server that supports SNI, serving two host names, on where you require SNI and one that's a fallback solution, both serving the name that they are hosting.
Something along the lines of:
https://www.example.com/name returns a representation saying I'm www.example.com
https://www.example.net/name returns I'm www.example.net (and requires SNI).
If you make an XHR request to https://www.example.net/name and it returns www.example.com, then the browser doesn't support SNI.
Not sure if this is what want but there is this
RewriteEngine on
# Test if SNI will work and if not redirect to too old browser page
RewriteCond %{HTTPS} on
RewriteCond %{SSL:SSL_TLS_SNI} =""
RewriteRule ^ http://www.example.com/too-old-browser [L,R=307]
If an old browser tried to use a site which needs SNI then it will be redirected (in this case back to http and a page saying browser is too old). But you will always get an error. It can't be avoided. The browser says hello IP...., and apache replies hello here is my certificate. If the browser does not supply SNI in the hello apache just sends default (i.e. wrong) certificate. Browser then complains.
If you want to pick this up from http before swapping to https then you could put something like this in htaccess
#Set $_SERVER['SSL_TLS_SNI'] for php = %{SSL:SSL_TLS_SNI} or value
SetEnv SSL_TLS_SNI %{SSL:SSL_TLS_SNI}
And then in your page do a https fetch from the default domain (default so browser does not say there is a security error). If SNI is working the in php $_SERVER['SSL_TLS_SNI'] will have the domain name, otherwise it will have %{SSL:SSL_TLS_SNI}. This bit of code could be improved but you get the idea.
You can only test for SNI support prior to requiring it. That is, you cannot force users onto SNI HTTPS and then fall-back if they don't support it, because they will receive an error like this (from Chrome on Windows XP) with no way to proceed.
So (unfortunately) the user has to actually begin over an insecure HTTP connection and then be upgraded only if they support SNI.
You can detect SNI support via:
Remote script
From your plain HTTP page, load a <script> from your destination SNI HTTPS server and if the script loads and runs correctly, you know the browser supports SNI.
Cross-Domain AJAX (CORS)
Similar to option 1, you could try performing a cross-domain AJAX request from the HTTP page to the HTTPS, but be aware that CORS has only limited browser support.
Sniff the user-agent
This is probably the least reliable method, and you will need to decide between having a blacklist of browsers (and operating systems) known not to support it, or a whitelist of known systems that do.
We know that all versions of IE, Chrome & Opera on Windows XP and below do not support SNI. See CanIUse.com for full list of supported browsers.
Since commercerack upgraded to SNI for all sites we've had the same issue. (Users starting checkout and getting a nasty SSL issue).
Feel free to use this as a starting point.
As the list of browsers grow I will update but it does IE on XP + Android 2.0-2.2 right now.
https://github.com/brianhorakh/html-sni-useragent-sniffer-warning
Related
React app. I want to block specific browser (Kiwi Mobile) from my site. But i can't use User-Agent header, because people, who using site also using chrome extension, which change User-Agent in requests. So, is there any other ways to get browser info?
I tried to detect extension, but it works like a VPN extension: intercepts requests and then send changed data to my servers. I blocked an extension IP in Cloudflare, but it works only for a week, then they start using proxy servers, and detect all proxy servers is nearly impossible.
I need to block using this browser by React app (just not load the page if it is a kiwi browser). Or maybe, block it by cloudflare, if it's possible
I added a custom port in etc/hosts file
127.0.0.1 testlocalhost.com
When launch server(http not https) from this port, I noticed Chrome banned Camera and Mic permissions, and threw
getUserMedia() no longer works on insecure origins
When launch from localhost directly, I can change these 2 permissions although still seeing Your connection to this site is not secure warning.
I was wondering if it's possible to whitelist the custom port.
thanks!!!
(When test in Firefox, it still gives me the options to change Camera and Mic permissions.)
Right in the error message you must have had, there is a link to this page, where there is a paragraph about Testing Powerful Features which enumerates a few options, and among them,
You can run chrome with the --unsafely-treat-insecure-origin-as-secure="http://example.com" flag (replacing "example.com" with the origin you actually want to test), which will treat that origin as secure for this session. Note that on Android and ChromeOS this requires having a device with root access/dev mode. (This flag is broken in Chrome 63 but fixed in Chrome 64 and later. Prior to Chrome 62, you must also include the --user-data-dir=/test/only/profile/dir to create a fresh testing profile for the flag to work.)
So you just have to start Chrome from command lines with the flag --unsafely-treat-insecure-origin-as-secure="http://testlocalhost.com"
Short answer is no - you cannot bypass the saved word localhost with an IP address which represents it. The reason is that Google Chrome uses the actual word localhost to detect develper debugging and allow using getUserMedia via HTTP. All other addresses, regardless if they represent localhost or not, are only allowed to use getUserMedia via HTTPS or WSS.
Like above post answered, I can run chrome with flag by chrome://flags/ in search bar, search flag: insecure origins treated as secure, enable it, and add your custom ports there, separate with ,
I have a Javascript application running in a browser, and I want to access some data sitting in a server that can't enable CORS.
It's not a testing application, is meant for the end-user, even if a little techy one.
I considered:
PHP Proxy: Not appropriate. Server on the other side make decision about IP geolocation.
Java/SilverLight: Unfortunately my #1 target is Chrome
JSON: Not available
What are my options?
Please notice that I'm not trying to make any malicious application: if the user need to approve or allow me to make this request is totally fine.
You are trying to do exactly what the Same Origin Policy is designed to prevent (and what CORS is designed to allow the server to permit).
Your options are:
Find a way to work with whomever controls the server
Get the users to download and install software which isn't subject to the Same Origin Policy (such as a stand-alone application or a browser extension).
You need to ask your users to install chrome extension to overcome CORS. I used to use it while developing ionic apps and testing on chrome
https://chrome.google.com/webstore/detail/allow-control-allow-origi/nlfbmbojpeacfghkpbjhddihlkkiljbi?hl=en
https://chrome.google.com/webstore/detail/cors-toggle/omcncfnpmcabckcddookmnajignpffnh?hl=en
I would extremely appreciate some help with the following issue:
I have a payment web app hosted in IIS and configured for SSL. I need to integrate a POS terminal (or pin-pad) with a static IP that's not SSL compatible. I can talk to it running the site without SSL (HTTP to HTTP), but not HTTPS to HTTP - obviously getting "Mixed Content ..." error as Chrome doesn't allow that. I don't need to care about other browsers, but I can't run my site HTTP and as mentioned terminal doesn't support HTTPS.
Now, before you mark it as duplicate - I've read:
sending request from https to http from chrome extension,
Chrome extension - Disable Blocking of Mixed Content
Since v38, Chrome extension cannot load from HTTP URLs anymore, workaround?.
And it looks like Chrome extension might provide a solution. I don't have any experience with Chrome extensions though, but comfortable with JavaScript. I would prefer to avoid chasing something that would result in a dead-end. So, my question is - am I on the right path? If so, how do I go about implementing this? How do I go about delegating the ajax post call to the extension?
Any thoughts, ideas, tips, suggestions would be highly appreciated!
If you are going to use chrome-extension, do you want everyone who visits your payment site install the extension first? If the answer is yes, then sure, chrome-extension can help with that. Take at the following guide:
Cross-Origin XMLHttpRequest, it tells you that background page can send request to http site, even if current page is https
chrome.webRequest.onBeforeRequest, it tells you that you could redirect a http(s) request.
What is best-practice way of consuming a SOAP web service in Firefox OS?
Are there any Firefox OS specific issues I should pay attention to or it comes down to a problem of consuming a web service from JavaScript (where I can use JQuery AJAX or similar)?
There shouldn't be any Firefox OS-specific issues - if/when you could make it work in a browser (preferably a Firefox browser, that is) then it should work just fine in Firefox OS, too.
Although one issue might arise, if the SOAP service doesn't serve CORS allow-origin headers, in which case your XMLHttpRequest would fail as the OS won't allow cross-origin XHR-s. You could overcome this by creating a Privileged application, that requests in the webapp manifest the SystemXHR permission, in which case you are allowed to make cross-origin requests to remote services, regardless of CORS headers.