Basically there is a MOSS 2010 site, and it contains a list of all user IDs that have accepted some terms. Of course these terms must be presented, and they should try to impede site navigation without accepting them.
The trouble is that the page they will access is editable only in HTML, so I can use Javascript as the only scripting engine.
So there is Site1 - Sharepoint, Site2 - HTML page.
User visits Site2 for first time, gets terms.
The user clicks Accept, it is recorded in a Sharepoint list located at Site1, terms disappear and the user sees regular website Site2
Security is the last problem. So let's assume the user is already logged in to the Sharepoint site.
I've tried iframes, but security asks for same domain/port/protocol.
Use JSONP. Send whatever data you need to as arguments in a URL that is set as the src of <script> element. Have the requested page return whatever data you need as JavaScript. That script will be executed and can do something like call an onaccepted() function in your page.
user sees regular website Site2
I am confused with statement above. You have written that site2 is just an HTML page. If that is the case I will just assume that site 2 refers to an HTML page which must be presented to the first time user when he is visiting Site1.
You can achieve this with a simple code on the default page.
Set default.aspx as the default page of Site1.
When the user visits Site1, a small piece of code runs, may be as a webpart or a delegate, which checks if the incoming user is in the Accepted terms list. If yes, it does nothing, else it redirects to site2.html.
The site2.html is a regular html page with Accept or Reject button. Upon accept, you will have to utilize Jquery code to put the user into the list once he clicks accepts.
Related
I'm working on customizing the landing page in our company's Acumatica Customer Portal by using a Wiki page, and I need to modify the displayed HTML elements based on the user's role, as well as write the user's name into one of the HTML elements.
What I'm trying to find, is a way to make an Acumatica function call maybe using Javascript, that returns the user's name and role, or maybe an API call I could make to get the same information.
What I've found / tried
I found that there's a function that returns the user name in this post, and I've tried to find ways to run it from Javascript, when the landing page loads, but haven't been able to make it work.
I also found that I can make API calls to Acumatica, and it gives a lot of options to retrieve production related data, but apparently none of the available endpoints directs to the current user's profile (which is screen SP408045 in the portal).
Thanks in advance for your help
There can be multiple users logged in at the same time.
System Monitor page lists logged in users:
An API call couldn't figure out which user you want.
With JavaScript you can try Cross Site scripting and parse the HTML element to find the logged-in user and roles. On Acumatica side the editor control values can be read with px_alls global javascript object. In both cases the logged-in user information must be present in the page. This means the pages have to be customized to add those elements. They can be hidden from UI but must be present in HTML source.
I would like to make a web application with adsense (or similar) and the following are my assumptions:
each web page (with unique text) needs to have unique static URL (e.g., /page1) in order to be able to index it for adsense
users navigate to other pages by clicking on links (there are multiple links that will send users to pages based on their behavior)
I would like to redirect users based on their history etc. at the server side, but in theory it would be possible to precompute each page to contain the correct links (i.e., to the intended target page based on the user response/click) directly
I do not want users to see to which page they are going (it would not work if they would see that by clicking on this link they would go to /page2, not to /page3, for this application it is important to not be able to guess the next step)
How to achieve this? If some of my assumptions are incorrect, feel free to challenge them.
Some solutions:
Redirect at the server side - i.e., the link will be resolved at server side, leading to redirect on each request (this is what I don't like here). Otherwise this would be very clean - the server would just get user's click and do the rest.
Put in the target links and hide them somehow from the user, so that he is not able to see whether the link goes to /page2 or /page3, i.e., solve this at client side. How can I do that in the best way? Perhaps using javascript for hiding the target URL or for reacting on each click, but here I don't like so much dependency on javascript.
Do you see any solutions for this? I don't need detailed code, just the direction to go, I am able to write javascript or to add redirect rules.
I just need to not let users see what will be the next steps based on their response/click and at the same time I think I need to preserve static URLs for adsense. Thanks.
I'm building a website that is functionally similar to Google Analytics. I'm not doing analytics, but I am trying to provide either a single line of javascript or a single line iframe that will add functionality to other websites.
Specifically, the embedded content will be a button that will popup a new window and allow the user to perform some actions. Eventually the user will finish and the window will close, at which point the button will update to a new element reflecting that the user completed the flow.
The popup window will load content from my site, but my question pertains to the embedded line of javascript (or the iframe). What's the best practice way of doing this? Google analytics and optimizely use javascript to modify the host page. Obviously an iFrame would work too.
The security concern I have is that someone will copy the embed code from one site and put it on another. Each page/site combination that implements my script/iframe is going to have a unique ID that the site's developers will generate from an authenticated account on my site. I then supply them with the appropriate embed code.
My first thought was to just use an iframe that loads a page off my site with url parameters specific to the page/site combo. If I go that route, is there a way to determine that the page is only loaded from an iframe embedded on a particular domain or url prefix? Could something similar be accomplished with javascript?
I read this post which was very helpful, but my use case is a bit different since I'm actually going to pop up content for users to interact with. The concern is that an enemy of the site hosting my embed will deceptively lure their own users to use the widget. These users will believe they are interacting with my site on behalf of the enemy site but actually be interacting on behalf of the friendly site.
If you want to keep it as a simple, client-side only widget, the simple answer is you can't do it exactly like you describe.
The two solutions that come to mind for this are as follows, the first being a compromise but simple and the second being a bit more involved (for both you and users of your widget).
Referer Check
You could validate the referer HTTP header to check that the domain matches the one expected for the particular Site ID, but keep in mind that not all browsers will send this (and most will not if the referring page is HTTPS) and that some browser privacy plugins can be configured to withhold it, in which case your widget would not work or you would need an extra, clunky, step in the user experience.
Website www.foo.com embeds your widget using say an embedded script <script src="//example.com/widget.js?siteId=1234&pageId=456"></script>
Your widget uses server side code to generate the .js file dynamically (e.g. the request for the .js file could follow a rewrite rule on your server to map to a PHP / ASPX).
The server side code checks the referer HTTP header to see if it matches the expected value in your database.
On match the widget runs as normal.
On mismatch, or if the referer is blank/missing, the widget will still run, but there will be an extra step that asks the user to confirm that they have accessed the widget from www.foo.com
In order for the confirmation to be safe from clickjacking, you must open the confirmation step in a popup window.
Server Check
Could be a bit over engineered for your purposes and runs the risk of becoming too complicated for clients who wish to embed your widget - you decide.
Website www.foo.com wants to embed your widget for the current page request it is receiving from a user.
The www.foo.com server makes an API request (passing a secret key) to an API you host, requesting a one time key for Page ID 456.
Your API validates the secret key, generates a secure one time key and passes back a value whilst recording the request in the database.
www.foo.com embeds the script as follows <script src="//example.com/widget.js?siteId=1234&oneTimeKey=231231232132197"></script>
Your widget uses server side code to generate the js file dynamically (e.g. the .js could follow a rewrite rule on your server to map to a PHP / ASPX).
The server side code checks the oneTimeKey and siteId combination to check it is valid, and if so generates the widget code and deletes the database record.
If the user reloads the page the above steps would be repeated and a new one time key would be generated. This would guard against evil.com from page scraping the embed code and parameters.
The response here is very thorough and provides lots of great information and ideas. I solved this problem by validating X-Frame-Options headers on the server-side , though the support for those is incomplete in browsers and possibly spoofable.
OK, so basically I've put together a very low security log in page (javascript username and passwords) which isn't a big deal cause there isn't really anything it's protecting, I just made a login page for the youth on my church website to view and study Sunday School material. What I'm wanting is to make it so you can't type in the direct html to your "profile" or bookmark it, I want them to have to use the javascript log in. For example, the script will direct bob to his "profile" at bob.html, but I want to only go to bob.html only if it comes from login.html, is there any way to do this without getting extremely complicated? I'm expecting there isn't but I thought I'd ask anyway.
If no server side programming is involved you will have to use a simple JavaScript redirection which is not even considered as a "low-level" security but as a "non-level" security :)
Anyway you can check the referrer with document.referrer and redirect to the main page when its not correct, remember that this is very easy to manipulate by the user.
More details on document.referrer can be found here http://www.w3schools.com/jsref/prop_doc_referrer.asp
if ((document.referrer).indexOf('login.html') > 0 && username=='someone' && password=='pass') {do stuff} else {user did not arrive from login.html or username is wrong or password is wrong}
If this is all from client-side javascript, then you can't do anything that's real security. I'm assuming you know that.
But, you can create a slight obstacle to direct access for the casual viewer by having the link from the login page set a very short expiration cookie (like 1-5 minutes), then go to the profile page and have the profile page have all the profile content hidden by default (via a CSS rule). Then, your javascript can check to see if the cookie is present upon loading and, if so, show the content.
If the viewer tries to go directly to the profile page, the cookie will not exist and the page content will not get shown by the javascript. Obviously, the content is still present in the page so any viewer with any knowledge of how web pages work could still see the content in other ways, but it wouldn't show by default in the browser.
Multiple schemes are possible, like the one presented above by jfriend00.
You can also use rolling URLs.
Say your profile page is at http://example.com/profile/foo. Change it to http://example.com/profile/foo?time=yyMMddhhmm where yyMMdd represents the current date, and hhmm represents the current server time. Then make sure that the server refuses to serve this page if the time doesn't match.
Easy to see what happens if someone bookmarks this link. Their bookmark will work for at most one minute.
Unfortunately, the link on the page also expires in one minute. You can solve this problem that updates the URL roughly every minute, but it is not as straightforward as it may look. You will need to take into account the fact that the time on the user's computer may be different from the server time.
Another way to do it is with a session cookie. Session cookies are good until the browser is closed. They expire automatically when you close it. This is a variant of jfriend00's original answer.
Hope this helps.
Requests to third party servers keep slowing my site down, so I am trying to have as few as possible.
In my book, the ideal "tweet this" solution should
be a small JavaScript snippet to be hosted on my own site
not have any activity while loading the page (at least as few as possible, but no additional HTTP requests)
just when clicked, retrieve short URL and tweet it
Is there anything like this? All solutions I have found do load stuff from other servers while my page is loading.
I would not mind to do some of the scripting around this myself, but of course I do not want to re-invent the wheel, if there is a good solution around.
EDIT: In case anyone is interested in what I finally ended up with.
I decided to implement the API call in my backend, triggered by an AJAX request when the user clicks a button. From the client perspective, this solution needs least resources and is as lazy as it can be. Plus: addressing the bit.ly API directly is really trivial.
However: retweet.js (posted below) is still the best out-of-the-box client-side solution I have seen so far.
Not 100% certain this is what you're after, but have you had a look at this?
Easy Retweet Button by John Resig http://ejohn.org/blog/retweet/
It uses bit.ly to shorten urls and forwards the user to their Twitter login page.
Oh, and it uses jQuery which can be hosted on your site. :-D
You could go with a really lo-fi solution and simply link to the Twitter page from your home page. Add a link like this:
Tweet this!
... where [mystatus] would be some string representing the tweet you want the user to send.
This link, when clicked on, will open a new window/tab and, if the user is logged into Twitter, will populate the status message input with the [mystatus] string. If the user is not logged in, they'll get redirected to the Twitter login screen and after a successful login their status input will be populated with the [mystatus] string.
You would need some kind of solution to customize the [mystatus] string to contain what you want it to contain. Some options:
You could do this with a server-side language: construct and populate the href attribute of the anchor tag before the HTML is composed and sent to the client.
You could also do this with JavaScript after the page loads: attach some function on page load that will change the href attribute of the anchor tag to contain the status message you desire.