Catching flash POST from javascript - javascript

I have a series of .swf files that I inherited from an old version of a site I'm trying to rebuild.
When flash_element.submitForm() is called, they POST some data directly to a static url ("/submit"), then depending on the response, reload the browser page.
I would very much like to capture the data that they POST using javascript - preferably without it getting sent at all - so that I can have more intelligent logic to handle the request/response than is built into the .swf files I've inherited.
Basically: When a flash object makes an HTTP request, can I catch and cancel this event in Javascript?

Basically no. You can try to use the various swf disassembler/reassembler things, like the swfdump.exe that comes with Flex, to get rid of the POST or change it to a JavaScript call. There's precious little control or knowledge you can gain from a swf directly from JavaScript that the swf doesn't make explicitly available via the appropriate APIs. This is as it should be: if what you suggested were possible, it would be a fairly serious security hole.

Related

Can Javascript access an external or localhost database or nodejs?

I'm using a javascript scripting engine for a MUD I'm playing; they have a javascript client hosted on their server. I'm wanting to store some information in a database and access it from the client (or inject it somehow into the client) but I'm not seeing how I could do that.
Basically I can write javascript files into the trigger section of the website and they fire. It has Javascript and JQuery options. It does not have a database option on their end, which is why I'm trying to add it myself.
I know client side javascript has a lot of restrictions on it, so I'm not sure how far I could really go with this.

I think you might be able to do this, but it's going to be hacky.
If you're able to attach a script node to the DOM, you can trigger GET requests with no origin restrictions wherever you want. You would do that to your own backend.
You would have to throw away all good practices and use GET requests with a lot of query params to send data to that (your) backend.
You would have to write the backend so that it does whatever you want with the data, e.g. store it in the db.
You would have to make sure you return valid js to the client, even if it's only to dismiss it.
Alternatively...
you could load an iframe to a site you control, and change the iframe src with the data, and then do with the data whatever you want (like sending it to some backend of yours properly) in your site (that's loaded in the iframe) by detecting changes in the url...

JavaScript send&receive data cross server

I taught myself programming so my knowledge is very fragmented and now I have encountered a fragment I know nothing about: sending and receiving data. In addition I want to do it across domains. I know about the security policies that prohibit this but have read about some solutions. I still can't make sense of it in relation to my challenge.
What I want to do:
I want to build a plugin that sends data to my server when a function is called. The function is bound to an event listener.
This plugin consists of a little HTML form and some JS in the back. I want to send JSON or similar.
My questions:
I) how do I send data to an other server?
II) how do I receive this data? I know about parsing and DOM but all I did so far is handle requested data. Now this data is posted to my server-app without me knowing beforehand. The data is used to update a DB. The backend is coded in JS or Python. I would prefer JS for compatibility reasons.
III) how can I test the cross server connection on my local machine? Especially without an active internet connection?
I don't expect a complete guide or the code I need, just the resources and where to get the knowledge-chunks I need to build this.
Thanks a bunch in advance!

> I) how do I send data to an other server?

You may use AJAX (or jQuery.ajax, a more convenient way).

> II) how do I receive this data? I know about parsing and DOM but all I did so far is handle requested data. Now this data is posted to my server-app without me knowing beforehand. The data is used to update a DB. The backend is coded in JS or Python. I would prefer JS for compatibility reasons.

As long as you send some data via AJAX, the browser makes an HTTP call and you can receive the data on the server side. Both JS and Python would be compatible with your client-side JavaScript, and there are seldom compatibility issues.

> III) how can I test the cross server connection on my local machine? Especially without an active internet connection?

localhost and 127.0.0.1 are treated as different hosts, and I usually use these to test cross-server scenarios. One issue with AJAX is that browsers usually disallow cross-domain calls unless you specify Access-Control-Allow-Origin headers.
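
The cross-origin behaviour this answer describes, as an added example that is not part of the original thread: a server-side origin allowlist that shows why `http://localhost:8080` and `http://127.0.0.1:8080` count as different origins and where the `Access-Control-Allow-Origin` header gets set. The allowlist contents, port numbers and the names `ALLOWED_ORIGINS`, `corsHeaders` and `handle` are assumptions made for the illustration.

```javascript
// Added example: exact-match origin allowlist for a cross-origin JSON endpoint.
// ALLOWED_ORIGINS, corsHeaders and handle are assumed names; values are constructed.
const ALLOWED_ORIGINS = new Set(['http://localhost:8080']);

// An origin is scheme + host + port, compared as an exact string, so
// http://127.0.0.1:8080 is a different origin from http://localhost:8080.
function corsHeaders(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin, // echo the vetted origin, not '*'
    'Vary': 'Origin',                      // keep caches from mixing origins
    'Access-Control-Allow-Methods': 'POST',
    'Access-Control-Allow-Headers': 'Content-Type',
  };
}

// Request handler with the (req, res) shape Node's http module expects.
function handle(req, res) {
  const cors = corsHeaders(req.headers.origin);
  if (req.method === 'OPTIONS') {          // preflight sent before a JSON POST
    res.writeHead(cors ? 204 : 403, cors || {});
    return res.end();
  }
  // CORS only stops the browser from reading the response; refuse the
  // request itself as well. Origin is forgeable outside a browser, so
  // this is not a substitute for authentication.
  if (req.method !== 'POST' || !cors) {
    res.writeHead(403, {});
    return res.end();
  }
  let body = '';
  req.on('data', (chunk) => {
    body += chunk;
    if (body.length > 10000) req.destroy(); // cap the accepted body size
  });
  req.on('end', () => {
    let data;
    try { data = JSON.parse(body); } catch (e) { data = undefined; }
    if (data === null || typeof data !== 'object') {
      res.writeHead(400, cors);
      return res.end();
    }
    res.writeHead(200, { ...cors, 'Content-Type': 'application/json' });
    res.end(JSON.stringify({ received: Object.keys(data).length }));
  });
}
// To serve it: require('http').createServer(handle).listen(3000, '127.0.0.1');
```

Serving the test page once from `http://localhost:8080` and once from `http://127.0.0.1:8080` exercises both the allowed and the refused path without an internet connection.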

Dynamically load web-page content

I have a web-page whose content must be constructed on the fly. When the user clicks some parts of the web-page, it must load information from a file, which is placed on the server in the same directory as the web-page, into a special content <div>.
As far as I get it, with JavaScript I must use ajax technology, so I have a question: should I configure the server so that it can handle ajax requests specifically, or is it just a simple GET over HTTP request which should be supported by any web server anyway?
And my second question - if ajax is a technology which will work only if the server is properly configured, can I do what I need by a simple GET from JavaScript somehow?
Also, if it is easier to use server-side scripting, how can it be done by VBScript?

AJAX requests are very much like usual HTTP requests. So you do not need to configure your server in any special way to make them work.
A usual server should already support at least GET and POST requests.
One thing that might be important for you, however, is that as long as there is no other "protection" for the files, everyone can access them directly, too. So in case the AJAX-loaded content contains some kind of user sensitive data, you should put some access control in place!
AJAX involves server side scripting, so it doesn't make sense to say it is easier to use server side scripting. Additionally, AJAX is nothing more than GET or POST requests that a script carries out for you asynchronously, allowing you to use the server responses in a document without reloading the entire page.
AJAX in and of itself is not so much a technology as a technique. You can use AJAX, for example, without ever using the ubiquitous XMLHttpRequest object supplied by javascript.
With the jQuery AJAX methods, you can request text, HTML, XML, or JSON from a remote server using both HTTP Get and HTTP Post - And you can load the external data directly into the selected HTML elements of your web page...
And yes, no need to configure a server.
I suggest the jQuery framework to you (no server configuration needed) (see also Sirko's answer)
http://api.jquery.com/jQuery.ajax/
This will help you to load dynamic content, see this

javascript: Does progressive enhancement mean no json with ajax?

I read this article here that talks about progressive enhancement for javascript and the author mentioned:

> First, build an old-fashioned website that uses hyperlinks and forms to pass information to the server. The server returns whole new pages with each request.
>
> Now, use JavaScript to intercept those links and form submissions and pass the information via XMLHttpRequest instead. You can then select which parts of the page need to be updated instead of updating the whole page.

I'm a little curious whether that means returning HTML markup on the server side instead of JSON, which usually means building the markup on the client side? Is there a disadvantage to this approach?
Also, I notice applications, for instance Facebook, look pretty crippled when I disable JavaScript (can't post updates etc.). Does that mean that it does not handle graceful degradation properly?

> Does progressive enhancement mean no json with ajax?

No, it most certainly does not mean that. If JavaScript is disabled, there is no XMLHttpRequest, so there is no ajax.

> Now, use JavaScript to intercept those links and form submissions and pass the information via XMLHttpRequest instead.

The JavaScript bits that intercept links and form submissions can freely change where the requests are made, URL parameters, and so on, which means that ajaxified URLs don't have to be identical to JavaScript-less ones. For example:
linky
could be intercepted and turned into an XMLHttpRequest which is actually made to
/some/page.json, or
/some/page.html?ajax=1, or
/bibbidi/bobbidi/boo (for all that it matters)
Progressive enhancement means that you start the page with code that will work everywhere, and then progressively add functionality that is accepted by that user's browser. A good example of this is on ajax type functionality with anchors. When the page loads, you can use urls in the hrefs so that spiders and non-javascript browsers can still get the content. But you also add an onclick that does the ajax loading. That way both the enabled and disabled clients get the best behavior that they can.
Essentially, progressive enhancement means you place the priority and importance of building a fully working "no-Javascript" website first, then slowly enhance your website by adding the Javascript functionality and then AJAX, while keeping the "no-javascript" features working.
This is just to allow those who have Javascript disabled to access and use the site as per normal.

Embedded Flash Security

I had a discussion with my colleague about Flash security. We're in the phase of planning some things for our web project that is using Flash plugin to display content. We need to dynamically pull settings for the Flash application from the server, using JSON.
The proposal that I offered was that we should save an extra HTTP request to pull the data file after the plugin is loaded and embed the JSON directly in the page containing the Flash plugin. Flash would fire a Javascript function that'd return the deserialized JSON data to it.
My colleague opposed this proposal with significant "security concerns".
I believe that there's literally zero difference between these two approaches besides the fact that his approach requires an additional HTTP request. All of this is client/server and the client should never be trusted. If I want to change the data that is in the JSON query, I can do that in both cases. A file pull is a little more difficult to hack though, but possible with a custom HTTP proxy.
What are your thoughts?

There is no difference. Both can be fabricated.
If you really care that much about delivering original settings to the .swf:
Don't use HTTP - httpFox is a brilliant plugin - use a server that supports RTMP/RTMPE and NetConnection.call() to retrieve the data.
Create an algorithm for validating the original JSON so that your app won't work if the config doesn't pass the test.
After the config is loaded, your swf might check the values with the server (not all at a time) and throw an error if something goes wrong.
