I have a got a file server and a web server. They are running on physically different machines.
I would like to download a file from the FTP server via JavaScript. The reason I have to do it via JavaScript is that I have an external application and I can only inject JavaScript into that application.
Basically, I need to specify ftp address username and password. But I am concerning about security as people can view FTP credentials.
What is the best way to implement such scenario?
Thanks for your help
Regards
Javascript only speaks HTTP and WebSockets (on newer browsers), and not FTP. In that situation, keeping it all on the client-side, you'd probably have to write a Flash or Java applet that handles the actual FTP protocol, and interface with Javascript to provide interactivity.
Unless you're planning on redirecting the browser to the ftp site, passing in the username and password? Are you concerned about the users getting the FTP information, or are you concerned with man-in-the-middle attacks sniffing the plaintext FTP credentials?
JavaScript doesn't support FTP. What you need is a server-side or a more robust client-side language to access the remote server.
If by "downloading" you mean "prompt user to save a file from external link" (which basically means open a new window with URL that points to a file) then you can just point user to a script you have control over.
window.open('http://myserver/get_file/filename');
And your server-side get_file script will do all the work of connecting to a FTP and fetching a file
How about creating an iframe and setting the url to ftp://whatever?
Related
How can I reach a HTML file over FTP stored on Firebase hosting. i.e. on how can I call ftp://your_ip_address/bridge.html if bridge.html is hosted with Firebase?
Why do I want to do this?
So I have a website running WebRTC for camera access. I've been getting some complaints from users about how WebRTC is not available in apps (i.e. UIWebView / WKWebView don't support WebRTC). The best solution I can think of is to make a pop up that takes users to Safari in this instance. Detecting this scenario is quite straightforward. The issue is really opening Safari. I found this solution on how to do this, however, it requires that I make an FTP request to a server. I'm using Firebase for hosting so I don't really know how to access the level of filesystems. Is there another way to set this up or something I can do on Firebase to get to reach a HTML file over FTP from Safari URL schemes? If not then is the only alternative for me to get a separate FTP server and store the file there?
Firebase Hosting does not implement an FTP server, so you can not interact with it with FTP client commands. If you must use FTP to read from/write to your hosting provider, you may want to look at other services that do support that requirement.
We are building a Java website to share documents with users.
Once a user access to his documents, he can digitally sign them with his certificate (It is stored on client-side).
The requirement is an on-line sign with a “sign button” on the documents list.
We researched ways to accomplish the requirement but apparently, there is not a way to do that without using Java Applet or a secured server that contains the users certificates.
We know what other solution would be use Itext on a stand-alone Java Application but that is not an online solution.
The question is:
Is there a way to access to the user's key-store or load the certificate from the file system on the sign process without use an applet?
Thanks and regards.
It is not possible to use a certificate installed on system/browser keystore using javascript due to security restrictions
An alternative solution is to install on the client an application with an embedded web server and send the document from the webpage to be signed at the moment. This application can use the keystore and include the itext library.
If the user has a certificate file (.p12/.pfx) it is possible to load the content using WebCryptographyApi and sign the document in client side (without uploading certificate to server. See How to load a PKCS#12 Digital Certificate with Javascript WebCrypto API
#pedrofb is right, you won't, without the help of a plug-in, be able to access the certificate store on the host.
You can in browser use WebCrypto with a library like PKIjs load a key into the browser and sign with it, you can also verify the PDFs signature if you like. Here are some related examples:
https://pkijs.org/examples/PDFexample.html
https://pkijs.org/examples/PKCS12SimpleExample.html
https://pkijs.org/examples/PKCS10_complex_example.html
http://unmitigatedrisk.com/?p=543
You can see https://hwcrypto.github.io/ for a discussion, and plug-ins that provide access to smart cards within the browser.
Modern browsers does not support applets. For browser based signing scenarios, my company has published free Chrome extension Signer.Digital and setup may be downloaded from cNet using link https://download.cnet.com/Signer-Digital-Chrome-Extension/3000-33362_4-78042540.html
Installing this host and restarting Chrome will automatically add Signer.Digital Chrome Extension
Javascript to call method from extension:
//Calculate Sign for the Hash by Calling function from Extension SignerDigital
SignerDigital.signPdfHash(hash, $("#CertThumbPrint").val(), "SHA-256") //or "SHA256"
.then(
function (signDataResp) {
//Send signDataResp to Server
},
function (errmsg) {
//Send errmsg to server or display the result in browser.
}
);
If Failed, returns error msg starting with "SDHost Error:"
If success, returns Base64 encoded pkcs7 signature - as you said, use iText or any suitable library to inject sign to pdf.
Disclosure: I work for CISPL (Signer.Digital)
I have the idea of having something like a web server but without a web server. Instead I want to use websockets. Is for internal use.
The user will have a basic webpage which will only open a websocket connection and should receive an .html, and immediately navigate to it.
Also it should be able to load a .js with helper functions for this new html.
I saw here something to load an image file
http://liamkaufman.com/blog/2012/02/11/12-pushing-files-to-the-browser-using-deliveryjs-socketio-and-nodejs/
but I don't know how to navigate to a received .html file and how to execute a received .js file.
Do not try to convince me of using a webserver or other technologies, I have my reaasons for doing this :-)
Thanks
Using a websocket inherently means you need to use a server. A websocket is be definition a connection between the client and the server.
From here
WebSockets is an advanced technology that makes it possible to open an interactive communication session between the user's browser and a server. With this API, you can send messages to a server and receive event-driven responses without having to poll the server for a reply.
Regarding running a javascript file that you have downloaded, you can use eval, or you can create a new script tag on the body to load your javascript.
Recently received a request to add communication to a device connected via serialport on the client's machine through my webpage.
I'd done some googling and found that node.js with node-serialport seems to be the javascript way of doing it. However, in my case, the device is actually connected to the client's machine, and not the server.
My question would be how do i implement node.js in this sense? Since the code is run at the client browser, is it possible for me to 'embed' node.js on my webpage?
Or is there any other alternative for doing this? Applet and ActiveX are out of the picture though.
Thanks
UPDATES:
Had managed to convince the client to have applet loaded from the web, so we'll be going through the applet route. Thanks all for your great info! =)
JavaScript in the browser only has access to the APIs provided by the browser: it lives in the browser sandbox where it (rightly) has no access to the client file system or other hardware.
This is different from node.js, which is a server implementation that has access to all sorts of other file system APIs.
To "break out" of the browser you must use some sort of browser extension.
You will have to create a plugin, an applet, or a client side application to get the data into the client's web browser before being sent off to your server.
You could make a small app that reads the serial port of the clients machine that creates a .js file, and then your web page includes that src of that "dynamically" created js file on the client's machine and presto your webpage gets access to the serial port in a roundabout way.
This is how GPSGate works: http://gpsgate.com/developer/gps_in_browser/
See also here: How to read from Serial port in a webpage
And a java applet based solution:
http://code.google.com/p/java-simple-serial-connector/
http://code.google.com/p/java-simple-serial-connector/wiki/jSSC_Terminal
Try app.js if you want to access node.js functions from browser.
This can only be done via Active X or a plugin like Java or Flash. Code in JavaScript is only as powerful as the APIs provided to it from the browser.
Want to sent an HTTP request to a server? JavaScript can do that (subject to the same-origin policy), because the browser has the XMLHttpRequest API. Want to query what processes are running on the operating system right now? JavaScript cannot do that, because no browser provides an API for querying the OS about what processes it is running.
No browser that I know of implements any kind of JavaScript API for performing serial port operations, so there is no way to do it without using a plugin.
However, this does not preclude the possibility of such an API existing someday: the getUserMedia function can grab data from a camera or microphone, and it could theoretically be expanded to get data from other devices as well.
Another option (other than ActiveX or Java applet with security permissions) might be Google Native Client and the Pepper API, though whether this would be sufficient to access a serial port, I do not know.
A Firefox extension can include a native XPCOM component that could access the serial port, and you might find there is already a way to access the serial port from browser chrome (which extensions are) because the security token and smartcard system supports serial readers. A Firefox extension could also be used to deliver the next solution, which requires placing a native component or application on the system.
Can you tell us what browser(s) and OS('s) are targetted here, and why ActiveX and Java are ruled out?
Others have suggested a native running proxy exposing the serial port through some protocol. You could use node for this, or python, or any other language that can create both a serial connection and a socket. To access the proxy from a browser application you would need special security permissions to be granted to the page, and then you can make your proxy an HTTP or WebSocket server. You can also serve javascript from the proxy which would grant the script HTTP and WebSocket access to it's origin server which is the proxy. Google Chrome extensions can access any destination and port with their socket client. Also, I believe a config can be set in Google Chrome to allow this for certain or every page, the same with allowing native client to be used by a webpage.
Without knowing more about your goal, I can't determine what the best solution would be.
Another option to read the serial port data is using sockjs and sockjs-client-node at the server side and sockjs-0.3.js at the client side.
I have built a vb.net web application. I have tried to make it secure, with all users requiring a password to get in.
The only problem is that if anyone can guess (or detect using some kind of hacking tools) the url of the javascript file, they can download it and read it, without even having to log in first.
Is there any way that this can be prevented?
If the javascript file is not required as part of the logon process, then you can secure the file on the server so your users need to be authenticated and authorized in order to access it. This will prevent unauthorized access. Approaches to securing this file include using file system Access Control Lists (ACLs - 'Windows file permissions'), or using the "authorization" element in the ASP.NET web.config.
If the javascript file is required as part of the logon process, then you've got to give anonymous (unauthenticated) accees to the file, in which case you cannot prevent people being able to download it.
Don't serve the JS file up to people who haven't authenticated.
I don't known ASP.NET well enough to say what the best approach would be, but worst case is you stick it in a .aspx file, do the auth/authz stuff at the top, then set the right content type and serve it.