I have a simple HTML page that rotates through several status pages that I display on several tv's around campus. I regularly update the page and the links. Many times the pages require authentication. It is a pain to remote to ever terminal to supply credentials. Some are HTTP authentication and some are some <form> based authentication baked into the site. Many times I can get around the <form> based authentication with HTML and JavaScript that post the right credentials.
Is there a better way to get around
the <form> based authentication
from the host page? (below)
Is there any way to get around the
Server/HTTP based authentication
from the host page without having to
manually authenticate on ever
display?
By <form> authentication I mean that a <form> action generates a session cookie?
( mikerobi, thanks for the comment)
Here is the code for the host page
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>
Important Stuff
</title>
<script src="/scripts/jquery.js" type="text/javascript"></script>
<style type="text/css">
html, body, iframe { margin:0; height:100%; }
iframe { display:block; width:100%; border:none; }
</style>
<script type="text/javascript">
var link = new Array();
link[0] = "http://mycompany.intranet/";
link[1] = "http://mycompany.intranet/weather.htm";
link[2] = "http://mycompany.intranet/systemstatus/";
var linkIndex = 0;
setInterval("doSomething()", 10000);
function doSomething() {
if (linkIndex >= link.length)
{
// reload in case the page has been updated
window.location.reload();
}
$("#frame").attr("src", link[linkIndex]);
linkIndex++;
}
</script>
</head>
<body>
<iframe id="frame" src="http://mycompany.intranet/"></iframe>
</body>
</html>
I don't see your code that sends the credentials for the POST-based login, but if you are using JavaScript to automatically submit a form (using its .submit() method), that is probably the best way. Keep in mind that the target attribute of an HTML form allows you to submit the form in a different window (or in your case, iframe) — just give a name="xyz" attribute to the iframe and use target="xyz" for the form. The form would be located in the host page and could be hidden using the CSS display: none.
You can include the HTTP Basic Auth username and password in the URL, like: http://username:password#www.example.com/path. Note that current web browsers may not allow this in their default configurations as a safeguard against a specific phishing technique, and you may have to change the configuration by editing the Windows Registry or other places where web browser settings are stored.
Related
I am new to coding so need some help please.
I have set up a url page where the images are changing dynamically using the following code. However when I link to this from my Outlook email signature, it isn't returning that image, just a broken link. Do I need to add javascript to get it to return the image when called please?:
<html>
<head>
<meta name="viewport" content="width=device-width, minimum-scale=0.1">
<title>dynamic email</title>
</head>
<body style="margin: 0px; background: #0e0e0e; height: 100%">
<img id="Projects" style="display: block;-webkit-user-select: none;margin: auto;background-color: hsl(0, 0%, 90%);" src="https://www.mywebsite.com/assets/email-assets/image1.png" width="547" height="184">
<script>var imageSources = ["https://www.mywebsite.com/assets/email-assets/image2.png", "https://www.mywebsite.com/assets/email-assets/image3.png", "https://www.mywebsite.com/assets/email-assets/image4.png", "https://www.mywebsite.com/assets/email-assets/image5.png", "https://www.mywebsite.com/assets/email-assets/image6.png", "https://www.mywebsite.com/assets/email-assets/image7.png"]
var index = 0;
setInterval(function(){
if (index === imageSources.length) {
index = 0;
}
document.getElementById("Projects").src = imageSources[index];
index++;
}, 1000);
</script>
</body>
</html>
Outlook does not run any scripts or submit HTML forms for security reasons.
Most email clients will not allow for javascript inside the email body.
To help protect you from viruses that might be contained in HTML-format and RTF-format messages, both scripts and ActiveX controls contained in these kinds of messages are deactivated automatically, regardless of the security zone setting. This is because Outlook places all incoming messages in the Restricted Sites security zone by default. The default setting for the Restricted Sites zone is High. This disables automatic scripting and prevents ActiveX controls from opening without permission.
Changing the zone setting to something other than the default is not recommended.
If you need to run the script on an individual message when the security zone is set to Restricted Sites, you can work around the default protection by following these steps:
Open the message.
On the View menu, click View in Internet Zone.
Click Yes when you are prompted about running the script.
You can now run the script.
I wonder if it's possible to navigate to a web page via link and zoom in to be 150%?
The only thing I could think about is to rewrite the '.click()' function and change the css there such as '-moz-transform', maybe something like this:
<!DOCTYPE html>
<meta charset="utf-8">
<html>
<head>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
</head>
<body>
<a href="https://www.google.com/search?q=kobe&igu=1" id="myLink" ></a>
</body>
<script>
$('#myLink').click(function() { zoom_page() });
function zoom_page()
{
// DO SOMETHING HERE!!
}
function autoClick() {
document.getElementById('myLink').click()
}
window.addEventListener("load", autoClick);
</script>
</html>
but not sure how exactly to do it.
Anyone can help? Thanks!
Andy
Given your example uses the URL of a well-known public site which you, almost certainly. have no control over: You can't do that.
Any JavaScript you run will apply to the current page and not the next one you navigate to.
If you could run JavaScript on arbitrary third-party websites then there would be a major XSS problem everywhere.
If you had control over the destination page then you could modify it with server-side code or JS embedded in the destination page contingent on data passed from the previous page (e.g. via the URL's query string).
It seems that firefox has disabled the ability to run a javascript: from the URL...does anybody know of a way around this?
My site requires an id pulled from the html of another site when that user is logged in. Instead of having the user search the 'view source' page I devised a javascript link to scrape it and send it to the site automagically, but it doesn't work on firefox.
The actual code I'm trying to run:
javascript:void(window.open('http://mysite.com/login?u=' + encodeURIComponent(window.location) + '&s=' + SessionId));
Scrapping the session id from the game in order to pull data for the player, nothing like a facebook hack or anything malicious.
I'd have to see your code but you really shouldn't have a problem doing what you're attempting to do. If you need another option though I have one you could try. If the content of the page you're scraping is within the same domain as your other site you could use an iframe to get the ID.
Here's some code to consider:
Your data collecting page:
<!DOCTYPE html>
<html>
<head>
<title>Disable Firefox 7.0.1 javascript in url security</title>
<script type="text/javascript">
function scrapeData() {
var frame = document.getElementById("otherPage");
var otherPagesObj = frame.contentWindow.document.getElementById("otherContent");
alert("Your data: " + otherPagesObj.innerHTML);
}
</script>
</head>
<body onload="scrapeData();">
<iframe id="otherPage" src="otherpage.htm" width="1" height="1" />
</body>
</html>
Your page to be scraped (otherpage.htm):
<!DOCTYPE html>
<html>
<head>
<title>Other Page - Disable Firefox 7.0.1 javascript in url security</title>
</head>
<body>
<div id="otherContent">1</div>
</body>
</html>
Using the above code you can see "1" alerted from the div of another page. This is a simple, cross-browser compatible option for what you're attempting to do.
Hope this helps.
I have a signup form which is inside an iframe on my site and I want to create a redirect when the url of the iframe changes (when user successfully signed-up).
These 2 sites are cross domain and I know that it is almost impossible to pull the url cross domains but is there a workaround? I know the src will not change and I was thinking to use onload(), when the iframe loads a second time (when user successfully signed-up), execute a function to redirect to a thank you page.
Here is an example using the javascript 'Porthole'.
Its possible, but keep in mind the safety issues with iframes. The solution: if you have control of the original page + iframe, you can 'trick' the browser by implementing some javascripts on both sides.
First create a 'proxy' page on both domains. Name it 'proxy.html' or something (note: you have to use 'porthole.min.js', you can get this from the sources in the bottom)
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Replace the url with your own location -->
<script type="text/javascript" src="porthole.min.js"></script>
<script type="text/javascript">
window.onload=function(){ Porthole.WindowProxyDispatcher.start(); };
</script>
</head>
<body>
</body>
</html>
On the parent page: (refer to the iframe proxy.html page)
<script type="text/javascript" src="porthole.min.js"></script>
<iframe id="guestFrame" name="guestFrame" src="http://iframe.otherdomain.com/"></iframe>
<script type="text/javascript">
var iframeDomain = 'http://iframe.otherdomain.com';
var redirectUrl = 'http://www.mydomain.com/redirect-to/signed-up';
function onMessage(messageEvent) {
if (messageEvent.origin == iframeDomain) {
if (messageEvent.data["action"]
&& messageEvent.data["action"] == 'signed-up) {
window.location.href = redirectUrl; // The final action!
// This is the eventual redirect that will happen
// once your visitor has signed-up within the iframe
}
}
}
var windowProxy;
window.onload=function(){
// Create a proxy window to send to and receive messages from the iFrame
windowProxy = new Porthole.WindowProxy(
'http://iframe.otherdomain.com/proxy.html', 'guestFrame');
// Register an event handler to receive messages;
windowProxy.addEventListener(onMessage);
};
</script>
On the iframe page (refer to the parent proxy.html page)
<script type="text/javascript">
var windowProxy;
window.onload=function(){
// Create a proxy window to send to and receive messages from the parent
windowProxy = new Porthole.WindowProxy(
'http://www.mydomain.com/proxy.html');
// Register an event handler to receive messages;
windowProxy.addEventListener(function(event) {
// handle event (not used here, the iframe does not need to listen)
});
};
</script>
From the iframe you can send a message with javascript to the parent page (and also the other way). If you use only 1 javascript within the iframe domain, you can do something like this to send a message to the parent frame when the url is changed to something specific, for example 'signed-up.php' (untested, but you'll get the idea)
<script type="text/javascript">
window.onload=function(){
if(window.location.href.indexOf("signed-up.php") > -1) {
windowProxy.post({'action': 'signed-up'}); // Send message to the parent frame
// On the parent page, the function 'onMessage' is triggered.
}
};
</script>
Sources:
http://ternarylabs.github.io/porthole/
Github: https://github.com/ternarylabs/porthole
Demo: http://sandbox.ternarylabs.com/porthole/
I am trying to code this for hours and still couldn't do it. It keep tell me "Permission Denied".
Here is what I am trying to accomplish. This pretty hard to explain please follow the example below.
For example. domain111.com and domain222.com.
When I am on domain111.com i click on the popup link , it will pop-up the domain111.com/popup.html then it redirect me to domain222.com. On this domain222.com it will redirect to couple pages before it redirect back to domain111.com with the result. I want to send the result from domain111.com to domain111.com.
The process is like below.
Domain111-popup to-->Domain111-redirect-->Domain222-redirect xxx Domain222 pages then redirect to-->-Domain111---SEND to parent window->Domain11
Here is my code.
File name 1.hml on domain111.com
<script type="text/javascript">
function IamParent() {
alert('I am the parent of this window')
}
function PopUP() {
window.open("http://domain222.com/2.htm", 'ALpop').focus();
}
</script>
<body>
<a href="#void(0);" onclick="PopUP();" >Click</a>
</body>
File name 2.html on domain222.com
<head>
<title></title>
<meta http-equiv="refresh" content="1;url=http://domain111.com/3.htm?Result=Yes" />
</head>
Filename 2.htm on domain111.com
<script type="text/javascript">
parent.IamParent(); //execute the function from the same domain111.com/1.htm
</script>
Please don't suggest AJAX or web request because it will not work with this case.
Thanks for reading.
Parent windows in other domains are inaccessible due to a security restriction requirement in the JavaScript engines. This applies to all browsers. It is a cross-site scripting attack prevention that cannot be disabled.