I want to make it easier for a user to import bookmarks to my server. Is there anyway to automate this process using javascript to obtain the user's bookmarks? I'm assuming the browser has to have this feature - and I'm not sure if any browser does due to the inherent security risk.
Nope, that's not possible for security/privacy reasons. The only way is to ask them explicitly through form input to give you but I don't think you want to do that.
The browser is obviously aware of their bookmarks, but no, JS cannot access this information - it would be leaking private data as you yourself have noted.
Anything you can do in JS with the user's permission can be done without their permission. The only manual control they have is "Run scripts" or "Don't".
As yourself and others have noted, it's not possible because of privacy and security implications.
What you can do however is to import bookmarks from a source (XML, JSON, HTML...). Most browsers have an export bookmarks feature that generates a file. You can parse that to get what you want.
What Sarfraz said, and thank God for it. I don't think users want people on the web to be able to access their bookmarks for any reason.
im a 100 % sure there is no way to do this in js due to the securtity risk, however its probably possible with activex but thats only available on internet explorer
Related
Is there a way to get the physical path with Javascript (or any other library) where the user saved the file he/she downloaded from my Web Application?
No, having such a feature would be a security flaw.
Only Google Chrome support the filesystem-API, but i'm not sure if a website can use this Api.
More informations.
No, unless he/she tells you where they saved it, or unless you control the user of the application's computer. This is a silly question if you think about it logically, do you not think there might be few very major security concerns if you were able to very easily spy on the internals of users computers?
Some of the secure websites on internet such as banks etc. have disabled "Right-click". I know that it's just for preventing the end-user from accessing "Inspect Element" or the "Toolbox" items. But, on some browsers, just pressing F12 key, or any equivalent might does the job.
So, Is there any way to check the webpage for change in code(HTML,CSS and JS) continously, and redirect them to a warning page, if anyone attempts to tamper the code? or just prevent them before they even try to read the code?
Disabling right-click is the absolute easiest thing to work around. You can never completely rely on a web browser to secure your content. Additionally, most, if not all, major modern web browsers have built in protection against cross-site scripting. These browsers are likely going to be better at detecting these than you are. I would actually suspect any Javascript attempt you make to prevent cross site scripting could actually make your page more vulnerable to it.
Some things you could look into to make your web server safer:
When using forms, consider using an anti-forgery token.
Always validate user input. Your web server sends messages to a client computer which then loads that content into a web browser. A good hacker doesn't even need a web browser to hack your web site. So, you can't assume incoming messages are safe at all. This is why you need to validate all input.
Consider creating honeypots to detect malicious attempts by robots or hackers.
I agree with jeff in the comments above; don't worry about those users because you'll never get security tight enough to thwart everyone. Just worry about the 99%. If anyone says they can prevent all users from modifying browser code it is a lie.
Do your actual processing and logic on the server side, not in browser, and NEVER trust ANYTHING they send you. Assume it is a lie or garbage until you validate otherwise.
Likely no, because that action(starting inspector) occur on different layer of browser functionality, html and javascript simply has no access to that layer. As result it's impossible to prevent that action ( viewing html and javascript of page).
If you would lock all possible actions which open js inspector. I am sure that there ways to lock your event bindings, for instance executing js code prior youth, which make it's impossible to add your own lockers for F12, right click and other actions.
I have to upload one file from client using Button.I have to get the full client path.for example,
suppose, user uploaded a file from this local machines "d:\my files\docs\test.xml".So, now i want to get the same path("d:\my files\docs\test.xml") to proceed further.how do i get it?
i have used FileUpload1.PostedFile.FileName...But it is worked fine with IE and but not in Firefox...
So, Can you help me with this for Firefox and chrome...
Good Source:
http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
Checkout the "File Upload Control" section near the bottom. quoted:
Additionally, the “Include local directory path when uploading files”
URLAction has been set to "Disable" for the Internet Zone. This change
prevents leakage of potentially sensitive local file-system
information to the Internet. For instance, rather than submitting the
full path C:\users\ericlaw\documents\secret\image.png, Internet
Explorer 8 will now submit only the filename image.png.
This would suggest it is possible if the site is trusted (in IE) / older browsers
No, it is not possible. Browsers do not allow that due to security restrictions.
If i could set which file I wanted from javascript, a hacker could take a lot of files from your PC.
So, asp.net or otherwise, getting the full client path in a browser is not possible.
http://www.ietf.org/rfc/rfc2184.txt and http://www.ietf.org/rfc/rfc2388.txt seem to be the relevant RFCs that discuss this. They are quite lengthy but what it boils down to is that you do indeed get a filename but not a path.
Browsers will follow these standards so through the standard browser interface there will be no way to get the information you want.
This leaves other techniques such as javascript, flash, silverlight, etc.
Javascript does all of its work through the browser object model so again by default won't help. Anything to do with playing with the file system is considered a security risk (do you want random pages looking through your file system?).
It is possible that you could create your own flash or sliverlight upload tool (or find one) that will allow you to collect richer information, I don't know much about those technologies. At the end of the day though I would expect them to follow similar rules about access to the client computer.
So the RFCs and there spirit which are likely followed everywhere says that no, you can't do this.
You could always ask the user for a path in a textbox though if it is important and just have them copy it in...
There seems to be ways to do it but at the same time it looks like it will only work if it is your machine. Here is a link that explains it.
http://www.codingforums.com/showthread.php?t=72288
The problem occurs because it is seen as a malicious script trying to access information that is not under its control giving the user a prompt. So unless this is for machines under your control or users who trust you then it isn't the best of ideas. Most users who see security risk alerts will always block them.
My question is quite simple, i need to develop a Google Chrome Extension and by the way create dynamically HTML/CSS files. Basically i was thinking to do this with javascript but it's not possible for security reason. So i'm thinking about using directly Chrome API.
Is there a persistance API with chrome ?
Chrome Extensions use localStorage for data persistence. Check out http://diveintohtml5.ep.io/storage.html for a tutorial.
Note that only strings can be saved to localStorage. You'll need a JSON parser/stringifier if you want to load/save objects.
It is possible to do this with javascript. Chrome is very strict when it comes to calling scripts outside its domain(your extension folder I mean).
1. Make sure you are making js calls from your background page and not your content scripts.
2. If you are making js/ajax calls, note that chrome always sends an OPTIONS request. even for GET requests. So your server have to be able to grant permisions.
I hope these 2 points help your js. However, as everyone is saying, LocalStorage does a really good job.
I'm not completely sure of what you are asking but take a look at Local Storage
Hope it helps!
Currently browsers have incomplete caching implementation. It only allows to set expiration or keep immediate expiration. Important 3rd option to expire cache programmatically is missing. Without that 3rd option developers cannot deploy new version of code efficiently and reliably.
If they use 2nd option it is inefficient if they have framework of many small files. Combining many small files into one is not efficient because any small change will cause whole framework to be deployed instead of one single file.
If they use 1st option updates will not get to user until cache expiration which creates compatibility problems between server side code and client side code and potentially between different parts of client side code. Setting expiration requires prediction of future deployment, which is inconvenient and will disallow quick bug fixes.
When people ask about that problem, some suggest to use version numbers or other temporary ids to trick browser cache by loading unique URLs. The problem with it is that it puts unnecessary overhead on network and local file system to load and store unnecessary old versions and tons of unique URLs. It almost defeats the purpose of caching by URL.
The right solution is to allow programmer of a web site to clean cache of files that came only from that web site. That way list of updated files could be requested and cache of newer files would be cleaned to allow browser to load fresh versions.
Proper caching mechanism is simple and powerful pattern that could boost all web client-side development to new levels, I only wonder why browser producers did not implement it yet.
Hehe, well, as far as us developers are concerned, of course!
On the other hand, cache is there to facilitate the user's experience in terms of responsiveness. It is our responsibility to work-around all these nuisances and protect the user in a shell of ignorance and all-is-wellness.
I do not think it is this easy. One problem I can see is that it is not just the browser cache. your files can be cached in many places along the way from your server to the browser (clients). Some of the browsers can still use the old version, and the answer to the question which one is cleared and what version is supposed to go to this particular client becomes really uncertain really fast.
It's an interesting idea, but how would the browser know when to ask your website if it should clear the cache? Every time the page is loaded? Wouldn't that partially defeat the purpose of caching? Set reasonable cache expiration intervals, and schedule your updates to match those, and it should be ok as it is.
I don't think what you suggest is necessary or desirable.
The client-side cache should be controlled by the user, not by you (the data/code provider). If the user wants a better way to manage his "Temporary Internet Files", then that's up to the browser developers, but I think you should not have a say in how it is managed.
For all intents and purposes, you only need to say, "this data/code is usable until X date", "this data/code is usable until Y version", or "it's never usable again".
Excellent cache control strategies can already be setup by using the existing HTTP headers (Cache-Control, ETag, etc.). If you want something to be "forced" to be refreshed, you can always add a querystring with the date on it. This is not really a hack, as you suggest, because you are saying, "get me the version of the file as of this date"... and your server has all the freedom in the world to refresh the caching policy: return "302 redirect" to the non-querystring version, or send down new headers, etc.
Edit:
I can refine my idea from above:
You can use a path or querystring to identify the "current" version:
http://somedomain.com/somepath/current/yourfile.js
The "current" URL can be setup to give a 302 redirect to a particular version of yourfile.js, while also telling the browser never to cache the current version:
302 Moved Temporarily
Location: /somepath/v3.2.3/yourfile.js
Cache-Control: no-cache;
This allows your "loader" HTML to include Javascript that decides to use a certain version:
<script type="text/javascript">
<%php
if($action == "clearCache") {
print "var version = 'current';";
} else {
print "var version = '" . $version . "';";
}
%>
</script>
they theorically do, with cache params in the header section and meta parameters
(google meta no-cache, PHP/ASP no-cache)
like cache-expires, the date that should expire etc
I agree that this is weird in most, if not all, browsers.
sometimes it works, sometimes it doesn't or takes more time to clear the cache for some reason
but would be nice to have that option in the script, like a javascript or something directly on the tags, like img src="blah.jpg" expires="my_blah_last_edited"
it could be better, true
I imagine there are great security concerns. You have anonymous and remote web-pages telling local a client to delete files on the client machine - this has all sorts of potential for disaster. Would you trust IE to do this? It just sounds too risky. There's a big difference between a directive to not cache something in the first place and a directive to delete something already in existence from the cache.
Why not embed some kind of unique tag or timestamp in the image etc. uri for each deployment, thereby causing the browser to reload?
there should be a javascript or jquery which tell the browser that content hasbeen changed and download it again even the url of content is same..