How do I check if the user accepted a file download in JavaScript. Example: If the site pops up a download link, and the web browser asks the user to download the file, how do I determine on that page if the user accepted the download or not?
JavaScript will not have access to that information. In general, JavaScript inside web browsers is limited to simply interact with the DOM.
You may be able to do something on the server-side that logs the start of the download stream, but as #Pointy and #Marcel noted in comments to another answer, this could be quite tricky. In such a case, you would then be able to ask the server for this information using AJAX, or long polling, etc, in near real-time.
You will have to do it indirectly by checking the web server log file via an AJAX call. This will require you to write some server side code (and you must have access to the log files).
There's a second way of doing it, and that's to stream the file through a server side program. That way you can set a flag when the file has started to stream and retrieve this flag via an AJAX call.
Related
I'm using a javascript scripting engine for a MUD i'm playing, they have a javascript client hosted on their server. I'm wanting to store some information in a database and access it from the client (or inject it somehow into the client) but I'm not seeing how I could do that.
Basically I can write javascript files into the trigger section of the website and they fire. It has Javascript and JQuery options. It does not have a database option on their end, which is why I'm trying to add it myself.
I know client side javascript has a lot of restrictions on it, so I'm not sure how far I could really go with this.
I think you might be able to do this, but it's going to be hacky.
If you're able to attach a script node to the dom, you can trigger GET requests with no origin restrictions wherever you want. You would do that to your own backend.
You would have to throw away all good practices and use GET requests with a lot of query params so send data to that (your) backend.
You would have to write the backend so that it does whatever you want with the data, e.g. store it in the db.
You would have to make sure you return valid js to the client, even if it's only to dismiss it.
Alternatively...
you could load an iframe to a site you control, and change the iframe src with the data, and then do with the data whatever you want (like sending it to some bakcend of yours properly) in your site (that's loaded in the iframe) by detecting changes in the url...
I'm currently making an open source browser extension that will send requests to my site. This can easily be done with Ajax, a request will be sent to the page action.php.
My site will use PHP, well now the question is, how can I make sure action.php receives the request from the original extension? I mean griefers could easily send false information to the server, or a fork could be used and send incorrect data. I thought of generating a token of some sort, but anyone could recreate it I guess.
How can I prevent this situation?
I have some experience with this myself. I've been building an extension with a login and eventually came to the inevitability that security in an extension is inherently difficult.
The issue is that an extension is just a bundle of JS and HTML that anyone can inspect the values of. This means that anyone determined enough to dig through your code can potentially find out how to bypass anything you have built in.
The solution I eventually came to is that, the extension itself cannot hold any long-lasting secrets. A session with a timeout is the only safe thing to store. The actual login for my extension is done via a website over HTTPS.
If you are trying to do this without any such login, your only recourse is to make it as difficult as possible to determine what needs to be sent by using an algorithm that can generate server verifiable tokens, and then only publishing minified code to the webstore.
EDIT: Reread the question and noticed that you said you are doing this open source. Without some sort of authentication on the webserver via HTTPS, there is little you can do to stop those determined to bypass your protections because they will be on display in your public repository.
For sensitive endpoints like this, it would make sense do to the data processing server-side. The client would only have to query the server to process the data.
User will click on button to download file, once it started then it will abort or cancel after some time interval. Also I want to upload a file without user intervention. I would like to know whether it is possible with client side scripting (jQuery, Ajax, jQuery-form.js...).
Can some one suggest whether it is possible using either of these techniques (i.e. without any server side scripting).
Regds
The short answer is: not likely. The long answer:
You might be able to upload a file using a PUT http request. However, most servers are not set up to handle PUT requests without some sort of server-side scripting. (See this article for how Apache can be set up to handle PUT requests.) Also, many servers are set up to not handle PUT requests at all due to security concerns.
Another possibility is to store files on the server using ftp. (See the Mozilla docs on using XMLHttpRequest.) Unfortunately, most browsers will not support an Ajax request where the protocol is changed to ftp:. (Note that the XMLHttpRequest spec states that protocols other than HTTP/HTTPS might be supported but are not covered by the spec.) As with PUT, configuring the server to handle ftp requests also raises security concerns.
No there is not, as there are some basic questions that the browser scripting cannot answer, the most important being:
Where do I save the file to?
I have built a vb.net web application. I have tried to make it secure, with all users requiring a password to get in.
The only problem is that if anyone can guess (or detect using some kind of hacking tools) the url of the javascript file, they can download it and read it, without even having to log in first.
Is there any way that this can be prevented?
If the javascript file is not required as part of the logon process, then you can secure the file on the server so your users need to be authenticated and authorized in order to access it. This will prevent unauthorized access. Approaches to securing this file include using file system Access Control Lists (ACLs - 'Windows file permissions'), or using the "authorization" element in the ASP.NET web.config.
If the javascript file is required as part of the logon process, then you've got to give anonymous (unauthenticated) accees to the file, in which case you cannot prevent people being able to download it.
Don't serve the JS file up to people who haven't authenticated.
I don't known ASP.NET well enough to say what the best approach would be, but worst case is you stick it in a .aspx file, do the auth/authz stuff at the top, then set the right content type and serve it.
I'm making a script that lets my users open the page, vote for our site, and then get a password to some restricted content on the site. However, I plan on storing the password in a file outside public_html so it cannot be read directly from the source code.
Is there any way to do an AJAX call to a file above public_html? I don't want to AJAX to a file inside public_html that will read the file, it'll just defeat the purpose.
Not directly, no. And, frankly, thank goodness for that (since js is executed client-side, and the client should never have access to the web-server above public_html).
You can, however, use Ajax to call a php script inside the web root that has access to documents outside of the web-root. This way you're still keeping the password out of public reach, but still allowing your users to make use of it.
The down-side is that the password might make it to the client-side in the Ajax call (depending on what your Ajax call does). Basically, if JS can get access to the password then so can any interested user.
No, you cannot do that.
The web server does not allow you to do that.
Also, it is highly insecure to expose access to non public_html files on the server.
No, you can't have an AJAX call to a file that's not served by the web server (I'm assuming the file above public_html doesn't have an apache ALIAS or virtual directory setup).
To accomplish what you're trying to do, create a script (php?) on your site that AJAX calls and this script will either:
Read the password file wherever it is on the system (assuming the file has the correct file permissions)
Embed the password within the script itself since the source code of the script can't be retrieved.
No. An AJAX request is simply a request like any other that loads a resource from your server. The only difference is that it exposes the result to javascript on an already loaded page instead of loading a new page. So if an AJAX request can get this secure file, than anyone can.
You could setup a proxy script in some web application programming language to fetch the file from disk and send it along for you. But then it wouldn't be much different from putting the file right in the public directory.
You may need to rethink your approach here.
Why don't you do an AJAX call to some view function on the server that can access the file you need and then return whatever data to the AJAX request?