Are there any free Comet JavaScript libraries that allow multiple windows/tabs to reuse the same connection? In other words, when you open a second window, it detects that you have another window open under the same domain. Rather than open a new connection, it starts listening to the other window's connection. That way it can stay within the browser's per-domain connection limit.
Lightstreamer seems to handle this well, but I'd prefer something open-source.
I think the closest thing you're going to find in the Open Source world is going to be the functionality build into Dojo.
I'm sure in the future, you'll see more Open Source support for that kind of functionality...but for now you might have to hack something together.
You can't do that directly, because different browser windows/tabs don't know what connections are open in other browsers/tabs. The best you can do is either 1) wildcard a bunch of subdomains (the per-domain limit is per-subdomain too) or 2) use a cookie or some other form of persistent storage and fall back to short-polling, which is what the dojo framework does.
Related
We are looking for a way to prevent users from opening the application in multiple tabs under the same browser.
The idea is to get plugged into one of the query Filter and then get access to the session maybe, and check if there is an already opened tab before proceeding.
I looked into httpSession and HttpRequest stuff but found nothing that can help.
Is there any functionality in the java side to know if the app is already opened in another tab?
thanks,
There's ways to accomplish this with Javascript.
See past questions / answers
How to prevent same website open multiple tab pages?
Stop people having my website loaded on multiple tabs
Preventing user from opening multiple tabs for the application
But all of those javascript techniques fail to work if ...
your user simply turns off Javascript.
they load the website from multiple browsers.
they load the website from normal and incognito modes on the same browser.
they load the website from multiple devices (laptop and cell phone).
You'll wind up with a mix of feature to attempt to prevent this (but it's a losing battle, and there's countless ways to get around it).
If you have a login, you'll want to track past logins and offer to disconnect / invalidate those other logins on a new login. (this will help with the multiple browsers and devices attempts). Your authorization layer on your server side will invalidate old sessions if they are attempted to be used.
If you have multiple tabs in the same browser, the javascript techniques from the old questions/answers are probably the best.
There are also people attempting to use websocket to act as the single point of communication, but I don't understand how that could work, but you'll come across it in your research.
From the server's perspective, it doesn't matter if the requests come from the same browser tab, different tabs, different browsers or different devices. Two tabs can share the same session. There is no way for the server (or the servlet) to know whether the request came from tab A or tab B. Tabs are a browser feature, it doesn't get sent in the HTTP header.
If you would elaborate on why you want to do this, I might be able to give a better answer.
I created a small JavaScript application for which I reused some (quite large) JavaScript resources that I downloaded from the internet.
My application runs in the browser like other interactive web applications but works entirely offline.
However, I intend to enter some private information in the application which it shall visualize. Since I cannot ultimately trust the JavaScript pieces that I downloaded, I wonder if there is a JavaScript option to make sure that no data is downloaded and, in particular, uploaded to the web.
Note that I am aware that I can cutoff the local internet connection or perhaps change browser settings or use an application firewall, but this would not be a solution that suits my needs. You may assume that the isolation of a browser instance is save, that is no other, possibly malicious, web sites can access my offline JavaScript application or the user data I enter. If there is a secure way to (automatically) review the code of the downloaded resources (e.g. because communication is possible only via a few dedicated JavaScript commands that I can search for) that would be an acceptable solution too.
You should take a look at the Content Security Policy (CSP) (see here and here). This basically blocks every connection from your browser to any other hosts, unless explicitely allowed. Be aware that not all browsers support CSP, which leads to potential security problems.
Reviewing the library code might be difficult because there are many ways to mask such code pieces.
Find it yourself by watching your browser's network activity while your application is in action.
There are more than enough tools to do this. Also, if you know how to use netstat command line tool, it is readily shipped with windows.
Here is one cool chrome extension which watches the traffic of the current tab.
https://chrome.google.com/webstore/detail/http-trace/idladlllljmbcnfninpljlkaoklggknp
And, here is another extension which can modify the selected traffic.
https://chrome.google.com/webstore/detail/tamper-chrome-extension/hifhgpdkfodlpnlmlnmhchnkepplebkb?hl=en
You can set the filters and modify all requests/responses happening in your page.
If you want to write an extension to block requests yourself, check this answer out.
Some of the secure websites on internet such as banks etc. have disabled "Right-click". I know that it's just for preventing the end-user from accessing "Inspect Element" or the "Toolbox" items. But, on some browsers, just pressing F12 key, or any equivalent might does the job.
So, Is there any way to check the webpage for change in code(HTML,CSS and JS) continously, and redirect them to a warning page, if anyone attempts to tamper the code? or just prevent them before they even try to read the code?
Disabling right-click is the absolute easiest thing to work around. You can never completely rely on a web browser to secure your content. Additionally, most, if not all, major modern web browsers have built in protection against cross-site scripting. These browsers are likely going to be better at detecting these than you are. I would actually suspect any Javascript attempt you make to prevent cross site scripting could actually make your page more vulnerable to it.
Some things you could look into to make your web server safer:
When using forms, consider using an anti-forgery token.
Always validate user input. Your web server sends messages to a client computer which then loads that content into a web browser. A good hacker doesn't even need a web browser to hack your web site. So, you can't assume incoming messages are safe at all. This is why you need to validate all input.
Consider creating honeypots to detect malicious attempts by robots or hackers.
I agree with jeff in the comments above; don't worry about those users because you'll never get security tight enough to thwart everyone. Just worry about the 99%. If anyone says they can prevent all users from modifying browser code it is a lie.
Do your actual processing and logic on the server side, not in browser, and NEVER trust ANYTHING they send you. Assume it is a lie or garbage until you validate otherwise.
Likely no, because that action(starting inspector) occur on different layer of browser functionality, html and javascript simply has no access to that layer. As result it's impossible to prevent that action ( viewing html and javascript of page).
If you would lock all possible actions which open js inspector. I am sure that there ways to lock your event bindings, for instance executing js code prior youth, which make it's impossible to add your own lockers for F12, right click and other actions.
I want to open any custom application say VLC Player or any other installed application in the system through HTML page. I have tried WScript.shell technique but no luck.
You can't do this in general. There's no way to open any arbitrary application from a webpage. Here are some scenarios where it's still possible. One possibility: some programs have protocol handlers associated with them, and those can be launched through a link or via javascript (e.g. window.location = "someprotocol:path?argument=value"). I don't think VLC (to use your example) is among them, however.
There might be a more useful solution if you limit yourself to a particular browser/OS.
This has been asked a lot of times already: I need to get the full file path via a web-page. The use case is an application running on the same machine as the browser (i.e. the application starts a local HTTP server and fires up the browser.) File-paths are of course valid and the same for both client/server now. The use case it that the user selects a file and then the server process does some computation on it, and the input files are typically large (read: several GiB in size.)
The easiest thing would be to directly access the path using , but for security reasons, this is disabled. I'm looking now for the least intrusive workaround to this problem. The target browser in question is Chrome. I'm fine if the user has to click "accept" once on some security warning, as long as I can ensure that it won't appear again.
Do I have to write an extension, NSPlugin, can I use some special header magic to mark my page as "local", is there some security setting I can set? The less the client has to do the better, and I would prefer some "click here to allow access ..." solution above everything else. Can I directly install an extension from the server process that would do this (after the user clicks accept?)
Is it possible to do this with a Java applet/Flash? That would be the easiest solution, and clients are guaranteed to have Flash installed (as it is bundled in Chrome...)
You can create Java applet for tasks like this and self-sign it. User will have to allow it to run, but then you will be able to access applet's function that will return file path string via Javascript.
Clearly file io on the client's system is forbidden from JavaScript. If this wasn't the case it would be absolutely trivial to hack every web browser that visits your website.
Battlefiled 3 is controlled though the browser. To do this EA wrote a browser extension for the top three browsers. But that's resource intensive. If you just care about chrome you can use an addon, and for that i suggest using the NPAPI.
And as MOleYArd said, Java is a good solution and probably more common than an extension or addon.