Is it possible to access files on the user's computer for use on a website.
For example, if the website notifies the user when a message is received with a 'ping' sound.
Can the user change his account settings to use a 'boing' sound stored on his computer, without the need to upload it to the website?
Generally speaking: No. Browsers block access to file: scheme URLs from http: and https: URLs.
If the file is small enough, you could allow the user to select it with a file input then convert it to a data: scheme URL and then store that in localStorage.
Related
I need to access an image in my Firebase storage without exposing the URL or being only accessed on my website.
The problem is that the image is the background of my website and I can't use Auth to secure it.
I can't afford to repeatedly being accessed by someone and ended up billing me.
I've tried gsReference but when getting the image it uses gsReference.getDownloadURL() and puts it in the CSS file and if I inspect and copy-paste the URL in another tab, it can read the image.
If you generate a download URL for a file in Cloud Storage, it will be accessible by anyone with that URL from anywhere on the internet.
If you need to control access to a file in Cloud Storage, don't use download URLs. Instead, use Firebase Authentication along with the Cloud Storage for Firebase SDK to download files that are protected by security rules that allow access for a given user who is logged in. This is the only way to limit downloads.
How can I authorise my app to be able to access images in my firebase storage without the user having to sign in?
Should I just remove all read protections in the security rules for images, or is there a better way to do this altogether?
For context this is so that the app can load images on the home page that have been uploaded by other users for non authorised users to browse. Like the airbnb homepage for example.
Or is there some way to authorise my app on its own? Thanks in advance!
If you want to provide public access to files stored in Firebase Storage to a web applications, you can request a download URL for each file. Download URLs are fully public until you choose to revoke their access token. No SDK is needed to access these files - the URL is all you need.
To provide security layer on top of loading Web Application.
Scenario:
Implement a .exe file (client side) which will ask for a password -
1) If the password is correct - it will grant the access to Web Application to load on browser whenever the URL gets hit.
2) If the password is NOT correct - it will not allow the Web Application to load ever.
NOTE:
1) Running .exe and feeding password is just the one time process (except formatting the system).
2) Later the group/user only hit URL of Web Application any number of time (Loads only when he has filled the password section correctly - one time process)
3) The purpose of .exe is to provide the access of Web Appication only to those group/user who have this .exe file and have that unique password.
Please explain in detailed view.
THANKS in advance.
Not a very regular use case but let me try if I can be of any help!
First thing is you'll need to connect your exe's output with the web application(I assume it will be browser on the client side).
Once the user launches the exe, get the input and validate them by sending a request to your server. If the credentials are correct you'll need to save a file preferably with some auth token or may be username:password pair in an encrypted form on the disk. This is required so that user can use this while accessing the application using a browser.
Now when user launches the application in a browser, ask her to chose the exe's generated file and read the details there(one time activity). Can be done using How to open a local disk file with Javascript?
Once you get the details, store it in the browser's local storage so that you don't have to ask the user to do this exercise again and again.
From next access onwards, if you have those details in the local storage just pass it the server so that it can authenticate the requests. Local storage doesn't have a expiration time so this should work. However it can be cleared using other means. Besides you'll need to take of the security. I would say it's a huge risk to keep the credentials on your local disk permanently.
I want to check whether a file with particular name and location exists in user's desktop or not when user clicks a url from browser. For example when user opens url example.com it will detect whether c://test.txt exists or not.
Cannot be done. Would be a gaping security hole.
Depending on what you need to do, you could ask the user to upload a file, and then access their selection. http://www.html5rocks.com/en/tutorials/file/dndfiles/. You could even do that without having to actually upload the file, though this would probably be confusing from a UI perspective.
Alternately, you could use the local storage that the browser has if you just need access to some kind of storage.
But the simplest answer to what you're asking is "it's not possible", if you're hoping for it to be automatic with real access to the filesystem. JavaScript in the browser is just not trusted enough to access the user's file system without users taking explicit and obvious actions.
Not possible. Javascript cannot access the client's filesystem. Even if you requested that the user upload a file, you cannot detect the path/to/the/file.txt.
(Even though there was going to be an API for it, it should now be considered dead.)
I want to present some images in my GWT application. These images are stored in a password protected url, external to my site in the general case. I can use the Image(java.lang.String url) constructor, with the user name and the password inside the url. So I can call:
Image img = new Image("http://user:pass#mydomain.com/image.png")
But then the user name and the password will be visible to anyone that views the source code of the page. I want to establish an authenticated connection with that url, and then use the plain url in the constructor:
Image img = new Image("http://mydomain.com/image.png")
I don't want to ask the user for a username and password through a popup, because in the general case he will be different than the one to whom the images belong so he won't have the credentials. The owner of the images gives to me their url, username and password when he registers.
Is this at all possible?
If your user does not have the credentials to view the images, then you will not be able to load them from your user's client. There is no good way to provide the password for them without also letting them see the password.
You could refactor this by sending the image request to your own server. Your own server could then send the request to the external server, password supplied, and pass the response back to your user. This is an extra hop, but you can keep the password completely secret.
If you're asking your users for their passwords to another site, you need to be extremely careful with them. In general, this sounds like a risky endeavor - you're exposing a lot of different ways to gain access to someone else's files. The fewer of those you can create, the better. If the external site supports some indirect authorization method like oauth, you should definitely prefer that over requesting the user's password.
You need to popup a window to that domain, and have the user fill in their username and password. For all subsequent requests to the same domain, you should not get a new popup. One way to do this, would be to create a hidden iframe to mydomain.com. That should trigger the auth popup.