I am looking for a way to fool a web page, more precisely a js module in spanking it to believe that it is on another domain name. I documented myself and I came across pkusieur forum which spoke of overwrite the variable window.location.hostname. I unfortunately did not find any answer to my question. Did I orient myself well? Can somebody solve my problem?
Thank you in advance.
EDIT
I can use explorer like firfox or chrome or use a spécifique python module for create a appilcation can do this.
You can directly change window.location.hostname, however doing so will cause the browser to actually navigate to the new URL.
You can't have window.location reflect a value that isn't the actual location of the browser.
Modifying window.location.xy results in page-reload:
console.log(window.location.hostname);
console.log(window.location.hostname="example.com");
console.log(window.location.hostname);
(In the JS console you can see that the value remains unchanged for the snippet itself, but then the page reloads from example.com)
My goal is not to redirect but I want to stay on www.example.com but the js import code is veiled www.fakeSite.com #tevemadar.
I think you would need to change origin for that, and it is the only read-only part of Location exactly for making that impossible. You want to circumvent CORS to my understanding.
I do not suggest using it, but if you desperately need some hack to test something, check https://cors-anywhere.herokuapp.com/
Related
here is my problem: It would be great if users could not only share the link to my website, but also the values they entered there. So far, so good.
First try: simply submit values by GET.
Does not work because: if the URL is
domain.com?param1=a¶m2=b
then simply the part before the ? will be shared (at least on iPhones, but that's bad.) So they just share
domain.com
and no parameters are sent. (Google told me the same without giving me a proper workaround idea.)
Okay. Second try: Some workaround involving .htaccess and history.pushstate. It worked quite well, but history.pushstate does not seem to affect the shared URL on iPhones either.
That's bad so far. Does maybe anyone have an idea what to use to solve my problem? Thank you very much :)
It is correct to share domain.com?param1=a¶m2=b. GET Parameters will be maintained.
btW: I found a solution by myself:
The shared URL is the one set in the
<link rel="canonical" href="domain.com?param1=a¶m2=b">
So if I share, the parameters are ignored if they are not found in the canonical link.
I'm trying to set the value of a textarea on the following page by executing something similar the below javascript:
javascript:alert(document.getElementsByClassName('uiTextareaNoResize uiTextareaAutogrow _1rv DOMControl_placeholder')[0].value='blabla');
This works if I manually enter the code into the address bar on the target page, but I want to pass this argument through a link.. ie...
<a href="/nextpage.php?javascript:alert(document.getElementsByClassName('uiTextareaNoResize uiTextareaAutogrow _1rv DOMControl_placeholder')[0].value='blabla');"
Just wondered if anything like this is possible at all?
You can send the arguments via the url like you would for GET requests. Then have the receiving page parse location.search.
For instance, you can send it like this:
http://example.com/?arg1=foo&arg2=bar
And the receiving page have a script like this:
var queryString = location.search; //?arg1=foo&arg2=bar
You'll have to parse it manually though, removing the ?, split by & then each by =
This is called XSS or Cross-Site-Scripting, and as many comments have already pointed out, it is a security issue. This is why most major browsers do NOT allow it.
However, I believe that some browsers do allow it, for example Opera - although I can't recall exactly which version.
If you are looking to make your own "browser", I would recommend using C# .Net WebBrowser, then use the runtime package XULRunner (https://developer.mozilla.org/en-US/docs/Mozilla/Projects/XULRunner).
Despite all this, I would not recommend doing anything that may be against laws of your current location, or doing anything to displease the site owner.
I'm doing a couple of things with jQuery in an MTurk HIT, and I'm guessing one of these is the culprit. I have no need to access the surrounding document from the iframe, so if I am, I'd like to know where that's happening and how to stop it!
Otherwise, MTurk may be doing something incorrect (they use the 5-character token & to separate URL arguments in the iframe URL, for example, so they DEFINITELY do incorrect things).
Here are the snippets that might be causing the problem. All of this is from within an iframe that's embedded in the MTurk HIT** (and related) page(s):
I'm embedding my JS in a $(window).load(). As I understand it, I need to use this instead of $(document).ready() because the latter won't wait for my iframe to load. Please correct me if I'm wrong.
I'm also running a RegExp.exec on window.location.href to extract the workerId.
I apologize in advance if this is a duplicate. Indeed - after writing this, SO seems to have a made a good guess at this: Debugging "unsafe javascript attempt to access frame with URL ... ". I'll answer this question if I figure it out before you do.
It'd be great to get a good high-level reference on where to learn about this kind of thing. It doesn't fit naturally into any topic that I know - maybe learn about cross-site scripting so I can avoid it?
** If you don't know, an MTurk HIT is the unit of work for folks doing tasks on MTurk. You can see what they look like pretty quick if you navigate to http://mturk.com and view a HIT.
I've traced the code to the following chunk run within jquery from the inject.js file:
try {
isHiddenIFrame = !isTopWindow && window.frameElement && window.frameElement.style.display === "none";
} catch(e) {}
I had a similar issue running jQuery in MechanicalTurk through Chrome.
The solution for me was to download the jQuery JS files I wanted, then upload them to the secure amazon S3 service.
Then, in my HIT, I called the .js files at their new home at https://s3.amazonaws.com.
Tips on how to make code 'secure' by chrome's standards are here:
http://developer.chrome.com/extensions/contentSecurityPolicy.html
This isn't a direct answer to your question, but our lab has been successful at circumventing (read hack) this problem by asking workers click on a button inside the iframe that opens a separate pop-up window. Within the pop-up window, you're free to use jQuery and any other standard JS resources you want without triggering any of AMT's security alarms. This method has the added benefit of allowing workers to view your task in a full-sized browser window instead of AMT's tiny embedded iframes.
I am bulding a webpage using xPages and I am making constant changes to script and design, this include both server and client javascript , stylesheet and image changes.
Each time I change a javascript or stylesheet I want to see my changes in the webbrowser and I also want my users to get the latest changes when they access the webpage.
I know I can use Shift-Reload, or CTRL-reload and clear my webbrowser cache. and I also know that I can change the objects expiration date, but I want a smoother and better controlled way to do this.
Looking for any kind of best practice for doing this.
Thanks
Thomas
In the xsp.properties file for the application or on the server for server wide use you can set xsp.application.forcefullrefresh=true. The xsp.properties file documentation says:
# Application refresh
# When this property is set to true, then a full application refresh is requested when
# the design of a class changes (means that all the data are discarded in scopes).
# xsp.application.forcefullrefresh=false
The new XSP Portable Command Guide says "This property was introduced in Notes/Domino 8.5.3. It is set to false by default and is particularly useful during the development phase of an XPages application."
I have not fully tested this behavior but it sounds promising. You could/should of course only set it to true WHILE you make the changes. once stable, set it back.
/Newbs
Adding to Ferry's answer and your comment;
Instead of "?dummy=randomvalue", you can use "?version=2.1". So it will be cached but when you change design, you can just increase the version.
There's a problem with this approach as some proxy servers won't cache anything with query params. Better to rename the file directly, adding date or version number to it. It will always work.
To disable caching temporarily use Fiddler2. It's easy to enable and disable in one place across any web client. As well as added benefits for the http request tracking features.
To fully disable any caching add url + '"?dummy=" + #Unique();' to every url to javascript or image files...
The way I am reading this question is that you want every change you make to appear immediately on the client's browser or client. Are you really sure you want to do this? It sounds like you are not doing any testing so any typos, bugs, crashes, etc will be passed on to your users. Sounds like a bad plan to me. I hope I am wrong and that you are using a template and pushing only your fully tested changes up to an production version instead of making the changes in the production version.
I would just put out a schedule of when changes are going to be pushed up to production and let the users reload their browser or client at that time. Either that or do it during off hours and when they next log on, they get the newest changes.
Adding to Ferry's answer and your comment;
Instead of "?dummy=randomvalue", you can use "?version=2.1". So it will be cached but when you change design, you can just increase the version.
maybe you could look at how domino can control caching of url's.
http://www.ibm.com/developerworks/lotus/library/ls-resp_head_rules/
NEwbs answer is a good one but it is useful to note that in Firefox there is a very useful plug in called "web developer" from Chris Pederick that allows you to disable the cache.
http://chrispederick.com/work/web-developer/
The other really useful one is Firebug which is just amazing - It makes any HTML work much easier
https://addons.mozilla.org/en-US/firefox/addon/firebug/
I did found another solution by putting my css and js in a theme it is easy to just rename the files.
as described here
http://goo.gl/vFTii
Why do not we use the window.location.reload()...
Which does the same like ctrl+F5
It reloads the page, which is similar to context.reloadpage
I'm thinking that the reason I can't do this is because it might be a huge security hole, but here goes...
I want to have a bookmark on my browser (FF3, preferably) that is only a snippet of javascript code. It would merely construct a URL based on the current date and then do a window.location = on that URL.
I know that I could make a page and keep it on my local machine and just refer to it that way, but I was just wondering if you could bypass that step and actually have the "location" of the bookmark really just be javascript. I could have sworn that this was possible years ago, but I can't find anything that tells me either way now.
What you want is a bookmarklet they are easy to create and should work in most major browsers.
Edit: Stack overflow seems not to allow creating bookmarklets in the context of the site, basically you can create a new bookmark and type the following in the location field
javascript:window.location='http://www.google.com/search?q='+Date()
to get a bookmarklet that searches google for the current date.
It is worthy of note that you can put that in a function wrapper as well. imranamajeed nicely illustrated that for us... but apparently I'm too new to the site to up his post. :P
so for clarity:
javascript:(function(){
location.href = location.href + "#";
})();
(the carriage returns did not affect performance in chrome and IE)
One minor catch. IE can only handle a 508 character URL in this format. If you save it in IE with a url longer than this, it will truncate without warning and thus fail.
If you need a really complex script, you'll need to use a "hosted" bookmarklet, where you have a short bookmark that injects a script tag into the page, to "call" your hosted bookmarklet.
It isn't as nice/portable, but its the only workaround.
Google Bookmark
javascript:(function(){var%20a=window,b=document,c=encodeURIComponent,d=a.open("http://www.google.com/bookmarks/mark?op=edit&output=popup&bkmk="+c(b.location)+"&title="+c(b.title),"bkmk_popup","left="+((a.screenX||a.screenLeft)+10)+",top="+((a.screenY||a.screenTop)+10)+",height=420px,width=550px,resizable=1,alwaysRaised=1");a.setTimeout(function(){d.focus()},300)})();
Well, I just created a bookmark in FF3, went back and updated it and added the following test:
javascript:alert('Wacky%20test%20yo');
Low and behold, after I saved and loaded, I was able to get my alert.
I'm sure you can work up something similar for your needs.