web security: What happens when Content-Disposition is not supplied? - javascript

I am allowing users to download files from my application. For that I am explicitly setting "Content-Disposition" as "inline" or "attachment" based on the type of file. This is kinda manual right now. So, for pdf files i set it to "inline" but for html files I set it to "attachment".
Is there a way to automatically decide the value of "Content-Disposition" in express based on file type ?
If I do not send a "Content-Disposition" header, it seems to me currently that the request is treated like it has "Content-Disposition: inline" . Is this observation correct, or is there something more to it?
If by default browser tries to execute/preview the files (based on point 2), what does it mean for security when you allow downloading html files which can execute javascript?

Is there a way to automatically decide the value of "Content-Disposition" in express based on file type ?
You could write middleware that inspects the response and modifies it.
If I do not send a "Content-Disposition" header, it seems to me currently that the request is treated like it has "Content-Disposition: inline" . Is this observation correct, or is there something more to it?
See MDN which says: "The first parameter in the HTTP context is either inline (default value, indicating it can be displayed inside the Web page, or as the Web page)…"
If by default browser tries to execute/preview the files (based on point 2), what does it mean for security when you allow downloading html files which can execute javascript?
Not a lot unless you are serving up JavaScript that you (the website author) do not trust.
If you need to serve HTML documents which might contain JavaScript you don't trust then serve them from a different origin (to use the Same Origin Policy to sandbox them) and/or implement a Content Security Policy to ban them from executing JavaScript.

Related

Add language path into browser address bar

I'm looking for information about adding extra information into browser address bar. for example language path.
So what type of code should I look for if I wanna change browser address from mysite.com/index.php to mysite.com/EN/index.php
but at the same time, I don't have to make an extra folder for each language file what I add for the website.
It depends on which web server is hosting the application. If apache, a way to get this is using AliasMatch directive. See https://httpd.apache.org/docs/2.4/mod/mod_alias.html#aliasmatch. This applies to httpd.conf (global apache configuration file) or .htaccess (local apache configuration file) and requires mod_alias.
Example:
AliasMatch "^/(EN|FR|PT)/(.*)" "/local/path/$2"
will accept /EN/... /FR/... and /PT/... .
or
AliasMatch "^/([A-Z]{2})/(.*)" "/local/path/$2"
will accept any two upper case letters as prefix.
After getting this working, in order to determine which language to show, you should check $_SERVER[‘REQUEST_URI’] variable in your PHP script.
Just go to the public folder in the hosting and create a new folder in it named EN and copy index.php to the folder EN and try the path mysite.com/EN/index.php .It should work.
You will probably need to handle this on the server side. When a request is made to mysite.com/EN/index.php, the server checks the request URL for the language part EN and serves a webpage with the corresponding language from wherever it resides in the file structure.

What type of tags can I use on my highly secured website to track data (cookie) ?

working on webmarketing, my IT is telling me that Iframe tags are more and more touchy regarding security matters. I am not allowed to use javascript tags either however image tags are too simple to let me piggyback third party tags.(because they do not allow scripts to be executed)
Any ideas of what type of tags or type of code I could use or modify to fulfill both technical and commercial conditions, please?
(a mix of javascript and flash website)
thank you
you could use some server side scripting language (eg PHP) as your image file source. That way, you execute whatever you need server side, while serving the "simple image". And example :
<img src="/images/image.php?img=asdf" />
on the server side, you can have a PHP session, along with any data that's relevant to the request. Depending on what type of data you want to harvest, it might be difficult/impossible without any Javascript.

Difference in *.JS files opened with cURL and in Browser

If I open this .JS file (link text) in Browser I get back following in browser window:
var PHONE_CNT=2;var PHONE_CNT2=0;var PHONE_CNT3=0;var EMAIL_CNT=2;var SHOW_CNT=1795;var PH_c="";var PH_1=0;var PH_2=0;var PH_3=0;
PH_1 = "JUQyJUFCJThDJUM5JThFJUQzJTgzeSVDMiVEQyVCQ2ElQkUlREQlQzglOUUlOTR6JUE2bSVCN3ElOUIlRTglQzQlQkYlODUlRDklQjIlQzglQjclQUE=";
If I open the same file using cURL or ?php (file_get_contents) then the content differs:
var PHONE_CNT=0;var PHONE_CNT2=0;var PHONE_CNT3=0;var EMAIL_CNT=0;var SHOW_CNT=1;var PH_c="";var PH_1=0;var PH_2=0;var PH_3=0;
PH_1 = "JUQyJUFCJThDJUM5JThGJUMyJTg0JTlBJUJBJUM3JUJEdSVDMCVDRCVDOCVFNSU4RiU3RiVBNiVBOSVCOCU4MyU5MCVEOA==";
The difference is PH_1 value.
I tried to set different options for cURL but nothing helps. Any idea how to get .JS file content using cURL same as what I get when using browser.
Thank you in advace.
The server must be generating a different PH1 value based on some request parameters. You'll have to trace out the HTTP headers from both requests to see what causes the difference, e.g. setting up a local proxy such as http://www.fiddler2.com/fiddler2/ and making both requests through that.
It could be some combination of the user agent, accepts headers, cookies or the IP or country you're connecting from that's makign the difference - without knowing what the server logic is (or understanding what the different PH1 values mean) we can't really help you sorry.
Curl just gets the data from the server, it does not interpret javascript. If you want to interpret the javascript from the webpage, you'll have to use a javascript engine as spidermonkey.

Detect the file size of a link's href using JavaScript

Would like to write a script to detect the file size of the target of a link on a web page.
Right now I have a function that finds all links to PDF files (i.e. the href ends with '.pdf') and appends the string '[pdf]' to the innerText. I would like to extend it so that I can also append some text advising the user that the target is a large file (e.g. greater than 1MB).
Thanks
Some web servers may give you a Content-Length header in response to a HEAD request. You could potentially use an XmlHttpRequest to send the HEAD request and see what you get.
Here's what one of my IIS servers says about a PDF file:
HTTP/1.1 200 OK
Content-Length: 127791
Content-Type: application/pdf
...
However, anything that's not delivered directly by the web server (a file served by PHP or ASP.net, for example) won't work unless the script specifically handles HEAD requests.
You should be able to do a HEAD request using XMLHttpRequest, assuming the files are under the same domain.
This is however something that should really be done on the server side. Doing it with extra requests has no benefit whatsoever.
You can't do this, or at least - not in any practical-cross-browser way.
If you know the filesize beforehand, for example when generating the document linking to the files you could hard-code the sizes into the HTML document.
large_file.pdf

Force download through markup or JS

Lets assume I have a file on a CDN (Cloud Files from Rackspace) and a static html page with a link to that file. Is there any way I can force download this file (to prevent it from opening in the browser -- for mp3s for example)?
We could make our server read the file and set the corresponding header to:
header("Content-Type: application/force-download")
but we have about 5 million downloads per month so we would rather let the CDN take care of that.
Any ideas?
There’s no way to do this in HTML or JavaScript. There is now! (Ish. See #BruceAldrige’s answer below.)
The HTTP Content-Disposition header is what tells browsers to download the files, and that’s sent by the server. You have to configure the CDN to send that header with whichever files you want to browser to download instead of display.
Unhelpfully, I’m entirely unfamiliar with Rackspace’s Cloud Files service, so I don’t know if they allow this, nor how to do it. Just found a page from December 2009 that suggests not thought, sadly:
Cloud Files cannot serve a file with the 'Content-Disposition: attachment' HTTP header. Therefore, a download link that would work perfectly in any other service may result in the browser rendering the file directly. This was confirmed by Rackspace engineers. :-(
http://drupal.org/node/656714
I know that you can with Amazon’s CloudFront service, as it’s backed by S3 (see e.g. http://blog.cloudberrylab.com/2009/06/how-to-set-custom-http-headers-for.html)
You can use the download attribute:
<a href="http..." download></a>
https://stackoverflow.com/a/11024735/21460
However, it’s not currently supported by Safari (7) or IE (11).
Yes, you can do this through the cloudfiles API. Using the method stream allows you to stream the contents of files in - setting your own headers etc.
A crazy idea: download via XMLHttpRequest and serve a data: URL with the content type you want? :P

Categories