how to detect the source of the forwarded url in javascript - javascript

In my web app, I need to detect the source of the forwarded url from the clients, so I can customize the page for different clients. I know this is possible, but cannot find a way. So please help.
Say my (angular) web app is running at mysite.com. While the clients will be using services in mysite.com, they want the address bar to show their own website such as clientxyz.com all the time. This part is easy with DNS forwarding.
The question here is: I (mysite.com) wants to detect the source of the forwarding, so I know the request is from which client, and thus customize the pages/site for them, giving them a false impression everything is their own. This is a legitimate use case.
So how to do this in javascript, or in Angular (typescript)?
Much appreciation!

Related

Protecting iframe src using server side rendering

I have to display a third party site, say site X, upon successful authentication from my existing APIs, as it is, on my web site. But due to certain reasons, I cannot afford to use an iframe, which is the most obvious solution in this case, as that will expose the site X's URL when inspected in browser. So, I landed up on another idea to create a web app whose front end is written in AngularJS and use existing back end APIs written in C#. The application will basically have two pages, login and main page. Upon successful authentication from API on login page, user is navigated to main page. Now main page, I have to show another site. So, instead of using iframe on main page having source as site X, I will display an iframe with source Url as one of my API endpoint, say baseURL/data. So, this API will basically fetch the site X data and do something like server side rendering and return me an exact replica of site X which I will load in my webapp. When user will navigate on site X and route to any path, that route will be sent to same API and now the response will be replica of baseURL/data/route. Even though my API endpoint is now exposed instead of site X url in browser console, I am okay with this because that API is protected somehow and cannot be accessed as it is without proper authentication which I am doing in my case on login page.
I want to get more thoughts on this entire scenario and possible alternatives. Also, if anyone can suggest if/how it is possible to write such an API. I can think about changing AngularJS or C# as technologies in my project but definitely that's not the most go-to-solution for me. Any suggestions and thoughts are welcome!
Edit: I have created a site using a static site generator. I want my users to be able to access that site only if they are 'my users' i.e. authenticated by my APIs. But, that generator is not allowing me to integrate my API and neither I can get the static assets like .html, .css and .js files that I can host on my own server and integrate my authentication API. Hence, I had to think about a workaround like this.

Javascript - get click another site page link?

I want to know if my website user click in a link in another website so I can show him a thank you message.
I want to get this click in another website link. Is it possible? How can I do something like this?
Thank you
Your question doesn't state whether you control the link you are trying to monitor, or if you are trying to monitor a link controlled by a third-party website. I'm going to assume the later, but if you control the link, then see the first comment to your answer.
The short version is that there is no way to independently monitor a user's action on another website from within your own. To allow this would violate some of the fundamental tenants that networking and the Internet are based on. For example, if I host the website www.reallyCoolRocksToBuy.com and I want to know whether or not you just purchased a really cool rock on Amazon after viewing it on my site, there is no way to directly get this data even though both my website and Amazon's are open in your browser at the same time.
The highest level object you can access via Java or HTML normally (there are always some exceptions) is the Window object of your own page. There used to be a way to have some control over a third-party page that was launched in a window that you spawned, but this is no longer possible, and even it it was, you still wouldn't be able to monitor any links from that site.
The only way to achieve what you want is for the third-party site to be involved in the communication. Many sites have APIs for sending and receiving referral or link information. For example, Amazon has an API that you can use when someone clicks on an Amazon link from your site. There are a number of ways this is achieved, but basically your link sends a specially encoded string to Amazon identifying your site as the referrer. Amazon can this use this string to create and share session information from the visitor. Depending on what your relationship was with Amazon, you might be able to use this session information to find out if your user purchased a pretty rock from Amazon, but it would be entirely up to Amazon to share this information.
Cookies and other local data can also be used to achieve similar results, but again, you have to have the cooperation of the site.

How to prevent script sharing from it's users?

I am making a small payment system, basically it's just a point system, you pay say 1 USD and you get 100 points which is used later on in a game project to get bonuses. It's a script for game servers, something like a user panel.
Now, the script system is ready, but I'm afraid to give it away, since than someone will share it and it will spread all over the gaming area. What would be the solution keeping it working only if I give them a permission?
I thought about re-making whole code and make it work on my website but I don't think that people will want to put their SQL data to website that located NOT on their host. Please help me out, at least with some clues, maybe its possible to make some widgets? or maybe some license system?
I'm really lost.
You should implement the logic on the server side as an api REST call and include in the script only an ajax call to the api. You can limit the use of the api through an api key that you'll provide only to qualified sites.
You'd need to implement some sort or serverside authentication/api so that only varified users can use the script. Much like how software checks a licence.
On script load your javascript could make a ajax call to a server passing through the users IP, auth key, username etc etc.
This can then be varified on the server, maybe returning a dynamically generated url containing a javascript file which contains your business logic
(so that urls are dynamically generated for that users session only)
That way people cant hot link the script, and the script you give out is solely the ajax call
(With the business logic script injected on auth)

How do I create a dynamic web environment using javascript to test my iPhone apps?

First, about me: My language is objective-c, c++. I have built websites in the past, but have never created any true web applications or have ever gone into the trenches with javascript.
What I am trying to do: is create a web server for the purpose of testing iPhone applications. The server will:
Host a page
In which visitors can login with facebook
Upon facebook OAuth
Server will query facebook for visitor metadata (email and full name)
And store metadata (in some format, I don't know)
The server will also host an API (my iOS-app can talk to)
Which accepts iOS-app queries
And return stored metadata via JSON.
So my question is: How does this all work within an html document?
e.g. I can only query facebook after I know the visitor has logged in, to facebook. How do I (dynamically) let the html document know, "hey the visitor has verified with facebook OAuth, now call this inline javascript function"?
Any information you can point me to that tells me how javascript functions are called/interacts in an dynamic web environment would be greatly appreciated.
Thanks SO
Look into G-WAN. It's a powerful web application server which uses C, C++ and Objective-C scripts natively. It's probably the best web server out there, and you'll be on familiar ground.
As far as your question goes, you'll call these in your script tags. They can be anywhere, but with JavaScript, if it's in the head, you're going to want to wait until the DOM is fully loaded, otherwise you won't have access to nodes which haven't yet been rendered. That means if you're trying to access a DIV that hasn't been rendered, you'll get an error.

Facebook Connect help

According to the Facebook API documentation, most of the work is handled through javascript.
That means that all the processing is done, and then the front end checks if the user is connected to Facebook/authorized. right?
My question is:
Suppose a user goes to my site for the first time ever.
He clicks on "facebook connect". The javascript verifies him as authentic, and it "redirects" to another page on my server. From then on, how do I know that the user is actually authenticated to my website, since everything is done on frontend?
I think this is correct, but aren't there some security issues..:
-After user clicks Login, Facebook redirects to a page on my site. AND they also create a cookie with a specific "Facebook ID" that is retrieved only from this user. My backened will "read" the cookie and grab that ID...and then associate it to my userID.
If that is correct...then it doesn't make sense. What if people steal other people's "facebook ID" and then forge the cookie? And then my backend sees the cookie and thinks it's the real user...?
Am I confused? If I am confused, please help me re-organize and tell me how it's like.
Facebook Connect uses a clever (or insane, depending on your point of view) hack to achieve cross-site communication between your site and Facebook's authentication system from within the browser.
The way it works is as follows:
Your site includes a very simple static HTML file, known as the cross-domain communications channel. This file is called xd_receiver.htm in the FB docs, but it can be named anything you like.
Your site's login page includes a reference to the Javascript library hosted on Facebook's server.
When a user logs in via the "Connect" button, it calls a function in Facebook's JS API which pops up a login dialog. This login box has an invisible iframe in which the cross-domain communications file is loaded.
The user fills out the form and submits it, posting the form to Facebook.
Facebook checks the login. If it's successful, it communicates this to your site. Here's where that cross-domain stuff comes in:
Because of cross-domain security policies, Facebook's login window can not inspect the DOM tree for documents hosted on your server. But the login window can update the src element of any iframe within it, and this is used to communicate with the cross-domain communications file hosted on your page.
When the cross-domain communications file receives a communication indicating that the login was successful, it uses Javascript to set some cookies containing the user's ID and session. Since this file lives on your server, those cookies have your domain and your backend can receive them.
Any further communication in Facebook's direction can be accomplished by inserting another nested iframe in the other iframe -- this second-level iframe lives on Facebook's server instead of yours.
The cookies are secure (in theory) because the data is signed with the secret key that Facebook generated for you when you signed up for the developer program. The JS library uses your public key (the "API key") to validate the cookies.
Theoretically, Facebook's Javascript library handles this all automatically once you've set everything up. In practice, I've found it doesn't always work exactly smoothly.
For a more detailed explanation of the mechanics of cross-domain communication using iframes, see this article from MSDN.
Please someone correct me if I'm wrong - as I am also trying to figure all this stuff out myself. My understanding with the security of the cookies is that there is also a cookie which is a special signature cookie. This cookie is created by combining the data of the other cookies, adding your application secret that only you and FB know, and the result MD5-Hashed. You can then test this hash server-side, which could not easily be duplicated by a hacker, to make sure the data can be trusted as coming from FB.
A more charming explaination can be found here - scroll about halfway down the page.
Same issues here, and I think Scott is closer to the solution.
Also Im using "http://developers.facebook.com/docs/?u=facebook.jslib-alpha.FB.init" there open source js framework. So things are a little different.
For me, via the opensource js framework, facebook provides and sets a session on my site with a signature. So what I am thinking is to recreate that signature on my side. - if they both match then the user is who he says he is.
So basically if a user wanted to save something to my database, grab the session signature set up by facebook and recreate that signature with php and validate it against the one facebook gave me?
if($_SESSION['facebookSignature'] == reGeneratedSignature){
// save to database
}else{
// go away I don't trust you
}
But how do you regenerate that signature? preferably without making more calls to Facebook?

Categories