Our clients use our free service using code like this:
<script type='text/javascript'>id='example'; width='640'; height='480';</script><script type='text/javascript' src='http://example.com/example.js'></script>
example.js looks like this:
if (typeof (width) == "undefined") {
    var width = '100%';
}
if (typeof (height) == "undefined") {
    var height = '100%';
}
if (typeof (p) == "undefined") {
    var p = '0';
}
if (typeof (c) == "undefined") {
    var c = '0';
}
if (typeof (stretching) == "undefined") {
    var stretching = 'uniform';
}
document.write('<iframe allowfullscreen width="' + width + '" height="' + height + '" scrolling="no" frameborder="0" marginwidth="0" marginheight="0" scrolling="no" allowtransparency="true" src="http://example.com/examplefile.php?id=' + id + '&p=' + p + '&c=' + c + '&stretching=' + stretching + '"></iframe>');
The problem is people are leeching examplefile.php. We tried using secure_link with nginx, and it worked great, but only for clients who are able to use PHP code in their sites, generating a random secure token with a key. Some other clients can only embed HTML code. Is there a way to secure the examplefile.php or maybe change the examplefile.php name randomly, and verify it against our server to stop the leeching?
Maybe using jQuery? We need to be able to make sure examplefile.php is being called by this JavaScript code and not added manually as an iframe from external sites.
You could replace the JavaScript with an AJAX request that sends a custom HTTP Request Header with a token. Upon validating the token your server would respond with the URL for use in the iframe. This solution provides you with the opportunity to control the URL so you could randomise it.
An alternative is to send the request to a URL that indicates your intent to access the resource. It could respond with a session cookie which will be carried by the subsequent request for the iframe link.
Here's some vanilla JavaScript to get you started with the AJAX request.
var myURL = 'https://www.example.com/path/',
    myCustomKey = 'Custom-Header',
    myCustomValue = 'Custom-Token-Value',
    myRequest = new XMLHttpRequest();
// open request so that custom header can be added
myRequest.open('GET', myURL, true);
// set custom header for request
myRequest.setRequestHeader(myCustomKey, myCustomValue);
myRequest.onload = function () {
    // Request finished. Do processing here.
    if (myRequest.status === 200) {
        // Request was successful
        // use the response
        console.log(myRequest.response);
    }
};
myRequest.send(null);
You will have to configure the server to support CORS. See https://enable-cors.org/server.html
If I understand correctly, you want to ensure you're the only one using this resource.
One way to do it is to replace example.js with a generated JS file example.php.
This file will have two responsibilities:
Verifying the request against your server
Output plain JS content, as if it were a JS file (with appropriate header data).
Update
This is my approach to be specific:
By using the example.php file (instead of the example.js), each time a user loads the file, initialize a unique session token for the client, which you will validate immediately in examplefile.php. This way you can make sure (to some level) the request came from example.php.
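The token flow the two answers above describe, as an added sketch that is not code from the original posts: the generated loader script embeds a short-lived HMAC-signed token in the iframe URL, and the iframe endpoint verifies it before serving. It is written for Node.js for illustration (the page's server is PHP behind nginx); SECRET, TTL_SECONDS, the token parameter and the function names are assumptions.

```javascript
const crypto = require('crypto');

// Assumption: a server-side secret that never reaches the browser.
const SECRET = 'constructed-demo-secret';
const TTL_SECONDS = 60;

function sign(payload) {
  return crypto.createHmac('sha256', SECRET).update(payload).digest('hex');
}

// Called while generating the loader script: binds the token to the embed id
// and to an expiry time, so a copied iframe URL stops working after the TTL.
function issueToken(id, nowSeconds) {
  const expires = nowSeconds + TTL_SECONDS;
  return expires + '.' + sign(id + '|' + expires);
}

// Called by the iframe endpoint before serving any content.
function verifyToken(id, token, nowSeconds) {
  const parts = String(token).split('.');
  if (parts.length !== 2 || !/^\d+$/.test(parts[0])) return false;
  const expires = Number(parts[0]);
  if (expires < nowSeconds) return false; // token has expired
  const expected = Buffer.from(sign(id + '|' + expires));
  const given = Buffer.from(parts[1]);
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  return given.length === expected.length &&
         crypto.timingSafeEqual(given, expected);
}

// The iframe URL the loader would write into the embedding page.
function iframeSrc(id, nowSeconds) {
  return 'http://example.com/examplefile.php?id=' + encodeURIComponent(id) +
         '&token=' + encodeURIComponent(issueToken(id, nowSeconds));
}
```

A token of this kind bounds how long a copied iframe URL keeps working; it does not by itself prove which page loaded the script, which is the "to some level" limit noted in the answer.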
Related
I am working on a project which I share with someone else.
I have my host set up as http://dev.foobar which maps to a folder called foobar.com and I have no issues with my code, it all works as intended. However the other person has the same named folder foobar.com, but hasn't set up virtualhost, so he is using http://localhost/foobar.com
So, inside the code I have to send an ajax request to a URL http://dev.foobar/wp-admin/admin-ajax.php however this won't work for the other guy, since his would be http://localhost/foobar.com/wp-admin/admin-ajax.php so right now I am using this code to get the host and append the url wp-admin/admin-ajax.php
function get_host() {
    if (window.location.hostname == "localhost") {
        var host = "https://localhost/foobar.com/";
    } else {
        var host = "https://" + window.location.hostname
    }
    return host
}
And I am sending the request to ajax like this
var ajaxURL = get_host() + "/wp-admin/admin-ajax.php";
The problem with the function is that I am hard-coding foobar.com and I am not sure if there is another way to do this.
I want to get the text present in a window that I opened using the following code
var yy = window.open("http://www.vignanuniversity.org/");
Now I want to get the text present in that window; for that I used
var responseText = yy.html();
I'm getting the error in the Chrome console as
Protocols, domains, and ports must match.
So I'm working across domains; how do I get a solution to my problem?
There is no way to access another webpage's window contents. However, you could have the javascript make a request to your server on the backend to make the request for you.
Javascript
//Gets the contents of the web page using the backend server
getContents("http://www.vignanuniversity.org/", function(contents, responseCode){
    alert("Page received with status: " + responseCode);
    alert(contents);
});
//Takes the URL as page and a function to handle the result.
//retFunc receives two parameters: the response text and the HTTP status
function getContents(page, retFunc){
    var myServer = "/php/getRemote.php";
    var xmlhttp = new XMLHttpRequest();
    xmlhttp.onreadystatechange=function(){
        if(xmlhttp.readyState==4){
            retFunc(xmlhttp.responseText, xmlhttp.status);
        }
    };
    //Encode the target URL so its own query string survives as one parameter
    xmlhttp.open("GET", myServer + "?url=" + encodeURIComponent(page));
    xmlhttp.send();
}
PHP
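//Location: /php/getRemote.php
$url = isset($_GET["url"]) ? $_GET["url"] : "";
//Fetch only http(s) URLs; otherwise file:// and php:// wrappers would read local files
if (!preg_match('#^https?://#i', $url)) { http_response_code(400); exit; }
echo file_get_contents($url);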
This will allow you to effectively grab the contents of a website. You just won't be able to access modified content.
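The proxy above fetches a URL chosen by the browser, so the server has to decide which URLs it is willing to fetch. An added example of that decision, not code from the original answer, written in JavaScript to match the rest of the page (the same checks would be ported to getRemote.php); ALLOWED_HOSTS and checkProxyUrl are assumptions.

```javascript
// Assumption: the proxy only ever needs to reach these hosts.
var ALLOWED_HOSTS = ['www.vignanuniversity.org'];

// Returns { ok: true, url } for a URL the proxy may fetch,
// otherwise { ok: false, reason }.
function checkProxyUrl(raw) {
  var u;
  try {
    u = new URL(String(raw));
  } catch (e) {
    return { ok: false, reason: 'unparseable' };
  }
  // Only web schemes; anything else addresses local or unintended resources.
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    return { ok: false, reason: 'scheme' };
  }
  // user:pass@host forms can disguise which host is really contacted.
  if (u.username !== '' || u.password !== '') {
    return { ok: false, reason: 'credentials' };
  }
  // Non-default ports reach services the proxy was never meant to expose.
  if (u.port !== '') {
    return { ok: false, reason: 'port' };
  }
  // Exact match against the parsed hostname (the URL parser lower-cases it).
  if (ALLOWED_HOSTS.indexOf(u.hostname) === -1) {
    return { ok: false, reason: 'host' };
  }
  return { ok: true, url: u.href };
}
```

The fetch itself should also refuse to follow redirects, since an allowed host can redirect to one that is not on the list.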
I have a program where I have a page in the local context and within this page I have got an iframe where the content of it is in the web context. Now I would like to send some data from the local context to the web context. How do I do this?
local
var node = document.createElement("iframe");
node.src = 'ms-appx-web:///pages/mapView/mapView.html?latitude=' + coordinates.latitude + '&longitude=' + coordinates.longitude;
node.style.width = '100%';
node.style.height = '100%';
node.onload = function () {
    node.contentWindow.postMessage(JSON.stringify(data), "ms-wwa-web://" +
        document.location.host);
};
document.querySelector('#insert').appendChild(node);
In the iframe I do:
window.addEventListener('message', receiveMsg, false);
I have got an ajax call where I got some data, but because I have no access to ajax calls in web context I would like to send some data from this here to mapView.html.
The problem is: I would send some values via Get Parameter, but I have too much data for that.
Any help?
Try switching this line:
node.contentWindow.postMessage(JSON.stringify(data), "ms-wwa-web://" +
document.location.host);
... to this:
node.contentWindow.postMessage(JSON.stringify(data), "*");
If that works, you should be ok doing that here in a Win 8 app (wouldn't do that in a web app for security reasons), but if you want to lock it down more I think you'd just need to change the second parameter to be one of:
"ms-www-web:///" (note the triple slash)
"ms-www-web:///pages/"
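The receiving side in mapView.html, as an added example that is not part of the original posts: whatever target origin the sender passes, the message handler should check event.origin and parse the JSON defensively before using it. The origin string 'ms-appx://example-package' is a placeholder and the names makeReceiver and received are assumptions; use the origin your local context actually reports.

```javascript
// Builds a 'message' handler that accepts data only from listed origins.
function makeReceiver(allowedOrigins, onData) {
  return function receiveMsg(event) {
    // Ignore messages from any window other than the expected parent.
    if (allowedOrigins.indexOf(event.origin) === -1) return 'rejected-origin';
    // The sender used JSON.stringify, so anything but a string is malformed.
    if (typeof event.data !== 'string') return 'rejected-type';
    var data;
    try {
      data = JSON.parse(event.data);
    } catch (e) {
      return 'rejected-json';
    }
    // Expect an object payload, not a bare number, string or null.
    if (data === null || typeof data !== 'object') return 'rejected-shape';
    onData(data);
    return 'accepted';
  };
}

// Constructed sample wiring for the iframe page.
var received = [];
var receiveMsg = makeReceiver(['ms-appx://example-package'], function (data) {
  received.push(data);
});
if (typeof window !== 'undefined') {
  window.addEventListener('message', receiveMsg, false);
}
```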
Environment: Visual Studio 2012, MVC4, Razor, Internet Application.
I'm working with eBay API and I want to show the search results (JSON).
I have a view page with code...
<script>
function _cb_findItemsByKeywords(root)
{
    var items = root.findItemsByKeywordsResponse[0].searchResult[0].item || [];
    var html = [];
    html.push('<table width="100%" border="0" cellspacing="0" cellpadding="3"><tbody>');
    for (var i = 0; i < items.length; ++i)
    {
        var item = items[i];
        var title = item.title;
        var pic = item.galleryURL;
        var viewitem = item.viewItemURL;
        if (null != title && null != viewitem)
        {
            html.push('<tr><td>' + '<img src="' + pic + '" border="0">' + '</td>' +
                '<td>' + title + '</td></tr>');
        }
    }
    html.push('</tbody></table>');
    document.getElementById("results").innerHTML = html.join("");
}
</script>
This line in ".js" file:
var url = "http://ebay.com?..."
How can I execute this url from the ".js" file automatically when I open this View Page? (This url sends a request to the eBay server and receives data, which will be shown on this View Page.)
I will change a question a little...
If I'm running this code from the View page, everything works fine:
<script src=http://ebay.com?... </script>
How can I receive this part("http://ebay.com?..." as a variable) from ".js" file? Is it possible?
If you just want to send the request, you could add an image to the DOM with that as the src, for instance.
If you want to receive data from the request, you're going to have to do an AJAX call. This is handled quite differently in different browsers, so it's a good idea to use a framework, such as jQuery.
Since the URL is on a different domain than yours, however, you won't be able to access it with a regular AJAX request. You'd have to refer to what is called a JSONP request. This requires that the document you're fetching is formatted in a specific manner to allow this. If it isn't, JavaScript simply won't allow this interaction, due to the Same-Origin Policy.
JSONP requires that the remote document has the following format:
someCallbackFunction(javaScriptObjectWithData);
If it does, you'd be able to include a script file in the DOM with that URL as the src; the content of the document, once fetched, will be immediately executed in your browser. You should by then have specified a callback function with a name matching the callback being made in the document (this is usually something you can specify through querystrings in the original request).
If none of these options are available for you, because of the format of the remote document, then you're going to have to request the document from server side. If you don't have access to a serverside environment yourself, in order to do this, there is the option of using somebody else's server. Yahoo's custom query language – YQL – can be used for querying the content of remote documents, and YQL is available through JSONP, so you could possibly relay your request through them.
See this post on using YQL with JSONP
Update, now that you've added more data, eBay API is available for JSONP, and I think that's the solution you're looking for.
Resolved...
<script src="/Scripts/ebay.js" type="text/javascript"></script>
<script>
s = document.createElement( 'script' );
s.src = url;
document.body.appendChild( s );
</script>
I'm trying to write a plugin. I can not use any libraries or frameworks.
At any website (domain) I would like to start a script from my own domain.
For example:
In the code of the website under domain A I put a code starting the script from domain B
<script src="http://domain-b.com/myscript.js" type="text/javascript"></script>
The code of JavaScript (myscript.js)
type = 'GET';
url = 'http://domain-b.com/echojson.php';
data = ‘var1=1&var2=2’;
_http = new XMLHttpRequest();
_http.open(type, url + '?callback=jsonp123' + '&' + data, true);
_http.onreadystatechange = function() {
    alert(‘Get data: ’ + _http.responseText);
}
_http.send(null);
Script from http://domain-b.com/echojson.php always gives the answer:
jsonp123({answer:”answer string”});
But in a JavaScript console I see an error (200) and AJAX doesn’t get anything.
Script loaders like LAB, yep/nope or Frame.js were designed to get around the same-origin policy. They load a script file, so the requested file would have to look like:
response = {answer:”answer string”};
If you use your code like you have posted it here, it does not work, because you are using apostrophes for the data variable!