I'm loading a remote resource in a webview, but I want to inject some local content such as images (using preload script) into it. I guess the only way is to use the file protocol, but it won't work without disableWebSecurity set to true. Would that make my application vulnerable?
Edit: I managed to do what I wanted without disabling security by using a custom protocol, for some reason it is allowed. https://github.com/electron/electron/blob/master/docs/api/protocol.md
Related
Description
Is it possible to modify or override the perceived current location and origin in Electron.js?
I am loading a local .html file in Electron, and I need to manually override location.href, document.domain, and all other references to the current location to point to https://example.com/my/page in order for some external libraries (e.g. reCAPTCHA) to work with the local page.
Is it possible to set the current location to be example.com, without actually making a request to the remote URL, so that any javascript on the page thinks that the current URL is that, instead of app://....?
What I've tried
For my tests, I achieved it by running a MITM proxy that intercepts HTTPS requests, and instead of making a request to the origin, responds with a locally generated html page, which therefore I can inject my actual content into.
However, I don't want to go with this approach, and I was wondering if Electron could natively masquerade as a custom URL while loading local files, and report to any content on the page with the appropriate location/origin.
Background Info
I want to integrate a javascript single-page web application with a 3rd party desktop windows application. I'm working with the 3rd party vendor to try to figure out the best way to set up the integration. The plan is to call URIs from the web application, and have the desktop application handle them to perform various actions. Right now, the URIs use the localhost scheme (i.e. they look like "http://localhost:8888/...").
The Questions
1) Attempting to make a get request to the URI from javascript results in the desktop app taking the desired action, but an error is returned to the browser due to cross-origin policy. I assume this is something that can be handled with CORS like any other cross origin request. Is this true? Or are URI requests to the OS "special" in some way?
2) We might instead want to use a custom URI scheme so that our URL can look like "myapp:..." instead of localhost. Will this suffer from the same cross-origin issues as the above? Will it run into any additional restrictions in major browsers? Would users need to manually muck with their browser settings to get it to work correctly, or is it even possible at all? Is there anything different from a browser security/permission standpoint between a "standard" URI using localhost and a custom URI scheme?
I have secured (HTTPS) ASP.Net MVC 4 application that uses unsecured (HTTP) ArcGIS map services. These services are called using JavaScript to get relevant map images.
If I use HTTP for my app, everything works as expected. But if I use HTTPS, IE10 and Chrome do not display the requested map images (IE prompts to display unsecured content) but Safari shows the image, no questions asked.
As an example, say my application is https://app.mydomain.com and my map services are at http://gis.mydomain.com
I run fiddler and see the response as something like (removed some parameters to simplify): http://gis.mydomain.com/arcgis/rest/services/Energy/BaseService/MapServer/export?....&f=image
but the image is not shown. If I enter this URL directly into my address bar, the expected image is shown.
There are no errors reported anywhere, including IIS 7.5 logs. I realize that mixed content is not ideal but I have no option at the moment. I have found lots of references to SilverLight with regard to this type of problem, but I am only using javascript and ASP.Net. I also compared the page source for both https and http - there is no difference.
While browsing a secure site, the browser will not load "nonsecure items" unless you (the visitor) authorize it.
The only way to solve this from server-side is by making the "nonsecure" content secure, by placing it under a https domain as well.
Update:
By the way, if you don't specify the protocol in the content URLs, for example //gis.mydomain.com without specifying if it is http:// or https://, the browser will automatically assume the same protocol that was used to access the website to load this content too.
So if you access with http:// it will load the dependencies using http:// as well, and if you use https:// it will do the same.
Another way of getting around this is to proxy the insecure content via your (https) host. ESRI have some slightly out-of-date docco on this process (including an example ASP.Net proxy page) here, but most/all of it should still hold in the latest versions of the API. From memory, they recently (3.5?) made the proxy configurable on a per-service basis, which is very handy.
You can ignore the token-based authentication stuff in your case, all you're really looking for is to have the insecure content come through a secure host.
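A proxy page on the HTTPS host only solves the mixed-content problem safely if it refuses to fetch arbitrary targets. The following is an added example in Node.js, not code from this answer or from ESRI's proxy page: the `?<upstream URL>` query format, the allowlist entries and the function names are assumptions.

```javascript
// Constructed allowlist: the map-service host and path from the question.
const ALLOWED_UPSTREAMS = [
  { origin: 'http://gis.mydomain.com', pathPrefix: '/arcgis/rest/services/' },
];

// Input is the proxy request's query string, assumed to carry the full upstream
// URL ("?http://gis.mydomain.com/arcgis/..."). Returns the URL to fetch or null.
function resolveProxyTarget(queryString, allowed = ALLOWED_UPSTREAMS) {
  let target;
  try {
    target = new URL(queryString.replace(/^\?/, ''));
  } catch {
    return null;
  }
  if (target.protocol !== 'http:' && target.protocol !== 'https:') return null;
  if (target.username || target.password) return null;
  // Compare the parsed origin and normalised path, never the raw string.
  const ok = allowed.some(
    (a) => target.origin === a.origin && target.pathname.startsWith(a.pathPrefix)
  );
  return ok ? target.href : null;
}

// Relay one request. `fetchImpl` defaults to the global fetch (Node 18+).
async function handleProxy(requestUrl, fetchImpl = fetch) {
  const q = requestUrl.indexOf('?');
  const target = q === -1 ? null : resolveProxyTarget(requestUrl.slice(q));
  if (!target) return { status: 403, body: 'upstream not allowed' };

  // Refuse redirects so an allowed host cannot bounce the proxy elsewhere.
  const upstream = await fetchImpl(target, { redirect: 'error' });
  const type = upstream.headers.get('content-type') || '';
  if (!type.startsWith('image/')) {
    return { status: 502, body: 'unexpected content type' };
  }
  return { status: upstream.status, type, body: Buffer.from(await upstream.arrayBuffer()) };
}
```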
On video.js tag builder page (http://videojs.com/tag-builder/), it is stated that "Text files on a different server than the page aren't supported yet, i.e. your own files won't work in the test below but will on your own site."
What's a reason behind it and is there a way to remove that limitation?
PS: The hosting system I'm using stores all the assets files (images, css, js, text, etc.) on a separate server than the actual web pages.
See "same origin policy"
and "ways to circumvent the same-origin policy".
I'm looking into creating a web wrapper for an existing web app. I clearly want to make it as quick as possible.
Is it possible to host the JS-files locally, instead of having to download the file, without altering the existing web app?
Using a WebViewClient you can prevent loading the javascript from the web server (edit only in API level 11 and higher unfortunately). Or you can disable JavaScript, load the page, then enable JavaScript again. After the page is loaded you can modify the DOM using javascript: urls to load the scripts from a local url (like file:///android_asset from the top of my head).
You can also change the cache strategy of the WebView so that it will never fetch anything that is already fetched once before, which might also be what you want in this case. These are set in http://developer.android.com/reference/android/webkit/WebSettings.html, you could set it to LOAD_CACHE_ELSE_NETWORK in this case.