Prevent user from copying URL from address bar [closed] - javascript

Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
I've looked around everywhere and it seems like there's no way of accomplishing what I need to do, but I thought I'd ask to see if anyone could think of a workaround.
I have this portal (intranet) where users can send some posts to their friends and family (job openings, basically), there's a link to send those by email, however users are copying the URL and sending it via email or texts, this URL however contains internal links that we don't want to be visible to others outside the company (yes they need a login anyway, but heads of IT are concerned)
We first thought of hiding the URL but as I understand, all browsers have disabled this option for a while now for security reasons (even IE since IE7).
The only other thing I could think of was to somehow prevent the users from copying the URL, sort of like a "readonly" or "disabled" text input, but haven't been able to find a way... I assume it cannot be done since the address bar is not actually within the site, therefore out of JavaScript control.
Can you guys think of any other workaround?

you can use history.pushState() to set the url bar to something that doesn't give away secrets. for example, run this in the console:
history.pushState(null, null, "/");
After running, it now looks like you're on the stack home page, even though you are still on /questions/26537657/prevent-user-from-copying-url-from-address-bar/. it won't stop hackers, but it will prevent naive users from spilling the beans. you can use this to compose vanity urls as well as short ones. just make sure the server knows what to do with any url you generate because when you return via that url, it uses the server, and thus it will need to produce something meaningful.
edit: as kindly pointed out in comments, history.pushState() create a new history entry. this might not be what you want if this page will papear mid-workflow, as opposed to a popup or other end destination. Uf that's the case, you should use it's non-creating counterpart:
history.replaceState(null, null, "/");
That will just replace your current url in the address bar, without creating a new entry, so that back goes back.
There seems to be some confusion about pushState's implications on security. there is no such thing in client-side code. It bears repeating: "this won't stop hackers", it will just provides shorter bookmark-able URL to your users and prevent them from worrying the IT dept, regardless of the merits of IT's discomfort.

Related

How to pass values from one HTML page to other HTML page using Javascript [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 1 year ago.
Improve this question
I have a HTML page (test.html), where i've a text box and a button. I'll enter some text in the text box and Click that button, it should open a new page (say google.com) and paste the value i entered in the previous page and automatically submit the page. I was able to achieve this in VB script which is supported in IE and not in Edge or Chrome. So is there a way we can achieve this using Javascript.
Tried, things like this, but it doesn't work.
const testDiv = document.forms["actionForm"].getElementsByTagName("applicationIdentifier")
testDiv.textContent = 'Hello world!'
JavaScript can only run within the page it is loaded on. Also, HTTP is stateless.
If you want to interact with other pages, they will need to support the interaction by means of their code allowing you to specify their state. For GET requests, this can be done using URL parameters. To take your example, Google supports a query parameter.
https://www.google.com/search?q=mdn+http
Most sites will not document this kind of thing because it is a strange way to interact. They usually expose their interactions via APIs.
open a new page (say google.com) and paste the value i entered in the previous page and automatically submit the page
If you want to actually simulate these user actions, this cannot be done from the browser. At that point, you are describing a WebDriver, for example Selenium or WebDriverIO.
It is even possible to experiment with something like java.awt.Robot here, but I do not recommend it.
If by chance I am off-base and you just want a Google search bar for your site, there are ways to do that.
https://support.google.com/programmable-search/answer/4513903?hl=en
Depending on your goals, <iframe> might also suit your ideas. But using <iframe> is generally not recommended.

Facebook Share Dialog/Feed Dialog and custom captions/descriptions

Similar questions have been asked on SO regarding Facebook deprecating caption and description parameters in its Share and Feed modules that makes it impossible to, for example, create a 'Share your quiz score' button on a simple quiz page that uses completely client-side implementation of javascript to calculate user's score based on a number of correct answers.
The only parameters that Facebook seems to take into consideration when sharing a specific URL are Open Graph tags. So my question is, using simple Javascript to modify the Open Graph og:title and og:description tags after a user finishes answering all questions and is presented with the final score, will triggering the Facebook's Share/Feed module parse this newly modified tags and generate the share/feed dialog accordingly or will Facebook's Debugger simply cache the initial Open Graph tags when indexing the page for the very first time and ignore the tag change by Javascript?
Would this be considered an 'appropriate' way to implement the 'share your score on Facebook' functionality when there is no dedicated page for each and every user's score that can be shared?
This is not an answer to the question I asked, however, my end goal was the ability to specify a custom text in the Share/Feed dialog and what makes that possible is Facebook's Share Dialog's quote parameter that I originally missed due to some answers to similar questions on SO saying this parameter no longer works. However, I have just tested it and it works as of 23.02.2020.
So for future readers, you need to specify this parameter in following format:
https://www.facebook.com/dialog/share?
app_id=YOUR_APP_ID
&display=popup
&quote=QUOTE_TEXT
&href=https%3A%2F%2Fdevelopers.facebook.com%2Fdocs%2F
&redirect_uri=https%3A%2F%2Fdevelopers.facebook.com%2Ftools%2Fexplorer

How to check is the form has not been "attacked" [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 4 years ago.
Improve this question
I have to make some custom forms,
the thing is, I will need to use JavaScript to make them, here is a little image :
It's like a select, but in a carousel, so, I can know what items is selected, the thing is, I need to calculate a price over fields like that, and people can like, spoof the system, and just change the active element, make the element the cheapest with the element they really took, maybe the more expensive you see ?
But how can I ensure that the user didn't changed anything, I guess it will be an Ajax to ensure the information in the server, because they can't change anything on the server, but in the server how can I send the good data if the user spoofed it ? Maybe I could add on the HTML something like : data-server-element: 1, data-server-price = 50. But the data-server-price will only be here to calculate the price with Javascript and I would have an array in my server side which will tell me : data-server-element : 1 ====> 50. So if he change the data-server-price, he will pay the real price. But if he change the data-server-element he can do anything he want, I see how to resolve a problem, but that resolve add some more problems. I am certainly wrong in the process and in the logic, which is why I am calling on you to find out, because I cannot afford to let someone pay less than they should.
Thanks for your help.
(Maybe this question is already here on StackOverflow, but I didn't find out an answer that could help me, If so, I apologize, usually I do some research before I ask a question here)
You can't trust anything that happens in the browser.
If you want a different price for different regions, calculate it on the server and send it back to the browser to show the user.
However do not use this price when the user submits the form. Recalculate the price on your server then use that.
There is no way to stop the user from changing anything or everything in the web page or the data that they send back to you. Never trust anything you get from the browser.
It's great that you've realized this! A lot of people don't, and we get horribly insecure webpages. In fact, you can take the idea even further - an evil hacker will probably not bother with your webpage and javascript at all. They will just make their own HTTP request from scratch with all the fields set to whatever they please.
There really is only one solution to this and you've also come up with it yourself - you need to validate and re-calculate everything on the server side. Just take the basic data (like which choices he selected) and go from there. You can even make your form in such a way that it doesn't bother sending the calculation results that were done client side. You can't rely on them anyway. They're only good for the convenience of the legitimate users.

Uncovering a hidden link [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
I'm a complete layman and despite my utmost attempts (involving visiting about 100 different pages), I wasn't able to solve my problem. I'd be really grateful if anyone would be willing to help me out.
Say there is an elaborate website using Javascript, where you register, have your own profile etc. It asks you to register for one of a few time slots. You do it by clicking a hyperlink, which has this annoying feature (discussed elsewhere on this website, see here: how can url be hidden in hyperlink when mouse hover ) that it hides the link. Is there a way to uncover it?
By uncover I mean a way in which I would be able to register for a given time slot without clicking the hyperlink, but rather via copying that hidden link (or typing it in) to the address bar of the browser. I have tried using Firebug and Tamper Data, but to no success. Both programmes provided me with viable candidates for links, but when I copied them to address bar and pressed enter, it didn't result in a registration for a given time slot.
Finally, Tamper Data tells me that 'Content-Type=application/x-www-form-urlencoded', whereas Firebug indicates that 'enctype="multipart/form-data" right above the table with hyperlinks, so I begin to think there is some sort of encryption in place which is meant to prevent me from getting what I want. And I'm sure owners of this website would want to prevent me, but are they able to do it?
So all in all, is it even doable? Apologies if this all sounds too broad, I'll be more than happy to make it (or at least try to make it) more clear.
Thanks a lot and apologies, but I really don't know what I'm doing here.
As Yang Li said: it depends.
If a website is using a lot of javascript to perform on screen changes and network requests, the likelihood of you being able to just use a URL (even if it is the url used by a javascript script) to perform an action is low.
Most websites these days that rely on javascript would have data elements hidden to the user which may affect the way an action is relayed to the server. Think hidden form elements.
And on the server side, who is to say that the order you are trying to use that URL in is correct? You would have to run through the code piece by piece, along with observing the network requests to be certain.
So in answer to your question, it MAY be doable. The more important questions is: is it advisable? I would suggest not tampering too much with the way the website works on your browser, as it was intended to be used in a certian way. You can't be sure of all of the side effects of using it in an unintended fashion.

Best way to ask confirmation from user before leaving the page [closed]

As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 11 years ago.
I am currently building a registration page where if the user leaves, I want to pop up a CSS box asking him if he is sure or not. I can accomplish this feat using confirm boxes, but the client says that they are too ugly. I've tried using unload and beforeunload, but both cannot stop the page from being redirected. Using those to events, I return false, so maybe there's a way to cancel other than returning false?
Another solution that I've had was redirecting them to another page that has my popup, but the problem with that is that if they do want to leave the page, and it wasn't a mistake, they lose the page they were originally trying to go to. If I was a user, that would irritate me.
The last solution was real popup window. The only thing I don't like about that is that the main winow will have their destination page while the pop will have my page. In my opinion it looks disjoint. On top of that, I'd be worried about popup blockers.
Just to add to everyones comments. I understand that it is irritating to prevent users from exiting the page, and in my opinion it should not be done. Right now I am using a confirm box at this point. What happens is that it's not actually "preventing" the user from leaving, what the client actually wants to do is make a suggestion if the user is having doubts about registering. If the user is halfway through the registraiton process and leaves for some reason, the client wants to offer the user a free coupon to a seminar (this client is selling seminars) to hopefully persuade the user to register. The client is under the impression that since the user is already on the form, he is thinking of registering, and therefore maybe a seminar of what he is registering for would be the final push to get the user to register. Ideally I don't have to prevent the user from leaving, what would be just as good, and in my opinion better is if I can pause the unload process. Maybe a sleep command? I don't really have to keep the user on the page because either way they will be leaving to go to a different page.
Also, as people have stated, this is a terriable title, so if someone knows a better one, I'd really appreciate it if they could change the title to something no so spammer inviting.
As soon as I saw the words "prevent the user" I started to wail in agony. Never prevent the user, only help them.
If they see your registration page and run off, that's their choice. Pop up a javascript confirm box if they've already filled in some data (because they might be navigating away accidentally) but leave it at that. If they haven't touched the form, leave them alone - they don't want to fill in your form.
Look at other methods of engaging users. If your form is huge and scary, break it into simple manageable chunks or better yet, simplify things so much that the user only gives you data when you need it. For example, you might not need their address until you want to post something to them.
By breaking it into multiple parts you can hook them with a simple form and once they've invested that time, they'll be more likely to continue the process.
But don't harass users. If they don't want to register, pestering them with pop-ups and jaavscript dialogues will just chase them off the site completely.
With that in mind, assuming you're just trying to stop people half-filling-in forms, there are a couple of options to genuinely help people:
Detect if the form has changed and ask them a simple confirm() message.
This is all you can do. A CSS "pop-in" just won't work because you can't control* the window location in the unload event.
*You can put an event listener on all your page's links to fire off something to check the form, but this only helps if the user clicks on one of those links. It won't help if, for example, the user clicks back or closes the window. You could do both CSS and javascript but you end up with a bit of a mess.
Persist the state of the form behind the scenes.
An extension to #1. Instead of squabbling with the user, let them go where they want but save the content of the form either to session or cookie (if it'll fit) and put something on the page (like SO's orange prompt bars at the top of the page) that reminds them that they've started filling in a form and gives them a link back to the form.
When they click that link, you load the data out of the cookie (or session) back into the form and let them carry on. This has the clear benefit of letting them do what they like on your site and keeps the data safe.. ish.
If they don't come back and their cookie/session expire, that's their fault. You can only lead a horse to water. It's not your job to force it to drink.
Don't do it.
But if you want, try this. Record mouse positions and detect a quick upward thrust -- the user is reaching for the BIG X or the top left or top right. Now might be your chance for an unobtrusive box in the screen.
I've seen this implement on the web and it is evil.
If you want to trap links, you could rewrite the links in the page to go to a "you really want to leave?" javascript function, passing the destination URL as an argument.
If you wanna keep users from using their "Back" button, or keep them from putting another URL in the address bar, stop. Stop now. (1) Browsers were made to prevent exactly that kind of obnoxious behavior, and (2) Even if they allowed it, see the last two words of (1). It's freaking rude. Your site is not that special, no matter how cool you think it is.
window.onbeforeunload = function() { return "Message"; };
Use a JavaScript like this to display a leave confirmation message.
Here are just a couple of approaches I could think of but they are not without flaw:
Whatcha Gonna Do technique
Detect the mouse position going towards the edges of the browser as the user might be going to close the tab, window, go back, navigate elsewhere among other things. If so, immediately prompt them that that may be a mistake and they are going to lose out on something very valuable. However, the catch here is that you don't know for sure what their intentions were and you might piss them off with that popup. Also, they might use a bunch of shortcuts such as Ctrl+W etc to do the same.
You've Got Mail technique
If you've managed to get hold of the user's email address before they closed the page, you've hit a jackpot. As soon as the user types anything into the email box and then leaves it, immediately send it to the server using AJAX. Save the state of the page into localStorage or on the server using a cookie or something so it can be recreated later. Every couple of hours send them an email giving them a direct link to the previously saved form, and maybe with special offers this time.
History Repeats Itself technique
Then there's the infamous history manipulation where you keep stacking the current page into the document history so the back button renders effectively worthless.
Don't Put All Your Eggs In One Basket technique
Another technique off the top of my head is to create multiple windows in the background with the registration form and keep them all in sync when any the fields in any one changes. This is a classical technique and really puts the "don't put all your eggs in one basket" saying into real-life usage.
Another advantage of this awesome technique is even if the user closes one of the windows, and later comes across an identical cloned window with all the fields they filled up-to-date populated, they might get confused and think that they never closed the page. And guess what, this time they might just go ahead and fill out the registration form. But you have to be cautious with this as anything more than 2 or 3 clones will make it obvious as to what's going on.
You're Winner technique
Another technique is to tell every user they they are the Xth visitor on the site and use a good rounded number for X such as 1000, 10000, 50000, etc. Tell them that they can claim their prize once they register on the site. Imagine how special each user feels when they land on your site. The prize doesn't have to be anything tangible, it can simply be free coupons that you find on the intertubes.
Where Do You Want To Go Today? technique 1
This is basically a rip-off of your answer. Use document.location.href = 'some url' inside your onbeforeunload callback to navigate to a different page before it is unloaded.
1 Firefox only.
Note: there is no silver bullet solution here unless you write your own browser with your own security policies, but these are all optimizations that you can do to make it utterly impossible for users to leave.
Not all browsers support a modal popup, without which your page would go ahead and navigate anyway.
This is real awful requirement. The sort of requirement that is reasonable in a desktop application but entire unreasonable feature of a web site. Imagine being unable to leave a website.
The answer is either use the horrible confirm box and lump it. Or don't ask the user to enter too much data per page. Use a step by step wizard style data entry, the loss due to accidental navigation is minimised.
You can change the Value of the url using document.location.href = "www.website.com"
I can accomplish this feat using confirm boxes, but the client says that they are too ugly.
If the problem is the ugliness of the standard JS popup boxes, try something like this: http://www.sohtanaka.com/web-design/inline-modal-window-w-css-and-jquery/
Apart from that I second what most people are saying: do this with extreme caution if you don't want to lose users.

Categories