Recently I created my first website (self-taught), which is hosted on Firebase.
Now that I added Firebase Email/Password authentication for my users here:
https://ottigan.com/dailyChecking/main.html
Whenever anyone, using Chrome browser, inputs a password that they use anywhere else, Chrome instantly marks my website as Dangerous: screenshot of the issue.
Chrome setting which triggers the issue: Settings => Privacy and security => Security => Enhanced Protection
I have checked my site for security/malware issues (nothing came up) on:
transparencyreport.google.com
sitecheck.sucuri.net
Could this be related to me having poorly constructed login form? Considering most of authentication is handled with the Firebase API in my client side .js? When creating my login form, I did try to follow Firebase documentation and the suggestions provided: https://developers.google.com/web/fundamentals/security/credential-management/save-forms
During the past couple of months, there have been numerous threads on https://support.google.com/chrome/
People complaining about a similar issue, but it seems like it never goes anywhere.
Some examples:
https://support.google.com/webmasters/thread/28400888?hl=en
https://support.google.com/chrome/thread/42621564?hl=en
https://support.google.com/webmasters/thread/38218347?hl=en
In addition there is a closed Chromium Bug report seemingly related to the issue I am struggling with:
https://bugs.chromium.org/p/chromium/issues/detail?id=1068202
I would appreciate any help that I could get! My first stackoverflow post... CHECK! :)
I have this web application login page that calls FB.GetLoginStatus() from the Facebook JavaScript SDK after the document is done loading. This worked perfectly fine on all browsers (mobile included) and that was the happily ever after.
BUT, one day, out of plain nowhere, I notice that the SDK is failing to get the login status data of the Facebook user when the page is done loading. I take a look in the console and I see something around the lines of
Load denied by X-Frame-Options [massive link generated by the SDK]
does not permit framing.
Here's what bugs me: this works perfectly fine in Safari. I was introduced to the error when I opened the web app on Chrome (same error as quoted above, slightly different wording). I tried on Firefox and got the same thing. I spent a few hours trying to find a cause but failed and went to sleep.
I wake up the next day and miraculously it's now working on Chrome (?) without me having done any changes (?!). But, for some reason, the error persists only in Firefox now.
Does anyone have a clue what this might be? Something that Firefox does differently that Safari and Chrome don't?
A clue here is that I'm using a tunneling service (ngrok) and I don't have a signed certificate for it, thus I get the casual (you're entering an 'unsafe' website, blah blah blah). Perhaps Firefox is blocking the SDK because the connection is not secure?
Any insight on this would be marvelous. Thanks 🙂
OK, after fighting this for a few hours I finally found out what was bothering Firefox: the website site URL field in the app's Facebook Dashboard settings.
The issue wasn't even with ngrok or a missing signed certificate, it was the fact that the website in the settings had the production domain (.app) instead of the ngrok one I'm currently using for development (eu.ngrok.io).
The only reason I managed to pinpoint this back to the dashboard settings is because I have 2 Facebook apps, and the other one was working fine, so I imagined it might be a misconfiguration in the settings that was causing the issue (Facebook has a shitty standard in place for explaining/handling errors — it's like shooting in the dark until you hit something when using their SDK's).
What I don't understand here is why the heck only Firefox seems to have a problem with this setting being misconfigured or why the issue disappeared out of nowhere from one day to the next for Chrome. Anyways, if I managed to help anyone else fix anything similar with this thread than this headache has been worthwhile.
Peace out ✌🏽
I'm trying to make a custom browser with some buttons to instantly switch to the websites I visit most often and have click button logins etc. (ease of access)
wb.Navigate("http://www.________.com");
So the problem is when I get on the website I have some script errors pop up, I have activex to silent them but when it logs in as the website proccesses my login request it comes back with "You need javascript enabled".
Now I have read a lot and the only things that seem to be relevant was to change the registry for the program or to relax my internet options both which have failed and all the other information is from like 2007 which references are no longer available.
Any ideas how to wb.IsScriptsEnabled = true;?
After spending all day on this I discovered there is
HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)
SOFTWARE
Microsoft
Internet Explorer
Main
FeatureControl
FEATURE_BROWSER_EMULATION
yourapp.exe = (DWORD) version
Nobody has mentioned (HKEY_CURRENT_USER) So I tried it and it appears to be working now. Will update if not so.
I am currently developing a website under IE10 (on Windows 8), using WebSockets in JavaScript. It runs fine under Firefox 18 and Chrome 25, but on IE10 I get a SecurityError when I establish the connection.
What I am doing seems pretty straghtforward :
websocket = new WebSocket('wss://hello.dev.mydomain.net');
But IE doesn't like it :
SCRIPT5022: SecurityError
The script is on "https://test.dev.mydomain.net" (not the real address obviously).
What bothers me is that if I just double-click the file on my local computer (e.g. file://...) it just works. Even worse: if I use fiddler to monitor HTTP traffic... it also works. Whereas there seems to be no connection at all without fiddler, as detailed in the API's specs. (See below.)
Judging by websocket spec, the exception should also appear on Chrome/Firefox... but it does not. So I doubt it has anything related to HTTP/HTTPS. In any case, I am using a wsS socket on a httpS page... Moreover: when I replace the wss address by another valid server found on an online example, it works.
I don't know if this is relevant, but the IP from test.dev.mydomain.net is 10.14.x.x where hello.dev.mydomain.net is 194.247.x.x. I don't know if it could trigger some kind of security on IE only...
One more thing: I have a certificate for *.dev.mydomain.net, IE does not seems to have problems with it. The script originally resides on a server called my.name.dev.mydomain.net, but since I am accessing it from another URL (I got a redirect since we first thought it could have been some kind of Same Origin Policy issue), I don't see how it could matter. At least I hope it does not...
Any idea is welcomed.
EDIT: adding the sites to the trusted zone does not work either.
It looks like IE throws a SecurityError if you're trying to open a websocket on a local (intranet) domain. To overcome this, you may disable IE's automatic algorithm for recognizing local sites. This can be done in Tools > Internet Options > Security > Local Intranet > Sites.
Uncheck all checkboxes (or only a particular one, if you know how exactly your domain did end up in intranet ones).
Note that IE uses (among other things) its proxy settings to determine local sites: if your domain is listed as excluded from proxying in proxy settings, then it will probably be treated as intranet one. This is why WebSockets work if you enable Fiddler: it modifies IE proxy settings and thus the list of intranet sites changes.
I had this problem in Windows7/IE11 after applying a security patch. For Windows10/Edge is the same story.
As this is a local websocket (ws://localhost) you have to add ws:\\localhost\ to Internet Explorer configurations (Tools > Internet Options > Security > Local Intranet > Sites > Advanced).
In Windows 10/Microsoft Edge you will find this configuration in Control Panel > Internet Options.
UPDATE
The address of your webapp (https://test.dev.mydomain.net) must be added to the local intranet zone too. Note that in the image the webapp address should be added.
Well, my question wasn't that successful, so I'll post the "workaround" I found.
I got another address for the website, in 194.247.. too. This, magically, solved it. Guess IE doesn't like mixing local and external stuff and watches the IP.
Anyways, I hope this may come in handy to anyone who's got the same issue.
If you have a solution to solve the "real" issue by configuring IE, let me know :)
Cheers,
Browsers has a websocket limitation. For example Internet Explorer has default limit of websocket connections set to 6 per host header name. the same limitation is set for WinForms WebBrowser component.
The solution is to add values under key Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET_MAXCONNECTIONSPERSERVER in registry. Just add DWORD value with executable name , for example iexplore.exe (or your application executable name if you use Web browser component) and set value from range 2..128
Second option how to solve SecurityException is to create multiple subdomains.
The client hostname/IP Address should be same as server IP/Hostname thats listening to otherwise you would get the above error.
1) Make sure whether server hostname configured to listen at IP/localhost etc andif not explicitly specify the hostname ast server
2) use the same hostname in the client. THis will solve the issue. It worked for me...
I encountered the error (although it did not say the SCRIPT5022 part, rather it just reports "ScriptError"). I got around the issue by clicking on "Trusted Sites" and then adding the machine hosting the remote websocket. Note, to add to trusted sites,
I had to supply the address without the "ws://" part (like just mymahcine.mydomain.com)
I had to uncheck the box that says "Require server verification https:// " option.
After I was done adding the domain, I re-checked the box "Require server verification (https://). I would recommend everyone to do the same. Unchecking the box is only a workaround to add sites that don't begin with https (rather ws:// in my case)
I had the same issue at one of my customer's environment.
It turned out that they had a proxy configuration that did not allow the connection to the WebSocket endpoint directly and did not support the WebSocket protocol.
The temporary solution was to disable using the proxy and everything started working. The long term solution is to edit the proxy's configuration (.pac file) to exclude the address of the WebSocket endpoint.
To disable the proxy, go to: Internet Explorer Options > Connections tab > LAN settings button > un-check Automatically detect settings.
Hope this helps someone.
In addition to making sure that the internet zone is not localhost (as in above answers), ensure that if https is used, then wss should be used.
This is not an issue in other browsers, but IE is abit more finicky.
During facebook iframe application integration I ask for publish permissions - I have HTML which loads JS Connect library and asks for permission dialog..
FB_RequireFeatures(["XFBML"], function(){
FB.Facebook.init("_MY_API_KEY", "MY_PATH/xd_receiver.htm");
FB.Connect.showPermissionDialog('publish_stream');
However in IETester with IE7 i get weird errors
SecurityError: Error #2060: Security sandbox violation: ExternalInterface caller http://b.static.ak.fbcdn.net/rsrc.php/zDVWA/hash/bqv7w2jc.swf cannot access ..(MY APP PAGE)
at flash.external::ExternalInterface$/_initJS()
at flash.external::ExternalInterface$/addCallback()
at flashutils::PostMessage()
at XdComm()
As far as i understand xd file is intended for flash proxy that uses this ExternalInterface to communicate with facebook and show dialog. After i click OK, everything seems to work further.
Can anyone clarify what can cause this?
IETester isn't perfect, simply because it cannot fully emulate a proper IE environment. When things get tricky, it starts to give weird errors. And there isn't much trickier than a cross-domain Facebook iframe application.
I would find a real installation of IE7 and check if the problem exists there. If it doesn't, it's probably not worth your time. Microsoft provides a Virtual PC application that is excellent for this kind of thing, as well as many XP and Vista test images containing various versions of IE. They are large downloads, but I highly recommend them over IETester.