How to store an ID field across domains with HTML / JavaScript? - javascript

I have a web app that has a conversion tracking feature to determine if an activity "A" performed by a website visitor causes them to take action "B".
This conversion tracking works fine if the tracking is all on one domain. Where it breaks is if that happens across two different domains.
This tracking is currently done by storing a 1visitorId1 in HTML5 localStorage (though the solution doesn't have to use localStorage). Then I retrieve that visitorId from another domain... I just need a way to store a recoverable piece of data across two domains.
The conversion tracking is enabled via a JavaScript embed. So my customers will take a JS code snippet and paste it into the page where they want to track the conversions. This is where the problem arises, as I have no control over where they will be embedding this JS snippet.
I hope I've made the problem (and the needed solution clear), if I haven't please leave a comment.
Thanks all! I really appreciate the help from everyone in the StackOverflow community, you guys are all awesome :)

If you have power over both websites, then it's fairly easy (but it might not be the best solution).
If the user is allowed to see the ID, then simply add a GET variable to your URL and redirect the user there. E.g: domain2.com?visitorId=1234
Check this out on reading the variable: http://papermashup.com/read-url-get-variables-withjavascript/

not sure if this will result, but you could try this:
Domain B is where you have created a cookie or localStorage
From HTML in Domain A you will have an iframe pointing to some HTML page of Domain B, wich will be in charge of retrieving the desired cookie.
Then, you could use a postMessage library (like described in here: http://www.onlineaspect.com/2010/01/15/backwards-compatible-postmessage/) to communicate iframe and your current page.
In that way you could have a listener in Domain A to listen for a function on Domain B where you will be passing the cookie or localStorage data.
Hope this aproach helps you. I repeat this is a suggestion. I have worked with postMessage and it works great!

Related

Getting page location in ColdFusion

When I am using iframes or frames (older sites), as a extra security precaution I use the JavaScript function:
<SCRIPT LANGUAGE="JavaScript1.1">
if (top == self) self.location.href = "../index.cfm";
</SCRIPT>
then another hidden check to see if the page is being called correctly....
<cfif (HTTP_REFERER DOES NOT CONTAIN "referer_page.cfm")
<cfabort>
</cfif>
It works great to keep visitors (hackers?) from opening and/or trying to post to the page.
The problem is that the JavaScript displays in source code and the less they know...
I know the JS is client side but is there anyway to create the function in the server side CF or otherwise hide from prying eyes?
I a running cf9 on my and most of my client sites.
Thank in advance
No, it is not possible for any server side language to tell if the client that requested a page intends on displaying it inside of a frame. The only way to tell that is to ask the browser once your page reaches it.
What's the concern with the Javascript being visible?
There is literally nothing you can do to permanently avoid clients from seeing your source HTML and/or Javascript. Any attempt at security on the client side is in the end futile. You will keep out casual (i.e. non-web developer or programmer) users, but that is all. Anyone with a rudimentary knowledge of HTML and access to Google (or Alta Vista or ask jeeves for that matter) will be able to circumvent your barriers.
The use of HTTP_REFERER is suspect here as well (I know I know... I'm a negative Nellie :). That CGI var is dependent on the browser and web server working together. It will not be reliable overall because it is dependent on the client side. Someone up to no good will have no problem circumventing your barrier by simply constructing requests with the appropriate referrer.
If you want server side security then you are forced to use some form of authentication and session. This is a growing field what with oAuth and the use of Google, FB, Twitter etc as federated authenticaiton services. But plain old usernames and passwords tied to login sessions works too :)
To be clear, #Luke is saying that some users properly using your site, viewing iframe content, may have problems if they have a security setting, like an anonymity program, blocking their data, like cgi variables.
The only real solution is proper authentication and filtering on every page. If a list shows content for a user and loads details into an iframe, the iframe's page must also check that the user has access. At that point, it doesn't matter if they can get at the url.
For instance, if you get a list of user images like this.
<cfquery name="getImageList">
select imageid,imagefilename_mini
from images
where userid = <cfqueryparam value="#session.userid#">
</cfquery>
Which loads an iframe to load full sized images, you still need the and subclause
<cfquery name="getThisImage">
select imagefilename from images
where imageID = ...
and userID = ...
</cfquery>
That way, even if someone changes the image id in the url, it still only lets them see content bound to the userID.
Also, modern browsers make altering the source of a live page all too easy. I don't mean that browsers can alter the server side file, I mean that contents of the DOM as delivered to the browser. It's an incredibly useful tool for developing and debugging, but it does make mischievous/malevolent activity easier.
In chrome and firefox, you can inspect an element, change the attributes and the page will change before your eyes. Here, that works for iframe src's, so it still is within the DOM it expects to be in.
You should regard client side UI as how you'd like the page to be presented, and the way it works best but use server side safeguarding (proper validation) because it's too easy to get around client-controlled data/elements.

Authenticate websites that are using my service through iframe

I have a service that I provide to different websites. For the website to use the service they implement a javascript that triggers a lightbox with a iframe in it.
The problem is I don't want any website to be able to use the service/iframe. Is there any way I can authenticate the websites using the iframe?
The way I see it, a random website can just take the javascript from a website using the service/iframe and implement it on it's own website.
Authenticating the actual users inside the iframe is no problem, there will be a login form and a register form. It's just the websites using the iframe I want to identify and authenticate.
Any suggestions is appriciated!
You could check document.referrer in JavaScript, and if the referring domain is not within a whitelist you provide (or the referrer is empty), don't display content at all.
But we all know how unreliable the referrer is, and it might exclude users even under wrong conditions.
Another way would only work it the sites embedding your iframe have server-side scripting and so can calculate some kind of hash - f.e. the hash of the current date and a secret keyword - and pass it as a GET parameter in your iframe URL. In your script, you check if the given value is the same as the hash you create with the same data - and display content based on that or not.
Using the current date could be problematic though if time zone settings for your server and the other site are different, and it might also break when a user calls the page around midnight. To prevent such problems, you could have the remote sites include the unix timestamp value used to create the hash as GET parameter as well - then you can check if that timestamp is not to old, and create the hash with that exact value. (Then other sites might try to just copy the parameters and use them on their page as well, but it will only work for a small time window.)

ColdFusion - Detect top window

is there a function in ColdFusion that detects whether or not a browser window is the top window? (Similar to (if (window == window.top)) in JavaScript)
The reason I ask is because I would like to make certain page elements present when the page is directly accessed by the user, and not present if my page is iframed.
CFML code runs on the CF server, whereas any considerations about browser windows obviously run on the client. CF is completely unaware of the UI configuration of the client system, all it sees is "a request". Indeed the requests don't even come from the client, they come from the web server which acts as a go-between for CF-serviced requests: CF has no interaction with the client itself.
The only information the web server gives to CF that in any way relates to the client browser is some of the stuff in the CGI scope, and obviously that's limited. And none of it relates to the configuration of browser windows / iframes.
You will need to solve this with Javascript (which I will add to the tags of your question).
To trigger different code to execute on CF given a certain browsing situation, you are going to need to use Javascript to add some information to the request to identify the situation to CF. This could be adding a parameter on the query string, or something like that.
If someone was 'wrapping' one of my products I'd want to know who and how so I could improve the experience for the user and the site owner. With that in mind, what I would do is automatically break out of any frames by default. I would then create a simple api and provide instructions to other webmasters on the proper way to include your content. Display different content once you've determined if your content is PROPERLY being included in another site. For webmasters that want to include your content:
Provide recommended height/width for the iFrame so you can
include your logo or ads with the content.
Provide anything you want them to include in the query string to help track usage.
You could even add fun stuff to your api to make your content look more integrated into the including website like reacting to url.bgcolor or url.bgimage.
You could go as simple as looking for and recording the value of some url variable like url.remoteSiteAddress or as complicated as registering the site and providing unique key. Of course there are other considerations to take into account to enforce the key. Being that you don't really care that the content is being displayed on a remote site, I suspect just recording a simple url variable is more your speed.
If a different website is putting your page in an iframe on their website, then you could use the CGI.HTTP_REFERRER variable to check if the website domain is yours or not, and load content as desired.

Tracking the use of my Javascript

Is there a way to track if my javascript code is being used on another site?
I work for a software development company and although I'm not a developer as such I do get involved with some of the more simple Javascript requests we get from our customers.
However, sometimes our customers want to see the Javascript working before agreeing to pay for it. My problem here is that although they are not going to be very technical they may have enough knowledge to look at the page source and effectively 'steal' the script.
Can I either prevent them from doing this or add some kind of tracking to my code somewhere so if they do a simple copy / paste then I can receive notification somehow of the script being used on another site?
Thank you
A few things you can do:
Obfuscate your code so it'll be harder to find out what to copy for non technical people.
Add a line that checks the domain name of the page and throws an exception or does some other trick to terminate if the domain is not your demo server.
Add an Ajax query to your server to validate that the script is allowed to run and terminate if there is no validation.
All said here will only protect against non-technical people. Javascript is an interpreted language and as such the entire code is sent to the browser. A skilled programmer will know to go around your blockings.
it is not easy to track your script over all www but there are ways to protect your js codes. there are plenty of sites for encoding and obfuscation like the site below:
http://javascriptobfuscator.com/default.aspx
They would still be able to use your codes but you can hide some protection codes in obfuscated version like trial timeout values or even posting some values like site url to your server for tracking.
our customers want to see the Javascript working before agreeing to pay for it.
You can achieve a good level of security by setting up a demo machine. Have the users remote into a session to provide a demo of the product. Ideally, a shared session where you can "walk them through it" (aka watch what they are doing).
Similar to a video conference, but this way they can use the browser. Don't make the site public, run the webserver local only (close port 80 on the firewall). Take the remote desktop server down after the demo and change the password.
Use the DOM API to a <script> tag that points to a server-side script on your server and append it to the <head>.
Using jQuery:
$.getJSON('http://yourserver.com/TrackScript', { url: document.location });

Is it possible to make a form on one page and have it post to a different domain?

I have been thinking for a while. And i have an idea i would like to have a sanity check on. The idea is this. I have a website www.mysite.com and you have a website www.yoursite.com I have a service on my site where you can "buy" a contact form (name, mail description) to your site. The trick is that it is still hosted on my page and i have the database the maintenance etc. but you have the functionality of a contact form on your page. Is this possible? How about an iFrame? Javascript? X-domain rules etc.
Will it work?
Yes, it's possible. There is no limit to where a form can point.
The only thing to be careful with is switching protocols.
When you submit from a HTTPS form to a HTTP target, you will get a warning in some browsers.
When it's the other way round, the HTTP_REFERER will not be set, so you can't use that to determine the incoming page. (But you will want to use a form variable for that anyway.)
Other information that might be helpful from a nearly identical question posted today.

Categories