Here's the situation: I'm redesigning our company's public facing website using ASP.NET, VB.NET and some javascript/jquery. Some of the features I'm adding require page reloads (which register as popups) and cookies. Works great if everything is enabled. But I've noticed on some browsers (such as Firefox) I still get prompted to ok these actions, retain these cookies, etc. Now I can code some contingencies for simpler pages for users who will not or can not enable these features, but I'd like to find a way to make it as simple as possible to enable the full features. From what I've read, there's no way I can actually force it to happen the way you can force a browsers document mode by settings in the web.config file, but I am hoping there is some way to give them a button to click (or something similar) where it will enable what I need. Is there a way to do this programmatically? what I'm looking for is some code that will make the changes, instead of directing them to go into e.g. Internet Explorer security settings, which most end users find tedious if not incomprehensible.
Advice?
You can avoid using cookies. Use Session or a database backend for things you would normally use cookies for. For popups, use overlaid divs such as Ajax Control Toolkit Modal Popup Extender or jQuery UI Dialog instead of starting a new browser window.
But really, ASP.NET is designed to function with cookies. If you're users aren't using them, tell them they're penalizing themselves.
Certain browser features are ONLY user-configurable for security reasons. You cannot provide a button to change these settings because they would then not user-configurable.
All you can do is warn the user.
JavaScript cannot change a client browser's setting due to security reason. Otherwise, all hell will break loose.
Note: you can if you create an executable program, and a user runs on his/her computer.
However, you should never change a user's browser setting.
Instead you should give the warning and instruction to a user which is a proper way of doing it.
Disable Javascript
Disable Cookie
Related
Is it possible to get around the security and mimick either a full-browser or mobile browser within a webpage?
I had an idea to set the HTML manually, using an AJAX/XMLHttpRequest ("Get" request)
document.querySelector('#myiframe').contentWindow.document.write("<html><body>Hello
world</body></html>");
(from How to set HTML content into an iframe)
Can anyone verify this is possible? I'm guessing you would lose relevant site date (cookies, cache, etc)
Is it possible to get around the security
Yes, many browsers let you start them in a security-off mode, e.g. on chrome you run the program with the --disable-web-security flag. However, you should never ask a client to do this.
An alternative way would be to write a Java applet, or some other third-party plugin, which fetches the resources you want and then passes it over to the browser with your favourite method, from which you can use JavaScript on the data as desired. This method would lose things like cookies, and might be exploitable so I wouldn't recommend it.
mimick either a full-browser or mobile browser within a webpage?
Finally, if you don't mind the "URL bar" displaying the wrong thing when a user navigates, you could just use the default behaviour. This method is totally acceptable and doesn't circumvent any security.
I was playing around with cookies and stuff, until I noticed a website saying that you can easily set cookies via the navigation bar with one simple code;
javascript: document.cookie="SESSID=IDOFSESSIONHERE;path=/"
while doing this, I could login on one computer, copy the cookie data to another computer, and set the same cookie via this code, after a refresh I was logged in with the same user.
(just on a simple webpage I made myselve)
this seems like a security issue to me, I mean, ofcourse they would first need to get the cookie data, but without that, I imagine that you could do alot of damage with the javascript: from the cookies aside.
Is there any way to prevent the usage of javascript: from the navigation bar?
The user is the security issue not Javascript. The user gave you the session id - i.e. do you give out your keys/passwords to others? If you do what can the site do? Send around a blioke to look over your sholder all the time
Javascript is only excecuted client side, (exception is nodejs). So no harm can be done to the server.
Javascript runs in the users browser.We dont have any control over it.
The thing you can do is to obfuscate or hash variable names and/or values.
See here
You cannot prevent JavaScript usage from the navigation bar. I could visit your website and use the Internet Explorer debug tool, Chrome debug tool or FireBug to launch JavaScript code on your page.
Since JavaScript runs on the on the visitor's local computer, you will have no control over it. Only the visitor has control over what cookies will be stored in the browser.
What you need to do is to take measurements of security server-side. But yes, all authentication-processes that depend on a session cookie will have the security issue you are explaining.
I have website that uses Twilio API to make calls. Each time call is made a popup from google chrome comes up saying "http://www.URL.com/ wants to use your microphone. Allow / Deny". On firefox also it comes up in a dialog.
Is it possible to apply CSS to it or somehow customize the way Allow/Deny popup shows up? Or maybe show another custom dialog that has custom buttons of Allow/Deny and when Allow is clicked somehow triggers browser Allow button?
The whole point of these popups is that the browser is warning the user that the site wants to do something which could have security implications. Being able to modify or supress that popup could stop the user from realising the security implications.
Consider a malicious hacker who wanted to listen in to a user's conversation.
If your request could be done, it would be easy for him to pop up a message saying "This site wants to show you something pretty", instead of "wants to use your microphone". User presses "accept" without realising what's happening, and hacker gets to record all their conversations. Ouch.
The short answer, therefore, is no, you cannot modify these popups, for security reasons.
You might be able to convince the user to hit accept and tick the "don't ask me again" box if the browser provides it, but that's as close as you'll get. You definitely will not be able to get rid of the box entirely, nor will you be able to customise it in any way.
It's worth noting that even native apps on mobile devices give you the same kinds of warnings when you install them, so this isn't a browser-specific thing. If you're doing something that the user might possibly have any reason to object to for security or privacy reasons, then the system will warn them before allowing it.
I want to emulate some human(not for spam use) for some my daily works. I don't want to use some curl/wget solution because it will include some works to analyze the HTTP package sent by browser. So, basically:
I will use the browser(eg. chrome) to login the system, so I have login state in that browser.
I open the search page for the system, and by any way I start the script.
The script will input some string into the input, and submit the form.
The browser redirects to the result page, and my script will analyze the result page and get the things I want.
Is there any existing solutions that I can use to write such script? The functionality should include:
fill in some and submit the form
in the result page the script can analyze the webpage and get the desired data.
I was trying to do it in but the domain for my program and the system that I want to run in is not in the same domain.
You may be interested in famous Selenium:
Selenium automates browsers. That's it. What you do with that power is
entirely up to you. Primarily it is for automating web applications
for testing purposes, but is certainly not limited to just that.
Boring web-based administration tasks can (and should!) also be
automated as well.
See its DEMO here.
Or you may be interested in iMacros addon of Firefox depending on your requirements.
I have in my code a window.prompt, which should stop the flow of the code until user put in some value.
Of course IE7 try to protect me from myself and instead of showing the prompt it shows the security tab (top of the page where it alerts to the users that a script wants to open a window).
What is even worse is that the prompt is ignore and the rest of the flow is being done. Regardless to say this can't work as the script is missing data from the user.
What should I do to avoid that security bar, as this script is part of the page/domain.
window.prompt() is no longer usable on the general web for this very reason, since there's no way to get round the security banner in your script. You'll have to use some other mechanism, like any of the many JavaScript UI components that emulate modal dialogs.