I'm searching a way to communicate between two client in Javascript/HTML5, without using a server-side script. I can't use NodeJs for this.
Is there a way to connect two clients?
What exactly are you trying to do? Can you use dependency injection?
I've had to do some workarounds in the past where I've opened windows or iframes into a target page using a url configured like a GET request, complete with a "?key=value" tacked onto the end. The target page has some vanilla javascript in it that looks for these faux GET requests, parses them, and either performs the requested action (fill out and submit a form or click a button or whatever) or uses the window.postMessage to send the requested information back to the original page.
Related
I am currently working on a JavaScript chrome extension and would like to be able to send all the redirects for a given link that matches a certain criteria. I would like to do this client side invisibly and send the data back to an endpoint. There are several ways to do this in other server-side languages (I would like to basically have the functionality of the following python script)
import requests
response = requests.get(domain)
redirects = list()
for r in response.history:
redirects.append(r.url)
Is there anyway to extract this sort of information invisibly on the client-side, preferably using JavaScript/some JS library?
Thanks in advance for your time!
This is not possible from the client side using JavaScript. You can send a HTTP request to a certain URL using XMLHttpRequest, but it will automatically follow redirects down to the final destination. There is not way to retrieve the redirection history. Also, browsers prevent sending requests to different origins as per the Same-origin policy.
This is my situation:
I have a third part that uses a software called microstrategy which is able to generate documents and allow to export them as PDF or Excel files. They provide me only web api of this product, and I haven't any web service to work with.
The url is like:
http://<third_part_domain>/microstrategy/asp/Main.aspx?Server=<third_part_domain>&Project=<project_name>&evt=3069&src=Main.aspx.3069&executionMode=3&promptAnswerMode=1&documentID=<doc_id>&uid=<username>&pwd=<password>&<other_parameters_for_request>
I have try to obtain the file (that I must save on server side) by java code, but the response of the link that we use is an HTML page with some code Javascript that does more than one redirect, so I can not interpreted correctly the response and I should use a browser to obtain the PDF.
So I have thought to put the page into a iframe and after a while (usually the server takes 20 second) take the PDF object by javascript code and send to my server. But obviously the third part have another domain and the CORS policies block everything. To make matters worse, I can not use the final url to obtain the file because the microstrategy respond me with an internal page of the administration console.
So, that's my question:
Is there a way (that is not on the microstrategy server side) to obtain directly the PDF from microstrategy?
Or exists a way from client side to bypass the problem of origin control? I have evaluated to implement a proxy for solution but it's too expensive.
Thanks to all!
You need two things in order to download a PDF from MicroStrategy using a URL:
In the document property set that default visualization as PDF. This is pretty trivial and I think any of your MicroStrategy savvy colleague can help you with this.
Disable the waiting page, this is more complicated. When MicroStrategy generates a documents, usually it needs some time, meanwhile the server is working it will show you a waiting page. Useful if the request comes from a human (the human can go on StackOverflow), not that much if the call arrives from API.
The instruction to disable the waiting page are here: TN34124: How to Disable the Wait Page in MicroStrategy Web using the MicroStrategy Web SDK 9.x.
But I read from your question that you have no control on the third party MicroStrategy application. In that case there is little you can do. You can try to ask them to implement the customization to remove the waiting page or allow you to use taskproc API, but that's a story for another day.
Some options:
Ask the third party to schedule the PDF generation on their side and send it via mail to you. Or place it on a shared folder that is shared between you.
Ask for a different URL Tuareg from the file-share menu options. This will give a URL with 'subscriptionid' in it.
I want some content of my website to be dynamically loaded after login. A $.post(...) interacts with a servlet which validates the user's credentials, and then a $.load(url) loads the content from a separate page into a <div>. I noticed that, as long as I know where to fetch the content from, I can force this behavior from the chrome javascript console, bypassing validation.
How can I prevent a user from doing this?
You can't.
Once a document has been delivered to the user's browser it is completely under the control of the user. They can run any JS they like.
The URLs you present on your webserver are the public interface to it. Anyone can request them. You can use authentication/authorization to limit who gets a response, but you can't make that response conditional on the user running specific JavaScript that you supply.
The server needs to authorize the user each time it delivers restricted data. You can't do it once and then trust the browser to enforce it.
You can add a secret parameter to the url you load. By defining a random variable in the users session (server side) or in the database, and then return this variable once the validation is successful so your javascript code can use the variable in the next load call. In the load url you can check at the server side if the secret parameter had the correct value or not.
Hope its clear.
The simple answer is: You Can't.
JavaScript runs within the browser and therefore a user or application can run their own code whenever the feel like. This could be as simple as adding new CSS or running their own JS codes.
The main thing you can do to disable this is to ensure all of the requests are validated on your server side before being run as well as allowing only entry for certain types of information (like only allowing integers as numbers to stop strings coming through).
Something close to this sort of problem is XSS or Cross-Site Scripting. A 3rd party will try to inject some malicious code to a trusted website, usually some form of POST, to affect different users. Here is some more information on the matter
Cross-Site Scripting - Wikipedia
CSS - OWASP
I'm building a Tornado based server that basically allows the user to upload an image, does some processing on the backend and returns some updates during and after the processing.
I've implemented a basic server using Handlers, which works nicely.
The problem is that the handler interface doesn't allow me to communicate with the client, but only to re-render the entire page.
I've considered using WebSockets, but from what I see they shouldn't be used for image uploading, so it kind of kills this option.
Is there any other way to communicate with a specific client from an Handler (i.e render only part of the page, trigger some js event and so on).
Thanks :)
Are you using POST and GET methods in your handlers?
If you're using a GET method to receive the image from your client, you can communicate with the client by returning data using the self.write(json_data) method. (http://tornado.readthedocs.org/en/latest/guide/structure.html) However, once the GET method returns the request is considered to be finished, so you might not be able to send multiple updates.
Also, can you also configure the client side? I'm assuming you're using a JSON GET method to make a call to the tornado server, and in that case you can just link certain responses to different js functions in the client-side code.
There is this 3rd party webservice. One of the public webmethods available is a GetDocument() method. This method returns a Document object. The Document object has properties for File(byte[]), ContentType(string) ect.
My Question : Can I subscribe to this service using javascript(mootools) + ajax + JSON, return the document object, in this case an excel document, and force the file download?
It is true that typically you cannot initiate a download from JavaScript, but there is a flash component, Downloadify that does enable client side file generation.
So you can serve files for download from HTML/JavaScript.
With that problem solved, you still have the problem of how to get the data that you wish to serve from the source web service.
3rd party implies XSS (cross site scripting) which is a no-no using XmlHttpRequest (Ajax).
A possible solution to this problem could be to use a common hidden IFrame technique to get the data.
Simply have an appropriate (hidden?) form that correctly posts to the web service and point it's action to an hidden IFrame element upon which you are trapping the Load event and parse the data returned.
But current browsers have different levels of security measures that limit your ability to access IFrames with an external source so you are actually stuck here. Sorry to get your hopes up.
The only practical robust way to accomplish what you would like to do is to have a local server side script that can act as a proxy between your HTML/JavaScript and the external web service.
Using such a proxy, you can simply go back to using Ajax to get your data to serve up with Downloadify.
But then, since you are using a server script to get the data, why not just serve the data from the script for download?
These are just my observations on the problem domain you present.