I have a web page which will load an external JavaScript file processed by PHP. In Chrome and Firefox, if I want to get the initiator of the JS file through PHP, I just need to read it from the superglobal variable $_SERVER["HTTP_REFERER"]. However, this does not work in IE if I visited another web page before browsing this web page. How can I get the initiator web page even in IE?
PHP is not processing JavaScript. Your Browser is processing JavaScript.
The HTTP headers are known to be unreliable; anyone can change the fields to whatever they want in the request. You cannot fix your problem by using $_SERVER["HTTP_REFERER"] nor anything related in JavaScript. Some browsers have turned off the referrer or offer the possibility to turn it off, and some add-ons will also remove the referrer.
The only reliable way is to generate security tokens, which you will use only once per JavaScript call. Save the token in a session and compare the values when calling the html/php and when calling the js/php.
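One way to implement the one-time token the answer describes, as an added example that is not part of the original answer. It assumes a single file (say gate.php) that renders the HTML when called without parameters and serves the JavaScript when called with ?js=1&t=TOKEN; the token binds the script request to the session that rendered the page rather than to an unverifiable Referer header.

```php
<?php
// Added example (not from the original answer): a one-time token tying a
// PHP-served script to the page that included it, instead of trusting HTTP_REFERER.
// Run with:  php -S 127.0.0.1:8000 gate.php   and open http://127.0.0.1:8000/
session_start();

const TOKEN_TTL_SECONDS = 60; // a page should load its script well within this window

// HTML side: mint a fresh unguessable token and remember it in the session.
function issueScriptToken(): string
{
    $now = time();
    // Drop expired tokens so the session does not grow without bound.
    foreach ($_SESSION['script_tokens'] ?? [] as $old => $issued) {
        if ($now - $issued > TOKEN_TTL_SECONDS) {
            unset($_SESSION['script_tokens'][$old]);
        }
    }
    $token = bin2hex(random_bytes(16));          // 128 bits from a CSPRNG
    $_SESSION['script_tokens'][$token] = $now;
    return $token;
}

// JS side: accept a token exactly once, and only shortly after it was issued.
function consumeScriptToken(?string $token): bool
{
    if ($token === null || !isset($_SESSION['script_tokens'][$token])) {
        return false;                            // unknown, replayed, or forged
    }
    $issued = $_SESSION['script_tokens'][$token];
    unset($_SESSION['script_tokens'][$token]);   // single use, even if it turns out stale
    return (time() - $issued) <= TOKEN_TTL_SECONDS;
}

if (isset($_GET['js'])) {
    if (!consumeScriptToken($_GET['t'] ?? null)) {
        http_response_code(403);                 // no page in this session asked for it
        exit;
    }
    header('Content-Type: application/javascript; charset=utf-8');
    header('Cache-Control: no-store');           // a one-time URL must never be cached
    echo "console.log('script served to the page that requested it');";
} else {
    $t = htmlspecialchars(issueScriptToken(), ENT_QUOTES, 'UTF-8');
    header('Content-Type: text/html; charset=utf-8');
    echo "<!doctype html>\n<title>token demo</title>\n";
    echo "<script src=\"gate.php?js=1&amp;t={$t}\"></script>\n";
}
```

Reloading the script URL directly a second time returns 403, which is the check the answer asks for; note that this proves the request came from a page rendered in the same session, not which page that was.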
This is not a question about whether a web application can be safe/secure to use!!
But if I have a session or encryption key and would like to hide it as well as possible on the client side with JavaScript, what is the best approach?
I wanted to use sessionStorage until I found out that any extension can read this from the content script, at least in Chrome. In my view this is a big mistake from the developers, as they hide the web page's JavaScript from the extension but allow it to see web storage. Everywhere it is stated that the extension can only see the DOM, but I do not think most people realise that this also includes web storage!
So how can I secure a session key so it is out of reach of an extension? I am unable to encrypt it, as I would then just need to hide the key. The problem is that the session has to be valid for all pages of the site, so I cannot just keep it in JavaScript as it is refreshed on each page load.
A cookie is in my view just as bad!
NB: I do not know if this is also a problem for other browsers.
An extension, given permission to access your page, can do anything.
Code injected as a <script> tag from a content script into the DOM will execute regardless of your CSP in the context of your page, with full access to your JS context.
That is not even to mention the chrome.debugger API.
So no, you cannot secure your client-side data from extensions that the user consented to run on your page, just as you can't secure your data from the browser itself.
I am working on a web page development using the NetBeans IDE and use Firefox for debugging/testing. Whenever I make changes to JavaScript, these changes are not getting reflected on the web page; the source code reveals the obsolete code.
Every time I make changes, I ensure that I restart my nginx server before opening the browser. PHP seems to work fine this way, but JavaScript is not in sync with my changes to the code.
Please provide me with a solution to this problem.
The problem is that your browser is caching your files; you can clear the browser cache or set the browser to stop caching files.
Another way to avoid browser caching is to append something (a timestamp or id) with a '?' at the end of your HTML file reference.
<script src='script.js?0001'></script>
Any time you want the browser request your file again, just change this value.
For avoiding the caching of files, it's better to handle it programmatically by adding proper headers like Cache-Control and max-age. However, these headers are handled differently by different browsers like IE, Firefox etc.
The best way is to trick the browser by adding a random query parameter so that the browser will believe this is a different request.
<script src='myScript.js?dummyParam=12001'></script>
Here, 12001 should be generated differently after every change by using a timestamp or some other random value.
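A way to generate that query parameter automatically, as an added example that is not part of either answer above: the version is derived from the script file's contents, so the URL changes exactly when the file changes and stays stable (and therefore cacheable) otherwise. It assumes the script lives at js/script.js next to the PHP page that references it.

```php
<?php
// Added example (not from the original answers): content-derived cache busting
// instead of hand-editing '?0001' or '?dummyParam=12001' after every change.
// Assumed layout: this page and js/script.js in the same directory.

// Version the URL with a short hash of the file. A changed file yields a new URL;
// an unchanged file keeps the old one, so the browser may go on caching it.
function versionedScriptUrl(string $relativePath): string
{
    $file = __DIR__ . '/' . ltrim($relativePath, '/');
    if (!is_file($file)) {
        // Unknown file: fall back to the current time so nothing stale is reused.
        return $relativePath . '?v=' . time();
    }
    $version = substr(hash_file('sha256', $file), 0, 12);
    return $relativePath . '?v=' . $version;
}

// Emit the tag with the attribute value escaped and the element properly closed.
function scriptTag(string $relativePath): string
{
    $src = htmlspecialchars(versionedScriptUrl($relativePath), ENT_QUOTES, 'UTF-8');
    return "<script src=\"{$src}\"></script>";
}

header('Content-Type: text/html; charset=utf-8');
// The HTML that carries the URL must itself be revalidated on each load,
// otherwise the browser never sees the new query string.
header('Cache-Control: no-cache');
echo "<!doctype html>\n<title>cache-busting demo</title>\n";
echo scriptTag('js/script.js'), "\n";
```

With the URL versioned this way the static file can be served by nginx with a long max-age; only the HTML page needs the no-cache header.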
I'm not very familiar with browser extensions and before I begin to deeply explore them I have a few questions.
Let's say the extension injects JavaScript into the current website the user is visiting (if that's even possible). That injected JavaScript code will get, let's say, the current URL for example purposes, and send it and store it in a database. Next time the user visits the same website, the user will get an extension notification informing them that it is the second or third or X time he or she has visited the same website.
Now that I have given you the scenario, is the following possible? Injecting JavaScript from a browser extension into the currently visited website. If so, can I make some AJAX communication between the JavaScript and a PHP server?
Yes, you can inject stuff. See e.g. Insert code into the page context using a content script and How to inject javascript into page, from a Firefox add-on, and run it? or one of the many dupes there likely are.
You can then use whatever communication would be available between the site and a server, e.g. XHR, WebSockets, JSONP.
Please also check the policies of the Chrome Web Store and Mozilla Add-ons site regarding content/code injection and privacy rules. E.g. Mozilla Add-ons will reject your add-on if you inject remote scripts (meaning code that is not bundled, e.g. originating from http:) and may also reject your stuff if you track users without prior explicit user consent.
On my page I have some JavaScript and of course IE has prevented the page from running scripts or ActiveX controls. If they click to allow the scripts to run, can I store that in a cookie?
I am willing to read and write the cookie in whichever language would allow this.
IE normally only prevents JavaScript and ActiveX controls when running the file locally. Once you put the file on a server somewhere you will not be prompted for run permission.
Cookies are data, you can store executable code in them but they can't execute the code themselves. You can, for example, store JavaScript in a cookie and eval it on a subsequent request, but you probably shouldn't.
I have a CGI application written in C. When I POST (delete data) to the CGI app from the HTML form, the action is correctly executed on the server but the page does not refresh after the POST. It does flicker, but displays the non-updated page. I then have to hit the browser's refresh to see the correct updated HTML page (showing that data has been removed).
Is this the web server? JavaScript? Or just a browser setting? (I am using the GoAhead web server, a CGI app in C, JavaScript, HTML and Firefox.)
Any help is appreciated.
It's your browser cache that is playing tricks on you.
Check the HTTP headers you get when GETting (or POSTing) the page to see if there is anything about caching. If there is, it's your web server that is causing the caching; otherwise it's the browser. Try with a different browser, or make the web server send the page with a negative expiration date.
Are you sure you're returning an updated page in response to the POST?
In order to be sure what is happening, you need to sniff the local network (using Wireshark).
Wireshark shows you the traffic and can also filter a specific stream.
After you capture, you can understand exactly what was sent to the server and what the response was.
If you are using Firefox you need to install the Firebug plugin and it will show you if your pages are being cached or being retrieved from the server correctly in the "net" panel.