Note: I haven't been able to find question on the site, if it exists close this as duplicate.
For out application we have a browser based client using javascript. Our application follows client server architecture, but is deployed only on premise ie it is not exposed to web.
I am thinking of providing limited scripting support to user (using javascript) somewhat similar to that providing in desktop based application (like matlab)
Is it safe to allow user to script.
What is the safe way to implement (eval, using iframe etc)
From a security perspective: Running scripts on the page is not a problem, A user can already do that by pressing f12 and opening up the console.
The problem is if you allow users to save js into your db which is then loaded on the page by another user.
Imagine if you had a commenting system that allowed script tags, a potential prankster can now perform any of the functions the user can.
Or even anchor tags click on me
If it is just for the user, I would append the scripts to the body.
var scr = document.createElement("script");
scr.textContent = 'alert("hi")';
document.body.appendChild(scr);
Related
In my app, I am currently using a web view to display some content. Then, I use Javascript injection to quickly fill out the form for the user.
The only issue is, Webviews are incredibly slow compared to Chrome Custom tabs. Is it possible to inject Javascript code into these custom tabs?
For example, here is some code I currently use:
myWebView.loadUrl("javascript:document.getElementById('join_first_name').value='" + name + "';void(0); ");
No; that would be a critical security hole.
Since custom tabs use cookies, settings, and password managers from the user's real Chrome instance, you cannot control them at all.
Chrome prohibits you from doing any of that. If this were allowed then it would be a major security flaw since you can modify the page within the app.
Suppose you have an app that has a facebook sign in. If this were possible, one could also steal someone's login credentials.
With Chrome Custom tabs, you don't have much control over the content that is served. You should probably try an alternative, like passing the first name as a URL parameter and then write a script on that page to read the parameter and fill the form out.
you need to do it like that by using data:text/html, as prefix for your script
Try that in your browser tab
data:text/html,<script>alert("hello")</script>
it will fire the javascript and alert , and as well you can print some in html from url
so i guess you need just to open the tab with the script
String suffix = "data:text/html,"
String script = "<script>document.getElementById('join_first_name').value='" + name + "';</script>"
String url = suffix + script
myWebView.loadUrl(url);
It's browser behaviour in desktop and mobile
I haven't try it in WebView.loadUrl and actually still if it's done by WebView.loadUrl it will be a security hole
There's supposed to be no way to inject Javascript to Chrome web browser.
If you can execute the Javascript queries to chrome via some third party apps, thereby you can read all the cookies, clear every sessions, and whatever the javascript is capable of. Which is really a huge security flaw.
What you can do is to load your URL in webview and execute the javascripts there. That's the only possible i've ever heard of. This is the same technique used for EPUB documents, where we load the complete HTML content in webview then we execute external Javascript queries into that view, so you can modify the HTML, CSS attributes.
This is not a question if a web application can be safe/secure to use !!
But if I have a session or encryption key and like to hide it as good as possible on the client side with javascript - what is the best approach?
I wanted to use sessionStorage until I found out that any extension can read this from the content script at least in Chrome. In my view this is a big mistake from the developers as they hide the web pages javascript from the extension but allow it to see web-storage. Everywhere it is stated that the extension can only see the DOM but I do not think most people think that this also include web-storage!
So how can I secure a session key so it is away from reach of an extension? Unable to encrypt it as I then just need to hide the key. The problem is that the session have to be valid for all pages of the site so I can not just keep it in javascript as it is refreshed on each page load.
A cookie is in my view just as bad!
NB: Do not know if this is also a problem for other browsers
An extension, given permission to access your page, can do anything.
A code injected as a <script> tag from a content script into the DOM will execute regardless of your CSP in the context of your page, will full access to your JS context.
That is not to even to mention chrome.debugger API.
So no, you cannot secure your client-side data from extensions that user consented to run on your page, just as you can't secure your data from the browser itself.
I'm not very familiar with browser extensions and before I begin to deeply explore them I have a few questions.
Let's say the extension injects JavaScript in the current website the user is visiting (if that's even possible). That injected JavaScript code will get, let's say the current URL for example purposes, and send it and store it on a database. Next time the user visits the same website, the user will get an extension notification informing that is the second or third or X time he or she has visited the same website.
Now that I have gave you the scenario, is the following possible? Injecting JavaScript from a browser extension to the current visiting website. If so, can I make some AJAX communication with the JavaScript and a PHP server?
Yes, you can inject stuff. See e.g. Insert code into the page context using a content script and How to inject javascript into page, from a Firefox add-on, and run it? or one of the many dupes there likely are.
You can then use whatever communication would be available between the site and a server, e.g. XHR, WebSockets, JSONP.
Please also check the policies of the Chrome Web Store and Mozilla Add-ons site regarding content/code injection and privacy rules. E.g. the Mozilla Add-ons will reject your add-on if you injected remote scripts (meaning code that is not bundled, e.g. originating from e.g. http:) and may also reject your stuff if you track users without prior explicit user consent.
I'm sorry if this is a newbie question but I don't really know what to search for either. How do you keep content from a previous page when navigating through a web site? For example, the right side Activity/Chat bar on facebook. It doesn't appear to refresh when going to different profiles; it's not an iframe and doesn't appear to be ajax (I could be wrong).
Thanks,
I believe what you're seeing in Facebook is not actual "page loads", but clever use of AJAX or AHAH.
So ... imagine you've got a web page. It contains links. Each of those links has a "hook" -- a chunk of JavaScript that gets executed when the link gets clicked.
If your browser doesn't support JavaScript, the link works as it normally would on an old-fashioned page, and loads another page.
But if JavaScript is turned on, then instead of navigating to an HREF, the code run by the hook causes a request to be placed to a different URL that spits out just the HTML that should be used to replace a DIV that's already showing somewhere on the page.
There's still a real link in the HTML just in case JS doesn't work, so the HTML you're seeing looks as it should. Try disabling JavaScript in your browser and see how Facebook works.
Live updates like this are all over the place in Web 2.0 applications, from Facebook to Google Docs to Workflowy to Basecamp, etc. The "better" tools provide the underlying HTML links where possible so that users without JavaScript can still get full use of the applications. (This is called Progressive Enhancement or Graceful degradation, depending on your perspective.) Of course, nobody would expect Google Docs to work without JavaScript.
In the case of a chat like Facebook, you must save the entire conversation on the server side (for example in a database). Then, when the user changes the page, you can restore the state of the conversation on the server side (with PHP) or by querying your server like you do for the chat (Javascript + AJAX).
This isn't done in Javascript. It needs to be done using your back-end scripting language.
In PHP, for example, you use Sessions. The variables set by server-side scripts can be maintained on the server and tied together (between multiple requests/hits) using a cookie.
One really helpful trick is to run HTTPFox in Firefox so you can actually monitor what's happening as you browse from one page to the next. You can check out the POST/Cookies/Response tabs and watch for which web methods are being called by the AJAX-like behaviors on the page. In doing this you can generally deduce how data is flowing to and from the pages, even though you don't have access to the server side code per se.
As for the answer to your specific question, there are too many approaches to list (cookies, server side persistence such as session or database writes, a simple form POST, VIEWSTATE in .net, etc..)
You can open your last closed web-page by pressing ctrl+shift+T . Now you can save content as you like. Example: if i closed a web-page related by document sharing and now i am on travel web page. Then i press ctrl+shift+T. Now automatic my last web-page will open. This function works on Mozilla, e explorer, opera and more. Hope this answer is helpful to you.
I am monitoring browser events such as when a new tab is created. My extension needs to display these browser events in the new tab page.
To make versioning easier I would like the extension to be as dumb as possible. That is, all it needs to do is tell me is that a tab has been created and I need to be able to tell the extension to switch to a tab. Then I do not have to worry about what extension versions people have installed.
The new tab page so far is a redirect to my single-page app hosted on my server.
My options seem to be:
Using custom events to send messages between the content script and embedding page: http://code.google.com/chrome/extensions/content_scripts.html#host-page-communication
This seems like a security risk as the page javascript will also have access to the DOM and hence the messages I am exchanging.
Loading the HTML from server into an iframe, pulling application JS from server and injecting it into the iframe as a contentscript. This allows the app's JS to have full access to the chrome extension API which is what I need.
Another consideration is that my project is currently using RequireJS. For option 2, it seems I won't be able to use this.
Can anyone recommend the preferred option keeping in mind the security risks of option 1?
Will I be able to use RequireJS with option 2?
Is there another way to acheive this?