I have a service that I provide to different websites. For the website to use the service they implement a javascript that triggers a lightbox with a iframe in it.
The problem is I don't want any website to be able to use the service/iframe. Is there any way I can authenticate the websites using the iframe?
The way I see it, a random website can just take the javascript from a website using the service/iframe and implement it on it's own website.
Authenticating the actual users inside the iframe is no problem, there will be a login form and a register form. It's just the websites using the iframe I want to identify and authenticate.
Any suggestions is appriciated!
You could check document.referrer in JavaScript, and if the referring domain is not within a whitelist you provide (or the referrer is empty), don't display content at all.
But we all know how unreliable the referrer is, and it might exclude users even under wrong conditions.
Another way would only work it the sites embedding your iframe have server-side scripting and so can calculate some kind of hash - f.e. the hash of the current date and a secret keyword - and pass it as a GET parameter in your iframe URL. In your script, you check if the given value is the same as the hash you create with the same data - and display content based on that or not.
Using the current date could be problematic though if time zone settings for your server and the other site are different, and it might also break when a user calls the page around midnight. To prevent such problems, you could have the remote sites include the unix timestamp value used to create the hash as GET parameter as well - then you can check if that timestamp is not to old, and create the hash with that exact value. (Then other sites might try to just copy the parameters and use them on their page as well, but it will only work for a small time window.)
Related
I believe it should be possible to retrieve information from another page as long as it's from the same domain right? There are some information that I would like to retrieve from this page, and to display it on another Wikia page. (So that the information can update on its own regularly).
Unfortunately, I cannot identify which specific id do I need to retrieve on the Wikia WAM page. I simply don't know how to retrieve the Rank/WAM Score information. Since the WAM Score/Rank updates regularly, the arrow image also changes depending on whether you rose or descended in your rankings. This is why I would like to pull the data from the page so that it can update regularly without having to do it manually.
Is there a way to do this using javascript?
P.S. I apologize for the inconvenience, and to have asked without much knowledge on programming (I only know basic javascript).
I believe it should be possible to retrieve information from another page as long as it's from the same domain right?
The same origin, which is about more than just domain. This is defined by the Same Origin Policy.
The two pages you asked about are on different origins, http://www.wikia.com and http://asphalt.wikia.com, because the hosts are different even though the TLD is the same. So you won't be able to use ajax to retrieve information on one from the other unless the one you're trying to get the information from shares it with the one you're trying to get it on via Cross-Origin Resource Sharing and you're using a browser that supports it.
If it does support CORS, yes, you can use ajax to query the content of the page, parse it, and extract the information you need.
If not, you might look at using YQL as a cross-origin proxy. Basically that's calling a Yahoo service that uses a server to get the page (so the SOP doesn't come into it), parses it for you, and lets you query against the parsed results.
When I am using iframes or frames (older sites), as a extra security precaution I use the JavaScript function:
<SCRIPT LANGUAGE="JavaScript1.1">
if (top == self) self.location.href = "../index.cfm";
</SCRIPT>
then another hidden check to see if the page is being called correctly....
<cfif (HTTP_REFERER DOES NOT CONTAIN "referer_page.cfm")
<cfabort>
</cfif>
It works great to keep visitors (hackers?) from opening and/or trying to post to the page.
The problem is that the JavaScript displays in source code and the less they know...
I know the JS is client side but is there anyway to create the function in the server side CF or otherwise hide from prying eyes?
I a running cf9 on my and most of my client sites.
Thank in advance
No, it is not possible for any server side language to tell if the client that requested a page intends on displaying it inside of a frame. The only way to tell that is to ask the browser once your page reaches it.
What's the concern with the Javascript being visible?
There is literally nothing you can do to permanently avoid clients from seeing your source HTML and/or Javascript. Any attempt at security on the client side is in the end futile. You will keep out casual (i.e. non-web developer or programmer) users, but that is all. Anyone with a rudimentary knowledge of HTML and access to Google (or Alta Vista or ask jeeves for that matter) will be able to circumvent your barriers.
The use of HTTP_REFERER is suspect here as well (I know I know... I'm a negative Nellie :). That CGI var is dependent on the browser and web server working together. It will not be reliable overall because it is dependent on the client side. Someone up to no good will have no problem circumventing your barrier by simply constructing requests with the appropriate referrer.
If you want server side security then you are forced to use some form of authentication and session. This is a growing field what with oAuth and the use of Google, FB, Twitter etc as federated authenticaiton services. But plain old usernames and passwords tied to login sessions works too :)
To be clear, #Luke is saying that some users properly using your site, viewing iframe content, may have problems if they have a security setting, like an anonymity program, blocking their data, like cgi variables.
The only real solution is proper authentication and filtering on every page. If a list shows content for a user and loads details into an iframe, the iframe's page must also check that the user has access. At that point, it doesn't matter if they can get at the url.
For instance, if you get a list of user images like this.
<cfquery name="getImageList">
select imageid,imagefilename_mini
from images
where userid = <cfqueryparam value="#session.userid#">
</cfquery>
Which loads an iframe to load full sized images, you still need the and subclause
<cfquery name="getThisImage">
select imagefilename from images
where imageID = ...
and userID = ...
</cfquery>
That way, even if someone changes the image id in the url, it still only lets them see content bound to the userID.
Also, modern browsers make altering the source of a live page all too easy. I don't mean that browsers can alter the server side file, I mean that contents of the DOM as delivered to the browser. It's an incredibly useful tool for developing and debugging, but it does make mischievous/malevolent activity easier.
In chrome and firefox, you can inspect an element, change the attributes and the page will change before your eyes. Here, that works for iframe src's, so it still is within the DOM it expects to be in.
You should regard client side UI as how you'd like the page to be presented, and the way it works best but use server side safeguarding (proper validation) because it's too easy to get around client-controlled data/elements.
I have a web app that has a conversion tracking feature to determine if an activity "A" performed by a website visitor causes them to take action "B".
This conversion tracking works fine if the tracking is all on one domain. Where it breaks is if that happens across two different domains.
This tracking is currently done by storing a 1visitorId1 in HTML5 localStorage (though the solution doesn't have to use localStorage). Then I retrieve that visitorId from another domain... I just need a way to store a recoverable piece of data across two domains.
The conversion tracking is enabled via a JavaScript embed. So my customers will take a JS code snippet and paste it into the page where they want to track the conversions. This is where the problem arises, as I have no control over where they will be embedding this JS snippet.
I hope I've made the problem (and the needed solution clear), if I haven't please leave a comment.
Thanks all! I really appreciate the help from everyone in the StackOverflow community, you guys are all awesome :)
If you have power over both websites, then it's fairly easy (but it might not be the best solution).
If the user is allowed to see the ID, then simply add a GET variable to your URL and redirect the user there. E.g: domain2.com?visitorId=1234
Check this out on reading the variable: http://papermashup.com/read-url-get-variables-withjavascript/
not sure if this will result, but you could try this:
Domain B is where you have created a cookie or localStorage
From HTML in Domain A you will have an iframe pointing to some HTML page of Domain B, wich will be in charge of retrieving the desired cookie.
Then, you could use a postMessage library (like described in here: http://www.onlineaspect.com/2010/01/15/backwards-compatible-postmessage/) to communicate iframe and your current page.
In that way you could have a listener in Domain A to listen for a function on Domain B where you will be passing the cookie or localStorage data.
Hope this aproach helps you. I repeat this is a suggestion. I have worked with postMessage and it works great!
This may be a bit of a tricky one (for me at least, but you guys may be smarter). I need to capture the timestamp of exactly when a reader clicks a link in an email. However, this link is not a hyperlink to another webpage. It is a link formatted as a GET request with querystrings that will automatically submit a form.
Here is the tricky part....The form processing is not handled by PHP or .NET or any other server side language. It is a form engine that is hosted and managed by a cloud based marketing platform that captures and displays the form submission data (So i have no access to the code behind the scenes).
Now, if this wasn't an email I'd say it is simple enough to just use Javascript. However, javascript doesn't work so well with email, if at all (I'm just assuming there are some email clients out there that support javascript).
How would you go about capturing the timestamp for when the link is clicked without using any type of scripting? Is this even possible?
The best solution i could come up with was to have the link point to an intermediate page with javascript to capture timestamp and then redirect to the form submission. Only problem with that is that it will only capture timestamp of page load and not of the actual click activity.
There is no way to do what you want "without any type of scripting". If no scripting is done, no functionality may be added or changed.
The best option is the very one you suggested: use an intermediary page that records the request time. Barring unusual circumstances (such as a downed server), the time between a link being clicked and the request reaching the server will be less than 1 second.
Do you really need a higher resolution or accuracy than ~1s? What additional gain is there from having results on the order of milliseconds or microseconds? I can't imagine a scenario in which you'd have tangible benefits from such a thing, though if you do have one I'd love to hear it.
My initial thought was to say that what you're trying to do can't be done without some scripting capability, but I suppose it truly depends on what you're trying to accomplish overall.
While there is ambiguity in what you're trying to accomplish from what you have written, I'm going to make an assumption: you're trying to record interaction with a particular email.
Depending on the desired resolution, this is very possible--in fact--something that most businesses have been doing for years.
To begin my explanation of the technique, consider this common functionality in most mail clients (web-based or otherwise):
Click here to display images below
The reason for this existing is that the images that are loaded into the message that you're reading often come from a remote server not hosted by the mail client. In the process of requesting that image, a great deal of information about yourself is given to that outside server via HTTP headers in your request including, among other things, a timestamp for the request. Thus the above button is used to prevent that from happening without your consent.
That said, its also important to note how other mail client providers, most notably gmail, are approaching this now. The aforementioned technique is so common (used by advertisers and by other, more nefarious parties for the purpose of phishing, malware, etc) that Google has decided to start caching all mail images themselves. The result is that the email looks exactly the same, but all requests for images are instead directed at Google's cached versions.
Long story short, you can get a timestamp to note interaction with an email via image request, but such metric collection in general, regardless if its done in the manner I've outlined, is something mail clients try to prevent, at least at some level.
EDIT - To relate this back to what you mention in your question and your idea of having some intermediary page, you could skip having that page and instead you would point an image request towards a server you control
is there a function in ColdFusion that detects whether or not a browser window is the top window? (Similar to (if (window == window.top)) in JavaScript)
The reason I ask is because I would like to make certain page elements present when the page is directly accessed by the user, and not present if my page is iframed.
CFML code runs on the CF server, whereas any considerations about browser windows obviously run on the client. CF is completely unaware of the UI configuration of the client system, all it sees is "a request". Indeed the requests don't even come from the client, they come from the web server which acts as a go-between for CF-serviced requests: CF has no interaction with the client itself.
The only information the web server gives to CF that in any way relates to the client browser is some of the stuff in the CGI scope, and obviously that's limited. And none of it relates to the configuration of browser windows / iframes.
You will need to solve this with Javascript (which I will add to the tags of your question).
To trigger different code to execute on CF given a certain browsing situation, you are going to need to use Javascript to add some information to the request to identify the situation to CF. This could be adding a parameter on the query string, or something like that.
If someone was 'wrapping' one of my products I'd want to know who and how so I could improve the experience for the user and the site owner. With that in mind, what I would do is automatically break out of any frames by default. I would then create a simple api and provide instructions to other webmasters on the proper way to include your content. Display different content once you've determined if your content is PROPERLY being included in another site. For webmasters that want to include your content:
Provide recommended height/width for the iFrame so you can
include your logo or ads with the content.
Provide anything you want them to include in the query string to help track usage.
You could even add fun stuff to your api to make your content look more integrated into the including website like reacting to url.bgcolor or url.bgimage.
You could go as simple as looking for and recording the value of some url variable like url.remoteSiteAddress or as complicated as registering the site and providing unique key. Of course there are other considerations to take into account to enforce the key. Being that you don't really care that the content is being displayed on a remote site, I suspect just recording a simple url variable is more your speed.
If a different website is putting your page in an iframe on their website, then you could use the CGI.HTTP_REFERRER variable to check if the website domain is yours or not, and load content as desired.