Is there a way for me in javascript to enable a user to parse a html page as they would see it.
So imagine a button on my website and if they click on it, I get a javascript string which contains the entire html page of e.g. bbc.co.uk, as that user sees it.
Is that possible?
Arbitrary 3rd party websites? No. If you could do that you could read people's bank statements from their online banking, the email from web mail services and so on. This security measure is called the same origin policy.
You can read data from co-operating websites via CORS (for HTTP requests) and postMessage (for frames).
Related
I build an app where user type voucher code into form and then we show them booking widget in iframe (external domain)
My problem is because I don't know does user complete reservation to mark voucher in the database as used.
I know I can't access iframe HTML but is there any way to check when user type something because if type something that means he is on the last step - type personal details.
My question:
Is there any way to find out does user typing something at his keyboard if the form is in an iframe?
I don't want to steal any user data! Is there any other way I can check what happend in iframe? Take Screenshoot option?
Sorry It is not possible,because cross-origin policy.
There are a few alternatives for you. Typically you cannot access the iframe for security reasons, however, if the external domain is owned by you or agrees to cooperate there are ways of making this work.
One option is Cross-window messaging. It allows for you to send messages to the domain and for them to respond. The catch here is that they need to respond and therefore you need them to cooperate. You can read more about it here: https://javascript.info/cross-window-communication#cross-window-messaging
Another alternative is to allow cross-origin iframe elements to be accessed. This can be done with Cross-Origin Resource Sharing (CORS). Again, this is something that the external domain owner needs to implement. You can read more about it here: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
I was wondering if there's a way to add html to a webpage (from another domain) before displaying it in a iframe. Basically my idea is to make a website that allows the user to type in a website and choose or add things to the page, like copy a yahoo anwsers page and still have it function (so javascript and all still works) but the background has changed or a button that does a specific thing to the page has been added in. So far I keep running into cross domain policies and I have no idea how to get round these.
No, you cannot, this will be a massive violation of information security codes.
Imagine if someone could access your code, js and html and just alter it and access your information.
even worse, if you have sensitive information stored in the client code (you shouldn't but lets imagine), everyone across the web will have access to that information.
Displaying the webpage is one thing, you have api's for this sort of things (for example, google, twitter, facebook api's) and you pay for them too.
The reason you are running into cross domain policies is because you are not allowed to make that request. Not by JsonP and not by CORS Requests.
If you want access, look for a proper api.
For beginners, here is the Yahoo Api (Yql)
And here is it's Terms of use
Read them before you continue.
You can't do that because, if you could, an attacker could use this to exploit referred page.
Source: https://developer.mozilla.org/pt-BR/docs/Glossary/Cross-site_scripting
I have a website with a great base for a narrow category of data (such as astronomy). Customers interested in my content and they want me to be given them finished blocks (widgets) to paste into their site. API is difficult for them, they need just finished blocks with specific information.
My question is: Is it possible to display the widgets only on the sites of my customers and how to implement it technically? And if some unknown wise guy copied the widget code to his site, he could not see the widget content.
I understand HTTP_REFERER is not suitable, because it is easy to forge. And what are the technologies? I've heard about software tokens, and the ability to sign requests, but do not know if they are suitable for my situation and how to practically implement it. Please suggest?
If I start to work with my customers, then I shall include them into my database and can be stored there any info, associated with them
I accomplished the task due to HTTP access control (CORS). Widget controller manages external requests via database settings:
Customer ID
Customer date range limit
Customer domains which used for "Access-Control-Allow-Origin" header
So unknown customer couldn't render my widgets on their website even if they copied widget code.
Widget content loads dynamically into client iframe from external JS via ajax request. This ensures asynchronous data loading on customer website, and lets only authorized client with known domains to load widget content
External website A offers a form to be filled out only once. When a user has filled it out, the form will be hidden when he calls the website A again due to cookies.
Now I want to detect whether a user has been on website A. Basically, I think, I need to request website A "in the name of" this user and parse the response.
I tried using embedding, iframe, cross domain requesting, cross domain with proxy server. Either the browser restrictions block me or I can request the website, but with another session!
How can this be done?
Without the co-operation of the other website: it cannot. Browsers are designed to make that sort of invasion of privacy impossible.
If the other site is willing to expose that information, you could use Ajax via JSONP or CORS, or you could redirect to user to a URL on the other site which, in turn, redirects back to your site with a query string that indicates if the form has been filled out.
I have got a 3rd party website, which my customer wants to me to login into in order to download some data periodicaly.
The data is customer specific, and password protected.
I have the username/password, and I have searched for ways to do the login automatically so that I can pull data, but so far with no success.
This is a method that I have tried:
http://crunchify.com/automatic-html-login-using-post-method-autologin-a-website-on-double-click/
When I look into the login page of the website which I am trying to login to (view source), I don't see the login form, but if I click on "inspect element" in chrome on the fields of the page it does show that there is a login form hiding in there.
Any suggestions
Edit:
Here is the website which I need to autologin to: http://portal.dorad.co.il/#/Login unfortunatlly it's not in english. The first field is the username, the second field is the password and the button is the login
Edit2:
Taking pomeh's advice, I was able to find the jQuery code that is being triggerted when the text boxes are being modified. Now I want to run this script manually using element.DomContainer.Eval
(function(n,t){function vi(n){var t=n.length,r=i.type(n);return i.isWindow(n)?!1:1===n.nodeType&&t?!0:"array"===r||"function"!==r&&(0===t||"number"==typeof t&&t>0&&t-1 in n)}function ne(n){var t=li[n]={};return i.each(n.match(s)||[],function(n,i){t[i]=!0}),t}function uu(n,r,u,f){if(i.acceptData(n)){var s,h,c=i.expando,a="string"==typeof r,l=n.nodeType,o=l?i.cache:n,e=l?n[c]:n[c]&&c;if(e&&o[e]&&(f||o[e].data)||!a||u!==t)return e||(l?n[c]=e=tt.pop()||i.guid++:e=c),o[e]||(o[e]={},l||(o[e].toJSON=i.noop)),("object"==typeof r||"function"==typeof r)&&
...
(t=n(this);r=r.not(t),t.removeData(f),r.length||clearTimeout(c)},add:function(t){function s(t,u,e){var s=n(this),o=n.data(this,f);o.w=u!==i?u:s.width(),o.h=e!==i?e:s.height(),r.apply(this,arguments)}if(!u[o]&&this[e])return!1;var r;if(n.isFunction(t))return r=t,s;r=t.handler,t.handler=s}}}(jQuery,this)
I am not sure how to activate it and give it the relevant data.
If you have the right mix of technical requirements then you want Single-Site-Sign-On (SSSO).
Not all of my clients have SSL and I don't want my user name and password on all of their sites. They are however all on the same server. Since my site supports SSL I can log in to my own site securely.
What you need to do conceptually speaking is log the IP of the administrator account along with the data/time stamp. Then if you visit your client's website (again, on the same server) from that same IP you can have your scripting language check the file. I require a short time-span (anywhere between 30 seconds to two minutes tops) and the same IP address. You can add additional technical requirements to strengthen security of course though your options will be limited as the domain name will be different. If the IP matches the criteria emulate the user being authenticated (static obviously since you likely won't/shouldn't have your administrative account information on their site) and you can be automatically signed in.
Maybe you could do this using a web scraping framework like:
Goutte for PHP (https://github.com/fabpot/goutte)
Scrapy for Python (http://scrapy.org/)
node.io for Node.js (https://github.com/chriso/node.io)
request for Node.js (https://github.com/mikeal/request)
WatiN for .Net (http://watin.org/)
In any case, I think a client side solutions will bring a lot of problems to do this. Maybe you can login into it using a form tag which points to the page, but you won't be able to manipulate the page afterwards. Also, you may not be able to use AJAX due to CORS restriction. You could embed the target page as an iframe but you can't either manipulate the page because of differents domains used (you can do that under certains conditions but it's hard to achieve this imho). So a server side solutions sounds better to me.