Microsoft Word download from web server issue - javascript

I am trying to troubleshoot the following issue. A client tried to download a word document and is getting the following error.
Your organization's policies are preventing us from completing this action
for you. For more info, please contact your help desk.
I believe this issue is because of cross-domain javascript. However, the file is being downloaded from a pop-up that doesn't stay on the screen long enough for me to do anything. It is an issue with IE8 / 9.
I can not find which javascript is opening the popup let alone which javascript is being run from within the popup. I am using fiddler to try and view the http requests and that is not helping.
Is there a way for me to debug what is happening within that popup? Is there a way to debug javascript to break on a type of condition being met?
EDIT:
I have tried working on this issue on my local environment and the same issue comes up. The popup appears to first come from the same domain https://company.aj.com, then goes to a different domain https://apps.aj.com and the file is being downloaded from the apps domain.

Related

X-Frame ORIGINS in IFRAME

A while ago I created an application whereby clients connect to a server using WebRTC protocols.
The clients screen is made up of two halves. One half is linked to the server and receieves things like messages, and has the web page which has the WebRTC javascript in it. The other is an IFRAME. When the client connects to the server, the server sends the client a web address which is loaded in the IFRAME.
I know that some web pages cannot be loaded in an iframe, examples typically having password screens. Google forms does not appear to have this restriction, which is great.
So now imagine I launch a server and ask 20 people to connect to it. All 20 students connect to the server properly, I know because it comes up with all their details on my computer. Typically, from my testing, 15/20 will be fine. The other 5 will get a white screen. When I investigate in the console it is an XFRAMES ORIGIN problem, its saying the webpage being loaded will not allow itself to be loaded in an iframe. However everybody else (who are using the same browser [chrome], and some the same browser version) are fine.
Now I have one solution which works for some students, there is a setting in chrome which is called:
block third party cookies and site data
If this is enabled it doesn't work, if its not enabled it does work.
Now I have 4 students left who still just see a white screen whom I have no solution for. Chrome and Firefox both support the software but both produce the same issue.
The building setup is that students connect to the internet through a server. They must connect via this server as my nameserver is not local and indeed my website is not local either.
I dont think it is a coding issue as it only happens on a few select computers and everything else works just hunky dory. Thus I think it might be an issue with something else: firewall, security settings, config button etc. If anybody has any suggestions for what i can do to remedy this then I would be very grateful for your help.
I have tried to supply all info I believe to be relevant (hense the length) but anything I have missed please ask.
Thank you.
Alex
If the main site's URL is different than the iframe's URL, you'll get an xframes origin problem. This includes the protocol (http vs. https) and full domain (example.com vs www.example.com). In other words, if a user goes to example.com and the iframe uses www.example.com it could cause an xframes origin error. Or if they go to http://www.example.com and the iframe uses https://www.example.com you might get this error.
OK so for people who encounter this issue in the future I am going to create an update this post here. Basically it is for people who want an answer to the issue of iframes just displaying a whitepage.
With these three solutions I have eliminated all my issues, but as I come up with new ones I will post them here. Hopefully its useful to somebody :)
SOLUTION 1
If your iframe is aiming somewhere that requires the user to log in, it is unlikely to work. Password pages are rarely cross origin for obvious and good reasons. The solution is to ensure before they use your iframe page they log in fully to what they are doing, or provide an error message that gives them this information if it happens. See this post for details: Catch error if iframe src fails to load . Error :-"Refused to display 'http://www.google.co.in/' in a frame.."
Where I am we had dual login, so they sign into google and then into the organisation. Both these login areas will cause your page load to fail.
SOLUTION 2 (Chrome ONLY)
Some services react badly to QUIC mode, and some of my users have had issues due to this.
To fix:
1. chrome://flags
2. change QUIC mode to 'Disabled'
SOLUTION 3
If you are working via a proxy server that requires cookies, users may have issues if they have the 'Block third-party cookies and site data' button enabled. Disabling this had a positive effect on how well the iframes were working.
In chrome:
Settings
Search for cookies
Click 'content settings'

How to debug when javascript doesn't load

I have 2 sites using the same theme. (http://www.kentishtowner.co.uk and http://here-is.com/kentishtowner-old/ )
They are WP multisite subsites, both using the exact same child theme (same template files exactly).
However, the former website is not loading javascript, causing the masonry layout and mobile menu to not work!
I assume this is something to do with when I mapped the domains, or changed the URL from something like here-is.com/kentishtowner-new to here-is.com/kentishtowner, before domain mapping...
As I am not a JS person, can someone give me some insight as to how I can go about debugging this?
I haven't slept a wink last night and it's now 11am - am getting an hour's shuteye, and would hugely appreciate any responses!
Thanks!
In Chrome's console you'll see
Resource interpreted as Script but transferred with MIME type
text/html:
"http://here-is.com/?dm=c078877dcf0e3101dc20cc337a8e4214&action=load&blogid=13&siteid=1&t=1522670393&back=http%3A%2F%2Fkentishtowner.co.uk%2F".
In fact, further digging shows that here-is.com is returning an empty response to that request.
The page is actually referring absolutely to a number of resources on here-is.com and that works fine when you access it via that domain, but has issues when you access via www.kentishtowner.co.uk. I don't know enough about your setup to say for sure how to resolve it but you probably need to configure the base URL of the project to tell it where it's being deployed, or if you can tell it to use relative links that would work too.
(In Chrome's developer tools you can hit ctrl+shift+F and type here-is.com to see the references)
Browsers have consoles where javascript errors are thrown. They will tell you what error was thrown, and where it was thrown from. Once you know that, you can google around to see if there is anything obvious to fix.
My guess, though, is that somewhere the site that isn't working is trying to use a script that was hosted on the working site. If that's the case, you just need to update the script paths.
--edit--
Fortunately for me (from what I hear), I have never used Wordpress. Unfortunately for you, I don't know how to tell you where the .js files would be located, or how they are organized at all.
I usually debug in Chrome, so this is how you can check to see if your page is able / unable to get an external script.
When you are focused on the page you're having a problem on, hit F12 to open up the dev tools in Chrome.
Click on the Network tab, and then hit F5 to refresh the page.
Click on the Type table header, and look for files that say text/javascript. Those will be the external script files your site is requesting.
Look at the Status column for each of those rows. If it doesn't say 200 OK., then your page isn't able to access the corresponding script.
From there, you would need to find where those scripts are supposed to be located. Once you know that, just find the scripts from the other site, and copy them into the correct location of the broken site.
Good luck!

Relative Links Not working on HTML page

There is an issue I am facing in HTML page.
I have included a javascript code in that page due to which ActiveX warning message is thrown each time the HTML page is uploaded on local system.
To stop this warning being shown to the users, I have used MOTW (Mark of the Web) and included this code snippet at the top of the HTML Page:
<!-- saved from url=(0016)http://localhost-->
This line of code prohibits the warning prompt message.
But now the relative URLs on the page have stopped working.
Please help me find me a solution so that neither the ActiveX warning arises nor the relative links on the page should stop working.
Thanks in advance.
The ActiveX warnings should only arise when you are accessing your site from the local file system, for security reasons. When you access it through a (local or remote) web server the warnings should be gone.
Can you not use Apache (included in XAMPP), or something similar, to serve your pages (even locally, through http://localhost/)?
Edit:
Alternatively, you could disable that particular security setting in Internet Explorer (which I assume you use, because you mention ActiveX). Or you could try a different browser: Firefox, for example, does not have these restrictions.
Have you tried using a <base href="ENETERBASEURLHERE" />

Advert javascript not being served correctly to the browser unless called directly?

I hope this is the right place to ask this question - I did have a look at the rest of the sites in the network but this looked like the most appropriate place.
We are having issues serving third party adverts on our websites. For various reasons our ad setup is a bit complicated - we serve third party javascript tags (AppNexus) through our own ad server (OpenX) through iframes. Currently, the third party javascript tags are not showing correctly, although they have worked just fine in the past.
Debugging this in Safari I have discovered a few things which seem to me to be a bit unusual, and I'm struggling to work out what's going on. Using the web inspector to check the third party's javascript, it appears in the web inspector as a blank file. Additionally, if I check the network tab, the headers are shown and look fine, but there is no 'content' tab with which to check the returned content. The network tab shows the request for the file as complete, and with suitable status codes (200/302):
http://cl.ly/401C1D3Y3u2G2k2k3s0x
However, if I load the file directly in the web browser, it loads fine:
http://ib.adnxs.com/ttj?id=694021&cb=[CACHEBUSTER]&pubclick=[INSERT_CLICK_TAG]
FWIW, the javascript file uses document.write to spit out either an image or another iframe. It's also worth mentioning that there are no related errors in the console - there is one relating to Google Ads, but the problem persists if I load the Ad server's iframe directly without the rest of the site.
Has anyone seen this behaviour before, where a file loads just fine directly, but is (blank / not retrieved / not parsed / whatever's going on) when called as part of another page? If so, would you be able to help me fix this?
Thanks in advance for any help you can give me - I hope this makes some sense and will be happy to provide any further information that might help me get to the bottom of this!
Ollie
I'm guessing that the third party site is filtering output from their servers based on the HTTP referer being sent in the request (a technique employed by many web hosts to thwart hot-linking content). Try putting the link to the javascript file in a clickable link on a web page on your server and click it and then see if it loads or if you get a blank page. You could also try loading a browser extension which lets you forge the HTTP Referer (such as RefControl for Firefox) and then change your refer to be your site instead of the third party's and try pasting in the URL to the browser and see if it loads.
This isn't your fault if it's what turns out to be the actual problem. It's up to the third party to configure their web host to allow for this.

Looking for doc on why IE "yellow bar" shows when opening a HTML file that contains JavaScript

I have a site, from which you can download an HTML file. This HTML file contains a form with hidden fields, which is right away posted back to the site using JavaScript. This is a way of allowing users to download to their own machine data that they edit on the site.
On some machines, you get an IE "yellow bar" when trying to open the file you saved. The "yellow bar" in IE is warning that the HTML is trying to run an Active X (which it is not, there is only JavaScript doing a submit() on a form). However if you receive the exact same HTML file by email, save it, and open it, you don't have this problem. (It looks like IE is putting some more constraint on what can be done in a HTML file you saved from web site.)
My question is: where can I find documentation on this IE security mechanism, and possibly how can I get around it?
Alex
The yellow bar is because your page is executing in the Local Machine security zone in IE. On different machines, the Local Machine security zone might be configured in different ways, so you can see the yellow bar on some machines and not see it on other machines.
To learn more about the IE's URL Security Zones, you can start reading here: http://msdn.microsoft.com/en-us/library/ms537183.aspx
Look here for details on the MOTW - Mark Of The Web
If you add this to your locally served pages, IE will not show the yellow bar.
http://msdn.microsoft.com/en-us/library/ms537628(VS.85).aspx
I am not usre about any specific documnet, but if you open the properties for the file in windows explorer on the general tab is the file blocked? if so click unblock and try again and see if you gte the same issue. This is typical security for files downloaded fom the internet.
Other than that i am afraid i dont know what else to suggest.
I don't 100% follow what your JavaScript is submitting to, but if you're submitting back to the original site from the downloaded copy you'll have a problem using JavaScript as all browsers treat cross-domain JavaScript as a security violation.
JavaScript isn't allowed to read or write to any site not on the current domain
As Franci had said it is becaue you are in the local machine security context and this allows scripts to create objects and execute code that could do harm to your PC. For example you can create a File System Object and perform tasks that an untrusted page shouldn't perform generally because it could be malicious in nature.
Have you tried changing the file name from yourname.html to yourname.hta to see if the security problem goes away?
More on HTML Applications (.HTA files): http://msdn.microsoft.com/en-us/library/ms536496%28VS.85%29.aspx

Categories