I have an FPGA that is hosting a website with an html and javascript front end and a C backend (ugh).
Is there anyway to send a file from the C backend to the client? I'm talking to the backend via an html form (since the back end is hosted on an FPGA I'm unsure how it will handle AJAX).
Some tricky points, the website is hosted in read only memory (hence the desire to send the client a file).
I'm going nuts, is this impossible?
No, this is possible. You just need to ensure the relevant HTTP headers are set in the GET response. Specifically Content-type and Content-Disposition. e.g.:
Content-type: application/pdf
Content-Disposition: attachment; filename="downloaded.pdf"
It is certainly possible via CGI, see for example: http://www.cs.tut.fi/~jkorpela/forms/cgic.html
Related
Is it possible to create a download link for a remote file in plain HTML, or with JavaScript or jQuery?
The download attribute doesn't seem to work for remote files in Chrome 73 or Firefox 66.
<a href="//amazon.com/ads.txt" download>ads.txt</a>
No, the file URL must be on the same domain as the containing document, unless it's a blob: or data: URL:
This attribute only works for same-origin URLs.
Although HTTP(s) URLs need to be in the same-origin, blob: URLs and data: URLs are allowed so that content generated by JavaScript, such as pictures created in an image-editor Web app, can be downloaded.
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/a#Attributes
As far as I know it's not possible. I would recommend using some sort of proxy-script on your server to overcome the cross-domains issues, like a simple PHP script. You can check referrer, add custom headers for content disposition etc
You can't do this client side.
The server hosting the resource you want to download can provide a Content-Disposition response header which will trigger a download.
Content-Disposition: attachment; filename=ads.txt;
How can I download an XML file when I call a REST endpoint (which responds in XML format) with AngularJS?
So the flow is simple, I have created a button on the UI which makes a call to a REST endpoint (which has a response in an application/xml format) and its response should come as a download on the UI.
If I understand the question correctly (use the browser's download functionality when the user clicks the link), then this is not a question about angular really.
In order to cause a file to download you need to do two things:
Attempt to navigate the browser to the URL that returns the XML (i.e. don't make an AJAX request for it).
e.g. <a href="http://myserver.com/my/REST/endpoint>Click here</a>
Ensure the XML content is being served with headers that would force a download. If you don't do this, the browser may attempt to render the XML itself rather than downloading it. You could try either setting the Content-Type header to be applicaton/octet-stream or look into using the Content-Disposition header:
Content-Disposition: attachment; filename=someFileName.xml;
Forged POST requests can be constructed by untrusted websites by creating a form and posting it to the target site. However, the raw contents of this POST will be encoded by the browser to be in the format:
param1=value1¶m2=value2
Is it possible for untrusted websites to construct forged POSTs which contain arbitrary raw content -- such as stringified JSON?
{param1: value1, param2: value2}
Put another way: Can websites cause the browser to POST arbitrary content to third-party domains?
The POST body of an HTML form’s request is always either application/x-www-form-urlencoded, multipart/form-data, or text/plain as these reflect the valid values for the enctype attribute. Especially text/plain one can be used to form valid JSON data. So form-based CSRF can be used here, however, it requires the server to accept it as text/plain.
Additionally, XHR-based CSRF can be used as the XMLHttpRequest API allows so send arbitrary POST data. The only remaining obstacle with this is the Same-Origin Policy: Only if both have the same origin or your server supports Cross-Origin Request Sharing and allows resource sharing, such valid POST requests can be forged.
Yes!, a POST request is nothing more than text with a specific format sent to a web server. You can use IE or Chrome developer tools to look at what each requests looks like.
So yes, you can create a forged POST request and change whatever you want, however if the request is not well-formed most web servers will reject it.
https://www.rfc-editor.org/rfc/rfc2616
The client side code of a web site would have difficulties to forge a request like that, but the server side code could very easily do that.
As your web site can't tell if the request comes from a browser or a server that behaves just like a browser, the limitations in the browser is no protection.
You can create valid JSON via a regular form post. It's just a matter of creatively naming the form parameters. In particular, parameter names can contain quotes.
http://blog.opensecurityresearch.com/2012/02/json-csrf-with-parameter-padding.html
In the case of pure HTML forms, yes it will always be encoded according to the spec. But there are other encoding schemes such as MIME multipart. There is also the question of Javascript and XMLHttpRequest. Encoding is specifically mentioned in only one case. This strongly implies that there is no encoding applied in the other cases.
Should be done with the site number 1 request to the site number 2. Let the number one site will be localhost, and the site number 2 - the real server on the Internet. At site 2 there is a file result.php, which takes GET-requests:
$var = #$_GET['q'] ;
$s = $_GET['s'] ;
$typefile = $_GET['type'];
If the page result.php make a request, then we obtain the URL: result.php?q=%F4%FB%E2&type=1&search=%CF%EE%E8%F1%EA%21
How better to make a request? Can someone show me some examples to help? For 4 days I suffer, does not realize.
If somewhere is not clear written excuse my bad English with.
I'm assuming you mean with Ajax? You can't make cross-site domain requests through normal ajax due to the same origin policy. As such, a script hosted on localhost, can only make requests to localhost.
Now, you can get around this with JSONP, or JSON with padding. This allows you to append a script file to the dom from any source so the code can execute on your site. Personally, I've actually never used it and I understand you have to trust the origin of the script, you don't want arbitrary code being run on your site.
So in a nutshell, if you want localhost to make a request to 'site-2' you need to host a script on 'site-2' that gets loaded by your localhost and makes the request.
After reading what brad just said, what i would do is to add another chain to the request.
I'll be calling a local serverside script (cross domain proxy) that will request and process the data from the other server.
References
Cross-Domain Proxy
Same Origin Policy
Is there a way to 'force' the browser to download a file instead of opening that?
Download this file
I've tried the method via js using the window.open("file.txt", "Download");
but no success.
Thx.
Updating:
I've done a php file as follow;
<html>
<a href='dl.php?bid=3'>
<php>
$sql="select barquivo from bibilioteca where bid=$_GET[bid]";
$row=mysql_fetch_assoc(mysql_query($sql));
header("Content-Disposition: attachment;filename=biblioteca/$row[barquivo]");
And it download a file "biblioteca_" with 0 bytes.
You should do this server-side.
If you send a
Content-type: application/octet
or
Content-disposition: attachment; filename=file.txt
header then the user will be prompted to download.
Not at the javascript level. You can have a good deal of control on what the user agent (browser) will attempt to do, by changing the the Mime Type of the content served - that can be done from the web server or server side application.
That means, your ".txt" file is sent to the browser with a
Content-Type: text/plain
http header.
If instead it is served with:
Content-Type: application/octect-stream
http header instead, most likely the user will be prompted to save the file
(regardless of the file name or extension)
Can't be done in pure Javascript as far as I know. You have to send the appropriate headers server side.
If you can use Apache´s .htaccess settings (much easier) or PHP (more complicated because you'd have to parse txt files through PHP, or introduce a PHP script to pass through the files), you can refer to the accepted answer given here.
It's up to the server to send the appropriate header.
Content-Disposition: attachment;filename=schmoo.mp3
For those looking to d/l files trhough a link heres the best solution
PHP: Force file download and IE, yet again
by cballou