finding the URL of the document that loaded the current document - javascript

finding the URL without server activity and
without the func() document.referrer.??
it should be secured.

Over secure connections no referrer header is sent.
Clients SHOULD NOT include a Referer header field in a (non-secure)
HTTP request if the referring page was transferred with a secure
protocol.
Source: http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html (about a third of the way down the page)

Related

Is it possible to remove the port from the origin of an ajax get request?

I'm trying to set up a site to access CORS-enabled data on my server. My server has an access-control-allow-origin header of www.mysite.com, while the request is coming from a source with an origin header of www.mysite.com:444. The request is a GET request that's trying to fetch some data from my server, which has been set up to serve data to a portion of my app running in an iframe elsewhere on the site.
This request is getting blocked, unfortunately. How can I successfully make this request? Is there a way for me to take the port number off of my origin header, or do I need to modify the access-control-allow-origin header on my server? (And if that's the case, how should I go about doing so?)
You can't edit that header on the client side, that would defeat the point of this security header.
Why not just allow www.mysite.com:444 fully on the server ?
All you need is this on the server:
Access-Control-Allow-Origin: http://www.example.com:444

Load external website in iframe but without sending HTTP_REFERER

Is it possible to load an external website in iframe but without sending HTTP_REFERER ? I just don't want be tracked.
If it is possible then how and if not then is there any workaround using divs or anything else ?
For anchor tag with external link jQuery("a").attr('rel','noreferrer'); is working, but for iframe I've failed to make it work.
Is there any script( js or jQuery ) to make it work ?
Here's a very simple solution.
Use this in you document <head> tag and you are good to go :D
<meta name="referrer" content="none">
The meta referrer tag is placed in the <head> section of your HTML,
and references one of five states, which control how browsers send referrer information from your site.
The five states are:
None: Never pass referral data
None When Downgrade: Sends referrer information to secure HTTPS sites, but not insecure HTTP sites
Origin Only: Sends the scheme, host, and port (basically, the subdomain) stripped of the full URL as a referrer, i.e. moz.com/example.html would simply send moz.com
Origin When Cross-Origin: Sends the full URL as the referrer when the target has the same scheme, host, and port (i.e. subdomain) regardless if it's HTTP or HTTPS, while sending origin-only referral information to external sites. (note: There is a typo in the official spec. Future versions should be "origin-when-cross-origin")
Unsafe URL: Always passes the URL string as a referrer. Note if you have any sensitive information contained in your URL, this isn't the safest option. By default, URL fragments, username, and password are automatically stripped out.
Reference: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/meta
I came across this on MDN stating that setting the referrerpolicy attribute to no-referrer would accomplish this.
Example:
<iframe src="https://www.whatismyreferer.com/" referrerpolicy="no-referrer"></iframe>

How does Google sets HTTP Referrer after a search result click

For example, the first search result on this page leads to the older SO question, with the following HTTP request:
GET /questions/4402502/how-does-google-set-the-http-referrer-when-someone-clicks-on-a-search-result-lin HTTP/1.1
Host stackoverflow.com
Referer https://www.google.ru
Note, that:
Only the domain is included in the Referer header, no query string.
Google is open via HTTPS, while SO is open via plain HTTP - nevertherless, the Referer header is sent by the browser.
There are no server-side redirects involved, the first HTTP query to open after the click is to the target site.
The question is, how do they achieve this?
Google makes use of Referrer Policy.
They include the meta tag in the page:
<meta name="referrer" content="origin">
This tells browsers to use "Origin Only" policy, that is, to send domain only information in the Referrer header in any subsequent request.

Cross domain cookie with script tag?

I was working on jsonP to send data from a cookie, from a domain A to a domain B. It works well, but my question is not here. I just realize that if I only put a script tag on my domain B pointing to my domain A, all the cookies of my domain A are set on my domain B.
Example: I put this tag on my domain B :
<script src="http://mydomainA.com/"></script>
Only with that, all the cookies of my domain A are set on my domain B.
My question is, is it normal? I thought cookie need some hacks to be cross domain, but i didn't think it was that easy.
Sorry for my bad english, and apologize if my question is stupid or if it has been asked before.
Thanks in advance.
Cookies are simply headers in HTTP requests. When the browser requests
GET /foo
Host: a.com
it receives a HTML document, which contains a <script> tag hosted on another domain. So it fires another request:
GET /script.js
Host: b.com
Cookie: foobarbaz
and it can certainly append cookies for domain b.com, if any. This means that the last time the browser contacted b.com, the HTTP response contained an header like
...
Set-Cookie: foobarbaz
...
and so subsequent requests to the same domain will maintain the session. When the browser requests another resource to a.com such as
GET /bar.jpeg
Host: a.com
the cookie foobarbaz set by b.com will not be sent along with the request, so the scripts on a.com don't have access to data from b.com.

Load an external html to string in javascript

Is it possible to load for example google.com to a javascript variable?
var html = "the html of google.com"
Is this possible?
Update:
What about in an air application?
Not unless you send the source from the server.
From javascript, it will violate the Same Origin Policy. You can send the request, and you'll get a response, but the response will be empty.
If it's a page in the same domain you're in, then yes. Otherwise, not without some special URL provided by the target domain that sends you pages based on some form of special request.
You can always have your own server fetch the page and forward it to your client.

Categories