is p3p response information accessible from javascript? - javascript

As I understand, the webserver will send p3p information to the browser, but will the browser then present that data to the javascript engine via some API?

No -- P3P information is not exposed to JavaScript, and generally has very little effect on browser behavior in general, other than a few weird edge cases on MSIE.

Related

Delphi TWebBrowser JavaScript Errors and Cookies

I have been stuck on this for a couple of weeks now and this is a follow on from SO question Delphi REST Debugger Returns Error 429 Too Many Requests but Browser Returns JSON as Expected
I was wanting to get the content of a url response using the TNetHTTPRequest and TNetHTTPClient components. I was continually getting 429 errors “too many requests”. When using Firefox Inspect Element to look at network and storage, I discovered that I needed to receive cookies and then send those cookies with my request. Unfortunately, one of the cookies essential to the website content seems to be dependent (I think) on the execution of javascript. I went back to first principles and dropped a TWebbrowser on a form (VCL) and sure enough browser shows a javascript error “Expected Identifier”.
When I use the TWebbrowser in FMX it does not throw an error it just does not return the website contents at all and remains blank. I need FMX as I will be in a cross platform mobile environment.
The URL is https://shop.coles.com.au/a/national/home
I use Delphi Community Edition 10.3.3 Rio.
The URL returns perfectly in commercial browsers Firefox, Safari, Chrome and even CEF4Delphi. Unfortunately, I can’t use CEF as I need cross platform.
I would like to know how to get the website content returned to the browser (or even better NetHTTPClient) without script errors and how to access the browsers current cookies.
Any help will be most appreciated.
Thanks,
John.
URL returns perfectly in commercial browsers ... without script errors and how to access the browsers current cookies
If you'd inspect the network traffic (F12 > Network, then requesting your URL) or use uMatrix (to block everything that doesn't belong to the domain by default) you'd see the JS does at least one XHR to amazonaws.com. Your HTTP transfer alone (as done by TNetHTTP*) works fine and you get the same resource that each internet browser gets.
However, you don't operate with what you got (in contrast to the internet browser, which also automatically parses the HTML, sees JS resources, and executes them). TWebbrowser does not what you take for granted most likely due to security settings (try to get an error console in there, preferably F12 again). You need to do the same: parse the HTML resource for JS URIs, requesting those and executing what you get, while still providing the same cookie environment.
For executing JS you could use Chakra or mORMot or BESEN. It's challenging at first, but the more you understand about HTTP (including cookies) and a JS engine, the more you'll see why "things work" in one situation and not in another. There's a reason why an internet browser is a very complex software and not just a downloader.
As per this forcing IE11 Quirks mode might cure your problem already when using TWebBrowser:
TBrowserEmulationAdjuster.SetBrowserEmulationDWORD(TBrowserEmulationAdjuster.IE11_Quirks);

How can I send character to usb port?

Is there any way to send ASCII symbol/character to USB via webpage (HTML)?
We have a local PC with a webpage running in kiosk mode. The webpage have a button that should send that symbol/character to USB. How it can be done?
Thanks for any help.
No.
Code running in web pages is sandboxed and has no direct hardware access in general and definitely no direct USB access.
It may actually be possible, though only by using an experimental feature that's only available in some browsers.
More specifically, there exists a draft specification of the WebUSB API which aims to give access to USB devices from the browser, albeit with some limitations for security reasons. For instance, Chrome requires the page to be served over HTTPS.
This feature is currently implemented in newer versions of Chrome and, according to MDN, Opera.
There is some more information about it on Google's blog.
Question is:
Is there any way to send ASCII symbol/character to USB via webpage
(HTML)?
I don't know if Electron Apps is what you call a webpage, but it is to me. If Electron App enters your usecase, you can access the NodeJS API, and therefore your machine.
This could be the answer you are looking for, if the only limitation you have for your question is the use of web languages (HTML, CSS, Javascript). If your limitation is give access to the world through a classic web browser, as #Quentin sayed in his answer, it is not possible.
Thanks god it's not possible.

Ignore X-frame-header using javascript

I would like to ignore X-frame header on my website so that iframe can load external websites. There are chrome extension like
this one which works perfectly. How can I implement same concept through javascript?
You can’t use frontend JavaScript code running in a browser to cause the X-Frame-Options response header to be ignored. X-Frame-Options is a security feature designed in part as a defense against clickjacking attacks. If any site could just use some JavaScript code to cause browsers to ignore X-Frame-Options, that would pretty much make it completely useless.
That’s the reason why the only way you can cause it to be ignored in your own browser is by intentionally opting-in to insecure browsing by installing an extension as mentioned in the question.
But you can’t use JavaScript to force insecure browsing on other users by bypassing security features like X-Frame-Options that browsers have built-in support for.

what is the Difference between Cross Browser/site/Domain scripting?

Today i got confused when i was asked What is Cross browser scripting. Here as per my understanding Cross browser Scripting is related to Browser compatibility, Cross Site Scripting is related to java-script hacks & Cross Domain Scripting is related to Ajax calls.
I tried to google it also but not getting clear concept of cross browser scripting.
Please help me to understand the difference.
If a script is cross browser, it works comparably in all browsers. JavaScript engine in different browsers tend to vary in some minor details.
Cross domain scripting is either an attack that tries to hijack user sessions (malicious) or it's a way to communicate with another domain. Cross Domain Scripting aka Cross Origin Resource Sharing is quite tricky to set up.
"Cross-browser Scripting" is a somewhat archaic term (you'll see the article linked is dated 1997) meaning writing scripts that work across browsers. More recently this is usually called "browser compatibility".
"Cross-site Scripting" is a type of attack that involves making malicious scripts a part of someone elses page in order to deliver some payload that compromises their visitors.
"Cross-domain Scripting" is generally synonymous with "Cross-site Scripting".
If you have a cross-site scripting attack that works across all browsers, you might be inclined to call it a "Cross Browser Cross Site Scripting" attack, or XBXSS.

Replace remote JavaScript file with a local debugging copy using Greasemonkey or userscript

While debugging a client app that uses a Google backend, I have added some debugging versions of the functions and inserted them using the Chrome Developer Tools script editor.
However there are a number of limitations with this approach, first is that the editor doesn't seem to always work with de-minified files, and when the JS file is 35K lines long, this is a problem.
Another issue is that all the initialization that is done during load time, uses the original "unpatched" functions, hence this is not ideal.
I would like to replace the remote javascript.js file with my own local copy, presumably using some regex on the file name, or whatever strategy was suitable, I am happy to use either Firefox or Chrome, if one was easier than the other.
So basically, as #BrockAdams identified, there are a couple of solutions to these types of problem depending on the requirements, and they follow either 1 of 2 methods.
the browser API switcharoo.
The proxy based interception befiddlement.
the browser API switcharoo.
Both firefox and chrome support browser extensions that can take advantage of platform specific APIs to register event handlers for "onbeforeload" or "onBeforeRequest" in the case of firefox and chrome respectively. The chrome APIs are currently experimental, hence these tools are likely to be better developed under firefox.
2 tools that definitely do something like what is required are AdBlock plus and Jsdeminifier both of which have the source code available.
The key point for these 2 firefox apps is that they intercept the web request before the browser gets its hands on it and operate on the other side of the http/https encrpytion stage, hence can see the decrypted response, however as identified in the other post that they don't do the whole thing, although the jsdeminifier was very useful, I didn't find a firefox plugin to do exactly what I wanted, but I can see from those previous plugins, that it is possible with both firefox and chrome. Though they don't actually do the trick as required.
The proxy based interception befiddlement This is definitely the better option in a plain HTTP environment, there are whole bunch of proxies such as pivoxy, fiddler2, Charles Web HTTP proxy, and presumably some that I didn't look at specifically such as snort that support filtering of some sort.
The simplest solution for myself was foxyproxy and privoxy on firefox, and configure a user.action and user.filter to detect the url of the page, and then to apply a filter which swapped out the original src tag, for my own one.
The https case. proxy vs plugin
When the request is https the proxy can't see the request url or the response body, so it can't do the cool swapping stuff. However there is one option available for those who like to mess with their browser. And that is the man-in-the-middle SSL proxy. The Charles Web HTTP proxy appears to be the main solution to this problem. Basically the way it works is that when your browser makes a request to the remote HTTPS server, the ssl proxy intercepts the request and from the ip address of the server generates a server certificate on the fly, which it signs with its own root CA, and sends back to the browser. The browser obviously complains about the self-signed cert, but here you can choose to install the ssl proxy root CA cert into the browser, befuddling the browser and allowing the ssl proxy to man in the middle and make replacements and filters on the raw response body.
Alternative roll your own chrome extension
I decided to go with rolling my own chrome extension, which I am planning to make available. Currently its in a very hardcoded to my own requirements state, but it works pretty good, even for https requests and another benefit is that a browser plugin solution can be more tightly integrated with the browser developer tools.

Categories