We are working on using a 3rd party's ActiveX control within a web page. Our page includes JavaScript to access and manipulate the control. Part of the control's functionality requires it to access files on the local filesystem.
If we generate the page programmatically, this functionality fails - the ActiveX control appears unable to access the filesystem. If we take the generated page source, copy it into a static file, and serve that file from the same web server, everything works as expected - the ActiveX control gets the info it needs from the filesystem, and we go merrily on our way.
I have used a JavaScript debugger to walk through the two different pages, and verified that the calls to the ActiveX control have identical parameters. I have verified that both the static page and the dynamic page are listed in the "Local Intranet Zone" in IE so they should have the same security constraints.
I have used SysInternals' ProcessMonitor to see what the ActiveX control is doing in the system, and what differs. Interestingly, when the calls to the control succeed, there are ProcessMonitor traces showing where the control is querying the registry for filenames, and accessing the filesystem. When the process fails, it's not the case that there are failures accessing the filesystem, but rather, the control never queries the registry to find the filename, and never tries to hit the filesystem.
The vendor of this control is mystified, and I've run out of ideas of what to try. Is there something that I ought to be checking? Some difference between dynamically-generated pages and static pages that IE or an ActiveX control might be able to detect, that would cause behaviors to change? The URI is different, the static page has a ".html" extension.... There's not much else that's different, as far as I can tell.
Any ideas would be welcome....
We figured out what was wrong, and effectively uncovered a bug in the 3rd party's ActiveX control.
They have a feature where they can optionally validate the URL of the page on which the control is loaded, or they can configure the control with a wildcard that is supposed to match any URL. The vendor had worked with us and configured the control with the wildcard, and assured us that this could not be the problem.
When we replaced the wildcard URL in the control's configuration with our actual URL, the control started working. As far as we can tell, we were fighting all day yesterday against a bug in the control's wildcard handling.
Related
I am creating a HTML page where I need to display the names of the files present in the specific local folder, example - C:\Users\User1\Documents\folder1 . I tried to write the code in java script but have not succeeded yet. Most of the question threads mention about "ActiveXObject" to be used but that itself does not work for me.
Reference: JavaScript: Read files in folder
Can anyone help me in achieving this?
In general, you can't do that. Web pages do not have access to the local filesystem.
Chrome can access the contents of a directory that is selected using a file input field. However, other browsers, such as Internet Explorer and Firefox, have not implemented this feature at this time, nor is there currently any way to access a directory that was not selected by the user.
In theory, it is possible to read arbitrary files using a signed Java (not Javascript) applet. However, this requires the user to approve a series of extremely scary warning dialogs — and requires Java! — so it's really not a viable solution.
I'm afraid I may be the bearer of bad news for your design: The action you are requesting expressly violates the security model as specified in the File API spec. The client implementation of FileReader() must make sure that "all files that are being read by FileReader objects have first been selected by the user." (W3C File API , 13. Security Considerations: http://www.w3.org/TR/FileAPI/#security-discussion).
It would be a huge security risk of browser scripts could just arbitrarily open and read any file from a path without any user interaction. No browser manufacturer would allow unfettered access to the entire file system like that.
Thinking about it however, if it is all being run locally, you could use ajax to query a server side script that could return the directory you request.
I am creating a HTML page where I need to display the names of the files present in the specific local folder, example - C:\Users\User1\Documents\folder1 . I tried to write the code in java script but have not succeeded yet. Most of the question threads mention about "ActiveXObject" to be used but that itself does not work for me.
Reference: JavaScript: Read files in folder
Can anyone help me in achieving this?
In general, you can't do that. Web pages do not have access to the local filesystem.
Chrome can access the contents of a directory that is selected using a file input field. However, other browsers, such as Internet Explorer and Firefox, have not implemented this feature at this time, nor is there currently any way to access a directory that was not selected by the user.
In theory, it is possible to read arbitrary files using a signed Java (not Javascript) applet. However, this requires the user to approve a series of extremely scary warning dialogs — and requires Java! — so it's really not a viable solution.
I'm afraid I may be the bearer of bad news for your design: The action you are requesting expressly violates the security model as specified in the File API spec. The client implementation of FileReader() must make sure that "all files that are being read by FileReader objects have first been selected by the user." (W3C File API , 13. Security Considerations: http://www.w3.org/TR/FileAPI/#security-discussion).
It would be a huge security risk of browser scripts could just arbitrarily open and read any file from a path without any user interaction. No browser manufacturer would allow unfettered access to the entire file system like that.
Thinking about it however, if it is all being run locally, you could use ajax to query a server side script that could return the directory you request.
I am trying to load another website from a webpage I am running locally. While it does load, I can not seem to reference anything inside. I keep getting
Blocked a frame with origin "null" from accessing a frame with origin "http://theWebsiteImAccessingWithTheIFrame.com". The frame requesting access has a protocol of "file", the frame being accessed has a protocol of "http". Protocols must match.
I get that this is a security feature, but there must be a way to reference the stuff inside if it is loading it anyway, no?
Any help is greatly appreciated!
Edit:
I have created a map of the office I work in, using SVGs, with everyone's information(office location, their photo, extension, etc). We also just got a bunch of IP Phones that are managed and hosted by LightPath. On the webpage they have, it lets us manage our phones and even make them call others(using javascript but I have no idea how since their code is insanely complex).
My plan was that if a user clicked on someone's office, they could then have a button that would ask them to enter their number and pin to log in(how it works on the lightpath website), it would connect their 2 phones. I intended to use their number and pin to log in for them, and have the call connect that way, by just controlling the forms on lightpath's site, while it was in an iframe. This way, they wouldn't see Lightpath's site's clutter(because I could hide the iframe), and it would just get done. Essentially, it would happen as if they had gone to the website themselves and done it that way, except in a much more approachable format, and with less distractions.
LightPath does offer a "call me" feature which creates a dedicated button for calling a specific person, but it creates a token for them, and only that person has the ability to create it, not to mention I would have to enter each persons' unique token into the site, and run the risk of it failing should their extension get changed, or they leave the company. So I was hoping for something a little more dynamic.
This is a security feature from the browsers.
You can't access iFrames which are not from the same origin.
So the file has to be local.
They have to be on the same server. In chrome you aren't allowed to access any other file in the file:// protocol.
So to access remote files you may want to look into other ways of accessing it.
But either way, you need — at least in Google Chrome — to be on the http:// protocol.
I'm an iOS dev looking into some security aspects of a native iPhone app that loads local html pages into a UIWebView (that's the iOS class that give browsers functionality to a native app).
If the app loads a local html file and that file contains a link to an external html file then is it possible for that external file to download a file to the client (another html file or a javascript file)? My knowledge of html/javascript isn't detailed enough in this area.
E.g. If A.html is file physically present on the phone and A.html contains a href to B.html where B.html is on a server then is it possible for B.html (using whatever means) to move a file (C.html or D.js etc.) from the server onto the device?
What you probably mean is : are HTML pages able to download (and potentially execute or overwrite) content/code on the device? I'm just going to assume that in the following.
First, the browser isn't supposed to be able to download anything without the user consent. That's especially true on iOS, where the browser actually can't download anything at all. (Well, you can actually download images by long-pressing on them, but they are only going to go to the Photo Roll. Any other download will just fail.)
HTML pages (and JavaScript, images, ...) are of course downloaded to the device before the browser or UIWebView displays them, but they can't access anything on the filesystem.
What's more, due to the same-origin policy, a web page cannot access anything that's outside of its domain (cross-origin requests allow this, but they require the server to send a particular header).
Say your page is on http://mywebsite.com : you can't make a request to http://blah.org if it's not setup properly, or even (much more dangerous) to file:///etc/passwd (which you have no way to setup properly).
I'm not sure about local pages, but (at least on Chrome on the desktop) local web pages cannot download anything at all.
Of course, all of these are the expected behavior.
There have been cases of vulnerabilities (this one for instance) where Safari allows unprivileged access to the filesystem, but in most cases they have been patched quickly by Apple and you won't have to (and are not supposed to if you want to avoid unnecessary headaches) worry about them.
I am all too aware of the fact that even with the new FileAPI it's not possible to access the local path of a file added using a file input field or drag-and-drop. Whether or not this is good, bad or ugly is not the issue here. According to the FileAPI specs local file access is not to be implemented, and so I'm not holding my breath.
But let's just pretend I'm in a situation with the following fixed parameters:
Developing an HTML5 application only to be used internally at a company
.NET used for backend (needed due to interop with APIs)
Can specify/control exactly which browser and version should be used with the application
Need to access files that are usually located on a network share, but possibly also locally at a user's workstation
And by access I don't mean access file data, but rather be able to relay a file drag-and-drop/select event to some other API by feeding the third party the file's local path, so that the third party can pick up the file and do some sort of work on it. This can be likened to using an input[type=file] field as you would an OpenFileDialog in .NET - i.e. the point is to feed the application a file path, not an actual file.
I realise that out of the box this is probably not possible. But I also think that there must be some sort of solution to the problem.
Some ideas I've been toying with are:
Using browser specific methods for allowing "secure features"
Not sure if possible - tired using some of these features to no avail
Would limit the app to a specific version of a browser as the functionality could potentially be removed in the future
Something like a Chrome extension could possibly do the trick
Using some sort of companion application installed locally on a clients computer that takes care of all on-disk file handling, possibly communicating with the HTML5 client using websockets or the like.
A potentially pretty messy solution
Would probably confuse the users a bit at first
Submitting the selected file data to the server, storing it at specific path and sending this new path to the third party.
Would constitute a lot of sending files over the company network, some 100+ MB in size
Would not be able to do any in-place changes to a file a user has selected
... and that's about it.
Any snazzy suggestions? Wise words? Helpful links? Snarky comments?
Thanks.
Edit: For anyone curious about it, this was very simple using Silverlight as per jgauffin's suggestion below.
From the Silverlight codebehind (using elevated privileges):
private void fileBtn_Click(object sender, RoutedEventArgs e)
{
//prompt file select dialog in Silverlight:
var dlg = new OpenFileDialog();
dlg.ShowDialog();
//call JavaScript method and feed it the file path:
HtmlPage.Window.Invoke("onFileSelected", dlg.File.FullName);
}
You'll probably have to use something that runs in the browser like flash or silverlight.
Since it's an internal app I would use silverlight as everything else is in .NET. It should be enought to only make the file access part in the plugin.
Here is an article about local file access: https://www.wintellect.com/silverlight-4-s-new-local-file-system-support/
does the server hosting the site have access to the network of pc's?
you could just list all the files that way.. build a small ajax script like a file dialog that will have php or whatever sending back the structure
no plugins needed, works on all browsers... :)