Harden url passing to another page using parameter - javascript

i want to pass parameter to another page through iframe
example
<iframe src="http://otherserver.com/page?user=user_id"/>
rather than passsing user= id this way, is there any technique so that user will not aware of user=user_id ?

What you could probably do is to load a dummy page to that iframe and then load the correct page using JavaScript. You could use POST request to hide the parameters from the URL. However if a user wants to find what exactly you are posting he can always see that from your JS, although it won't be as obvious as checking iFrame's src attribute.

Related

Set php variable depending on where page is loaded from

I have two ways to get to my chat.php page.
One way is via profile page link and the other is via the menu.
My question is, how can I know in chat.php, where the page is loaded from?
I understand require this information using javascript, if it is the case use referrer
const referrer = document.referrer;
MDN
The Document.referrer property returns the URI of the page that linked
to this page.
Document.referrer

implement post url in IFrame

How can I make a POST request to some URL (see my code below) in Javascript ?
My code so far doesn't work and I actually need to put it into an iFrame (having its with and height set to 0) to prevent the main page to reload.
$(document).ready(function(){
$("button").click(function(){
$.post(
"http://control.msg91.com/api/sendotp.php?otp_length=4&authkey=xxx&message=Your OTP is ##OTP##&sender=OTPSMS&mobile=xxx&otp_expiry=2"
, function(data){
alert(data);
});
});
});
If you want to use an iframe, then do not use XMLHttpRequest (NB $.post is a jQuery that wraps around XMLHttpRequest).
Create a <form>. Set its action to the URL. It's method to POST and its target to the ID of the <iframe>.
Put the data in that form. Then submit it.
If you want to do this entirely with JavaScript, then you can create the form using DOM and with entirely hidden inputs so that nothing shows up in the existing page. Ensure that you append the form to the document as some browsers will not let you submit forms that aren't part of the document.
That said, since you want an iframe with no dimensions, it seems odd to want to use an iframe at all.
You might be trying to work around CORS limitations, but you should be able to use the code you are using to make a request successfully. You just won't be able to tell if it was successful or not (because the restrictions are on reading the response). If you used an iframe, you would have the same limitations.
If you want to suppress the error message that is shown in the console, you could use fetch with mode: "no-cors". You still wouldn't be able to read the response though.
Make sure you are not hitting an issue with CORS. Unless the resource you are hitting allows exceptions to the cross-origin policy, you will not be able to access it if your webpage is not located on control.msg91.com.

How can I pass my referrer from current page to iframe without using php?

I have an iframe in mysite.com/folder/file.php
The iframe is an html page from a subdomain and I want to block all referers except the current page it's embeded in (mysite.com/folder/file.php)
What's the best approach to this, using javascript ?
I tried to define rules in Nginx but the problem is the headers always show subdomain.com as the referer instead of showing current page.
The nginx approach could work. There is an nginx module which can filter by referer.
But the docs for that module state that the header is unreliable. It can be easily modified to show incorrect information by hackers.
But the DOM in the iframe'd html page should give you access to the 'parent' object.
That object could then be used to obtain information from the parent page like url or even some custom data you could set in the parent page.
I am not a javascript expert but I think this is the better approach.

How to manipulate the URL with Javascript and JQuery?

I want to make a page with a lot of Javascript interactions. However, while a user navigates through the page the URL must change too. So, when the user shares the URL or saves it, it can lead him to the actual state he was.
How can I do that?
Examples:
myapp.com/page1
myapp.com/page2
pushState, as seen on github
Answered by this SO question: Change the URL in the browser without loading the new page using JavaScript
The only part of the url (or location) that you can change without reloading the page, is the hash. That is the part behind the #. Many ajax enhanced applications make use of this, including Twitter. You can change this hash on the go, and interpret the hash tag on page load to initialize the page to the correct state.
Set this value: window.location.href
window.location.href = "myapp.com/page2";

Passing form params through iframe with javascript safe?

Background: I have written a bookmarklet (JavaScript) that appends an iframe to the current page you are viewing. This iframe's src attribute is pointing to a form back on my (rails) application. I need to pass a key into the form (from the bookmarklet) by either modifying one of the values of the input fields or by passing the value as a parameter at the end of the url calling the form action.
I don't really see a way how to do the former, and the latter seems like a security catastrophe waiting to happen. I was wondering what the best practice would be here?
Appending a query string parameter to the URL seems reasonable, but you're correct - there are security implications. The value will appear in the user's browsing history and it'll be visible over unencrypted HTTP (but not HTTPS).
There's another Javascript-based way to do this that's not yet widely supported, but is worth considering - window.postMessage. It allows pages at designated domains to send and receive messages using a familiar event-based model. See https://developer.mozilla.org/en/DOM/window.postMessage.
This sounds fairly similar to the AJAX framework I made using iFrames. The easiest way is to have your bookmarklet build up a query string and put that on the iFrame's src. If you need to change anything, you should be able to set the iFrame's src to "#param=value" and have the page in the iFrame register the onhashchange event to deal with it (this would be how you could go about the former)
So your code could either be:
var iframe = document.createElement('iframe');
iframe.src = "http://example.com/mypage?param1=value1&param2=value2";
document.body.appendChild(iframe);
and/or:
iframe.src = "#param1=value1";
// This in the iframe:
document.onhashchange = function() {
// parse location.hash and process form
}
A number of schemes pass secrets in the fragment portion of the URL and then, as then, early in the page load, store it and set the fragment to blank. I think webkeys do this.
On the webkeys page, see specifically
Putting the unguessable permission key in the fragment segment produces an https URL that looks like: https://www.example.com/app/#mhbqcmmva5ja3.

Categories