Display popup without security warning - javascript

I use Silverlight and I'm trying to get some data to the user side. I can easily display PDF file with an <embed> tag in the browser.
However, I also have to be able to save files form the server. I tried the SaveFileDialog from Silvelright but it doesn't allow setting the file name (which is an issue).
I tried setting a hidden <iframe> source to the URL from the server but that triggers a security warning and it's not good either (there would be too many clueless users calling because it doesn't work).
I tried calling window.open to trigger a new popup set to the URL. That works OK but again there's a security warning.
Is it possible to get rid of that security message? I know it's possible in Javascript.
An exampel is on the site
http://livetecs.com
(go to the live demo, then project manager and open a report in a new window: no security warning!)
How do they achieve that behavior?
If there's any other way to get my reports saved Silverlight I'd be very interested to hear about them.
EDIT: The warning I'm talking about is the Pop-up blocked. To see this pop-up or additional options click here.. banner appearing on top of the page.
Cheers.

There is no way around the pop up blocker when you open up a window without a user action. If there was a way around that, than the pop up blockers would be useless.
Only way to avoid the security message is to have the users add your site to their safe list.

OK, after much fiddling I came accross the Silverlight built-in pop-up window that I couldn't use before.
The only limitation is that it can only be triggered by a user action (which is fine in this context() PopUpWindow at MSDN
It fits the bill perfectly and I couldn't use it before because I wanted to pre-generate the report files before opening the pop-up (and thus I wasn't in a user event context anymore).
I'm going to create a report generation page that will display a status message and then show the report (I haven't worked out yet how I'll do that though).

Related

Ways to notify/alert the user in Firefox's WebExtensions

I'm developing cross-browser extension using WebExtensions API. It's focused on monitoring some HTTP request and blocking potentially malicious ones. I need to get user input for each blocked host (because it could have been falsely blocked and user might want to unblock it right away). Originally I wanted to use popup, but then I found out, that popups are only allowed to be thrown up in User Action event handler, which is a problem, I need to to that independently on the user's action. After that I found second option - the Chrome's notification API. But again, found out, that Firefox does not implement buttons in notifitacions (even though Chrome does). OnClicked event is supported for notification, but that's not enough (mainly because of users accidentally clicking on the notification to close it).
TL;DR - Looking for a way to alert/notify user and get the input from him by clicking on one of two presented buttons. Popups and Notifications does not seem like sufficient way.
Can you suggest ways to implement desired behaviour?
Possible solutions:
1) Injecting content script that implements popup window and communicates via messages with bacgkround script.
2) Simulating animation of extension's icon to draw user's attention.

Is it possible to make custom "allow" popup in browsers like chrome & firefox?

I have website that uses Twilio API to make calls. Each time call is made a popup from google chrome comes up saying "http://www.URL.com/ wants to use your microphone. Allow / Deny". On firefox also it comes up in a dialog.
Is it possible to apply CSS to it or somehow customize the way Allow/Deny popup shows up? Or maybe show another custom dialog that has custom buttons of Allow/Deny and when Allow is clicked somehow triggers browser Allow button?
The whole point of these popups is that the browser is warning the user that the site wants to do something which could have security implications. Being able to modify or supress that popup could stop the user from realising the security implications.
Consider a malicious hacker who wanted to listen in to a user's conversation.
If your request could be done, it would be easy for him to pop up a message saying "This site wants to show you something pretty", instead of "wants to use your microphone". User presses "accept" without realising what's happening, and hacker gets to record all their conversations. Ouch.
The short answer, therefore, is no, you cannot modify these popups, for security reasons.
You might be able to convince the user to hit accept and tick the "don't ask me again" box if the browser provides it, but that's as close as you'll get. You definitely will not be able to get rid of the box entirely, nor will you be able to customise it in any way.
It's worth noting that even native apps on mobile devices give you the same kinds of warnings when you install them, so this isn't a browser-specific thing. If you're doing something that the user might possibly have any reason to object to for security or privacy reasons, then the system will warn them before allowing it.

How can I gently "bust" UIWebview?

Recently, a few developers have started creating apps which do nothing more than point at state-owned content (free, public property) through UIWebViews. This wouldn't ordinarily be a problem, except the apps are all ad-supported and some are even paid. Essentially, they're making money on state-owned content.
My question is this: how can I force the site to open a new Safari window rather than display in the UIWebview (which is wrapped in their app's branding)? I am able to detect UIWebview using the following, but am unable to do anything besides simply hide the content. I'd prefer it to provide a link to our content which then opens in Safari.
This is how I'm detecting UIWebview:
var is_uiwebview = /(iPhone|iPod|iPad).*AppleWebKit(?!.*Safari)/i.test(navigator.userAgent);
unfortunately its fairly trivial for a developer to force the User-Agent string to anything they want, so your attempts to thwart these developers might only be temporary. You can't force your content to be viewed in a browser. A user could use a tool like CURL to view your content also...
Once you detect that you're in the UIWebview, you need to fire a window.open() to put your content in a fresh window.
This talks about some quirks that make it a little tricky (but not impossible): Opening popup links in UIWebview. Note that the question there is the reverse of yours, but the accepted answer does show how to get UIWebview to pop a new window via Javascript.
This has been a concern ever since the Web began. You can't stop people from scraping your content, but you can make it hard to reframe it.
Edited to add
Unfortunately for you, the app can intercept window.open(): UIWebView respond to Javascript calls
I suppose you could always give up and show a banner that says something like "you paid for this data with your taxes, you shouldn't pay for it again with ads. Just open a browser and go to ... "
You can find out if it is a WebView or Mobile Safari, as seen in this thread. The problem is, that you could only open Safari via a custom URL scheme, but think, only http://, https:// etc. work. Even if there would be something like safari-http://, the programmers of the apps with the UIWebView could catch that request and redirect it back into the web view. So, I'm sorry to say: That's not possible.

Why would IE7 ask my approval( the user) when there is a window.prompt?

I have in my code a window.prompt, which should stop the flow of the code until user put in some value.
Of course IE7 try to protect me from myself and instead of showing the prompt it shows the security tab (top of the page where it alerts to the users that a script wants to open a window).
What is even worse is that the prompt is ignore and the rest of the flow is being done. Regardless to say this can't work as the script is missing data from the user.
What should I do to avoid that security bar, as this script is part of the page/domain.
window.prompt() is no longer usable on the general web for this very reason, since there's no way to get round the security banner in your script. You'll have to use some other mechanism, like any of the many JavaScript UI components that emulate modal dialogs.

Can I use javascript to add a bookmark that is not a http url?

I have this bookmarklet, i.e. it does not start with 'http:' but with 'javascript:'. No issue with that, it works correctly.
The problem occurs when I want to deploy this to users. I'd like to present them a link they'll just click to add to their favorites. Whatever methods I use (examples found on the web, or JQuery with jFav), I end up with a javascript error 'permission denied' when clicking the link, though it works perfectly when the link to bookmark is a classic 'http' one.
I believe that's some security in browsers, but is there a way to avoid this?
It is indeed a security measure. If a user could be tricked into bookmarking and running a javascript: URL, that's pretty much global cross-site-scripting.
About all you can do is present the user with a javascript: link, and ask them to bookmark it via right-click-bookmark or drag-to-bookmarks. You should also write the link out so it can be copy-and-pasted and manually bookmarked, because some browsers won't present right-click-bookmark for a JavaScript link, and others may not have a bookmarks bar visible.
You can ask your users to drag and drop the bookmarklet to the their bookmarks or toolbar.

Categories