there. Am using GWT(2.8) in a production env and we have a requirement to add(vendor service-DOMO reprots) url as an Iframe . I used the below code and its giving me "refused to connect" error in browser, but loading it a new window works fine . Iframe fails due to SOP issue.
protected Widget createWidget() {
final Frame frame = new Frame();
frame.setUrl(domoURL);
VerticalPanel panel = new VerticalPanel();
panel.setWidth("100%");
panel.add(frame);
DOM.setStyleAttribute(panel.getElement(), "backgroundColor", "white");
return panel;
}
I understand that there is a CSP policy issue and GWT/browser is refusing to load the other domain as an Iframe. How do i handle this case ?
How do i whitelist the domain (url) am trying to use it anywhere in GWT ?
I tried the below solutions but it did not help
Added linkers in module.xml
<inherits name="com.google.gwt.core.Core" />
<add-linker name="xsiframe" />
<add-linker name="direct_install" />```
2. Tried overriding the setUrl funtion of iframe.
3.Added csp directives as mentioned in (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src) the http filters.
4.Added meta tag with CSP directives
5.Added CORS policies in tomcat web servers to allow external domains
Related
I am sorry i have much trouble understanding Firebase Dynamic links.
My use case is : a user wants to reset his password from the mobile app (or send an email verification).
The request is made using Firebase Authentication with a custom handler (with custom domain : https://example.com/auth)
The ActionCodeSettings looks like :
final ActionCodeSettings codeSettings = ActionCodeSettings(
url: 'https://links.example.com/auth?email=$email',
iOSBundleId: Constants.iosBundleID,
androidPackageName: Constants.androidBundleID,
androidInstallApp: true,
dynamicLinkDomain: "links.example.com",
);
The user clicks on the link he received by email and gets redirected to the website (hosted by Firebase Hosting under : example.com)
When the user has finished resetting his password, i would expect to redirect him by "launching" the continueUrl that should take him back to the mobile app. continueUrl : 'https://links.example.com/auth?email=$email'
However this doesn't work so i am guessing that i am doing something wrong somewhere.
In my iOS config, i have added the Associated Domains as : applinks:links.example.com.
In the Info.plist file i have added :
<key>FirebaseDynamicLinksCustomDomains</key>
<array>
<string>https://links.example.com/auth</string>
</array>
(and have also tried with : <string>https://links.example.com</string>)
In my Android config I have added this to my AndroidManifest.xml :
<intent-filter>
<action android:name="android.intent.action.VIEW"/>
<category android:name="android.intent.category.DEFAULT"/>
<category android:name="android.intent.category.BROWSABLE"/>
<data android:host="links.example.com" android:scheme="https"/>
</intent-filter>
Fun fact, on Android after the above steps are completed (on website from the smartphone), if i launch the continueUrl it prompts the user whether to redirect back to the app or stay on the browser to open the URL.
I have of course created a sub-domain : links.example.com in the Firebase Dynamic links console as an URL prefix.
Here are my questions :
Is the continueUrl supposed to redirect back to the app ?
In the ActionCodeSettings continueUrl described above is correct? I see in the documentation always using example.com as the continueUrl, but it would be in conflict with the custom domain used for hosting right ? So i have put links.example.com as the continueUrl and the custom Firebase auth handler is example.com/auth to indeed redirect to the correct web page in my website.
What is the Hosting firebase.json configuration for such case ?
The final link looks like this :
https://example.com/auth?mode=resetPassword&oobCode=T0qn8aj_p7TJBWyE5eUh7_7ZwIqwtJ7Q-i8LDf4QrIsAAAF_u6Bi6Q&apiKey=AIzaSyAzPqhZFKAyfQDeN4DGGjI9VCTEBe_mLc4&continueUrl=https%3A%2F%2Flinks.example.com%3Flink%3Dhttps%3A%2F%2Flinks.example.com%2Fauth%3Femail%253Dtestmail12%40gmail.com%26apn%3Dcom.example.android%26amv%26ibi%3Dcom.example.ios%26ifl%3Dhttps%3A%2F%2Flinks.example.com%2Fauth%3Femail%253Dtestmail12%40gmail.com&lang=fr
Do you see anything wrong or missing ? Something that would prevent the mobile app redirection after the operation completes ?
What should I do with the continueUrl param to gets redirected to the app ? Is it automatically done after some event or should the developer writes code to "push" a new web page containing this link and it will see automatically that's not a link to handle in a web page, thus redirect to the mobile app ?
Thanks a lot in advance for any explanations on how this works !
I have finally understood how this works :
The continueUrl must be the one used to handle back in the mobile app so if you use :
url: 'https://links.example.com/auth?email=$email',
This means you have to create a dynamic link prefix URL : https://links.example.com/auth in the firebase console.
You must also add it to your iOS Info.plist file as stated in the question.
Also, when you use a custom domain you need to make sure as stated in the documentation that the URL prefix and the domain are different such as :
https://link.example.com/?link=https://example.com/my-resource
And not :
https://example.com/?link=https://example.com/my-resource
This means that by using https://links.example.com/auth as URL prefix, you need to use another domain to deal with the link.
In my case, i have built the url this way :
https://links.example.com/?link=https://redirect.example.com/auth
And added https://redirect.example.com/auth as URL prefix.
This prevent both conflicts between example.com at the hosting level and links.example.com from having both link domain name AND Url prefix identical.
Also, don't forget to add new dynamic links domain as whitelisted domains in the Firebase Authentication Sign-In methods in Firebase console or you will get a domain-denied error.
Hope this will help others to understand better how this works.
I'm building an Electron application (electron builder) and when deploying if I look at the dev tools it just says app:// at the top and also when sending any http(s) requests the origin is app://.
I have a feeling this has been a cause with some cookies not setting and CORS issues and I have been having.
In the createWindow function in background.js theirs a section that runs if in production with default as:
createProtocol('app')
win.loadURL('app://./index.html')
Setting that to my domain and building give just a blank window with the dev console saying chrome-error://chromewebdata
chrome-error when setting what I assumed to be the origin
Comparing this with Discord the top bar in dev tools says the discord website and also all requests have the origin of Discord.com
Discord dev tool header which makes me think this is app level rather than just http request level (axios/fetch)
Any ideas on how to change the origin
After doing some research into creating deep links, I've found that I basically needed my own protocol to do it (makes sense really).
So went to the documentation for Vue CLI Electron Builder and looked at the config section (https://nklayman.github.io/vue-cli-plugin-electron-builder/guide/configuration.html#changing-the-file-loading-protocol)
When electron:build is ran, it pulls in the options from vue.config.js. Adding in:
module.exports = {
pluginOptions: {
electronBuilder: {
customFileProtocol: 'myCustomProtocol://./'
}
}
}
And then also updating the win.loadURL('myCustomProtocol://./index.html') in background.js assigns the custom protocol to the app (all of this is in the documentation linked above)
IS there a way to trick the server so I don't get this error:
Content was blocked because it was not signed by a valid security certificate.
I'm pulling an iframe of an html website into another website but I keep getting the console (chrome) error in the title of this question and in internet explorer it says:
Content was blocked because it was not signed by a valid security certificate.
Your resource probably use a self-signed SSL certificate over HTTPS protocol.
Chromium, so Google Chrome block by default this kind of resource considered unsecure.
You can bypass this this way :
Assuming your frame's URL is https://www.domain.com, open a new tab in chrome and go to https://www.domain.com.
Chrome will ask you to accept the SSL certificate. Accept it.
Then, if you reload your page with your frame, you could see that now it works
The problem as you can guess, is that each visitor of your website has to do this task to access your frame.
You can notice that chrome will block your URL for each navigation session, while chrome can memorise for ever that you trust this domain.
If your frame can be accessed by HTTP rather than HTTPS, I suggest you to use it, so this problem will be solved.
Sometimes Google Chrome throws this error, even if it should not.
I experienced it when Chrome had a new version, and it needed to be restarted.
After restarting the same page worked without any errors.
The error in the console was:
net::ERR_INSECURE_RESPONSE
I still experienced the problem described above on an Asus T100 Windows 10 test device for both (up to date) Edge and Chrome browser.
Solution was in the date/time settings of the device; somehow the date was not set correctly (date in the past). Restoring this by setting the correct date (and restarting the browsers) solved the issue for me. I hope I save someone a headache debugging this problem.
Offering another potential solution to this error.
If you have a frontend application that makes API calls to the backend, make sure you reference the domain name that the certificate has been issued to.
e.g.
https://example.com/api/etc
and not
https://123.4.5.6/api/etc
In my case, I was making API calls to a secure server with a certificate, but using the IP instead of the domain name. This threw a Failed to load resource: net::ERR_INSECURE_RESPONSE.
open up your console and hit the URL inside. it'll take you to the API page and then in the page accept the SSL certificate, go back to your app page and reload.
remember that SSL certificates should have been issued for your Dev environment before.
If you're developing, and you're developing with a Windows machine, simply add localhost as a Trusted Site.
And yes, per DarrylGriffiths' comment, although it may look like you're adding an Internet Explorer setting...
I believe those are Windows rather than IE settings. Although MS tend to assume that they're only IE (hence the alert next to "Enable Protected Mode" that it requries restarted IE)...
Try this code to watch for, and report, a possible net::ERR_INSECURE_RESPONSE
I was having this issue as well, using a self-signed certificate, which I have chosen not to save into the Chrome Settings. After accessing the https domain and accepting the certificate, the ajax call works fine. But once that acceptance has timed-out or before it has first been accepted, the jQuery.ajax() call fails silently: the timeout parameter does not seem help and the error() function never gets called.
As such, my code never receives a success() or error() call and therefore hangs. I believe this is a bug in jquery's handling of this error. My solution is to force the error() call after a specified timeout.
This code does assume a jquery ajax call of the form jQuery.ajax({url: required, success: optional, error: optional, others_ajax_params: optional}).
Note: You will likely want to change the function within the setTimeout to integrate best with your UI: rather than calling alert().
const MS_FOR_HTTPS_FAILURE = 5000;
$.orig_ajax = $.ajax;
$.ajax = function(params)
{
var complete = false;
var success = params.success;
var error = params.error;
params.success = function() {
if(!complete) {
complete = true;
if(success) success.apply(this,arguments);
}
}
params.error = function() {
if(!complete) {
complete = true;
if(error) error.apply(this,arguments);
}
}
setTimeout(function() {
if(!complete) {
complete = true;
alert("Please ensure your self-signed HTTPS certificate has been accepted. "
+ params.url);
if(params.error)
params.error( {},
"Connection failure",
"Timed out while waiting to connect to remote resource. " +
"Possibly could not authenticate HTTPS certificate." );
}
}, MS_FOR_HTTPS_FAILURE);
$.orig_ajax(params);
}
This problem is because of your https that means SSL certification. Try on Localhost.
::UPDATE:: LINKS DO NOT EXIST ANYMORE!
Very strange indeed, this is definitely a bug! I did a test with app_id from another application and it worked.
See for yourself:
https://apps.megalopes.com/megabraziltv/test.php (app_id correct)
https://apps.megalopes.com/megabraziltv/test2.php (app_id from another application)
---/---
I found several people with the same question and all the answers are equal:
Site URL is not same as REQUEST_URI (Redirecting URL)
My app setting are:
Secure Page Tab URL: apps.megalopes.com/megabraziltv/...
App Domain: megalopes.com
code:
<div id="fb-root"></div>
<script src="http://connect.facebook.net/pt_BR/all.js">
</script>
<script>
FB.init({
appId:'123456789', cookie:true,
status:true, xfbml:true
});
FB.ui({ method: 'apprequests',
message: 'Here is a new Requests dialog...'});
</script>
This simple code is not redirecting to any other url. I tested on the js console getting the same results. Sometimes works and sometimes I get this error message:
API Error Code: 191 API Error Description: The specified URL is not
owned by the application Error Message: redirect_uri is not owned by
the application.
Regardless of being page tab or canvas, you must identify the website Site URL in https://developers.facebook.com/apps
How I fixed:
App Domain: megalopes.com (domain)
Site URL: / Secure Canvas URL: / Secure Page Tab URL: https://www.megalopes.com (subdomain)
I think I have run into something similar before.
In the summary page of your app ensure both the Secure Canvas URL and Page Tab URL are populated.
The URL in my redirect_uri should have "http://" in the beginning. It was missing the protocol information, thus leading Facebook not to recognize my website and throw this annoying 191 error. I finally found out after one hour pulling the hair I (still) have left.
You have to create a channel page, which allows "cross domain communication in certain browsers"
This is an html page (saying /channel.html) on your server, which only contains :
<script src="//connect.facebook.net/en_US/all.js"></script>
And make the Javascript SDK aware of it :
FB.init({
appId: 'xxxxxx',
cookie: true,
channelUrl: location.protocol + '//' + location.host + '/channel.html'
});
More about this :
https://developers.facebook.com/docs/reference/javascript/FB.init/
https://developers.facebook.com/docs/reference/javascript/
It's because of domain URL that you mentioned in facebook's mistake. Domain URL wont be like www.site.com
Update your domain url like subdomain.site.com.
Now it surely work.
I get a really strange security error when trying to load data from one URL to another. Essentially my facebook canvas URL points to http://www.tonyamoyal.com/stuff/path/ and that has an fb:swf tag which points to http://www.tonyamoyal.com/stuff/path/Quiz.swf. The facebook app loads fine but when I try to call a service that resides on another URL, I get a security error:
http://www.tonyamoyal.com/stuff/path/Quiz.swf cannot load data from http://www.somedomain.com/path/path/service.aspx
The cross-domain on tonyamoyal.com is set up to allow all domains to pass. The cross-domain on somedomain.com has a line specifically allowing calls from www.tonyamoyal.com:
<allow-access-from domain="www.tonyamoyal.com" />
Any idea why there would be a security issue here?
At application startup try to load the policy file by doing:
Security.loadPolicyFile("http://www.somedomain.com/crossdomain.xml");