On some websites (hosted on servers within China) I am displaying some Tencent videos in iframes. Tencent Video is a service similar to YouTube, but it works in China.
To display a video on your website you get a little code snippet similar to this:
<div class="video-container"><iframe class="video" src="https://v.qq.com/txp/iframe/player.html?vid=XXXXXXXXXX" frameborder="0" allowfullscreen="allowfullscreen"></iframe></div>
If I now open the frontend of the website and the video iframe is displayed I can see the following error in the console:
GET http://127.0.0.1:11066/getversionjpg?hash=YYYYY net::ERR_CONNECTION_REFUSED
To me it looks like "within the iframe" it is tested whether "localhost" on port 11066 answers a request for a file which was hashed to a number. Are they checking if a user is registered? Or actually checking if someone is logged in? Or what kind of browser player is working? Are they checking on "their localhost"? That does not make sense, does it? But doing it on the hosting web server (where I am hosting the website) makes no sense either. So not on the visitor's client, right? Is Tencent Video doing this "accidentally"? I can't believe that.
Or is Tencent doing something nasty here?
Can anyone explain what probably is going on here?
Related
I recently moved to HTTPS. I currently have a local time displayed on the site using the following code:
<iframe class="current-time" src="http://free.timeanddate.com/clock/i35r7kr2/n47/tlau/fs12/fcfff/tct/pct/ahl/th2/ts1" frameborder="0" width="54" height="14" allowTransparency="true"></iframe>
However, now that we are on HTTPS it does not show, because it's loaded from an http:// site, so browsers don't display it.
Can someone advise a method of displaying our local time, as http://free.timeanddate.com does not have an SSL certificate?
ADDITIONAL INFORMATION AS REQUESTED:
When we load the site that is now secure the place where the time was once displayed is blank and the browser indicates that some insecure content has been blocked. See https://www.reeffree.com.au/ to see a secure site - the missing part is under "Call Us Mon-Fri 7am-9pm & Sat-Sun 8.30am-7pm Brisbane, Australia (AEST). At ReefFree it's currently " that can be found on the right top of the page below the slider.
To see what it looked like before see the following link: http://www.extremefree.com.au/
Using this website you can see that it is the date and time script that is stated above that is causing the issue - I need to replace it with one with HTTPS: https://www.whynopadlock.com
The free service you're using supports HTTPS. Simply go back to http://www.timeanddate.com/clocks/free.html and when you get to the "Get HTML" step, choose "Secure Web Page". This will generate an <iframe src="https://... Note that the URL is https instead of http.
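As an added example (not part of the original answer), this Python sketch scans a page's HTML for subresources that an HTTPS page would load over plain HTTP, such as the clock iframe in the question. The sample markup and the `example.test` hosts are constructed; the split into blockable and optionally blockable elements follows the usual browser handling of mixed content.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Insecure loads of these are blocked outright on an HTTPS page ("blockable").
BLOCKABLE = {"iframe": "src", "script": "src", "embed": "src", "object": "data"}
# Insecure loads of these are "optionally blockable" (warning or auto-upgrade).
OPTIONAL = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower().split():
            severity, url = "blockable", attrs.get("href")
        elif tag in BLOCKABLE:
            severity, url = "blockable", attrs.get(BLOCKABLE[tag])
        elif tag in OPTIONAL:
            severity, url = "optionally-blockable", attrs.get(OPTIONAL[tag])
        else:
            return
        if not url:
            return
        # urljoin resolves relative and protocol-relative (//host/...) URLs.
        absolute = urljoin(self.page_url, url.strip())
        if urlsplit(absolute).scheme == "http":
            self.findings.append((severity, tag, absolute))


def find_mixed_content(page_url, html):
    """Return insecure subresources if page_url is HTTPS, else an empty list."""
    if urlsplit(page_url).scheme != "https":
        return []
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page: the clock iframe from the question plus other resources.
SAMPLE = """
<img src="/logo.png">
<script src="//cdn.example.test/app.js"></script>
<iframe class="current-time" src="http://free.timeanddate.com/clock/i35r7kr2/n47/tlau/fs12/fcfff/tct/pct/ahl/th2/ts1"></iframe>
<img src="http://images.example.test/banner.jpg">
"""
print(find_mixed_content("https://www.reeffree.com.au/", SAMPLE))
```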
I use a site that has SSL with Extended Validation enabled. In other words, when a user accesses my site, the address tool bar becomes green with the name of my company showing that it's secure. If my page gets any resources from an HTTP page, I lose the green status and it becomes an ugly orange with an exclamation mark.
The problem is that my page has a Vimeo video embedded (with iFrame). When you access it, the address tool bar is green but if you pass your mouse over the video, it becomes orange! After some investigation, it was detected that an HTTP site is called (http://pdl.vimeocdn.com/...).
Searching Google showed me the following answer from Vimeo:
https://vimeo.com/forums/topic:98803
In other words, it's NEVER going to be fixed :(
Is there any way we can BLOCK this call from this embedded video?
That call is the actual video file, so you wouldn't want to block it. We are working with our CDN to get HTTPS video delivery working, and we're very close.
You seem to have covered most of the question - in the absence of Vimeo fixing the problem, the only practical way to avoid this is to proxy the Vimeo access via your own site and rewrite the content passing through to change the URLs to point to your (HTTPS) proxy - which is hardly a very appropriate solution.
I'm building an emailshot tracking function in my ASP.NET site which will serve up a linked image when the email is opened, so allowing me to count the email opens.
It's all above-board, opted-in etc, etc, and I've tried two methods:
calling a .aspx page that serves (direct to the Response stream) a Base64-encoded image stored in a database
calling a .ashx HTTP handler that serves an image from a physical folder
Both of these techniques work absolutely fine - the image is served, and I can process the hit in the page code - if I use my POP email or my Gmail accounts.
However, Hotmail blocks them both. It doesn't even give the option of displaying images - there's no trace of the original link if I View Source on the browser email display.
Links to images only seem to display correctly in the Hotmail browser window if I:
Use an actual domain name in the link (rather than an IP address or localhost for testing) AND
Link to physical files (rather than pages that serve them) using <img src="http://domain/imagefilename.ext"/>.
Is there an alternate approach that will at least give the option of viewing the image? I'm not trying to conceal the tracking in any way - there will usually be other linked images in the emails anyway.
Nor does the thing being served have to be an image - is there anything else that can be served (and hence counted) that isn't treated as suspicious by over-zealous mail servers such as Hotmail?
Cheers.
You can add a querystring value at the end of the url. And then configure IIS to handle that extension.
Well, what you are asking is a nightmare for email servers. This same technique is used by spammers to get valid email IDs out of junk email IDs. For now I can assure you tracking opening of email is impossible using any white hat or gray hat techniques on any reputable servers.
Please see these links for more details:
http://emailuniverse.com/ezine-tips/?id=502
https://webapps.stackexchange.com/questions/22662/way-to-ensure-that-my-sent-email-was-read
However, don't take my word 'impossible' for granted; there are some protected techniques available, but I am not sure about them.
http://mailchimp.com/
Good luck.
I have a client that, due to specific reasons, needs to place an IFRAME pointing to an HTTPS page on an HTTP page. The HTTP page is hosted on a different domain and server than the HTTPS page, but are both owned by the same client.
Putting aside the reasons why this should not be done, I am finding it difficult to implement in practice.
As one can see on this page: http://www.clevelandutilities.com/obppay.htm there is a HTTPS IFRAME on an HTTP page without any warnings from the browser (Firefox OR IE). However, if I try the same method, both Firefox and IE complain about the certificate.
Any ideas on why that is? I've examined the source at that sample site and can see nothing special being done, yet if I try the same thing I get squawking. Further, if I put the domain that they are using (https://www.paybill.com/cu/), it doesn't complain - if I put our domain in, it complains. Are all SSL certificates created equal?
To boil it down, this works without warnings:
<iframe src="https://www.paybill.com/cu/" width="100%" height="600" scrolling="auto"></iframe>
this does not:
<iframe src="https://www.myclientdomain.com/somepage.php" width="100%" height="600" scrolling="auto"></iframe>
Further, we use an IFRAME-style Facebook app to pipe in to this same HTTPS page, and THAT works with no complaints about the SSL certificate. Huh?!
After digging a bit, we uncovered that the certificate is specific to www.myclientdomain.com, and the developer in charge had used ...src="https://myclientdomain.com"... in the IFRAME. This was causing the following "Connection is untrusted" error screen:
The common practice for the host domain is to never use 'www' in the URL (enforced with .htaccess), whereas the standard for the source domain (the one with the certificate) is to always use it (enforced with .htaccess). That's what led the other developer to leave it off - that's what he is used to for his site.
If one clicked "I understand the risks" even once for the source domain and added the certificate exception, any visit thereafter would have made it to the htaccess and be redirected to www-, which is why on my (and the other developer's) computer the page would load fine and check out normal in Firebug while our boss got the warning. We had both (apparently) added the exception for one reason or another in the past.
When we put it together, it was a real facepalm moment. Thanks to anyone who had given this question thought, sorry to have not checked the details carefully enough. :)
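The mismatch described in this answer, as an added example that is not part of the original post: a simplified Python check of certificate DNS names against the hosts used in iframe URLs. The certificate name list is constructed from the question's placeholder domain, and the matcher is a simplification that ignores internationalized names and IP addresses.

```python
from urllib.parse import urlsplit


def _labels(name):
    return name.lower().rstrip(".").split(".")


def name_matches(cert_name, hostname):
    """Simplified RFC 6125-style match of one certificate DNS name."""
    c, h = _labels(cert_name), _labels(hostname)
    if len(c) != len(h):
        return False  # a wildcard stands for exactly one label
    if c[0] == "*":
        # Wildcard must be the whole leftmost label with at least two labels
        # after it, so "*.com" is rejected and "*.x.com" never covers "x.com".
        return len(c) >= 3 and "*" not in c[1:] and c[1:] == h[1:]
    return "*" not in cert_name and c == h


def cert_covers(cert_dns_names, hostname):
    return any(name_matches(n, hostname) for n in cert_dns_names)


def uncovered_embeds(cert_dns_names, embed_urls):
    """Return the embed URLs whose host the certificate does not cover."""
    return [u for u in embed_urls
            if not cert_covers(cert_dns_names, urlsplit(u).hostname or "")]


# Constructed inputs modelled on the question: certificate for the www name only.
CERT_NAMES = ["www.myclientdomain.com"]
EMBEDS = [
    "https://www.myclientdomain.com/somepage.php",
    "https://myclientdomain.com/somepage.php",
]

if __name__ == "__main__":
    print(uncovered_embeds(CERT_NAMES, EMBEDS))
    # A wildcard certificate would not cover the bare domain either:
    print(cert_covers(["*.myclientdomain.com"], "myclientdomain.com"))
```

Because the .htaccess redirect to the www name only runs after the TLS handshake succeeds, it cannot hide the mismatch; the URL in the iframe has to use a name the certificate lists.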
I do not believe this is possible, but I figure there are people out there way smarter than me, so why not check ..
I would like to have an HTTP image that is viewable from within a page when used w/in an img tag, but NOT visible if the img src link is called directly. Does that make sense? Viewable in page, but not if called directly.
Quick edit .. acceptable alternative is to embed image in page in such a way as url is not human readable / able to be extracted and typed into browser.
Update 2 ... .NET IIS7 env.
Note that "security" products such as Norton Internet Security and Norton Personal Firewall prevent the HTTP Referer: (TBL's spelling mistake, not mine) header being sent by default. As these products are widely used, referrer blocking will break things for an awful lot of people.
FWIW, if I was keen to get your image other than by viewing your page (although I can't imagine why I should be) I would just grab the bits as they came over the network when I viewed your page, using something like Charles or Fiddler. It's completely impossible to make content available over the web but prevent people from making a copy.
I believe that you can achieve something like this by relying on the referrer header supplied by the browser - when the referrer is a web page on your own site, you serve up the image, but not otherwise.
It's not 100% reliable (as passing the referrer isn't mandatory in the HTTP spec) but works well enough for some sites.
This is achieved through configuration of your webserver; you therefore might have more luck asking this on ServerFault.
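One way to implement the Referer check described above, as an added Python example rather than code from the answer; `mysite.example` and the sample requests are hypothetical. It compares the parsed host instead of searching the header as a string, and makes the missing-header case an explicit choice.

```python
from urllib.parse import urlsplit


def referer_host(referer):
    """Return the lower-cased host of a Referer value, or None if unusable."""
    try:
        parts = urlsplit(referer.strip())
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def serve_image(referer, allowed_hosts, allow_missing=True):
    """Referer-based hotlink check; True means serve the image."""
    if referer is None or not referer.strip():
        # A direct request and a client that strips the header look identical.
        return allow_missing
    return referer_host(referer) in allowed_hosts


ALLOWED = {"www.mysite.example", "mysite.example"}  # hypothetical site hosts

# Constructed requests: (description, Referer header value or None)
REQUESTS = [
    ("page on own site", "https://www.mysite.example/gallery.aspx"),
    ("other site embedding the image", "http://other.example/page.html"),
    ("site name only in query string", "http://other.example/?from=www.mysite.example"),
    ("site name as URL userinfo", "http://www.mysite.example@other.example/"),
    ("header stripped or URL typed directly", None),
]


def evaluate(allow_missing):
    """Decision for each constructed request, in order."""
    return [serve_image(r, ALLOWED, allow_missing) for _, r in REQUESTS]


if __name__ == "__main__":
    for (label, _), lenient, strict in zip(REQUESTS, evaluate(True), evaluate(False)):
        print(f"{label:40} lenient={lenient} strict={strict}")
```

With `allow_missing=True` a URL typed into the address bar is still served; with `False`, visitors whose software strips the header get broken images on the page itself.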
Yes, there are lots of articles on how to set up mod_rewrite rules in Apache to try and prevent direct access to files.
http://www.cyberciti.biz/faq/apache-mod_rewrite-hot-linking-images-leeching-howto/
It depends on how it gets built. You can always make sure your referrer is the page that you expect it to be hosted from and lock down requests there.
If you have some notion of authentication, you could bury the image under some type of php/ruby script or asp.net http handler that requests the image from the server or database (in a place that is not publicly viewable but is reachable by your server-side code) and that handler could check for your authentication status before returning it.
Frankly, I re-worked my solution so I didn't really have to worry about it ... know that's a cop out, as it doesn't REALLY answer the question, but there it is. My concern was that users would be able to defraud the "game" I was creating if they could figure out the sequence that was being used to name the images. Quick and dirty solution .... don't make image file names sequential / predictable.