Drupal HTML WYSIWY Filter strips "file:///" from hyperlinks even though I have allowed the HTML attribute a[*], what am I missing?
I want to open a local path \myserver\folder\file and thus I added the protocol in the link dialogue and can see in the plain text editor that the href is created properly:
test
but when I preview/save it that gets stripped and thus is not working
test
Filter Protocol module allows adding them, however, I discovered that the file URI scheme (file:\ protocol) to open remote server location is not supported on most browsers for security reasons Linking a UNC / Network drive on an html page
Unfortunately adding a browser extension isn't always a practical workaround.
Related
I am building an app which wraps some content in html. The users will be able to download this html file and view the content (which changes dynamically based on time and a few details fetched from our servers.
I would like to know if there is any settings on browsers that can block https:// requests from file:// urls?
It works by default, I am just concerned if there is any way users can do this. (browser settings, security zones or something like that)
I believe there is no code samples required for this.
There are windows group policy settings that can block browser downloads, but I'm not aware of browser specific settings. Here are a few links:
http://www.grouppolicy.biz/2010/03/group-policy-setting-of-the-week-18-allow-file-downlaod-internet-explorer/
https://serverfault.com/questions/362974/how-can-i-disable-download-from-all-browsers-using-group-policy-for-domain-users
https://superuser.com/questions/578276/can-i-block-all-file-downloads-in-chrome
I've loaded Disquss on my Wordpress website, which is running on HTTPS. The problem is that while the comments are shown at the bottom of the webpage, they are white (and since the background of the page is also white, they are not visible).
If I open Inspector in Chrome, the following error is printed to the Console tab.
Refused to execute inline script because it violates the following
Content Security Policy directive: "script-src https://*.twitter.com:*
https://api.adsnative.com/v1/ad.json *.adsafeprotected.com *.google-analytics.com https://glitter-services.disqus.com
https://*.services.disqus.com:* disqus.com http://*.twitter.com:*
a.disquscdn.com api.taboola.com referrer.disqus.com *.scorecardresearch.com
*.moatads.com https://admin.appnext.com/offerWallApi.aspx 'unsafe-eval'
https://mobile.adnxs.com/mob *.services.disqus.com:*". Either the 'unsafe-
inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required
to enable inline execution.
This happens because of the Popup Blocker Extension in Chrome, but I would like to enable it with content security policy: http://www.html5rocks.com/en/tutorials/security/content-security-policy/ . Basically, the error occurs in the chrome-extension://* scheme, so I need to add an appropriate entry to the Content-Security-Policy to allow chrome extensions.
How should I disable the security policy for chrome extensions?
This isn't something you can (or should) meaningfully solve. It's up to the extension vendor to properly implement themselves. The fact is the extension is attempting to inject inline code and it's being stopped by the Content Security Policy because the CSP is made to block it. As it should, since the extension is indistinguishable from malware from it's perspective.
You could (but should not) simply add rules to your site's Content Security Policy to allow the extension to run...but this is potentially dangerous, incredibly case-specific, and should basically only ever be done in an enterprise context in which everyone has a (poorly coded) browser extension that is required to work with your site. And even then re-coding the extension would generally be preferred.
How should I disable the security policy for chrome extensions?
Not. Additionally you can not.
I need to add an appropriate entry to the Content-Security-Policy to allow chrome extensions.
The CSP of extensions is part of the (local) extension.
while the comments are shown at the bottom of the webpage, they are white
Sounds like a matter of CSS to me ... what about color: black; for your text?
Or short: Websites are not able to mess with extensions. Which is good - I don't want facebook to disable my CSP and send my personal porn preferences (from PornLiner addon) to my profile.
I have a website written in Ruby using Ruby on Rail framwork, everything was fine when using HTTP protocol, but when switching to HTTPS protocol.
Some CSS material can not shown, but some of it can.
The font can not be shown, originally the font was designed, but now it is not.
Anyone know what happen?
Without any specific error I assume browser is probably blocking files loading from mixed content, i.e. using both HTTP and HTTPS. Use your browser developer tools network tab to confirm this.
You can use // instead of http:// so that resources load from the relative protocol that the page content is loading from; Can I change all my http:// links to just //?
Also read; How to fix a website with blocked mixed content
in order to find the server spec. i've created a file in the root dir in my website called spec.htm and entered this content as i was offered by another user:
<html>
<head>
<title></title>
</head>
<body>
#ServerInfo.GetHtml()
</body>
</html>
but i only get a copy of the code in my browser and it doesn't run it,
what the problem might be?
EDIT: i think that the problem is that i'm not using IIS.
is there a way to do so without using IIS?
thanks
Please see the following article
http://www.asp.net/webmatrix/tutorials/14-introduction-to-debugging
The ServerInfo helper is a diagnostic tool that gives you an overview of information about the web server environment that hosts your page. It also shows you HTTP request information that is sent when a browser requests the page. The ServerInfo helper displays the current user identity, the type of browser that made the request, and so on. This kind of information can help you troubleshoot common issues.
Create a new web page named ServerInfo.cshtml.
At the end of the page, just before the closing tag, add the following highlighted code.
#ServerInfo.GetHtml()
Note, it appears as though this is designed to run in IIS only and not on Linux / Apache servers.
Note, this is a RAZOR syntax so your system needs to be able to run Razor by installing the WebMatrix
#ServerInfo.GetHtml() is a Razor view engine syntax. Try saving your file as .cshtml or .vbhtml
The problem is that your webserver is not set up to serve HTML files through the ASP.NET interpreter. Change the extension to .aspx (i.e., use the same code, but call it spec.aspx).
Are you setting the Content-Type header correctly. If not set to text/html or similar, the browser or framework may set the content-type to text/plain which will not render the html at all.
You can check this in Firebug in the Net tab, expanding the response that is associated with the page you are serving, and looking in the Headers tab. If the Content-Type header is anything besides text/html or text/xhtml, then you need to find a way to make your web server set that header properly
let me guess its just showing up "#ServerInfo.GetHtml()" on a webpage. This does nothing if you put it simply in a body tag of a html page. If you are running IIS make sure you are saving as .aspx and not .html
See "yourhtmlsource.com/myfirstsite/myfirstpage.html"
I hope I am understanding the question and this helps. I found it on the web page given above.
When you double-click a file on your computer’s desktop, the computer knows what program to open the file in by checking the file’s “extension”. A txt file will open in a text editor.
You need to give your document a file extension of ”.html”, which will tell it to open the file in your web browser, such as Internet Explorer, Firefox or Safari.
Right now you should be editing your HTML page in a text editor, which normally saves files with the extension “.txt”. We want to make it save in “.html”. In your text editor click File → Save As…. If you use Microsoft Windows, there will be a box labelled “save as type”; change it to “all files .”. This means that you can save the data (in this case, some text) into any format. Now type in the name index.html for your file and click save. Ex: file.txt becomes file.html.
I work in an area where the business users heavily depend on bookmarks to access their work-related web applications. Our standard browser is Internet Explorer v6. We have a new Flex application - when you add the site to Internet Explorer Favorites, then later try to access the site with the Favorites link, we get the following error message: "internet explorer cannot open the internet site http://our url. Operation aborted". If we then bring up the properties for the link and remove the trailing "#' from the url, the link works.
What is this trailing "#", and can it be removed? Is there a way to have Internet Explorer bookmarking to work for this site (other than manually editing the bookmark)? The problem doesn't occur in Firefox (but not everyone has access to that browser).
The trailing # is used to provide information to your client-side framework. It was originally meant to provide the ability to link to anchor points in an HTML document. It has been "hijacked" by JavaScript frameworks to provide state information to Flash and Flex applications.
The primary benefit of using # to navigate is that the browser doesn't navigate off the current page - meaning you only need to load your framework once. Traditional URLs would force an entire page reload.
Most likely you can't remove it. You should be able to provide a means for a secondary URL scheme that encodes what you need in a query string (?foobar=1).
You will need to configure server-side processing to either redirect the user to the hash URL or load the necessary information via a JavaScript hook to your Flex framework.
You might also look into the new Google Chrome plugin for IE.
You can turn this off in the compiler parameters in Flex Builder. Go into the project settings, then in "Flex Compiler" uncheck the box that says "Enable integration with browser navigation".