asp.net pulling external web page while preventing client from seeing requests - asp.net

I'm facing a security issue where my users can see all the URLs I pull content from.
I use a third-party dashboard app with 4 HTML pages showing system status for each company: 'www.xyz.com/dashboard/x.html'.
I would like to create a new 'aspx' file and display 'x.html' inside it as plain text, while preventing the user from seeing where x.html is downloaded from, because he should not have access to the other 'html' files under the same domain.
Here, the user should not see the XHRs and where they come from.
In other words, I need to create an asynchronous server-side request that fetches 'x.html' and displays its content inside my aspx as if it were my page.

Updated answer:
If you have an ASP.NET Dashboard app with multiple pages and you want to restrict access, you need to implement ASP.NET Identity role-based authorization so that your clients who log in only have access to the areas of the site you want them to access.
On the other hand, if you are trying to take someone else's HTML page and display it as your own, that goes against our community guidelines and you should instead consider openly redirecting your users to the proper page and giving credit where it's due.
Original answer:
You can't do this, for two reasons:
1. The browser must know the target URL.
2. Obscuring the target URL would be a violation of basic security principles.
The <iframe> element requires a src attribute. See MDN for comprehensive documentation.
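
The role-based restriction recommended in the updated answer, combined with the server-side fetch the question describes, as an added example (not code from the original answer or from the dashboard product). It assumes ASP.NET MVC 5 with ASP.NET Identity roles already assigned; the role names and upstream URLs are hypothetical, and it assumes the upstream dashboard host accepts requests only from this web server.

```csharp
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;
using System.Web.Mvc;

// Every action requires an authenticated user; anonymous requests are rejected
// before any upstream fetch happens.
[Authorize]
public class DashboardController : Controller
{
    // One shared client. The upstream host is contacted only from the server,
    // so its URL never appears in the browser's network log.
    private static readonly HttpClient Upstream = new HttpClient();

    // Fixed role -> page map (constructed values). The client never supplies a
    // URL or file name, so there is no parameter to change to reach another
    // company's page.
    private static readonly Dictionary<string, string> PageForRole =
        new Dictionary<string, string>
        {
            { "CompanyA", "https://dashboard.example.com/dashboard/a.html" },
            { "CompanyB", "https://dashboard.example.com/dashboard/b.html" },
        };

    // GET /Dashboard
    public async Task<ActionResult> Index()
    {
        foreach (KeyValuePair<string, string> entry in PageForRole)
        {
            if (!User.IsInRole(entry.Key))
            {
                continue; // not this user's company
            }

            // Server-side request; only the returned HTML reaches the browser.
            string html = await Upstream.GetStringAsync(entry.Value);
            return Content(html, "text/html");
        }

        // Authenticated, but no role maps to a dashboard page.
        return new HttpStatusCodeResult(403, "No dashboard assigned to this account");
    }
}
```

The access decision rests on the role check, not on the URL being hidden: the other pages stay protected only if the upstream host itself refuses direct requests from users.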

Related

Are there any security threats in unauthorized users being able to access the Content folder items using web browsers?

I have an asp.net mvc web application, and inside my Content folder I have items such as the site.css, the logo, ajax.png.
I thought that asp.net mvc would prevent users from accessing the Content folder items directly, and that these items could only be viewed when called from an action method, or at least by authenticated users. Currently if a user (who did not log in to the system) types the following
https://..../OurProject /Content/ajax.png
he will be able to see the image directly. I am not sure if this is a security problem, or if it is normal to have such ability. Bearing in mind that I have used the [Authorized] annotation inside all the controller classes, but it seems that the Content folder items can be viewed by unauthenticated users?
Can anyone advise?
Thanks

Product integrated with CQ5 to check the content standard?

We currently use Active Standard (a website quality testing service that checks pages for spelling, grammar, broken links, poor HTML code, etc). I want to understand how they could use this going forward with our new CQ5 site so that content is checked before it goes live. Since Active Standards is a ‘service’ it currently only checks the live site as that is all it can access.
Do we know if there is a content quality testing tool that could integrate into the CQ5 authoring environment?
Challenges:
- How would a service like Active Standards be able to access the authoring environment which sits behind a firewall on client's network?
- Is there a product which integrates with CQ5 that can be run at the point the author is creating content?
I don't know Active Standard but from your description I understand it's a service that accesses a public website via HTTP to check its content.
If that's correct and there's no way to provide it with credentials so that it could access a secured staging version of your website, the only way that I see is exposing the staging content that you want to check on a public URL like staging.mysite.com, maybe adding disclaimers, robots.txt and removing CSS etc. so that people don't mistake it for the actual site. That staging website can then get content from the CQ author in a restricted way, using CQ access control and read-only users for example. But that won't work if you want to keep your staged content secret.
At the CQ level, the observation/notification and workflow mechanisms can be used to process content as soon as it's created, but to use this you need to be able to submit the content to the checking service yourself using HTTP or other clients, instead of having it crawl your staging content by itself.

Facebook app with asp.net

I am trying to get my first hello world application on Facebook using asp.net with the Facebook toolkit.
I am hosting my files on www.aspspider.info/jasminm89/ using it as a canvasurl
and the link to my Facebook app is http://apps.facebook.com/mytesterapp/
At that location I have: a default.html page with an h1 tag with plain text.
When I visit my app on Facebook I get the message:
The page cannot be displayed
The page you are looking for cannot be displayed because an invalid
method (HTTP verb) was used to attempt access. Please try the
following:
Contact the Web site administrator if you believe that this request
should be allowed. Make sure that the Web site address displayed in
the address bar of your browser is spelled and formatted correctly.
HTTP Error 405 - The HTTP verb used to access this page is not
allowed. Internet Information Services (IIS)
Technical Information (for support personnel)
Go to Microsoft Product Support Services and perform a title search
for the words HTTP and 405. Open IIS Help, which is accessible in IIS
Manager (inetmgr), and search for topics titled Setting Application
Mappings, Securing Your Site with Web Site Permissions, and About
Custom Error Messages.
Here is the source code from Facebook, where it loads my page:
<form action="http://aspspider.info/jasminm89/"
method="post" target="iframe_canvas"
id="canvas_iframe_post_4e513da6b75410144827584"
onsubmit="return Event.__inlineSubmit(this,event)"><input
type="hidden" autocomplete="off" name="signed_request"
value="xxx....."></form>
One point here.
I set up my account on 000webhost.com and by default there is a default.php created.
I copied the link to my Facebook app and it loaded the page; it worked as well with a plain index.html.
final
This error is because with IIS we can't use static html pages to be called in this way.
I have now uploaded a plain .aspx page with some text and it worked.
First, this sounds like an error with your server configuration, not with accessing the Facebook API/SDK.
Secondly, don't you need to add the call to the facebook SDK and include the <div id="fb-root"></div> ?
Or are you using the C# Facebook SDK?
In IIS you cannot handle the POST method coming from Facebook, including signed_request.
So first reconfigure IIS to allow handling the POST method. Or, for a simple start, make index.html the default document, put "hello world" inside, then process the second step.

Link to a specific section of a Silverlight app

I have a client that has a SilverLight app that contains all of their products. They are wanting to create HTML pages (now that they realized they aren't getting indexed in Google) for all of their products. On those pages they want a link to the silverlight app that will open a specific product.
I'm not a WPF developer, so I'm not sure what is possible. My first thought was maybe we can pass an id to the SilverLight app and then put some code in place to switch to the correct product.
Any ideas?
Thanks,
Cole
In the asp.net host application, you can read the parameters from the query string and pass them to the silverlight plugin in the InitParams section.
More info can be found here.
Ideally you want to detect that it is Google (or another search engine) hitting your site and direct the user/search to an appropriate page (Silverlight page for people and HTML pages for Search Engines).
Navigation in Silverlight uses bookmark URLs on a single page (like website.com/silverlightpage/#item=1234) whereas your site will likely use MVC mappings (like website.com/item/1234).
From a user-experience perspective you just want to click a result in Google and go straight to the Silverlight bookmark URL equivalent.
To do this you need to catch incoming URL requests in your web site, identify any search engines, and if it is a real person redirect them to the Silverlight app page (e.g. with item id passed into the bookmark).

Displaying the current authenticated Sharepoint user from an asp.net Page Viewer Web Part

I am creating a standalone asp.net page that needs to be embedded into a sharepoint site using the Page Viewer Web Part. The asp.net page is published to the same server on a different port, giving me the URL to embed.
The requirement is that after a user is authenticated using Sharepoint authentication, they navigate to a page containing the asp.net web part for more options.
What I need to do from this asp.net page is query Sharepoint for the currently authenticated username, then display this on the page from the asp.net code.
This all works fine when I debug the application from VS, but when published and displayed through Sharepoint, I always get NULL as the user.
Any suggestions on the best way to get this to work would be much appreciated.
If you want to retrieve the currently authenticated user from the SharePoint context, you need to remain within the SharePoint context. This means hosting your custom web application within SharePoint (see http://msdn.microsoft.com/en-us/library/cc297200.aspx). Then from your custom application reference Microsoft.SharePoint and use the SPContext object to retrieve the user name. For example:
SPContext.Current.Web.CurrentUser.LoginName
You can still use the Page Viewer Web Part to reference the URL of the site, now located within the SharePoint context.
Thanks heaps for the answers!
Turns out that as long as the asp.net page is using the same URL and port as the Sharepoint site, authentication works across both sites.
The solution is to use a Virtual Directory inside of the sharepoint site and install the asp.net page there.
When it works in debug, is that being used in SharePoint?
Your page and the Sharepoint site might as well be on different servers as far as authentication is concerned -- in order to get the information over you might need to pass it via the QueryString from the webpart if you can -- or you might need to make your own webpart to do this (just put an IFRAME in the part with the src set to your page with the QueryString passing the username).
It does seem that this would be a security issue if you use the name for anything though -- if you are just displaying it, then it's probably fine.
If you actually need to be authenticated, you might need to add authentication into the web.config of the site hosting your standalone page.
edit: I think you'd have better luck putting your page on the same port and server as SharePoint.
I suspect you will have a hard time specifically querying SharePoint for the currently authenticated username. I can't think of a way to easily access the SharePoint context from a separate web application like you are describing.
I don't know what kind of authentication scheme you are using, but you may want to consider using Kerberos, as I've found that it can make these kinds of scenarios a little easier by allowing for delegation and passing credentials from application to application or server to server.
