How can I download content from iframe?
enter image description here
NOT WORKING
document.getElementById('iframeID'); (show "object HTMLIFrameElement" not content)
$(iframeID).contents().find("html").html();
This will not be possible due to the same-origin policy imposed by the browser. You won't be able to access the contents of that iframe unless you are on the same domain.
Some methods will just give you an empty result:
document.getElementById('your-wiki-frame').innerHTML
> ""
document.getElementById('your-wiki-frame').innerText
> ""
Other methods might explicitly tell you about the restriction:
window.frames[0].body
> SecurityError: Permission denied to access property "body" on cross-origin object
This might seem like a pain, but if you're just somebody trying to programmatically access the contents of Wikipedia, you have no need for a browser as an intermediary.
If you really really wanted to use your browser for these shenanigans, you could route all of your traffic through an HTTP proxy you control so that some special path based off 'en.wikipedia.org' (e.g. http://en.wikipedia.org/your-special-page) returns your own site. This way, your browser would accept that the origin of your page was the same as the wikipedia content you are trying to access. Essentially you'd need to perform a man-in-the-middle attack on yourself, and of course it will only work on a network you control, and you'll run into mixed media restrictions if you try to access an iframe served over https from within a page served over http.
Related
I'm using myRealPage to create Mobile links for me. In the settings it creates links for various things like listings etc... I can embed all the links but one into an iFrame. All the others work perfectly fine but this one
http://listings.myrealpage.com/wps/recip/25064/m.form
It just sits there and tried to load. I do get one error saying this
Uncaught SecurityError: Blocked a frame with origin "http://listings.myrealpage.com" from accessing a frame with origin "MYSITE". Protocols, domains, and ports must match.
I'm not really understanding that because all the other links contain the same listings.myrealpage in them and work fine.
The code I have for the iFrame is this
<iframe src="LINK" name="frame2" scrolling="auto" frameborder="no" height="800px" width="100%">
</iframe>
That's the same too for all the others but replacing the src part with the other links.
Hopefully there's an answer for this.
Thanks
That error message is due to the same-origin-policy
Usually, this is sent in a HTTP header and causes the browser to deny a load of IFRAME content unless there's an exact match of port, protocol and domain.
E.g. port - usually 443 for SSL, or 80 if standard HTTP - protocol (http for parent page and iframe, or https for both) and domain (blah.domain.com and blah2.domain.com would be a non-match)
Either remove the restriction of the same-origin-policy (you may not be able to do this if you do not govern the server), or, satisfy it. Then, you'll be able to render that content within a frame.
You could use something like Fiddler to determine the erroneous url (It's free to download from Telerik) and where the request occurs.
I'm working on a set of sites that use a lot of cross-domain immge requests (our own site), and am getting a lot of 404 errors in our logs, but can't identify any actual pages where the images aren't showing. Does anyone know of any method that can be used to find out what page requests contains the bad image references?
It occurs to me I could write an HttpModule for use on the sites to scan all pages for image references, and do some logging that I can use to track down the offending pages, but I wanted to see if there was as easier method first.
The request should have an 'Origin' header that specifies the calling domain. This header is set by the browser and can't be spoofed. The 'Referer' header will give you the full url to the calling page. You could write these header values to your log.
When accessing our sharepoint site via HTTPS, users inside our network receive a prompt stating "Display nonsecure items?".
When accessing the site from outside our network via HTTPS, some images do not display at all. Some links do not function correctly as well.
We have found that this occurs when site administrators create images and/or link and display them using HTTP.
How can we seamlessly integrate HTTP and HTTPS so that we don't have to tell site administrators to use only HTTPS when creating images and links?
I have looked at our Alternate Access mappings, and here is the relevant info there:
http://computername Default http://computername
http://HostName Default http://HostName
http://subdomain.domain.com Intranet http://subdomain.domain.com
https://subdomain.domain.com Extranet https://subdomain.domain.com
http://computername:port Default http://computername:port
http://subdomain2.domain.com Default http://subdomain2.domain.com
http://computername:port2 Default http://computername:port2
...Some explanation:
ComputerName is the name of the server.
HostName is just a single hostname DNS entry we have so people can quickly type for example "Sharepoint" in their address bar.
Subdomain is basically sharepoint.ourdomain.com. pretty self explanitory
Subdomain2 is for our Business Intelligence services server.
We have two entries with port numbers. One goes to central admin. the other gives an error and i'm not sure what its used for (if anything).
I inherited support of this application. I hope things arent too messed up.
So TLDR: How can I get HTTP and HTTPS working seamlessly together inside/outside our network to avoid missing images and invalid links?
Thanks all.
The problem is that the urls in the links and image src are absolute rather than relative.
http://subdomain.domain.com/someimage.gif is always going to use http as its an absolute link.
/someimage.gif is a relative link (the leading / means relative from the hostname) so if this url is from a http site it will use http, from a https site will use https (well technically depends upon the document BASE but you can ignore that for your purposes)
E.g. given the relative URL /somepage/someimage.gif
When accessed from this page
Will mean this
http://example.com/somepage/
http://example.com/somepage/someimage.gif
httpS://example.com/somepage/
httpS://example.com/somepage/someimage.gif
http://NEWDOMAIN.com/somepage/
http://NEWDOMAIN.com/somepage/someimage.gif
and everything will work just fine with no warnings.
The built in CEWP puts all links in as Absolute. To fix -
MSDN - Fixing absolute URLs for all Alternate Access Mappings (AAM) of Content Editor Web Part with a Control Adapter
I do not believe this is possible, but I figure there are people out there way smarter than me, so why not check ..
I would like to have an HTTP image that is viewable from within a page when used w/in an img tag, but NOT visible if the img src link is called directly. Does that make sense? Viewable in page, but not if called directly.
Quick edit .. acceptable alternative is to embed image in page in such a way as url is not human readable / able to be extracted and typed into browser.
Update 2 ... .NET IIS7 env.
Note that "security" products such as Norton Internet Security and Norton Personal Firewall prevent the HTTP Referer: (TBL's spelling mistake, not mine) header being sent by default. As these products are widely used, referrer blocking will break things for an awful lot of people.
FWIW, if I was keen to get your image other than by viewing your page (although I can't imagine why I should be) I would just grab the bits as they came over the network when I viewed your page, using something like Charles or Fiddler. It's completely impossible to make content available over the web but prevent people from making a copy.
I believe that you can achieve something like this by relying on the referrer header supplied by the browser - when the referrer is a web page on your own site, you serve up the image, but not otherwise.
It's not 100% reliable (as passing the referrer isn't mandatory in the HTTP spec) but works well enough for some sites.
This is achieved through configuration of your webserver; you therefore might have more luck asking this on ServerFault.
Yes, there are lots of articles on how to setup mod_rewrite rules in apache to try and prevent direct access to files.
http://www.cyberciti.biz/faq/apache-mod_rewrite-hot-linking-images-leeching-howto/
It depends on how it gets built. You can always make sure your referrer is the page that you expect it to be hosted from and lock down requests there.
If you have some notion of authentication, you could bury the image under some type of php/ruby script or asp.net http handler that requests the image from the server or database (in a place that is not publicly viewable but is reachable by your server-side code) and that handler could check for your authentication status before returning it.
Frankly, I re-worked my solution so I didn't really have to worry bout it ... know that's a cop out, as it doesn't REALLY answer the question, but there it is. My concern that users would be able to defraud the "game" I was creating if they could figure out the sequence that was being used to name the images. Quick and dirty solution .... don't make image file names sequential / predictable.
I'm working on a web site which contains sections that need to be secured by SSL.
I have the site configured so that it runs fine when it's always in SSL, I see the SSL padlock in IE7/IE8/FireFox/Safari/Chrome
To implement the SSL switching, I created a class that implemented IHTTPModule and wired up HTTPApplication.PreRequestHandlerExecute.
I go through some custom logic to determine whether or not my request should use SSL, and then I redirect. I have to deal with two scenarios:
Currently in SSL and request doesn't require SSL
Currently not in SSL but request requires SSL
I end up doing the followng (where ctx is HttpContext.Current and pathAndQuery is ctx.Request.Url.PathAndQuery)
// SSL required and current connection is not SSL
if (requestRequiresSSL & !ctx.Request.IsSecureConnection)
ctx.Response.Redirect("https://www.myurl.com" + pathAndQuery);
// SSL not required but current connection is SSL
if (!requestRequiresSSL & ctx.Request.IsSecureConnection)
ctx.Response.Redirect("http://www.myurl.com" + pathAndQuery);
The switching back and forth now works fine. However, when I go into SSL mode, FireFox and IE8 warns me that my request isn't entirely encrypted.
It looks like my module is short circuiting my request somehow, would appreciate any thoughts.
I would suspect, that when you determine which resources require encryption, and which not, you do not include the images, or some header and footers as well, or even CSS files, if you use any.
As you always throw away SSL for such a content, it may happen that part of the page (main html) requires SSL, but the consequential request for an image on this page does not.
The browser is warning you, that some parts of the page were not delivered using SSL.
I will check if the request is for HTML, and only then drop the SSL if needed. Otherwise, keep it the way it is (most probably images and such are referenced with relative paths, than a full blown url).
I.e., if you have:
<html>
<body>
Some content...
<img src="images/someimage.jpg">
</body>
</html>
and you request this page using SSL, but your evaluation of requestRequiresSSL does not take into account the images as secured resources, it will form a http, not https request, and you will see the warning.
Make sure when you request a resource and evaluate requestRequiresSSL, to check the referrer and if this is an image:
// SSL not required but current connection is SSL
if (!requestRequiresSSL && ctx.Request.IsSecureConnection && !isHtmlContent)
ctx.Response.Redirect("http://www.myurl.com" + pathAndQuery);
Just figure out how to determine isHtmlContent (if you do not serve images from a database, etc., but from a disk location), just check the the resource filename (.aspx, .asmx, .ashx, .html, etc.).
That way, if the connection is encrypted, but the resource itself is not html, and no set for "encryption", you are not going to drop the encryption.
I highly recommend using this (free / open source) component to do what you're trying:
http://www.codeproject.com/KB/web-security/WebPageSecurity_v2.aspx
Any content that is not normally handled by .Net (such as regular html and most graphic files) will not execute the httpmodule because it doesn't go through .net
Your best bet is to just handle this at the IIS level. See the following for info on how to configure your server.
http://www.jameskovacs.com/blog/HowToAutoRedirectToASSLsecuredSiteInIIS.aspx
I highly recommend you this product:
http://www.e2xpert.com/web/Http-Https-Switch.aspx
It is professional and easy to use. It comes with a powerful configuration tool, by which just one click can finish the entire configuration for you.
Just use SSL throughout your site, for all pages and for all images/scripts/stylesheets. That just makes everything oh-so-simple. IE and Firefox will no longer complain, you will no longer have crazy modules trying to guess whether any given request should be redirected, etc.
For the average user it's nearly impossible for them to make a informed decision when the only thing Firefox vaguely tells them is, "Parts of the page you are viewing were not encrypted before being transmitted over the Internet." This is about as helpful as the "somethings wrong" engine light and in fact is telling them after their information has been transferred.
The least this message should be accompanied with is a list providing the URL, type of content (images, javascript, css) and what it means to the user. BTW I get this message when using GMail.
Until that happens, as others stated your code should work once you determine the unsecured elements. Then you can use Firebug (http://getfirebug.com) to check the content being delivered over the connection.