Settings to block file:// urls to request resources from https:// urls in browsers - http

I am building an app which wraps some content in HTML. The users will be able to download this HTML file and view the content (which changes dynamically based on time and a few details fetched from our servers).
I would like to know if there are any settings in browsers that can block https:// requests from file:// URLs.
It works by default; I am just concerned whether there is any way users can do this (browser settings, security zones or something like that).
I believe no code samples are required for this.

There are Windows group policy settings that can block browser downloads, but I'm not aware of browser-specific settings. Here are a few links:
http://www.grouppolicy.biz/2010/03/group-policy-setting-of-the-week-18-allow-file-downlaod-internet-explorer/
https://serverfault.com/questions/362974/how-can-i-disable-download-from-all-browsers-using-group-policy-for-domain-users
https://superuser.com/questions/578276/can-i-block-all-file-downloads-in-chrome

How to fix http/https url generation inside module settings/edit modal window iframe at DNN website?

For some reason DNN generates the URL for the src of the iframe inside every modal for editing a module or module settings with a different protocol on localhost and prod. On localhost, when the page is opened via https, the iframe also has an https URL. At the same time, on prod, when the page is opened via https, DNN generates an http URL there for some reason. As a result I'm getting this error in the dev tools console:
Mixed Content: The page at "" was loaded over HTTPS, but requested an
insecure frame. This request has been blocked; the content must be
served over HTTPS.
Found this solution.
Disabling modals would be a really stupid solution as I need editing and settings for DNN modules. So I used a workaround with a meta tag added to the website via PersonaBar.
That fix actually works, but firstly, it's not the most convenient solution. Secondly, it's a crutch. If localhost can generate an https link, then it means that prod also can. But why doesn't it? It's code that is generated by DNN, not by my code. So as a result I don't understand right now what's going on and why.
P.S. Just in case, to clarify what I'm talking about:
login as superuser to your website
click pencil button to edit page
hover over any DNN module
click pencil icon "Edit module" or gear icon "Settings" (doesn't matter)
that's the modal window with iframe I'm talking about
P.S. I've asked this question on the DNN forum yesterday already, but didn't receive any answers there, so I'm duplicating it here.
DNN's SSL implementation requires a number of things to be in alignment; however, the following should be correct.
Within the security section SSL needs to be enabled, AND enforced, and the page that you are on also has to have the "Secure" flag set.
This is working for us in all production environments, so you should be fine.
(If using SSL offloading, it's a bit more tricky.)

Can't embed external content on website

I want to embed external content on a website in an iframe. I can only load internal websites; external ones are undefined.
How can I enable CORS in Intershop 7.7 and load an external URL in an iframe or data dialog?
There is nothing special in using iframes in Intershop compared to another platform. Simply put in your ISML:
<iframe src="https://example.com">
</iframe>
Of course this may not succeed to load as you noticed. Some servers include the X-Frame-Options header with value e.g. SAMEORIGIN which instructs the browser that they don't want to be framed on other sites. This may be used to prevent clickjacking attacks. You may use Firebug or any appropriate tool to monitor for such errors during the frame load. An iframe may also not load if you mix http/s traffic.
If you want to programmatically access content from an iframe on a different domain, you may use the Web Messaging API (window.postMessage and the onmessage event) to communicate between the page and the included iframe.
In summary:
you can't simply frame any site (maybe your 'internal' site permits that);
this question is not relevant for the Intershop technology stack;
This should be possible with the content security policy support since version 7.6.
Please check the documentation of appserver.properties file. The keys intershop.response.content-security-policy. should help.
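The Web Messaging exchange mentioned in the answer above, written as an added example (not Intershop code or code from any of the posts) with the origin checks a defender wants on both ends; the trusted-origin list and the message shape are assumptions:

```javascript
// Added example (not Intershop code): the Web Messaging pattern from the
// answer above, with the origin checks a defender wants on both ends.
// The trusted-origin list and the message shape are assumptions.

// Parent side: build a "message" handler that only accepts messages from an
// allow-listed origin and of a known shape. event.origin is set by the browser
// from the sender's origin and cannot be forged by the sending script.
function makeMessageHandler(trustedOrigins, onData) {
  const allowed = new Set(trustedOrigins);
  return function onMessage(event) {
    if (!allowed.has(event.origin)) return "rejected-origin";
    const data = event.data;
    if (!data || typeof data !== "object" || data.type !== "frame-data") {
      return "rejected-shape";
    }
    onData(data.payload, event.origin);
    return "accepted";
  };
}

// Sender side: always name the target origin. With "*" the browser would
// deliver the data to whatever page is loaded in the frame, even after it
// has been navigated elsewhere.
function sendToFrame(frameWindow, payload, targetOrigin) {
  if (targetOrigin === "*") {
    throw new Error("refusing wildcard targetOrigin for application data");
  }
  frameWindow.postMessage({ type: "frame-data", payload }, targetOrigin);
}

// Browser wiring (skipped when run outside a browser, e.g. under Node):
if (typeof window !== "undefined") {
  const handler = makeMessageHandler(["https://example.com"], (payload, origin) => {
    console.log("data from", origin, payload);
  });
  window.addEventListener("message", handler);
  // const frame = document.querySelector("iframe");
  // sendToFrame(frame.contentWindow, { hello: 1 }, "https://example.com");
}
```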

Some CSS cannot be shown when switching the website from http to https

I have a website written in Ruby using the Ruby on Rails framework. Everything was fine when using the HTTP protocol, but when switching to the HTTPS protocol, some CSS material cannot be shown, while some of it can.
The font cannot be shown; originally the font was designed, but now it is not.
Does anyone know what happened?
Without any specific error I assume the browser is probably blocking files loaded as mixed content, i.e. using both HTTP and HTTPS. Use your browser's developer tools network tab to confirm this.
You can use // instead of http:// so that resources load over the same protocol the page content is loading from; see Can I change all my http:// links to just //?
Also read: How to fix a website with blocked mixed content

SSL and mixed content due to CSS background images

I have a web page containing an entry form. HTTPS is enabled via an Apache redirect for all requests matching that page. Unfortunately, because the CSS pulls in external images using 'background-image: url(/images/...)', the browser will generate a warning message that the page contains mixed content.
What's the best way to resolve this issue?
Update 2014.12.17:
Now that SSL is encouraged for everyone and doesn't have performance concerns, this technique is now an anti-pattern. If the asset you need is available on SSL, then always use the https:// asset.
Allowing the snippet to request over HTTP opens the door for attacks like the recent GitHub man-on-the-side attack. It's always safe to request HTTPS assets even if your site is on HTTP, however the reverse is not true.
More guidance and details in Eric Mills’ guide to CDNs & HTTPS.
Source: Paul Irish – The Protocol-relative URL
Here is a very popular solution:
There's this little trick you can get away with that'll save you some headaches:
In HTML
<img src="//domain.com/img/logo.png">
In CSS
div{background: url(//path/to/image.png);}
You should also enable HTTPS for your static resources, and then make sure that the <link> refers explicitly to the HTTPS url for the CSS resource (whose relative urls will then be interpreted relative to the HTTPS base of the CSS file).
You should use full URL for your image:
https://your.domain.com/img/image.png
or
https://your.domain.com/route/to/img/image.png
This solved my problem some time ago.
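A small scanner for the mixed-content problem discussed in this question and in the "Some CSS cannot be shown" question above, added here as an example that is not code from any of the posts: it finds http:// references in HTML src/href attributes and CSS url() values as a browser would resolve them from an https:// page, and reports the explicit https:// URL the answers recommend. The sample markup is constructed for illustration.

```javascript
// Added example, not from any of the posts above: find the mixed-content
// references the answers describe (http:// assets on an https:// page) in
// HTML src/href attributes and CSS url() values. Sample markup is constructed.

const ATTR_RE = /\b(?:src|href)\s*=\s*["']([^"']+)["']/gi;
const CSS_URL_RE = /url\(\s*["']?([^"')]+)["']?\s*\)/gi;

// True when `ref`, resolved the way a browser resolves it from `pageUrl`,
// would be fetched over plain http on an https page. Protocol-relative
// ("//host/x") and root-relative ("/x") references inherit the page scheme,
// which is why the answers above suggest them as a fix.
function resolvesInsecure(ref, pageUrl) {
  const page = new URL(pageUrl);
  if (page.protocol !== "https:") return false; // mixed content only applies to https pages
  try {
    return new URL(ref, page).protocol === "http:";
  } catch (e) {
    return false; // unparsable reference; the browser would not fetch it either
  }
}

// Return every reference that would be reported as mixed content, together
// with the explicit https:// URL the answers recommend using instead.
function findMixedContent(text, pageUrl) {
  const findings = [];
  for (const re of [ATTR_RE, CSS_URL_RE]) {
    re.lastIndex = 0;
    let m;
    while ((m = re.exec(text)) !== null) {
      const ref = m[1].trim();
      if (!resolvesInsecure(ref, pageUrl)) continue;
      const fixed = new URL(ref, pageUrl);
      fixed.protocol = "https:";
      findings.push({ ref, fix: fixed.href });
    }
  }
  return findings;
}

// Constructed sample page: one https asset, one protocol-relative asset,
// one root-relative CSS image, and two http:// references that get blocked.
const SAMPLE = `
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<img src="//cdn.example.com/img/logo.png">
<script src="https://cdn.example.com/app.js"></script>
<style>div{background: url(http://cdn.example.com/bg.png);} .ok{background:url("/images/a.png")}</style>
`;

function scanSample() {
  return findMixedContent(SAMPLE, "https://www.example.com/form");
}
```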

IE7 not Caching CSS Image over SSL

I'm using the WebDevHelper toolbar for Internet Explorer to troubleshoot HTTP requests/roundtrips on my SSL site and noticed that IE re-downloads my CSS :hover images every time they are triggered. This causes a huge amount of roundtrips.
How can I prevent this from happening?
Edit: All static content is served with cache-control: public, so images, javascript etc. are cached in Firefox and Chrome. This problem is IE specific.
Serve static content via http, sure, but don't do separate images for :hover states. Proper css image sprites should be used. It's just good practice all around, via https or http. There are tons of resources available for creating sprites. Supposedly SpriteMe, [ http://spriteme.org/ ] is an attempt to automate css image sprite creation.
If the images are being delivered from a different hostname than your main page, then you're hitting the artifact described here:
http://blogs.msdn.com/ieinternals/archive/2010/04/21/Internet-Explorer-May-Bypass-Cache-for-Cross-Domain-HTTPS-Content.aspx
Well, there are multiple issues according to other Stack Overflow posts. Firefox 2.x also has this problem, but Firefox 3.x doesn't.
Will web browsers cache content over https
Also in Internet Explorer, you go to Tools > Internet Options > Advanced tab > Security section > Do not save encrypted pages to disk. It appears to be unchecked by default in IE6, 7 and 8.
Content served via SSL will not be cached for security reasons. If you want something to be cached, serve it via HTTP.
Have you tried adding this to the header for those types of static files?
P3P: CP="CAO PSA OUR"
I know this works with in IE to allow storage of cookies through framesets and stuff. Not sure if it works with static files under HTTPS.
I know it sounds weird...
Try to put a URL to something that doesn't exist (404 error). After this, all the rest of the images will be cached.