Consume asp.net web api2 service in phonegap mobile app - asp.net

I've developed an asp.net web api2 service to use in a phonegap mobile application.
The asp.net web api2 service is running fine.
I've tested it from any site like localhost/abc or www.abc.com by ajax call. The response is ok.
But phonegap has no response.
I've used
<httpProtocol>
  <customHeaders>
    <add name="Access-Control-Allow-Origin" value="*" />
    <add name="Access-Control-Allow-Headers" value="Content-Type" />
  </customHeaders>
</httpProtocol>
in my service.
I've used
<access origin=".*" />
in phonegap.
But no result.
Please help me in resolving this.

#Debashis,
in all likelihood you have NOT implemented the CSP (Content Security Policy). This policy needs to be implemented at the webpage level. See below.
Quick fix to many common white-list problems
The alternative is this quick fix – but know that this fix removes all need for a white-list. This creates a security issue which you may not want to bypass.
QUICK FIX Add this to your config.xml
<preference name="phonegap-version" value="3.7.0" />
The long answer is as such:
From Top Mistakes by Developers new to Cordova/Phonegap you have hit:
#6 Not setting the "phonegap version" for your compiler
#7 Not setting "version" for your plugins
#10 Not adding the new "white-list" and "white-list plugin" parameters in config.xml.
For #6 & #7
With the CLI version, if you do not assign a version for your platform OR in ''Phonegap Build'' if you do not set the phonegap-version in config.xml, YOU WILL GET THE LATEST VERSION. If you are lucky, your program just works as expected. If you are not lucky, you'll get a set of cascading errors.
Luckily for all of us, Holly Schinsky has written a nice blog post to explain it all:
Cordova/PhoneGap Version Confusion
http://devgirl.org/2014/11/07/cordovaphonegap-version-confusion/
For #10
This relatively * NEW * requirement means – to access ANY website or resources on the web, you MUST use the whitelist and the whitelist plugin. This requirement goes into effect if you are using cordova-android#4.0.0 or better, including cli-5.1.1 and cli-5.2.0. If, however, your version is before 4.0.0, let's say 3.5.0 or 3.7.0, then you will not have to add the white-list requirement.
To be clear, the "whitelist" has been around for a bit, but the plugin and requirement are very new. As you would expect, when the "whitelist" was added, the de facto open-access feature was deprecated. Or said another way, the de facto open-access feature was planned and scheduled to be eliminated. This change marks a step in the removal of the open-access feature.
In addition, the Content Security Policy (CSP) has caught numerous developers - because it was soooo poorly publicized. Depending on your use and the version of Phonegap you are using, the CSP needs to go in every single HTML page you use, just like you have to wait for 'deviceready'. However, there are cases where it is not needed at all. The documentation is confusing for some, please read it carefully. The documentation is buried at the bottom of many of the latest documentation pages.
Related Links
Phonegap Build Forum: Notes for upgrading to cli-5.1.1 on PGB and now required Whitelist
Cordova Whitelist Guide
Phonegap Whitelist Guide
Phonegap Build Whitelist Guide

Hosting static content on different domain from webservices, how to avoid cross-domain?

We've recently been working on a fairly modern web app and are ready to begin deploying it for alpha/beta and getting some real-world experience with it.
We have ASP.Net based web services (Web Api) and a JavaScript front-end which is 100% client-side MVC using backbone.
We have purchased our domain name, and for the sake of this question our deployment looks like this:
webservices.mydomain.com (Webservices)
mydomain.com (JavaScript front-end)
If the JavaScript attempts to talk to the webservices on the sub-domain we blow up with cross domain issues. I've played around with CORS but am not satisfied with the cross browser support, so I'm counting this out as an option.
On our development PC's we have used an IIS reverse proxy to forward all requests to mydomain.com/webservices to webservices.mydomain.com - Which solves all our problems as the browser thinks everything is on the same domain.
So my question is, in a public deployment, how is this issue most commonly solved? Is a reverse proxy the right way to do it? If so, are there any hosted services that offer a reverse proxy for this situation? Are there better ways of deploying this?
I want to use CloudFront CDN as all our servers/services are hosted with Amazon, I'm really struggling to find info on if a CDN can support this type of setup though.
Thanks
What you are trying to do is cross-subdomain calls, and not entirely cross-domain.
There are tricks for that: http://www.tomhoppe.com/index.php/2008/03/cross-sub-domain-javascript-ajax-iframe-etc/
As asked how this issue is most commonly solved. My answer is: this issue is commonly AVOIDED. In the real world you would set up your domains such that you don't need to make such workarounds just to get your application running, or set up a proxy server to forward the calls for you. JSONP is also a hack-ish solution.
To allow this Web Service to be called from script, using ASP.NET AJAX, add the following line to the first web service code-behind :
[System.Web.Script.Services.ScriptService]
You can simply use JSONP for AJAX requests, and then cross-domain is not an issue.
If AJAX requests return some HTML, it can be escaped into a JSON string.
The second one is a little bit awkward, though.
You have 2/3 layers
in the web service code-behind class, add this attribute : <System.Web.Script.Services.ScriptService()> _
maybe you need to add this in the System.web node of your web.config:
<webServices>
<protocols>
<add name="AnyHttpSoap"/>
<add name="HttpPost"/>
<add name="HttpGet"/>
</protocols>
</webServices>
In the client-side interface
-Add a web reference to the service on the subdomain (e.g. webservices.mydomain.com/svc.asmx)
Visual Studio makes the "proxy class"
-add functionality in the masterpage's|page's|control's code behind
-Simply call these functions from client-side
You can use AJAX functionality with scriptmanager or use another system like JQuery.
If your main website is compiled in .NET 3.5 or older, you need to add a reference to the namespace System.Web.Extensions and declare it in your web.config file.
If you have the bandwidth (network I/O and CPU) to handle this, a reverse proxy is an excellent solution. A good reverse proxy will even cache static calls to help mitigate the network delay introduced by the proxy.
The other option is to setup the proper cross domain policy files and/or headers. Doing this in some cloud providers can be hard or even impossible. I recently ran into issues with font files and IE not being happy with cross domain calls. We could not get the cloud storage provider we were using to set the correct headers, so we hosted them locally rather than have to deal with a reverse proxy.
easyXDM is a cross domain Javascript plugin that may be worth exploring. It makes use of standards when the browser supports them, and abstracts away the various hacks required when the browser doesn't support the standards. From easyXDM.net:
easyXDM is a Javascript library that enables you as a developer to easily work around the limitation set in place by the Same Origin Policy, in turn making it easy to communicate and expose javascript API's across domain boundaries.
At the core easyXDM provides a transport stack capable of passing string based messages between two windows, a consumer (the main document) and a provider (a document included using an iframe). It does this by using one of several available techniques, always selecting the most efficient one for the current browser. For all implementations the transport stack offers bi-directionality, reliability, queueing and sender-verification.
One of the goals of easyXDM is to support all browsers that are in common use, and to provide the same features for all. One of the strategies for reaching this is to follow defined standards, plus using feature detection to assure the use of the most efficient one.
To quote easy XDM's author:
...sites like LinkedIn, Twitter and Disqus as well as applications run
by Nokia and others have built their applications on top of the
messaging framework provided by easyXDM.
So easyXDM is clearly not some poxy hack, but I admit it's a big dependency to take on your project.
The current state of the web is that if you want to push the envelope, you have to use feature detection and polyfills, or simply force your users to upgrade to an HTML5 browser. If that makes you squirm, you're not alone, but the polyfills are a kind of temporary evil needed to get from where the web is to where we'd like it to be.
See also this SO question.
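The consumer/provider exchange the easyXDM answer describes, written directly against the standard window.postMessage API that easyXDM uses where the browser supports it. This is an added example, not code from the thread or from easyXDM; the origins are the question's hypothetical deployment, and the envelope format and exposed methods are assumptions for the demo.

```javascript
// Added example, not from the thread or from easyXDM: a string-based consumer/provider
// exchange over window.postMessage with sender verification on both sides.
// Origins follow the question's deployment; everything else is assumed for the demo.
const CONSUMER_ORIGIN = 'https://mydomain.com';              // the front-end page
const PROVIDER_ORIGIN = 'https://webservices.mydomain.com';  // the page inside the iframe

// Methods the provider document is willing to expose across the boundary (assumed).
const EXPOSED_METHODS = {
  ping: () => 'pong',
  sum: (a, b) => a + b,
};

// Messages are strings of the form "<id>:<json>" so the transport stays string based.
function encodeEnvelope(id, body) { return `${id}:${JSON.stringify(body)}`; }

function decodeEnvelope(data) {
  if (typeof data !== 'string') return null;
  const sep = data.indexOf(':');
  if (sep <= 0) return null;
  try { return { id: data.slice(0, sep), body: JSON.parse(data.slice(sep + 1)) }; }
  catch (e) { return null; }                 // malformed JSON: drop the message
}

// Consumer side: always name the provider's origin as targetOrigin, never "*", so the
// request is not delivered if the iframe has been navigated somewhere else.
function callProvider(iframeWindow, id, method, args) {
  iframeWindow.postMessage(encodeEnvelope(id, { method, args }), PROVIDER_ORIGIN);
}

// Provider side: verify the sender first, then validate the envelope, then dispatch only
// to allow-listed methods. Returns what would be posted back, or null if dropped.
function handleProviderMessage(event) {
  if (event.origin !== CONSUMER_ORIGIN) return null;          // foreign sender: ignore
  const msg = decodeEnvelope(event.data);
  if (!msg || !msg.body || typeof msg.body.method !== 'string') return null;
  const fn = Object.prototype.hasOwnProperty.call(EXPOSED_METHODS, msg.body.method)
    ? EXPOSED_METHODS[msg.body.method] : null;  // own-property check blocks "constructor" etc.
  if (!fn) {
    return { targetOrigin: event.origin, data: encodeEnvelope(msg.id, { ok: false, error: 'unknown method' }) };
  }
  const args = Array.isArray(msg.body.args) ? msg.body.args : [];
  return { targetOrigin: event.origin, data: encodeEnvelope(msg.id, { ok: true, result: fn(...args) }) };
}

// Consumer side again: only accept replies that really came from the provider origin.
function handleConsumerReply(event) {
  if (event.origin !== PROVIDER_ORIGIN) return null;
  return decodeEnvelope(event.data);
}

// Browser wiring for the provider document (skipped when run outside a browser).
if (typeof window !== 'undefined') {
  window.addEventListener('message', (e) => {
    const r = handleProviderMessage(e);
    if (r && e.source) e.source.postMessage(r.data, r.targetOrigin);
  });
}
```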

Oracle padding exploit - how does it download the web.config?

I know there are already a few questions on SO about the oracle padding exploit but none of them explain how it downloads the web.config. I run a couple of ASP .NET apps which I have already tested using Microsoft recommended mitigation factors but I'm still scared that people will be able to get the web.config.
Can someone please explain how they do this or even provide a link to a tool that I can use to test my site with. I find that the official explanation of this part of the attack is really lacking.
The attack that was shown in the public relies on a feature in ASP.NET that allows files (typically javascript and css) to be downloaded, and which is secured with a key that is sent as part of the request. Unfortunately if you are able to forge a key you can use this feature to download the web.config file of an application (but not files outside of the application).
Guys - the answer is that once they have obtained the machineKey, they can use that key to fetch the files using another feature in ASP.NET
"In ASP.NET 3.5 Service Pack 1 and ASP.NET 4.0 there is a feature that is used to serve files from the application. This feature is normally protected by the machine key. However, if the machine key is compromised then this feature is compromised. This goes directly to ASP.NET and not IIS so IIS's security settings do not apply. Once this feature is compromised then the attacker can download files from your application - including web.config file, which often contains passwords.
Versions of ASP.NET prior to ASP.NET 3.5 SP1 do not have this feature, but are still vulnerable to the main machine key attack."
(see the post at the bottom of here: http://forums.asp.net/t/1603799.aspx from the asp.net team)
Scott Guthrie has a post which explains it to some extent.
This blogpost is pretty interesting: http://www.gdssecurity.com/l/b/
also read this:
How serious is this new ASP.NET security vulnerability and how can I workaround it?
afaik it goes like this:
these are hit: webresource.axd and scriptresource.axd, both use an encrypted/signed value that asp.net tries to check if it's valid
because of differences in the response when the files are valid or not, they can make the padding attack.
once the attack is successful they can generate a request for a resource as if it were originally emitted from asp.net
Now, as far as I knew, both of those are supposed to serve embedded resources, but I guess that's not the case (Scott Gu did mention in his post's comments those are the ones being used in the attack showed).
The following post may be interesting for this thread:
http://blog.mindedsecurity.com/2010/10/breaking-net-encryption-with-or-without.html
FYI, a patch for this bug has been released on Windows Update.
http://weblogs.asp.net/scottgu/archive/2010/09/30/asp-net-security-fix-now-on-windows-update.aspx
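The request pattern the answers above describe (many probes against WebResource.axd/ScriptResource.axd with differing responses) is something a defender can look for in IIS logs. This is an added example, not from the thread: a small W3C log parser plus a per-client scorer, with constructed log lines and IP addresses; the thresholds are assumptions to tune against your own traffic.

```javascript
// Added example, not from the thread: detect the burst of handler probes that a padding
// oracle attack leaves in IIS W3C extended logs. Log lines below are constructed for the demo.
const RESOURCE_HANDLERS = ['/webresource.axd', '/scriptresource.axd'];

// Parse W3C extended log text: a "#Fields:" directive names the columns, then one
// space-separated entry per line. Returns an array of {field: value} objects.
function parseW3cLog(text) {
  let fields = null;
  const entries = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line) continue;
    if (line.startsWith('#Fields:')) { fields = line.slice(8).trim().split(/\s+/); continue; }
    if (line.startsWith('#') || !fields) continue;      // other directives / no header yet
    const cols = line.split(/\s+/);
    if (cols.length !== fields.length) continue;         // malformed entry: skip it
    const entry = {};
    fields.forEach((f, i) => { entry[f] = cols[i]; });
    entries.push(entry);
  }
  return entries;
}

// Group handler requests per client. A real page load fetches a handful of cached resources;
// a client sending many distinct "d=" values and getting mostly 500/404 back is suspect.
function findPaddingOracleSuspects(entries, opts) {
  const minRequests = (opts && opts.minRequests) || 50;    // assumed thresholds
  const minErrorRate = (opts && opts.minErrorRate) || 0.5;
  const perClient = new Map();
  for (const e of entries) {
    if (!RESOURCE_HANDLERS.includes((e['cs-uri-stem'] || '').toLowerCase())) continue;
    const s = perClient.get(e['c-ip']) || { requests: 0, errors: 0, queries: new Set() };
    s.requests += 1;
    if (e['sc-status'] === '500' || e['sc-status'] === '404') s.errors += 1;
    s.queries.add(e['cs-uri-query']);
    perClient.set(e['c-ip'], s);
  }
  const suspects = [];
  for (const [ip, s] of perClient) {
    const errorRate = s.errors / s.requests;
    if (s.requests >= minRequests && errorRate >= minErrorRate) {
      suspects.push({ ip, requests: s.requests, distinctQueries: s.queries.size, errorRate });
    }
  }
  return suspects.sort((a, b) => b.requests - a.requests);
}

// Constructed sample: one normal visitor, then one client cycling through hundreds of
// guessed "d=" values where only a few come back without an error.
function buildSampleLog() {
  const lines = ['#Software: Microsoft Internet Information Services 7.5',
                 '#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status',
                 '2010-09-20 10:00:01 GET /Default.aspx - 198.51.100.10 200',
                 '2010-09-20 10:00:01 GET /WebResource.axd d=VALIDTOKEN1 198.51.100.10 200',
                 '2010-09-20 10:00:02 GET /ScriptResource.axd d=VALIDTOKEN2 198.51.100.10 200'];
  for (let i = 0; i < 300; i++) {
    const status = i % 50 === 0 ? '200' : '500';
    lines.push(`2010-09-20 10:05:${String(i % 60).padStart(2, '0')} GET /WebResource.axd d=GUESS${i} 203.0.113.7 ${status}`);
  }
  return lines.join('\n');
}
```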

performance boosters for an asp.net website in production server

I have an asp.net webforms application in production server and it was really slow. So I decided to get some performance tips from my fellow SO users.
I've applied these to increase my asp.net website performance,
Set debug=false
Turn off Tracing
Image caching
<caching>
<profiles>
<add extension=".png" policy="CacheUntilChange" kernelCachePolicy="CacheUntilChange" location="Any" />
<add extension=".jpg" policy="CacheUntilChange" kernelCachePolicy="CacheUntilChange" location="Any" />
<add extension=".gif" policy="CacheUntilChange" kernelCachePolicy="CacheUntilChange" location="Any" />
</profiles>
</caching>
Any other real performance booster do you know? Any Suggestion...
A webpage can be fast only by design.
A simple option can not make your page load faster. The debug=off only eliminates the extra debugging functions and actually, if you do not use them, it can not do many things.
I agree with all that Paul says, and you can find them here with more details and I have to say as extra...
You need to follow some guide and do a lot of work to make them real fast.
What I follow.
I use (custom) cache for my database actions that really boosts the data loading speed, but at the same time makes the code much bigger and I have spent a lot of time.
I have used a profiler to find my slow points on the page and correct them.
I use the Inspector on Google Chrome Browser to locate slow loading and double loading problems.
I have eliminated the double use/creation of any variables on custom controls.
I use cache on the client browser based on these suggestions.
I use webfarm and/or webgarden (more than one pool).
How to see your page speed: http://code.google.com/speed/page-speed/docs/using.html
Optimize cache: http://code.google.com/speed/page-speed/docs/caching.html
Many general topic from google can be found here: http://code.google.com/speed/articles/
About caching: http://www.mnot.net/cache_docs/
Hope this helps.
Not directly ASP.NET, but
1) Make sure compression is enabled within IIS.
2) If your site is cookie "heavy", host static files (images, CSS and JS) within a separate domain. Each request back to the server needs to send all site cookie information back to the server. So if your cookie usage is 10kb+ then 20 static file references within the page will result in an extra 200kb being sent back to the server in total. If you move the static files over to a domain which has no cookie requirements you remove this overhead. It is worth noting that due to a "fault" in how IE processes things, you don't get any benefit in using subdomains; IE appears to insist on sending all domain cookies to sub domains. An additional benefit to this is allowing more HTTP requests in parallel.
Stop hacking your production server (that is likely to introduce functional bugs) and take a step back. Can you reproduce the performance problems in a non-production environment? If not, then do the work to try.
You should try to reproduce the problem as follows:
Get production-grade hardware in your test environment - web and database servers etc - running the same hardware as production
Run the same software set as production - this includes the same configuration of ASPNET and all other services used.
Load production-size data (production data if possible) into your databases (remember to firewall your lab from the internet so that it cannot send mail or other things to the internet, or your users might start receiving email notifications from the test system which would be bad!)
Create simulated traffic to the site to production level - this is potentially quite tricky but there are a lot of tools available
Now you've got a fighting chance to repro the problem in testing, you can try solutions.
Usually database-driven web sites are bottlenecked by the database, so I'd start there. The main tricks are
Do fewer queries
Optimise the queries you do do (fetch less data, use appropriate indexes etc)
Change the database structure so that the queries you have to do are easier for it (clustered indexes etc, denormalise possibly)
But any change you make, try it on your test system, measure the results, and if it doesn't help, ROLL IT BACK.
In general configuration changes are likely to make only minor differences, but you can try those too.
If all this sounds like too much effort, try throwing hardware at the problem - developer time is much more expensive than hardware. In the time it takes you to do the above (could be months depending on the complexity of the app) you could have bought some meaty production boxes. But be sure that it's going to help.
Does your database fit in RAM? Could it possibly fit in RAM? If the answers to those questions are no and yes respectively, buy more RAM for the database. This is one of the cheapest ways of making your db go faster without code changes.

Flex Builder Endpoint Tokens

I'm trying to get a better understanding of how endpoints work. I've read this and have learned that the services.config is "baked" into the swf at compile time. In that article he references the tokens...
<endpoint uri="http://myServer:{server.port}{context.root}/flex2gateway/" class="flex.messaging.endpoints.AMFEndpoint"/>
... where server.port, and context.root are the tokens. I guess what I'm wondering is what tokens are available to me, and if they act like variables can I set my own custom token?
Edit: We're moving to another development server soon. We have 2 main flex developers and when they check out projects from the repository we want their projects to work independently of each other... so I want to make sure the endpoint will get set correctly for each developer's project location.
I would have thought that, when compiled, the tokens would be hard coded into the app... this apparently is not the case, so using {server.name} worked for us.

Running ASP.Net websites in Medium Trust environments

Disclaimer: I have limited ASP.Net skills
I have a couple of websites which I am transferring from my current hosting onto the Mosso hosting service. When I tried transferring one of the websites, I got the error "System.Security.SecurityException: That assembly does not allow partially trusted callers.", which appears to have to do with the fact that Mosso runs on Medium Trust for ASP.Net apps, and the code in the website appears to require full-trust.
Unfortunately, I don't have access to the full source code for the app, and the original developer is not available. Is there any easy workaround to porting these websites? I tried adding in web.config but that didn't work.
I don't think asking Mosso to adjust the security level is an option, because they had refused when I asked them.
Does anybody have any ideas?
Is your assembly strong named? Does it call strong named assemblies?
You should apply the 'AllowPartiallyTrustedCallers' attribute to the Assembly. More information about this attribute is available here.
From the docs:
By default, a strong-named assembly that does not explicitly apply this attribute at assembly level to allow its use by partially trusted code can be called only by other assemblies that are granted full trust by security policy. This restriction is enforced by placing a LinkDemand for FullTrust on every public or protected method on every publicly accessible class in the assembly. Assemblies that are intended to be called by partially trusted code can declare their intent through the use of the AllowPartiallyTrustedCallersAttribute.
See this MSDN article for more information.
Edit:
Some information that confirms my suspicions that the APTCA attribute is a possible solution to the problem:
https://support.isqsolutions.com/article.aspx?id=10334
http://bloggingabout.net/blogs/rick/archive/2006/04/07/11929.aspx
Sorry to say but unless they allow you to set the trust level, you could have big issues. You could have a look here.
Professional ASP.NET 2.0 Security, Membership, and Role Management
Almost exactly the same thing happened to me, except that my hosting company changed their trust policy after I had a number of websites running on their servers for a couple of years. In the end I had to give up and move to DiscountASP as they overrode <trust level="Full" /> in my config file.
Here was my original question.
ASP.NET WebPermission Security Exception
Good luck
I know this is old, but I thought I'd add something to it that might help. Mosso's change to Medium trust caused us some issues as well.
We use BlogEngine.NET and access MySQL for its backend. We had the MySQL dll in our bin directory and that was causing issues with medium trust. Once Mosso added a MySQL dll to the GAC, we were able to use it successfully.
Obviously, I don't know your particular details and what you are trying to do, but if it is related to MySQL, let me know.