How to set vary http header in page level in coldfusion - iis-7

I have built a mobile friendly application by detecting mobile users on the fly and serving a different layout in ColdFusion, which is termed 'Dynamically serving different HTML on the same URL' by Google. I should change the server HTTP header to be a "Vary HTTP header".
Now, I have to set up a Vary HTTP header based on layout. If it is mobile then I have to set Vary: User-Agent. How can I set this at page level through ColdFusion?
Can I achieve this through ColdFusion? If not, can you help me set it up in IIS.
Thanks

You can use setHeader() for this:
<cfscript>
pc = getPageContext().getResponse();
pc.setHeader( "vary", "user-agent" );
</cfscript>
This functionality isn't very well documented in the official ColdFusion documentation, but this article tells you all you need to know.
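As an added example (not code from the original answer): choosing the layout from the User-Agent and sending Vary: User-Agent on every response for the URL, not only the mobile one, so shared caches key the two variants consistently. The detection pattern and the layouts/ template names are assumptions.

```cfml
<cfscript>
// Added example, not the original answer's code. The detection pattern and
// the layouts/ template names are assumptions.
resp = getPageContext().getResponse();   // underlying servlet response object
ua   = cgi.http_user_agent;

// Crude mobile check on the User-Agent (assumed; substitute real detection).
isMobile = reFindNoCase("(iphone|ipod|android.*mobile|windows phone|blackberry)", ua) GT 0;
layout   = isMobile ? "mobile" : "desktop";

// Send Vary on BOTH branches: a desktop response cached without Vary would be
// handed to mobile clients (and vice versa) by any shared cache on the path.
// addHeader appends instead of replacing a Vary value set elsewhere (for
// example Vary: Accept-Encoding from compression), so existing keys survive.
resp.addHeader("Vary", "User-Agent");
</cfscript>
<cfinclude template="layouts/#layout#.cfm">
```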

Related

Can I include an https resource from a page loaded by http

I will host my site using http and in the web page, I want to include some resource (css, js) from some https site.
Is that allowed (seems to me it is fine)?
Does any specification discuss this?
Yes, it's allowed. I'm not sure that it's documented in a specification anywhere; it seems more like a browser policy.

Modifying X-Frame Options on an IFRAME through Node.JS?

Is it possible to modify the Response Headers for an IFRAME in a Node.JS application?
Do you have to create a proxy first? ( Something similar to this? http://www.bennadel.com/blog/2179-Extending-EventEmitter-In-Order-To-Create-A-Response-Proxy-In-Node-js.htm )
I basically want to be able to show the mobile version of Gmail within an IFRAME.
In general the answer is yes, you would have to proxy it. However in this particular case, that may not even work - Google seems to have deployed additional counter-measures to block logging in via proxies. (If you're proxying the request, then you can see the user's password, read their email, etc.)
If you only need to read your own email, then you have an alternate option: https://USERNAME:PASSWORD@gmail.google.com/gmail/feed/atom will give you an RSS feed of recent emails. This also has the x-frame-options: SAMEORIGIN header, but you can proxy it through node.

serving images from one domain for multiple websites

We have nearly 13 domains within our company and we would like to serve images from one application in order to leverage caching.
For example, we will have c1.example.com and we will put all of our product images under this application. But here I have some doubts:
1- How can I force client browsers to cache the image and not request it again?
2- When I reference those images in my application, I will use the following HTML markup:
<img src="http://c1.example.com/core/img1.png" />
But this causes a problem when I run the website under https. It gives a warning about the page. It should have been https://c1.example.com/core/img1.png when I run my apps under https. What should I do here? Should I always use https? Or is there a way to switch automatically?
I will run my apps under IIS 7.
Yes, you need to serve all resources over https when the HTML page is served over https. That's the whole point of using https.
If the hrefs are hardcoded in the HTML, one solution could be to use a Response Filter that will parse all content sent to the client and replace http with https when necessary. A simple Regular Expression should do the trick. There are plenty of articles out there about how these filters work.
About caching, you need to send the correct cache headers and ETag. There are several questions and answers on this on SO, like this one: IIS7 Cache-Control
You need to use HTTP headers to tell the browser how to cache. It should work by default (assuming you have no query string in your URLs) but if not, here's a knowledge base article about the cache-control header:
http://support.microsoft.com/kb/247404
I really don't know much about IIS, so I'm not sure if there are any other potential pitfalls. Note that browsers may still send HEAD requests sometimes.
I'd recommend you set up the image server so that HTTP/S is interchangeable, then just serve HTTPS URLs from HTTPS requests.
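One way to send the cache headers the answers describe, as an added example that is not code from the original answers: a ColdFusion handler on the image host (c1.example.com is the host named in the question) that serves one fixed directory with Cache-Control and ETag and answers If-None-Match with 304. The /core/ directory, the f URL parameter and the type map are assumptions.

```cfml
<cfscript>
// Added example, not the original answers' code. Directory, "f" parameter
// and the extension-to-MIME map are assumptions.
types  = { png = "image/png", jpg = "image/jpeg", gif = "image/gif" };
imgDir = expandPath("/core/");                                  // assumed image root
name   = getFileFromPath(structKeyExists(url, "f") ? url.f : ""); // drop any path part
ext    = lCase(listLast(name, "."));
path   = imgDir & name;

// Only allow-listed image types that exist in the fixed directory are served.
ok = len(name) && structKeyExists(types, ext) && fileExists(path);
if ( ok ) {
    info = getFileInfo(path);
    // Validator from size + modification time: fine for static images that are
    // replaced under a new file name rather than overwritten in place.
    etag = '"' & hash(info.size & "|" & info.lastModified) & '"';
    hdrs = getHttpRequestData().headers;
    notModified = structKeyExists(hdrs, "If-None-Match") && hdrs["If-None-Match"] == etag;
}
</cfscript>
<cfif not ok>
    <cfheader statusCode="404" statusText="Not Found">
    <cfabort>
</cfif>
<!--- One year, cacheable by browsers and shared proxies alike --->
<cfheader name="Cache-Control" value="public, max-age=31536000">
<cfheader name="ETag" value="#etag#">
<cfif notModified>
    <!--- Client copy is still valid: no body, browser reuses its cache --->
    <cfheader statusCode="304" statusText="Not Modified">
    <cfabort>
</cfif>
<cfcontent type="#types[ext]#" variable="#fileReadBinary(path)#">
```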

How to modify "Cache-Control" header in Drupal 5.x?

We are using Drupal 5.x. We are experimenting with Squid as reverse proxy. Squid and Drupal are configured. Static content is getting cached.
For testing purposes, we would like to set "Cache-Control: public ..." on the 'authenticated' pages returned by Drupal.
We see that the headers are set in bootstrap.inc. We've modified all instances of the "Cache-Control" header in that file and set it to 'public'. However, when we view the HTTP headers (in Safari's Web Inspector), we see "Cache-Control: private". For that reason, Squid is returning Cache MISS on those pages.
Question is - where exactly is this "Cache-Control" getting set to "private"? How can we change the "Cache-Control" header for authenticated users?
Thanks in advance!
Try Pressflow (https://launchpad.net/pressflow/5.x) which is a fork of Drupal with built in cache control.

How Can I Bypass the X-Frame-Options: SAMEORIGIN HTTP Header?

I am developing a web page that needs to display, in an iframe, a report served by another company's SharePoint server. They are fine with this.
The page we're trying to render in the iframe is giving us X-Frame-Options: SAMEORIGIN which causes the browser (at least IE8) to refuse to render the content in a frame.
First, is this something they can control or is it something SharePoint just does by default? If I ask them to turn this off, could they even do it?
Second, can I do something to tell the browser to ignore this http header and just render the frame?
If the 2nd company is happy for you to access their content in an IFrame then they need to take the restriction off - they can do this fairly easily in the IIS config.
There's nothing you can do to circumvent it, and anything that does work should get patched quickly in a security hotfix. You can't tell the browser to just render the frame if the source content header says not allowed in frames. That would make it easier for session hijacking.
If the content is GET only and you don't post data back, then you could get the page server side and proxy the content without the header, but then any post back should get invalidated.
UPDATE: 2019-12-30
It seems that this tool is no longer working! [Request for update!]
UPDATE 2019-01-06: You can bypass X-Frame-Options in an <iframe> using my X-Frame-Bypass Web Component. It extends the IFrame element by using multiple CORS proxies and it was tested in the latest Firefox and Chrome.
You can use it as follows:
(Optional) Include the Custom Elements with Built-in Extends polyfill for Safari:
<script src="https://unpkg.com/@ungap/custom-elements-builtin"></script>
Include the X-Frame-Bypass JS module:
<script type="module" src="x-frame-bypass.js"></script>
Insert the X-Frame-Bypass Custom Element:
<iframe is="x-frame-bypass" src="https://example.org/"></iframe>
The X-Frame-Options header is a security feature enforced at the browser level.
If you have control over your user base (IT dept for corp app), you could try something like a greasemonkey script (if you can a) deploy greasemonkey across everyone and b) deploy your script in a shared way)...
Alternatively, you can proxy their result. Create an endpoint on your server, and have that endpoint open a connection to the target endpoint, and simply funnel traffic backwards.
Yes Fiddler is an option for me:
Open Fiddler menu > Rules > Customize Rules (this effectively edits CustomRules.js).
Find the function OnBeforeResponse
Add the following lines:
oSession.oResponse.headers.Remove("X-Frame-Options");
oSession.oResponse.headers.Add("Access-Control-Allow-Origin", "*");
Remember to save the script!
As for the second question - you can use Fiddler filters to set the response X-Frame-Options header manually to something like ALLOW-FROM *. But, of course, this trick will work only for you - other users still won't be able to see the iframe content (if they do not do the same).
