I just finished a app with Meteor that was kind of to test the waters and really try to figure Meteor out. My application is a two player game with 64 buttons. Two users enter a single game, whoever presses the most buttons, wins. Everything works well for the most part except for one part, a user in the game can easily cheat by typing some jQuery into the console the most obvious is $('.button').click();. After a while of searching through Meteor Docs and trial and error I am stumped. The buttons are part of a collection specific to the two players. As soon as one player logs in the server side code inserts buttons into a collection called "Games". How can I protect users from modifying code via JavaScript console? I obviously don't want to post 100s of lines of code and I hope I gave you the gist of how my application operates if you want to see specific code please check out my Git Repo. Also heres a link to the actual game : Bubble Popper
You can't control what your clients do on their computers. You best hope is to add some restrictions on the server side. Perhaps it's not possible for any human to click on two buttons within 1 second? If it's not, then add this restriction on the server.
From How does Facebook disable the browser's integrated Developer Tools?
This should only work for chrome.
Object.defineProperty(console, '_commandLineAPI',
{ get : function() { throw 'Nooo!' } })
That being said - this isn't security - just a cosmetic thing / security from ignorance.
Security should happen via your server side Meteor.methods, and from your allow/deny rules in the db.
Related
Previously working code that downloads a csv file from our site, now fails. Chrome, Safari and Edge don't display anything helpful except "Blob Blocked", but Firefox shows a stack trace;
Uncaught TypeError: Location.href setter: Access to 'blob:http://oursite.test/7e283bab-e48c-a942-928c-fae0907fdc82' from script denied.
Then a stack dump from googletagmanager
This appears to be a fault in the tagmanager code introduced in the last couple of weeks.
The fault appears in all browsers and is resolved immediately by commenting out the tag manager. The problem reported by a customer on the production system, and then found on both staging and locally. The customer advised they had used the export function successfully 2 weeks ago.
The question really is, do Google maintain a public facing issues log for things like the tag manager?
It's not about GTM as a library really, it's about poor user implementation. It's not up to Google to check for user-introduced conflicts with the rest of the site's functionality.
What you could do is go to GTM, and see what has been released in the past two weeks. Inspect things and look for anything that could interfere with the site's functionality. At the same time - do the opposite, see all the front-end changes introduced during this time frame by the web-dev team.
Things to watch for is mostly unclosured JS deployed in custom HTML tags. junior GTM implementation specialists like to use the global space, taking the global variables, often after the page is loaded, thus overwriting front-end's variables.
Sometimes, people would deploy minified unclosured code to the DOM, thus chaotically taking short var names. To the same end.
This is likely the easiest and most common way for GTM to break front-end. There definitely still are many ways to do so besides this though.
If this doesn't help, there's another easy way to debug it: make a new workspace from Default (or whatever is live), go into the preview mode and confirm that the issue still happens. Now start disabling newest created fired tags one by one and pinpoint which one causes the issue.
Let us know what it was.
Solution was to replace the previous tag manager code with the latest recommended snippet
I already have dynamic responsive website with html5,JavaScript and php as backend.The client wants to convert it to an app since he wants offline capabilities. I am totally new to this. Really confused as to how to go about it. We have managed to write sqlite queries for loading the master data. But still unsure as to how all things fall into place.Do we have to include jquery mobile as well.please guide.
There's a couple of things to keep in mind. I'll address the easiest one first - no, you do not need to use jQuery Mobile. jQuery Mobile gives you a nice UI, and a SPA-like framework for your app, but it isn't required per se. You can use something else like Ionic for example.
As for the conversion, at a high level, this is what needs to happen.
Imagine your current PHP site has 2 pages. The home page is a list of people. You click on a person and you go to a detail page. You have 2 php pages. The first simply does a SQL query to get people and the second does a SQL query to get one person based on the query param.
In your PhoneGap app, your code is all on the user's device, which means no PHP. Your home page needs to get people, so it has to call an API on your application server. You can use PHP to do the SQL as it does now, but instead of displaying it as a simple HTML list, it outputs it as JSON.
On the PhoneGap side, you can call this via JavaScript and then render the results.
The same goes for the detail view - you would need an API on your server side to return info about the person.
I hope this helps. I also have a full blog entry on this, with demo, here: http://www.raymondcamden.com/2012/05/05/converting-a-dynamic-web-site-to-a-phonegap-application
I'm just learning ASP.NET using VB 2010, and although I've had a lot of good progress, I am stumped by one issue that I can't resolve. I've also the web for answers, but I haven't found anything that is exactly what I am dealing with. ...though I may not be using the correct search terms.
Anyway, this is an app that will run on our company internet site which requires users to enter information into text boxes and click a button to accept it. Then it will show a modal pop-up asking the user to confirm. The pop-up has a "Confirm" button and a "Cancel" Button. The cancel button works immediately (hides the confirmation pop-up), but the confirm button hangs up for several seconds before it moves to the next step, which is a modal "Thank You" pop-up. The Confirm button writes data to a database.
Now, that's how it works inside the development environment. However, when it's on the production server, it will sit there for who-knows-how-long before it does anything. I can tell that it is writing to the database, and then displaying the data on the page, but the Confirmation pop-up stays up, and the Thank You pop-up never shows up. Also, the app is supposed to send an email to the user as acknowledgement, but it doesn't do that.
When it hangs up like this, I have never waited long enough to see when it catches up. And when it's live like that, I don't know of a way to debug it.
More info about the page: There are several update panels, one that responds to a timer tick every second to update fields on the page. The others are set to "conditional," being updated by other events. For example, the Confirmation and Thank You modals are in conditional update panels which respond to different events.
So I have two questions: Can anyone advise me about the hangup, and is there a way to debug from a live site? Oh, and maybe a third: Can you have too many update panels?
Update: Follow up question: Can it be going off on a different thread, going off track from the correct thread? I've never really understood threading, but this seems like a possibility.
This could be any number of things, so it's going to probably be something you're going to need to dive into and troubleshoot and it's probably not something we'll be able to help with too much.
First, the obligatory request: please post your code :)
Now, something that works quickly and dev and slowly in production is usually a resource issue or a code/data issue. First, take a quick look at the server and make sure it's up to the task for multiple users and all of that. It's worth a quick look, but it's usually an issue with the code or data.
What is that update command doing? Is the SQL behind it written well and efficiently? Are there any database locks that might be happening where another user is doing something and your code is actually waiting for it to complete before doing the updating? How many rows are in the database / how many are being effected?
I'd start by running a SQL trace to see what's really happening and to get an ideas as to how many database calls there are an how long each one takes to execute. If that's not the answer, look at the VB code and see if it's efficiently written. If not, go back to the server resources. Without seeing any code or having any idea what the application is supposed to do, I'd bet on the database queries being the culprit.
My bad. I hadn't mentioned one aspect, because I had no idea it would be a factor, but it is. Part of the process was to log certain events into a log file. The way it's set up in our IIS, that's a big no-no. So it was throwing an error, but the error was only manifesting itself as a long delay. I commented out the code that opens, writes to, and closes the log file, and it's all good.
My web-app records users via webcam and microphone. I want to use HTML/JS for the controls and content, so I created two separate Flex modules:
* A "Webcam Setup" module that lets you choose your camera and mic input devices
* A "record" module that lets the user record and submit the recording
When I embed either of these on the page, since they access the user's Camera/Mic object, Flash shows the Privacy dialog that says "[mysite] is requesting access to your camera and microphone. If you click Allow, you may be recorded."
The problem is, if I answer Yes in the Setup module, and later add the Record module to the page using Javascript, it again shows the Privacy dialog.
Is there a way to avoid the second privacy popup?
I would think that saying "Yes" for [mysite] would store that permission for at least that session, but apparently not.
What I've tried
I tried combining them into one SWF, adding it to the page once and moving the DOM element with jQuery's append() function when needed. When I move it, however, it reloads and asks me again.
Imagine if [mysite] was, say, blogger.com or livejournal.com (or, if it were still around, geocities.com). Would you want a "yes" response on that site to be good for every page under that domain?
Rememeber, just because you promise (cross your heart & hope to die) not to abuse the security hole you request, doesn't mean they can allow you to have that security hole.
Eventually, I found a usable workaround, similar to what I originally tried (above).
I combined the setup and record modules into one SWF. I first show the setup screen. When the user hits the Continue button on my page, Javascript calls a function in the SWF to swap to the Record screen.
I then move the <div> containing the Flash object to another location on page using absolute positioning, and resize the object.
Previously, I was trying to use jQuery's append() function to move the div within the DOM, and that was causing the SWF to reload. Just changing position and size does actually work.
You could build the "record" component to simply send and receive signals using an API you've created for your "setup" component (which has already been authorized, meaning one auth & two swfs) by using the LocalConnection class:
http://livedocs.adobe.com/flex/3/langref/flash/net/LocalConnection.html
This seems far closer to best practice than the other implementations mentioned, which smell a bit hacky and would probably confuse anyone who may inherit the codebase in the future.
I am working on a Flex AS3 application and wanted to add the Facebook Like button inside the app. I am unable to find any API or anything apart from the http://developers.facebook.com/docs/reference/plugins/like code generator.
Any ideas on how this might be accomplished? I am quite new to the recent changes in the Facebook Platform, so any info would be appreciated.
A direct "like" button should not be possible, since Facebook needs to sandbox the whole thing. Both like button formats (iframe and xfbml) use a sandboxed iframe, so nobody but facebook can set "likes" or know anything about the user.
For that to work with Flash, I think facebook would have to provide the button itself as a SWF file so you can load it in Flash. Then it can create a sandbox within itself and thus load the user information safely. Very much like the Chromeless Youtube Player, where it's almost impossible for Flash to access the actual FLV URL (even through introspection).
But even so, I don't think this would provide enough security... realize that you are dealing with very private user information and credentials here.
The only way I know you can "like" stuff through Flash is first doing the whole Facebook Connect thing (several popup windows asking the user for permissions) and then using the API of your choice to do the actual "liking", for instance, with the Graph API:
http://developers.facebook.com/docs/api#publishing
The closest information I could find are these 2 items so far. Hope it helps you in your journey.
Facebook Developer Site: Source
Facebook like button in flash
I hate answering "no" to a question because what I really mean is "I don't know and I can't find a way". I'm sure your Google-fu is as good as mine. All I can see are Facebook forum posts like this where people are asking the same question and no one is answering.
The examples they give of the like button are either embedded in iFrames or using XFBML <fb:like ../> tag. There are no examples of how to like something using their new graph api or either of their old APIs (FQL and REST API).
I had to get a Facebook like button in a html page (looked like a header on the top) and get the swf embedded below. As its a complete flex app in my case, this work around was possible and plausible