I have a small little swf that I'm trying to get to work while the webpage is using https/ssl. I'm passing into the swf the fact that the page is using https and have conditional logic as such:
if ( secure ) {
pollChannel = new AMFChannel('my-secure-polling-amf','https://' + globalDomain + '/flex2gateway/cfamfpollingsecure');
}
else {
pollChannel = new AMFChannel('cf-polling-amf','http://' + globalDomain + '/flex2gateway/cfamfpolling');
}
When the page is http it uses the correct endpoint no problem. When secure == true for whatever reason the browser is reporting its using http://somedomain.local/flex2gateway/cfamfpollingsecure, not https.
Anybody have a clue why??? I don't understand why it would adjust itself like that.
Any help is much appreciated!
Lucky for you I had the exact same mystery issue last week and the fix is extremely simple (once you know where to look, that is; I've been digging through the source code for a while to figure it out):
you just have to use SecureAMFChannel instead of the regular AMFChannel
Related
I have a question about writing a frame-buster-buster. I have already read Frame Buster Buster ... buster code needed but I need an extra tweak.
My content from my blog at [http://my_domain.c0m/blog] is being displayed at another site showing three "views". One view is a feed and doesn't particulary bother me. The other two bother me and I wish to break both. I also want to permit exceptions of domains with permission to frame.
In one view, it appears the the content from the top of my html of the top of my blog is first copied to create a "snapshot" [http://the_other_domain.c0m/copy_of_blog] then that copy is framed in [http://the_other_domain.c0m/ ]. So, in this case, the 'child' copy are both hosted at [http://the_other_domain.c0m/] . Google translate does a similar thing-- but I find this ok. So, I would like to break this frame while also permitting exceptions for google and also for people who have made a copy to their pcs and would like to view in a utility that might frame.
In the other view, it appears the content from my site is framed. So in this case [http://my_domain.c0m/blog_post] is framed by [http://the_other_domain.c0m/]. I would like to bust out of this frame. However, my difficulty is that I can't figure out how to do so while keeping the exceptions for google translate or individual pc users frames at home.
My solution so far (I am not particularly familiar with javascript. So, please don't laugh too hard at the redundancy and lack of knowledge):
I was able to bust the first frame using:
<SCRIPT type="text/javascript" >
var topWindow = String(top.location)
var topWord=topWindow.split("/")
var selfWindow = String(self.location)
var selfWord=topWindow.split("/")
var correctLocation ="http://my_domain.c0m/blog"
var correctWord2="my_domain.c0m"
var http="http:"
if( ( (topWord[2] != correctWord2) || (selfWord[2] != correctWord2) )
&& (topWord[2] != 'translate.googleusercontent.com' ) && (topWord[0] == http ) ){
document.write("message expressing my opinion about the asshattery going in here.]" )
setTimeout("redirect_after_pause()",8000)
}else{
//document.write("<p><font color='purple'>Hi there! Javascript is working.</font> </p> " )
}
function redirect_after_pause() {
var correctLocation ="http://my_domain.c0m/blog"
top.location=correctLocation
}
I know this is inefficient. But it works and achieves my goal of making an exception for a) translations at googlecontent which my readers in france requested and b) cases where a user is framing in a utility that downloads to their pc (which I think has uri's beginning with "FILE:".
Now the difficulty: This does not work for the view where content hosted at my domain is framed at the other domain. I believe I have tracked the problem down to var topWindow = String(top.location) not being permitted in my child window. In principle, this would work:
<script type="text/javascript">
if(top != self) top.location.replace(location);
However, I think it screws up the use of google translate which uses a top frame that holds their translation of my content also hosted at [http://translate.google.com]. I suspect it similarly screws up readers that might display a local copy on someones pc if that copy is displayed in a frame.
If someone can guide me toward a solution I can implement to break both frames while permitting my exception
BTW: It does appear that the site in question is using a framebuster. I poked around and found this inside their /static/common.js?1345250291 code:
enable_iframe_buster_buster:function(){var a=this,b=0;window.onbeforeunload=function(){b++};clearInterval(this.locks.iframe_buster_buster);this.locks.iframe_buster_buster=setInterval(function(){0<b&&(b-=2,a.flags.iframe_story_locations_fetched&&!a.flags.iframe_view_not_busting&&_.contains(["page","story"],a.story_view)&&NEWSBLUR.reader.active_feed&&($(".NB-feed-frame").attr("src",""),window.top.location="/reader/buster",$(".task_view_feed").click()))},1)},disable_iframe_buster_buster:function(){clearInterval(this.locks.iframe_buster_buster)}
That's deep inside some particulary dense javascript. Whatever it does it doesn't seem to affect my ability to bust the frame for the case where my content is copied and hosted at [http://the_other_domain.c0m/]. I haven't yet fully explored whether it busts simple framebusters because earlier I only recently recognized that " var topWindow = String(top.location) " was forbidden in the child frame with a different domain from the parent frame.
Whether or not the frame-buster is present, I'd like help with solutions here. I know that if one site is now framing my content in this way it is only a matter of time before the obnoxious technique catches on and I would like to code in solutions that bust both methods gracefully while providing myself with exceptions. Thanks in advance.
Is it possible not to show the google analytic code on the master page? I mean can I place it somewhere where no one can see it but still get all the analysis on the application ?
You can use the mobile code for google analytic to make what you ask.
http://code.google.com/mobile/analytics/docs/web/
How this works. This google modile code can call the google analytic from your server on code behind, and not from the client page using javascript. So you can totally hide this call from your clients, and all data are send to google analytic, let say on page load.
First on your google analytic detail page, get the code for mobiles for asp.net, and then see this code that you need to focus and change, so you can make a global function that use on Page Load. To avoid possible delay I also suggest to make a new thread call to the google analytics, until the asp.net 4.5 get outs that include that option on WebRequest.
string utmGifLocation = "http://www.google-analytics.com/__utm.gif";
// Construct the gif hit url.
string utmUrl = utmGifLocation + "?" +
"utmwv=" + Version +
"&utmn=" + GetRandomNumber() +
"&utmhn=" + HttpUtility.UrlEncode(domainName) +
"&utmr=" + HttpUtility.UrlEncode(documentReferer) +
"&utmp=" + HttpUtility.UrlEncode(documentPath) +
"&utmac=" + account +
"&utmcc=__utma%3D999.999.999.999.999.1%3B" +
"&utmvid=" + visitorId +
"&utmip=" + GetIP(GlobalContext.Request.ServerVariables["REMOTE_ADDR"]);
SendRequestToGoogleAnalytics(utmUrl);
private void SendRequestToGoogleAnalytics(string utmUrl)
{
try
{
WebRequest connection = WebRequest.Create(utmUrl);
((HttpWebRequest)connection).UserAgent = GlobalContext.Request.UserAgent;
connection.Headers.Add("Accepts-Language",
GlobalContext.Request.Headers.Get("Accepts-Language"));
using (WebResponse resp = connection.GetResponse())
{
// Ignore response
}
}
catch (Exception ex)
{
if (GlobalContext.Request.QueryString.Get("utmdebug") != null)
{
throw new Exception("Error contacting Google Analytics", ex);
}
}
}
All that is a little hack on google analytic mobile code, but the general idea works on your case. Get the Google Analytic SDK here.
http://code.google.com/apis/analytics/docs/tracking/home.html
What actually google try to archive here. Google say that there is not reason for mobile phone with limited and costly bandwidth to make the call on google analytics. So google make a code behind call to google analytic just by opening a page. From the part of the mobile, he only need to read a tiny image, and on code behind this call to the image is making the reall call to google. From your side, you do not need to place an image, you can direct call google analytic by changing a little the function that google provides.
Hope this help.
since you have to put it in your header for the analytic script, there is no easy way of doing this. you want to hide your ID#? There may be a way to reference a variable for your ID#, but without a bunch of extra coding there is no way.
If it's there, people can see it if they look for it. If it's not there, you can't get the analysis.
You could get a little sneaky, and have the analytics on a page that gets loaded into an invisible iframe, but someone that wants to find it will.
I ran into an extremely odd issue with IE today. IE fails every time I try to do a response.redirect more than ten times! Of course, the page works fine in FF and Chrome. Has anyone else experienced something like this?
Here are some code snippets to make sure I am not doing anything blatantly wrong...
Loop
if ( iDomain < ubound(aDomain) ) then
Response.Redirect "/home/login/a_logout.asp?site=" & strSite & "&domain=" & iDomain+1 & "&l=" & ilogout & "&s=" &sSid
end if
Array
Dim aDomain(10)
aDomain(0) = ".x.com"
aDomain(1) = "www.x.com"
aDomain(2) = "w1.x.com"
aDomain(3) = "w2.x.com"
aDomain(4) = "x.com"
aDomain(5) = "w3.corporate.x.com"
'aDomain(5) = "w4.x.com"
aDomain(6) = "w5.x.com"
aDomain(7) = "w6.x.com"
'aDomain(8) = ""
'aDomain(9) = "w8.x.com"
aDomain(8) = "w9.x.com"
aDomain(9) = "w10.x.com"
Removed context sensitive data.
Let me know if you need any other info. Thanks!
This is the default behaviour to prevent a user from being looped back to the same page infinitely.
IE8s limit is 10 requests to the same page, Chrome and FireFox I believe are 20.
And no, a different querystring doesn't constitute a new page as I found out myself.
I would highly suggest that you change this. Redirecting multiple times is a pretty bad idea.
Instead, just run whatever code is being run by your a_logout page locally. I'm assuming your clearing several cookies. Go ahead and resend all of the appropriate cookies with blank data and an expires yesterday time.
Redirecting so often is blatantly wrong. The ideal maximum number of redirects is 1. In practice it can be a lot easier to do certain tasks if you allow for more than that, but anywhere more than 5 redirects happen should be considered a bug (more than 1 on the same server or more than 3 that crosses to another server should be considered sub-optimal, but not urgent to fix).
Browsers can't depend upon servers never doing anything blatantly wrong, so after a few goes they give up to save the user from the server. Sometimes user-agents don't protect themselves in this way (not serious browsers, but it's an easy mistake to make writing a simple piece of HTTP client code). It isn't pretty.
To demonstrate just how bad this can be, consider a case where the handler for /somePath/?id=1 redirects to /somePath/?id=2 which redirects to /somePath/?id=3 and so on. For all the server knows, you've just got a more obscure version of that, and will never stop redirecting.
I want to display LaTeX math in the gmail messages that I receive, so that for example $\mathbb P^2$ would show as a nice formula. Now, there are several Javascripts available (for example, this one, or MathJax which would do the job, I just need to call them at the right time to manipulate the gmail message.
I know that this is possible to do in "basic HTML" and "print" views. Is it possible to do in the standard Gmail view? I tried to insert a call to the javascript right before the "canvas_frame" iframe, but that did not work.
My suspicion is that manipulating a Gmail message by any Javascript would be a major security flaw (think of all the malicious links one could insert) and that Google does everything to prevent this. And so the answer to my question is probably 'no'. Am I right in this?
Of course, it would be very easy for Google to implement viewing of LaTeX and MathML math simply by using MathJax on their servers. I made the corresponding Gmail Lab request, but no answer, and no interest from Google apparently.
So, again: is this possible to do without Google's cooperation, on the client side?
I think one of the better ways to do this might be to embed images using the Google Charts API.
<img src="http://chart.apis.google.com/chart?cht=tx&chl=x=\frac{-b%20\pm%20\sqrt{b^2-4ac}}{2a}">
To Learn more: https://developers.google.com/chart/image/ [note, the API has been officially deprecated, but will work until April 2015]
If you really must use LaTeX and some js library, I think one way you could accomplish this is by injecting a script tag into the iframe.
I hope this is a good starting point.
Example:
// ==UserScript==
// #name Test Gmail Alterations
// #version 1
// #author Justen
// #description Test Alter Email
// #include https://mail.google.com/mail/*
// #include http://mail.google.com/mail/*
// #license GPL version 3 or any later version; http://www.gnu.org/copyleft/gpl.html
// ==/UserScript==
(function GmailIframeInject() {
GM_log('Starting GMail iFrame Injection');
var GmailCode = function() {
// Your code here;
// The ':pd' (div id) changes, so you might have to do some extra work
var mail = document.getElementById(':pd');
mail.innerHTML = '<h1>Hello, World!</h1>';
};
var iframe = document.getElementById('canvas_frame');
var doc = null;
if( iframe ) {
GM_log('Got iFrame');
doc = iframe.contentDocument;
} else {
GM_log('ERROR: Could not get iframe with id canvas_frame');
return
}
if( doc ) {
GM_log('Injecting GmailCode');
var code = "(" + GmailCode + ")();"
doc.body.appendChild(doc.createElement('script')).innerHTML=code;
} else {
GM_log('ERROR: Could not get iframe content document');
return;
}
})();
Well, there are already greasemonkey scripts that do things to GMail as far as i know (like this one). Is this a possible security hole? Of course, anything you'd do with executable code has that risk. Google seems to move a glacial speeds on things they're not interested in. They really do seem to function based on internal championing of ideas, so best way forward is to go find sympathetic googlers, if you want them to include something into GMail. Otherwise stick to Greasemonkey, at least you'll have an easy install path for other people who'd like to see the same functionality.
What is the best way to limit the amount of text that a user can enter into a 'textarea' field on a web page? The application in question is ASP .NET, but a platform agnostic answer is preferred.
I understand that some amount of javascript is likely needed to get this done as I do not wish to actually perform the 'post' with that amount of data if possible as ASP .NET does have an upper limit to the size of the request that it will service (though I don't know what that is exactly).
So maybe the real question is, what's the best way to do this in javascript that will meet the following criteria:
-Must work equally well for both users simply typing data and copy/paste'ing data in from another source.
-Must be as '508 compliance' friendly as possible.
function limit(element, max_chars)
{
if(element.value.length > max_chars)
element.value = element.value.substr(0, max_chars);
}
As javascript, and...
<textarea onkeyup="javascript:limit(this, 80)"></textarea>
As XHTML. Replace 80 with your desired limit. This is how I do it anyway.
Note that this will prevent the user from typing past the limit in the textbox, however the user could still bypass this using javascript of their own. To make sure, you must also check with your server side language.
use a RegularExpressionValidator Control in ASP.Net to validate number of character along with with usual validation
The most user-friendly idea seems to me a solution like the Twitter-one. Provide a visual indication that the user has crossed the maximum but don't limit him in typing.
Whatever Javascript you use, you will still have to validate at the server end. Users with Javascript disabled will otherwise be able to circumvent your limit.
As Javache said, you'll still have to check server side. We've been using the jQuery validator plugin which has support for Max lengths amongst tones of other stuff...
I use this, where the limit is a must. It also provides the user with the number of characters left.
function CountLength(vControl)
{
var strValue = vControl.value;
var vMax = 480;
var vLeft = vMax - strValue.length;
if (vLeft < 0)
{
vLeft = 0;
}
var vMessage = returnObjById('TextCounter');
if (document.all)
{
vMessage.innerText = vLeft + ' characters remaining.';
}
else
{
vMessage.textContent = vLeft + ' characters remaining.';
}
if (vLeft == 0)
{
vControl.value = vControl.value.substring(0, vMax);
}
}
jQuery also provides some options here. Options, options, and options.