Is it possible to play the protected streams with HTML5 Audio tag? The stream I'm playing is password-protected (HTTP Basic Authentication), how do I suppy the credentials? Thanks in advance
Use special HTTP URL format http://username:password#example.com/your_stream in your source tags - this sends the credentials in the standard HTTP "Authorization" header.
Related
I am trying to implement user authentication process, and I have gone through enormous number of posts and totally agree that using HTTPS is probably best way to transfer username/password from client to server befor hashing.
Just out of curiosity, I want to know : how safe it is to send username/password from client to server using POST method along with enctype='application/x-www-form-urlencoded' as this also send form data in encoded form?
PS. I am using GWT for frontend and JAVA for backend.
Sending data by way of the body instead of url params is the way to go, but to ensure that is not sniffed out, you must use HTTPS. Otherwise it will be plaintext.
As to how safe? see here: https://security.stackexchange.com/questions/53596/how-safe-is-ssl
There are existing discussion [1] on the use of protocol relative URL in HTML, but how about email?
Will email client, or service providers like Gmail strip or modify protocol relative URL when they are used in HTML email?
[1] Can I change all my http:// links to just //?
I sent an email through Gmail with this content:
link
and it was received unmodified. When I right-clicked on the link to copy the link address, Chrome prepended https: to it (since Gmail uses secure HTTP), but when I inspected the element's HTML, it showed the <a> tag as I had written it.
It's not normal for email servers to change the contents of emails.
Omitting the protocol is intended to let a web browser choose between secure and insecure versions of the same content. If you load a page via https and it contains an image with an src beginning in http, the browser warns the user that it is dangerous to load insecure content -- a confusing and worrying message. If you load a page via http and it contains an image with an src beginning in https, that prevents caching among other inefficiencies.
The compromise is to allow the browser to load content with security matching the page that loads it -- efficiency for an insecure page; complete guarantee of security for a secure page.
But an email client always warns about embedded content (images, scripts, ...), meaning omitting the protocol has no benefit.
Furthermore, a non-browser email client doesn't have a protocol to begin with. It downloads information and then loads it from the disk. If you really want to let the email client choose to load embedded content with the security level with which it loaded the email, you'd let the client look for the information on the same computer. (They'll actually do that by assuming // means file:///.)
So is it safe to put a // URI in an email? I'd say it doesn't make sense; therefore, there has not become a standard way for non-browser clients to handle it, meaning you're looking at undefined behavior.
Better to choose the protocol based on the sensitivity of the information identified by the URI. Is it a chart of proprietary financial data? Use https. Is it a lolcat? Use http.
No , its not safe to use protocol relative URL in email. because its change protocol so that browser can fetch a resource from whatever protocol the site is telling it to use.
but some email clients (Outlook especially, as usual) won’t try to use HTTP or HTTPS as the protocol. Instead they’ll use the file:// protocol and assume the resource you’re referring to is on the local machine. But it won’t be. So don’t use these in emails.
You have to be sure that the server you’re requesting from is capable of serving content over both HTTP and HTTPS. If not you might end up fetching content from an unsecured or nonexistent server port.
IE6 does not know how to handle this. If you care about supporting Internet Explorer 6 then you shouldn’t use these.
IE7-8 support protocol relative URLs but they’ll end up fetching the resource twice. Once from HTTP and once over HTTPS. This can slow things down a bit but the way I see things it’s not much of a problem for anyone except the person using IE7-8 and if you’re using IE you’ve got more important things to worry about.
its browser dependent so its depends what browser you are using GMAIL working fine in crome but not in IE6.
I have a server that use Basic authorization scheme, when user tries to access restricted content, the browser will pop-up a login/pass dialog which I saw will further transmit authorization type header to server.
I want to implement a classic (pure html) page with login/pass edit boxes and a send button but keep intact the auth scheme on server (is some embedded very limited server, without php, etc.), so the form must send that headers too.
Is it possible? Or did I missed something in my understanding so far?
Thanks very much in advance,
Does a Silverlight video player share the HTTP connection with its host?
Here is the scenario: a web site is password protected. The web page contains a Silverlight control with a video player. The video player plays a video from the same web site. Will the credentials from the web browser be used by the video player? I use MediaElement.Source to specify where the video is coming from.
If not, how can I fix this?
That depends on the way it communicates with the server... for example the webrequest class can be set to use BrowserHTTP or ClientHTTP...
BrowserHTTP uses the browser's HTTP implementation including Referer, Cookies etc.
ClientHTTP allows you to manage HTTP setting like Cookies manually...
Using MediaElement.SetSource you can leverage whatever connection you please (BrowserHTTP / ClientHTPP) with you specific settings (including Authorization header / Cookies etc.) as log as that connection provides a Stream interface for the content...
Further details see
http://msdn.microsoft.com/en-us/library/system.net.browser.webrequestcreator.browserhttp%28v=vs.95%29.aspx
http://msdn.microsoft.com/en-us/library/system.net.browser.webrequestcreator.clienthttp%28v=vs.95%29.aspx
http://msdn.microsoft.com/en-us/library/cc838250%28v=vs.95%29.aspx
http://msdn.microsoft.com/en-us/library/cc190669%28v=vs.95%29.aspx
which browsers do not send referer information?
This is not dependent on the browser make/version, but on the browser configuration. All decent browsers with default settings will send it, but the enduser can configure it to not send it. It's also dependent on the environmental software. If you have for example Norton AntiVirus/InternetSecurity installed, then you can configure it to let it block or spoof the referrer header with something entirely different, regardless of the browser used.
All the popular web browsers send referrer headers, at least by default. Some web browsers give their users the option to turn them off. (Example)
Referrer information not sent with a Flash http request
http://training.sessions.edu/resources/SoftwareDesignTips/current/flash.asp
For example, if someone clicks on flash banner linked to your site, request can come to your server without HTTP referrer information