I have a web application that opens a local application on client machines using a protocol already registered during client setup.
The web application gives an alert when opening local application and gives a checkbox to be selected in that alert. If checkbox is checked, the browser doesn't prompt next time when opening the local application.
However, this checkbox is seen when my web application is hosted with https. When hosted with http, the checkbox is not given by the browser and the browser always throws the alert. Can the user at client side manually do something to avoid the alert every time?
I looked into the Google chrome settings. There is Protocol Handlers in Site Settings but it doesn't allow to enter a site manually. It shows outlook.office.com which I can remove but doesn't give a way to enter a site manually.
Is there a workaround to trust a site and not show alert for this specific trusted site
If your environment is Microsoft, with a GPO the website can be added in the safe list address of Internet Explorer options. Otherwise, you will have to do it manually in each endpoint.
Related
Anytime I have dev tools open on localhost my cookies are deleted and I am redirected to the login page on every page load which means I cannot use dev tools to debug or get insight into my site. I have localhost setup with a valid SSL cert (self-signed) and the site works normally until I open dev tools. How do I fix or disable this new "security" or setting in chrome?
After lots of issues and trying out many different things I came across this post/answer
When adding a Javascript library, Chrome complains about a missing source map, why?
Turns out that when I opened Dev Tools it would request a CSS map and the request was being sent to a different firewall causing my application to require me to re-authenticate every time this resource was requested. Turning off the CSS source map option fixed the issue
I'm developing an enterprise web app with Vue.js, and I would like to use the Web Serial API in Chrome. On the linux machine that I'm developing on, I went to this Chrome flag chrome://flags/#enable-experimental-web-platform-features and enabled it. Then I did console.log('serial' in navigator) and it returned true, meaning that the flag is enabled. All is good so far.
So I went and did the same thing on the corporate computer I need to be using (running windows 10). I enabled the flag in Chrome, restarted it, and ran console.log('serial' in navigator) on the tab running the web app, but it returns false, which is bad because I need it to be true. But when I run that code on a different tab, it returns true. How could my web app be changing the navigator? So I can't use the Web Serial API on the one computer that needs to be using it and I don't know why.
Any help is appreciated.
UPDATED. The problem is not specific from vue js, you should make the script execute from a secure environment, either localhost or from a ssl secured domain. This security concerns are covered on this draft https://wicg.github.io/serial/#security.
I have created a website and hosted it in IIS Server on Windows Server 2012 R2. I have set the authentication to be Windows Authentication. When the user who has logged into the domain tries accessing the website, everything works fine and no prompt is shown to the user.
Now I need to serve this website over https. I have purchased the certificate and added it to the website and have set up the SSL binding. When the user tries accessing the website now (using Google Chrome), he/she gets a "Sign in" prompt like this:
Why does this happen? Is there a setting in IIS I can change so that the user is not prompted?
I cannot not find documentation from Microsoft on how is this supposed to happen but I was under impression that the browser would pass the user's credentials to the IIS server without prompting the user to enter them.
With the information from this post, I found the solution for Google Chrome (67.0.3396.99). Apparently Chrome (as well as IE) reads the settings from Internet Options in Control Panel.
Here are the steps to remove the Sign in prompt:
Go to Control Panel -> Internet Options
Go to Security tab and select Trusted sites zone:
Click Sites button and make sure that you have your website's URL added to the list. Add it if you do not see it.
Close the Trusted sites popup.
In the Internet Properties dialogue, click Custom level… button
Scroll down to User Authentication section and make sure that you have “Automatic logon with current user name and password” option selected.
Click OK button to close the security settings dialogue.
Click Yes button on the Warning popup.
Click OK button to close the Internet Properties dialogue.
I have a web site (Web Site A) that is hosting HTML files. The HTML files contain image links that are hosted on another web site (Web Site B). The web site B uses Windows authentication. When a user requests a page on web site A, a network resource dialog pops up for authentication details. I want the images to be loaded with the user having to enter authentication details. I thought that if I run the app pool on web site A using a network login that has access to web site B, then the network resource dialog would not appear, but it still does. Does anyone have any suggestions how I can keep web site A anonymous and load resources from web site B without the network login prompt?
Make sure your users use IE and are logged on to their domain account
http://support.microsoft.com/kb/258063
The following conditions must be met for Internet Explorer to
automatically authenticate a user's logon and password and maintain
security:
Windows Integrated authentication, also known as Windows NT Challenge/Response, must be enabled in the Web site properties in IIS.
Anonymous authentication is attempted first, followed by Windows
Integrated authentication, Digest authentication (if applicable), and
finally Basic (clear text) authentication.
Both the client and the Web server must be either in the same Microsoft Windows NT-based or Microsoft Windows 2000-based domain or
in trusted Windows NT-based or Windows 2000-based domains in which the
user's account can be granted permissions to resources on the
IIS-based computer.
The user's browser must be Internet Explorer. Internet Explorer is the only browser that supports Windows Integrated authentication
(NTCR).
Internet Explorer must consider the requested URL to be on the intranet (local). If the computer name portion of the requested URL
contains periods (such as http://www.microsoft.com and
http://10.0.0.1), Internet Explorer assumes that the requested address
exists on the Internet and does not pass any credentials
automatically. Addresses without periods (such as http://webserver)
are considered to be on the intranet (local); Internet Explorer passes
credentials automatically. The only exception is addresses included in
the Intranet zone in Internet Explorer.
Internet Explorer's Intranet zone security setting must be set to Automatic logon only in Intranet zone. This is the default setting for
Internet Explorer.
For additional information about Internet Explorer security zones,
click the article number below to view the article in the Microsoft
Knowledge Base:
174360 How to Use Security Zones in Internet Explorer
The user requesting the Web page must have appropriate file system (NTFS) permissions to the Web page as well as all of the objects
referenced in the Web page. For example, a user may have Full Control
rights to a Web page, but is prompted for a password if the Web page
refers to graphics that are in a secure folder.
I am sure this is not a new issue I am facing, but couldn't find any resolution yet.So, we have a ng2 app which uses Windows Authentication. It is implemented using Waffle libraries with Jersey RESTful service. We are implementing logout functionality, which seems to have an issue where browser is caching credentials, until all of it’s instances are closed.
When user launches browser for the first time (first instance of browser), it prompts for credentials as expected. When user clicks on “Logout” option from application, session is invalidated on server. But, next time when user refreshes URL or launches application in new tab, browser do not prompt for credentials.
In Internet Explorer, using document.execCommand(“ClearAuthenticationCache”) clears credentials stored for the user. Is there any equivalent code or way to clear http authentication cache from Chrome?