Our CakePHP 4 web app sends email to clients with a link for direct download. When the client clicks on the link, the download of the document starts.
This works great if the user receives the mail in their email client, or clicks on the download link in the web app, but if the user receives the mail in Gmail (Web client), the file is not transferred.
Are there any obstacles, or settings?
We also use:
$securityHeaders = new SecurityHeadersMiddleware();
$securityHeaders
->setCrossDomainPolicy()
->setReferrerPolicy()
->setXFrameOptions()
->setXssProtection()
->noOpen()
->noSniff();
Related
I am creating a web application in Golang/HTML. I am implementing registration, sessions, email verification, and login.
My code works, however I have noticed some strange browser behavior. When the user registers for the first time, my application will send them an email containing a link with a unique nonce (number used once) in the url. This is to ensure that the user is able to receive email from us at that address and "verify their email", as is standard practice on many web applications.
Please click the following link to verify your account: http://localhost:8080/verify-email/55c17d2c
I noticed that when I receive this email, if I click on the link in the email, the browser will open the link in a new tab as expected, however, it will not send any cookies on requests associated with that tab.
But when I copy and paste the link into a new tab manually and press enter, it sends the cookies just fine. What gives? is this some sort of undocumented security feature? What should I do about this?
I used https://github.com/six-ddc/httpflow to capture a log of the HTTP requests and responses going between my web browser and my server application. I have two separate logs, one of them captured a registration flow where i clicked the link, and the other one captured a registration flow where i copy and pasted the link into a new tab.
Log where link in email was clicked: https://paste.cyberia.club/~forest/2f3fce7dcc71fc095341eeaefb33f20883c79886
Log where link was copy and pasted from email into url bar: https://paste.cyberia.club/~forest/0623f76cfee339e91d2213dd8f4c7710c6fa2797
Please note that I tried this on firefox and google chrome, I also tried it with a real domain and https certificate, got the same behavior in all browsers and setups.
Here are my constraints:
I want the application to work fine with javascript disabled, however, I'm open to javascript-based solutions if they are simple, secure, and make the site more enjoyable to use. For example, I am using a javascript that hashes passwords client side before sending to the server for login. But if javascript is disabled, the raw password will be sent.
I don't want the user to have to log in again after they click the link to verify their email address.
I don't want the link in the email address to represent a "free pass" into the user's account. I want to require the user to be already logged in (or somehow otherwise authenticated) before they can verify their email address. For example, if someone steals that email and clicks that link before the intended user does, I don't want the email thief to be able to take over the account.
OOPS I just figured this out, I wanted Lax SameSite policy on my cookies:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#SameSite_attribute
It takes three possible values: Strict, Lax, and None. With Strict, the cookie is sent only to the same site as the one that originated it; Lax is similar, except that cookies are sent when the user navigates to the cookie's origin site, for example, by following a link from an external site;
I have mailto: link in a web app that includes 'CC' and 'subject' fields. I would like these fields to have different values if the link will be opened int outlook or gmail. Is it possible to programmatically determine which email client is the user's default?
Firstly, Gmail is web based, and you need a local app to handle the mailto url. See How to register custom program to handle mailto protocol on Windows 7
Secondly, you would need to access the registry key to determine the mailto url handler, and you cannot do that from a script running inside a browser.
I have just created desktop push notification for Chrome and Firefox using GCM (OneSignal). It works perfectly fine. Now I want to send push notification to specific users after login. How can I do that? Is it possible?
You can use getUserId from the OneSignal SDK to get the OneSignal player / user id for the browse and send it to your server. You can then use include_player_ids on the OneSignal create notification REST API call to send a notification to the specific user.
I have create script backed by a Google Spreadsheet in Google Drive and published it as a web app, setting "Execute the app as: me" and "Who has access to the app: Anyone, even anonymous". The main page serves html content from the spreadsheet.
The basic functionalities are: a "random internet user" is able to see some informations, while an user logged with his Google Account is able to submit information as well.
The issues is - if I set the permission to "anyone" people are first redirected to the standard google login page, and once logged in have to accept the script permissions. Once that's done, navigating to the web app will give the "logged in user" version as long as you are logged in with your google account.
However - if the web app is set to allow "anonymous users" there doesn't seem to be any (at least obvious way) to allow anonymous users to login and accept the app permissions.
What I have tried until now:
a link to the url google redirects me to if I am not logged on if the web app require the user to be logged in. That works, but I feel it is not the right way and also, once logged in, there is no way to logout or to switch account; it seems that once you are logged in, you are logged in forever
to use https://developers.google.com/apps-script/reference/script/authorization-info#getAuthorizationUrl() to get the auth url - but I don't know how to use the url it returns (navigating the user to that page in the web app frame on the top frame both result in a blank page)
How can I get a login (and possibly a switch login) url to allow anonymous users to login in my web app?
Created sample code for 2 .gs web app projects:
one - no auth, runs as owner, anonymous can access
two - needs auth, runs as user, anyone can access
...as I have no idea what your "I got it to work redirecting the user to the URL" statement looks like in code.
The 1st file has a button with a click listener to act as the login button, but it's just calling for a window.top.location.href change.
The 2nd app is using ScriptApp.invalidateAuth(); to log users out after being called from a client-side button click.
Demo - 1st web app url
I'd still vote to just offer a 2nd web app as a link that pops open in a new window though and as I note in the comment, the setup above forces users to re-authorize each time and after the signout.
I am building a CMS for my company(using Rails 4, in case that matters) and nearly all of my users will be using Gmail.
Each user has a profile and I want it so when a user views another user's profile and clicks on their email address, Gmail will open with a new message to that user's email.
I imagine there'd be a way to do this using their API but so far I haven't found it.
There's no way I know of to specifically open Gmail; mailto always opens the default mail client, which can be set to Gmail.
See this guide (or direct your users to it) so that they can set Gmail as their default client: http://blog.hubspot.com/marketing/set-gmail-as-browser-default-email-client-ht