How to disable parent directory access in web file browsing without web server - html

I am writing a command line application that produces an index.html with links to other generated HTML files, but also some links to filesystem subdirectories. Here is an example of such a link:
Invoices
The intention for sharing this content is for the user to zip up the directory tree and send it to other parties for review. However, some users might think to use ngrok, or use screen sharing, to share their web browser to allow other people to access their local system. With ngrok they would be running a web server and might be able to configure the web server to protect against this, but with screen sharing that would not be possible. (Consider the case where a user might leave their web browser open to the remote user and step away, not realizing that the remote user can now examine their entire filesystem.)
The problem is the "Parent Directory" links. Using those links, the others could navigate above the intended directory root and navigate their entire filesystem. Here is an image to illustrate:
The directories linked to can have arbitrary numbers and levels of subdirectories, so hard-coding links on custom pages would probably be prohibitively complicated.
There is no web server involved here; the files are displayed by just opening index.html in a web browser, so .htaccess is not a solution. Also, I don't want to disable navigation, I only want to limit its upper bound.
Is there a way to prevent this access?

If there is no web server involved at all, there is no way to prevent that behaviour.
Edit:
You could of course write a browser plugin that limits the access to the parent directory using JavaScript. But every client would have to install that plugin.
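The question sets aside hand-written per-directory pages as too complicated, but the generating tool can write them itself. The following is an added example, not code from the original post; it keeps link-following inside the shared tree and does nothing about a file:// path typed into the address bar, which is the limit the answer describes. The file name `_browse.html` and the function `write_listings` are assumptions made for illustration, as is having index.html link to `Invoices/_browse.html` rather than to the bare directory.

```python
import html
import os
from urllib.parse import quote

LISTING = "_browse.html"  # hypothetical name, chosen not to clash with index.html


def write_listings(root):
    """Write a LISTING page into root and every directory below it.

    Every link is relative and targets a file (a document or a child's
    LISTING page), never a bare directory, so following links cannot open
    the browser's built-in file:// listing with its parent-directory link.
    Returns the number of pages written.
    """
    root = os.path.abspath(root)
    written = 0
    for current, dirs, files in os.walk(root):
        # Symlinks are skipped: one pointing outside root would otherwise
        # put a way out of the shared tree onto a generated page.
        dirs[:] = sorted(d for d in dirs
                         if not os.path.islink(os.path.join(current, d)))
        files = sorted(f for f in files if f != LISTING
                       and not os.path.islink(os.path.join(current, f)))
        items = []
        if current != root:  # the top page gets no "up" link at all
            items.append(f'<li><a href="../{LISTING}">Up one level</a></li>')
        for d in dirs:
            items.append(f'<li><a href="{quote(d)}/{LISTING}">'
                         f'{html.escape(d)}/</a></li>')
        for f in files:
            items.append(f'<li><a href="{quote(f)}">{html.escape(f)}</a></li>')
        title = html.escape(os.path.relpath(current, root))
        page = (f'<!doctype html>\n<meta charset="utf-8">\n'
                f'<title>{title}</title>\n<h1>{title}</h1>\n<ul>\n'
                + "\n".join(items) + "\n</ul>\n")
        with open(os.path.join(current, LISTING), "w", encoding="utf-8") as fh:
            fh.write(page)
        written += 1
    return written


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample tree
        os.makedirs(os.path.join(tmp, "Invoices", "2023"))
        print(write_listings(tmp), "listing pages written")
```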

Related

Block visitor from viewing Index of website?

I am a college student building a website for a local band. I've recently noticed that when I navigate to the webpage folder using the domain (https://insert website domain.com/folder name) it shows the "Index of" page and allows me to navigate the resources of the webpage. Is there a way to disable this through code, or is this a hosting issue?
You have at least two options:
Add an index page in the folder, and the server will display that page instead. The name for the index page depends on the webserver you are using. For instance, most webservers will try to find index.html. You can also configure it.
Disable directory listing in your webserver settings. The specific instructions strictly depend on the webserver you use.

Serving local file:/// links and AppCache

I'm making a webapp for members of my caving club to search through and view cave survey note PDFs. It works fine, and I got the AppCache working for the web version of it.
However, since the PDFs are quite large and slow to download, and many members have the PDFs on their local machines from the same SVN the website gets them from, it would be ideal for them to be able to use a page with links to a local SVN folder of their choosing.
The design goals:
The site displays links to PDF files on the local filesystem
Whenever I add features to the site, users get them automatically the next time they open the page and they're connected to the internet
But after the first time they open the page, the site works offline.
Sadly web browsers don't appear to support this useful combination of design goals at once.
I can satisfy #1 by having users download a copy of the site, add their local SVN path in a JS, and open their local copy in the browser, so that file:/// links work.
I can satisfy #2 by having absolute links to JS bundles on the server.
I can satisfy #3 by using the AppCache.
I thought I could get clever by having the copy of the page on the local file system have <html manifest="https://myserver.com/myapp.appcache">, but unfortunately Chrome doesn't seem to allow a local file to use an app cache manifest hosted on a server, for seemingly no good reason to me.
Does anyone know of another way I could satisfy all 3 goals?
Perhaps there's some simple program/config I could give my friends that would intercept web requests to https://myserver.com/some/folder and instead serve them out of a folder on their local file system?
Andy,
I know this post is a bit old but came across it looking for something else related to AppCache. My understanding is that the html page and the manifest must reside in the same domain for it to work. So I think you need to modify your design:
Create a JavaScript function that acts as a setting for the user to enter the path to their local copy of the PDFs. Store this information in localstorage.
Create a html template page for the document links.
Create a JavaScript function that populates the html template page with any documents and links the user enters.
This way, the users visit your application online and it uses appcache to store itself and the JS files for offline use. To access the PDFs, the user clicks a settings button that launches a page to collect path information and saves the information in localstorage. The users can then access the template page which will populate with the documents they entered.
Here is a good intro to localstorage: [http://www.smashingmagazine.com/2010/10/local-storage-and-how-to-use-it/]

Is it possible to access and list files of local system in web browser.

My requirement is to show a panel where I list the local system directory, from where I drag and drop the files in order to perform operations on them.
In HTML5 the FileSystem API is available, but most browsers do not support it.
Is it possible by using input type as file? Like we browse and select a directory, then we can see the list of files and their details?
As the previous commenters correctly noted, this is not possible because it is considered a security hole. Think about a malicious script that could read out everything on your local file system just by visiting a web page.
You can however implement file drag-and-drop like this: https://github.com/moxiecode/plupload

Adobe Air/Flex 4.6 Remote File Viewer

I have an Air/Flex desktop application and I'm trying to create a component within the app that can view files on the web server it is already connected to. It just needs to access one particular folder that will contain PDFs, Images & Word documents. I also want the ability to click on the files and have them open in their default desktop applications.
Is this possible and how would I go about doing this?
It's possible but not with your Flex/AIR app alone. It cannot view files/directories on the server by itself, but it can communicate with your server via webservices, AMF, or any other back end based service. Typically the back end reads the folder and sends this information to your app. Your app can open those files in the corresponding app, but only if those files are available on disk, so your app will have to download them prior to opening them.
Every application has different needs, but I myself usually save anything to a desktop, or you can use the App storage container as well. As I use only the desktop, I download what is needed or been asked for, and the visitor has the choice of keeping it, or if not needed it gets automatically deleted! This way you can use whatever PDFs, Word, Images etc., use read and write (re-write), as well as creating PDFs on the fly with images, text etc., and that way a visitor also can print directly at his or her own leisure. Regards, aktell

How do I create a link to a saved html page on my computer?

I'm working on a web application that caches html pages and saves it on the user's computer. I want to create a link, so that the user can click on the link and access the cached webpage.
Following is my link to a cached page:
BBC
When I click on the link, nothing happens. I'm not even getting any error.
Can someone please suggest how to create a link to a cached html page?
First of all, not all browsers handle local files equally; indeed, not all computers will be running Windows or have a C: drive. Secondly, you don't have much control over a user's cache. Cached pages are usually handled by the browser automatically. You can use headers to specify how a browser ought to cache files, but it's not even required to do so. You can read the W3C recs on caching for more information.
It's unclear what you're trying to do here, but it sounds like it might make more sense for you to use HTML5 local storage or offline files than trying to mess around with their file system directly. The security model of most browsers is such that web apps don't interact with local files, which may be why it's not working for you with your current setup. Dive Into HTML5 has a good overview of HTML5 local storage and offline pages.
Edited based on comment below:
Most browsers' security settings won't let a page on a website access files stored locally. Only locally saved files can link to other locally saved files. Therefore, if the page with a link is on a website, your link won't work. Try creating a link to your file from another locally stored file and see if that works.
Instead of providing the .html extension in the main page where you provide the link you should do something as below:
<a href="file:///C:/Users/xxx/yyy/bbc">BBC</a>