I have a small django website that allows file uploading hosted on pythonanywhere. The files are uploaded to aws s3.
Now the problem is that even with the presence of download attribute in the html, the browser still renders the file instead of downloading it
<a download href="{{file_url}}">Download</a>
From Mozilla Developer Network Anchor element reference:
"....download only works for same-origin URLs, or the blob: and data: schemes..."
Your aws s3 links most probably are not same-origin (same domain etc) as your site.
If that is what you are running into, one work around that comes to my mind is, you can make on your site a transfer url that receives the document identifier, downloads from aws s3, and then forwards its content as response. This way you can also control content-type like headers that you may need to explicitly set to make the browser behave the way you want.
One addition, if you decide to have a solution like that, you have to take precautions to control the request content that transfer url, and only transfer content that your web site intended to. Otherwise you will have opened a vulnerability similar to what is called an "Open Redirect" vulnerability.
Related
I am making an ASP.NET application and would like to be able for my file upload to allow attachments to be dragged straight from Gmail. The problem is that I cannot load the data from the links dragged in because of cross-origin rules.
There are 2 problems:
First, cross-origin rules prevent me from making requests to the gmail attachment server.
Second, even if I were to make the request with cross-origin, the cookies would not be included.
I am using Chrome and only interested in doing this on my own computers.
One option is I could make a Chrome extension which allows cross-origin requests but only from my website.
Another option would be for my locally hosted server to communicate with Chrome to make the request itself.
Which of these would be the best option and how would I do it?
Almost all useful extensions require permission to access and modify all data on a page.
We can't be sure that a chrome extension is malicious in the sense if it's leaking my data or not.
I realise that many extensions which I use for example the great suspender, even though it needs access to all site data, it doesn't need to communicate with outside world.
Is there a way to block specific chrome extensions from making any network requests at all. ( can we block all outgoing/incoming traffic to a chrome extension. )
I can't keep monitoring a extension 24/7 to see when is it leaking data, For all you know it could be leaking once a month.
No, there's no way to block just the network communication of an extension without blocking its site access (aka "host permissions") entirely. That's because a malicious extension can open a tab with its controlling site (or a hidden iframe in the background script) and insert js code as a standard DOM script which the browser will attribute to the page itself so it'll be able to communicate with the site's domain to upload the exfiltrated data.
So, what you can do practically is to protect the most sensitive sites you use from all extensions by adding a local ExtensionSettings policy with runtime_blocked_hosts that contains that site(s). This will prevent all extensions from accessing the entire site either via content scripts or network requests. Example: {"*": {"runtime_blocked_hosts": ["*://lastpass.com"]}}. And if you have an extension you trust then you can relax this rule for that extension by using runtime_allowed_hosts. See the policy link above for more examples.
In my app I'm viewing a list of files on the local machine (their paths are fetched from DB). When a file is being clicked, it should be opened. I tried the following with no success:
FileName
When the user clicks the link above, nothing happens. When using chrome, I can see the following error message in the console (on firefox there's no message):
not allowed to load local resource
I have read this question, and understood that:
Mozilla browsers refuse to follow file URLs on a page that it has fetched with the HTTP protocol.
I also understood and that this feature was implemented in other browsers as well.
The presented files are not located in the server, but on the local machine. So I can't use a relative link (right?). Is there anyway to bypass this and create a link that opens a local file?
You cannot access local resources from a website served over http because it is a security concern. Think of what would happen to your machine if any website could access files on it. You'll have other security restrictions for serving data from a different domain from your domain as well.
What exactly are you trying to accomplish by accessing a local file? Giving additional insight into the reason might get you more useful suggestions. Otherwise, the answer is that you can't and shouldn't do this.
My site is using HTTPS only.
I allow using BBCodes to show images. Users are placing images like "https://imagehoster.net/img.png" and the imagehoster is using a redirect so the browser loads it via HTTP "http://imagehoster.net/img.png". This makes the browser showing annoying mixed content warnings. Is there a way to prevent this?
Short: NO
Long:
the have no really web server listening to ssl.
in fact, there is only a firewall/proxy which sends a http locate to the browser.
You can't intercept that request. even if you could, where to redirect to?
they don't provide a ssl server, because it takes to much resources for encryption or it takes to much traffic, because proxy#s can't cache.
An idea to solve that problem:
detect those links, download them and store a copy on your server.
replace the link. maybe you need only to store a preview. if the click on it redirect to the original link on a new browser window.
I'm hosting images for client websites. I want them to be able to link to the images locally ie. www.myclient.com/clip1.jpg but have the image actually loaded from www.mysite.com/clip1.jpg. The idea is to provide security/anonyminity so the client doesn't have to reveal that they are using my service (through the images on my site).
Can this be done without editing .htaccess?
Thanks,
skibulk
If you don't want to reveal where the final origin is, then the image has to come from the server that you want it to appear to come from. A redirect will reveal the real origin.
You can proxy the images with with Apache directives, the equivalent for whatever non-Apache server is in use, or a server side script (written in the language of your choice that is supported by the server).
Just copying the images would probably be the most efficient approach though.