How to prevent a browser for getUsermedia in client server? - google-chrome

I have a project that runs on a local server. I need to record the user's audio, but the browser does not allow the microphone without HTTPS. Is there a chance to do this on a local server without HTTPS? Thank you in advance, and sorry for the bad English.

Related

Can I use html5 Websockets with windows domain authentication?

Our setup is like this: we use a coldfusion 10 server, and files are on a local intranet. Users use a domain login to access any files over https. I'm interested in using html5 websockets, but the first attempt gave me an error because no credentials were supplied. Is there a way around this? If not, is there a recommended technology for this scenario?
The user does log in on the client side. If it's possible, what I'd really like to do here is pass those credentials when making the connection to the server.
You should be able to supply the authentication header to your web socket server before the elevation to web socket, read that, and send it back in the headers for the elevation (first frame); then when the browser connects it should have the authentication it needs.
If you're using custom authentication, e.g. in-page rather than an authentication header, you can also do this by passing any custom header to your server.
Or mandate that the first thing your web client sends is the authentication details; this could be something like {username_hash}.{password_hash}, and if they don't, close the socket on them.
Do not do this.
You're now responsible for sending and encrypting the authentication credentials yourself, bypassing something that already works and is tested.
Anyone can snoop on an unencrypted websocket port. Use HTTPS for an intranet, use stable solutions, don't reinvent this wheel because it tickles your fancy.
In a couple of years some colleague will have to maintain this and will have to figure out how your homebrew version works versus something that's solid like plain browser authentication.
My advice: Leave this to the browser and to well-tested coldfusion libraries.

getUserMedia() without SSL for local storage

In my website I need to record audio from the microphone and then replay it.
I do not need to send those files to the server, they can remain on the client.
Currently I'm successfully using flash for that, but I would like to switch to html5 and getUserMedia().
I'm aware that I normally need SSL for using getUserMedia() (except from localhost use), but I'm wondering if there is some sort of exemption if I don't want the data to be uploaded (and thus there should be no security issues in using it).
There's no exemption. Having one would require running your script in some sort of local sandbox with separate local storage and no networking. Does not exist.
Only Google Chrome enforces this https requirement by the way. Other browsers do not.
Getting a free certificate is easy.

https needed for certain feature in chrome

There's a recent update in Google Chrome's security in which they don't allow using the geolocation and accessing webcam when the site is not 'https'.
Is there a way to disable this for local IP addresses? We're only using it in our intranet so there's no way to put https in it.
Hope somebody can help me
Thanks
It only works on localhost, but not on the internal network.
The best I can suggest is to install a local page on each user's localhost. The page, when loaded, would store the user's location, record it in memory, then call an endpoint on your local network to transmit the data.
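Added example covering the three getUserMedia questions above (not code from any of the posts): it applies the same potentially-trustworthy-origin rules the browser's secure-context check uses, so a page on a LAN address fails early with an explanation rather than a bare permission error, and on a secure context it records audio that never leaves the client. The five-second recording length and the `recordFromMicrophone` name are my own choices.

```javascript
// Added example: classify a page URL the way the secure-context check does
// and only then call getUserMedia().
function isTrustworthyOrigin(pageUrl) {
  const u = new URL(pageUrl);
  if (u.protocol === 'https:' || u.protocol === 'wss:') return true;
  const host = u.hostname.replace(/^\[|\]$/g, '');  // strip IPv6 brackets
  if (host === 'localhost' || host.endsWith('.localhost') || host === '::1') return true;
  // The whole 127.0.0.0/8 loopback range counts, not only 127.0.0.1.
  return /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host);
}

// Explain why microphone access will be refused, or return null if it may proceed.
function mediaBlockReason(pageUrl) {
  if (isTrustworthyOrigin(pageUrl)) return null;
  return `getUserMedia() is unavailable on ${new URL(pageUrl).origin}: serve the page ` +
    'over HTTPS (a certificate for the intranet hostname) or open it from localhost; ' +
    'plain http:// on a LAN address is not a secure context.';
}

// Browser-side entry point (only meaningful inside a browser).
async function recordFromMicrophone() {
  const reason = mediaBlockReason(window.location.href);
  if (reason || !window.isSecureContext || !navigator.mediaDevices) {
    throw new Error(reason || 'Not a secure context; microphone access is refused.');
  }
  const stream = await navigator.mediaDevices.getUserMedia({ audio: true });
  const recorder = new MediaRecorder(stream);
  const chunks = [];
  recorder.ondataavailable = (e) => chunks.push(e.data);
  const stopped = new Promise((resolve) => { recorder.onstop = resolve; });
  recorder.start();
  await new Promise((resolve) => setTimeout(resolve, 5000));  // five-second clip
  recorder.stop();
  await stopped;
  stream.getTracks().forEach((t) => t.stop());
  // The Blob stays on the client; nothing is uploaded. Play it with an <audio> element.
  return new Blob(chunks, { type: recorder.mimeType });
}
```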

Secure HTML5 offline web application - Detect when app cache has been modified

Let's say I'm building a "secure" offline HTML5 app which must be run locally in the web browser without needing to download more files from the server. Let's say I connect to the server initially with the web browser over HTTPS (TLS) and download the HTML, JavaScript and CSS required to run locally. I can reasonably assume that the first time I download the files that it is done securely as it is a brand new server that no-one else knows about yet. All the files get stored in the HTML5 Offline Application Cache. Now I have everything I need to run the application locally and shouldn't depend on the server for anything else.
Now every time I run the app, the application will use the HTML5 Offline Web Application Manifest to see if there are any updates from the server for the app to be downloaded. Potentially this could be a problem. If an attacker has now targeted my server and has done a MITM attack on the connection they could alter the application manifest, causing an update to be triggered and therefore make the client download new JavaScript and HTML. This would easily compromise the security of the application as the application relies on the integrity of those files.
What are some possible options to prevent this? Can we do any of these:
1) Completely disable or block updates from the server after all files have been downloaded. Then if the manifest is changed on the server, or the attacker serves up a new manifest, the client ignores the new manifest and keeps using its local copy of the files.
2) Detect if the manifest has been changed, or an update event triggered, or the browser is downloading new files, and notify the user that this has occurred. If it's not expected by the user, then it would indicate an attack. I understand that there is a 'downloading' or 'updateready' or 'checking' event listed in the spec. Is there a way for the JavaScript to detect that those events have been fired?
3) Store a version value or cryptographic hash of the files inside the browser's local storage. Then on page startup, if the files change unexpectedly, we can throw up an alert to the web browser notifying the user they have been unexpectedly changed.
4) Perhaps use some sort of cache header that forces the browser to cache the files indefinitely. In other words, a kind of hack to make it ignore new manifest files that are sent by the server. This sounds like it could probably work as there are lots of issues that can cause the application not to update even when the manifest file is changed.
Thank you in advance.

AS3 and HTTPS - opening a raw socket, loading assets via HTTP?

In the light of Facebook's imminent switch to HTTPS (yes, I'm late to the party),
I have some questions around AS3 and HTTPS / HTTP.
So my understanding is that Facebook is going to serve up HTML from an https address,
and in the HTML is an iframe with the URL of our .swf file.
I assume that we'll have to be able to serve that .swf file via https, and that seems reasonable.
My questions are more around what happens within Flash once the .swf is running.
We have many requests to our backend via HTTP, and we also periodically open up a raw socket into our backend.
Is Flash/the browser going to give us grief about that socket or those HTTP requests?
thanks in advance,
orion