Prevent navigation on mailto: links - html

We have on the public part of our web app some mailto: links in the footer. Someone or something (aka a bot) keeps hitting these links and navigating to https://basurl/mailto:some#email.com, which results in errors as the webserver isn't happy with the colon in the URL.
I assume this is a client setting and outside of our control, correct?
What are the options to prevent this besides obfuscating the link with JavaScript (which also hides it from bots)?
If this is a defective client and not a bot, the JavaScript solution wouldn't help either.
I could suppress this kind of error, but this is more preventing the symptom instead of the cause...

I assume this is a client setting and outside of our control, correct?
Yes.
What are the options to prevent this besides obfuscating the link with JavaScript (which also hides it from bots)?
It's a bad bot. It probably isn't doing anything good for you. You could examine the IP ranges it comes from and the user agent it sends and block it entirely.
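As an added example (editorial code, not from anyone in this thread) of the "examine the IP ranges and user agent" step: the script below parses combined-format access log lines, keeps only requests whose path starts with /mailto: (or the percent-encoded /mailto%3A), and tallies them per source IP and per User-Agent so the offending client stands out. The log lines are constructed for the example, with addresses from documentation ranges.

```javascript
// Added example (not part of the original thread): find which clients request
// "/mailto:..." paths by tallying hits per source IP and per User-Agent from
// combined-format access log lines. The log lines below are constructed for
// this example; addresses are from documentation ranges.
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /mailto:info@example.org HTTP/1.1" 400 12 "https://example.org/" "Mozilla/5.0 (compatible; SomeCrawler/1.0)"',
  '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /mailto:sales@example.org HTTP/1.1" 400 12 "https://example.org/" "Mozilla/5.0 (compatible; SomeCrawler/1.0)"',
  '198.51.100.20 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"',
  '203.0.113.9 - - [10/Oct/2023:13:57:12 +0000] "GET /mailto%3Ainfo@example.org HTTP/1.1" 400 12 "https://example.org/contact" "Mozilla/5.0 (compatible; SomeCrawler/1.0)"',
].join('\n');

// Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
const LINE_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+)[^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], method: m[2], path: m[3], status: Number(m[4]), referer: m[5], ua: m[6] };
}

// A client that "navigates" to a mailto: URI produces a path beginning with
// /mailto: ; some clients percent-encode the colon, so accept %3A as well.
function isMailtoHit(entry) {
  return /^\/mailto(:|%3a)/i.test(entry.path);
}

function tallyMailtoHits(logText) {
  const byIp = new Map();
  const byUa = new Map();
  let total = 0;
  for (const raw of logText.split('\n')) {
    const entry = parseLine(raw.trim());
    if (!entry || !isMailtoHit(entry)) continue;
    total += 1;
    byIp.set(entry.ip, (byIp.get(entry.ip) || 0) + 1);
    byUa.set(entry.ua, (byUa.get(entry.ua) || 0) + 1);
  }
  return { total, byIp, byUa };
}

// Sort a tally into [value, count] pairs, largest first, for reporting.
function topEntries(map) {
  return [...map.entries()].sort((a, b) => b[1] - a[1]);
}

if (typeof require !== 'undefined' && require.main === module) {
  const { total, byIp, byUa } = tallyMailtoHits(SAMPLE_LOG);
  console.log(`${total} mailto hits`);
  console.log('by IP:', topEntries(byIp));
  console.log('by User-Agent:', topEntries(byUa));
}
```

Point it at a real log (read the file and pass its text to tallyMailtoHits) and the top entries of the two tallies are the IP range and User-Agent string to block at the edge; a legitimate browser never requests a mailto: URI from the web server, so every hit here is noise or a bot.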

Related

Link with mailto when the user doesn't have an email handler?

So,
Imagine that I have this link:
Test
How do you deal with people that visit your site and don't have any email handler? What are the possible solutions? Like showing the email, for example? Any other solutions?
Thanks
EDIT: This solution requires putting the email in between the anchor tags. Why would you not?
I would not worry about it. Most browsers (all modern ones) would allow a user to right click and copy the email to their clipboard in the worst case. It's not such a mission critical feature that I would worry about it. If they do click it, I believe the browser will ask the user what mail client they would like to associate mailto links to.
The only other choice would be to allow them to fill out a form that your mail server will generate into an email and then send to the appropriate recipients.
On mouse over it could show a tool tip above the link with the email?
If you don't want to be dependent on client settings, you'll need to provide the service server side. Meaning allow people to send an email from your site using some simple text box and an SMTP plugin.
You might find this question helpful: Has anyone ever come up with a way to detect the email program a recipient is using?
Essentially, there's no possible way to check if there's an outside program to handle email, so short of writing a submission form that automatically sends the email to the intended recipient, there's probably not much you can do.
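Added example (editorial code, not from anyone in this thread) for the server-side form the answers above suggest: the part that turns the visitor's input into an e-mail. The recipient address is fixed in server code, the visitor's address and subject are rejected if they contain CR/LF (a line break in a header value ends that header, so whatever follows would be read as an extra header such as Bcc:), and the visitor's address goes into Reply-To rather than From. CONTACT_RECIPIENT and the length limits are assumptions for the example; the returned object is shaped like the message options nodemailer's sendMail() accepts, but any SMTP library can be fed the same fields.

```javascript
// Added example (not part of the original thread): the server side of a contact
// form that relays a visitor's message by e-mail. The recipient is fixed in
// server code; the visitor's reply address and subject are validated so they
// cannot break out of the header they are placed in. CONTACT_RECIPIENT and the
// length limits are assumptions for this example.
const CONTACT_RECIPIENT = 'contact@example.org';

// Deliberately strict: one local part, one domain, no whitespace, no angle
// brackets or separators that could smuggle in a second address.
const EMAIL_RE = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/;

function singleLine(name, value, maxLen) {
  if (typeof value !== 'string' || value.trim().length === 0) throw new Error(`${name}: required`);
  // A CR or LF in a header value ends that header; whatever follows would be
  // read as a new header (for example an extra Bcc:), so reject it outright.
  if (/[\r\n\0]/.test(value)) throw new Error(`${name}: control characters are not allowed`);
  if (value.length > maxLen) throw new Error(`${name}: longer than ${maxLen} characters`);
  return value.trim();
}

// Returns an object shaped like the message options nodemailer's sendMail()
// takes; the same fields map onto any other SMTP library.
function buildContactMessage(fields) {
  const replyTo = singleLine('from', fields.from, 254);
  if (!EMAIL_RE.test(replyTo)) throw new Error('from: not a valid e-mail address');
  const subject = singleLine('subject', fields.subject, 200);
  const body = typeof fields.body === 'string' ? fields.body.slice(0, 10000) : '';
  return {
    to: CONTACT_RECIPIENT,                 // never taken from the request
    replyTo,                               // visitor's address; From: stays the site's own sender
    subject: `[Contact form] ${subject}`,
    text: body,                            // plain text, so nothing in it is rendered as HTML
  };
}
```

The From: header is left to the sending code so it carries the site's own address (the one the outbound mail server is allowed to send as); the visitor's address is only ever Reply-To.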

mailto X-Frame-Options error

I get the following error when I click on a mailto: link in colorbox.
It works without colorbox, but unfortunately I need to use colorbox.
I tried header('X-Frame-Options: GOFORIT'); but it doesn't work,
and it shows the following error message in the console.
Refused to display document because display forbidden by X-Frame-Options.
Any idea?
I've never messed with X-Frame-Options (though I did work directly for the guy that wrote the book on clickjacking). According to Mozilla, there are only two acceptable values:
DENY
SAMEORIGIN
And these are returned by the iframed source server, which it sounds like you have control over. Both of which are defensive, not permissive.
What happens if you turn off the header outright?
Also, to avoid issues with users who use their web mail client (like me) who may not want to leave the colorbox or have the webmail client bound in an iframe, try setting target="_blank" on the link. Perhaps escaping the iframe will alleviate other issues.
Some sites forbid their pages from being displayed in an iframe. If that is the situation you are running into, then there isn't much that can be done. However, I would not recommend trying to colorbox a mailto link, as you have no control over how visitors handle those kinds of links.
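To make the "defensive, not permissive" point above concrete, here is an added example (editorial code, not from anyone in this thread) that emulates how a browser evaluates the X-Frame-Options header on a response it is about to display in a frame. The directives are DENY and SAMEORIGIN, sent by the framed document's own server; SAMEORIGIN compares scheme, host and port against every ancestor frame; two different values are treated as deny (at least as strict as the HTML standard); and an unrecognised value such as GOFORIT is ignored, as the current HTML standard specifies (older browsers did not all agree). Nothing a value can say makes a foreign page frameable.

```javascript
// Added example (not part of the original thread): emulate a browser's
// X-Frame-Options decision for a document about to be shown in a frame.
function originOf(url) {
  return new URL(url).origin; // scheme + host + port
}

// headerValue:  the X-Frame-Options value the framed document's own server
//               sent (null when absent). Repeated headers arrive comma-joined.
// frameUrl:     URL of the document being framed.
// ancestorUrls: URLs of the frames above it, up to the top-level page.
// Returns { allowed, reason }.
function frameDecision(headerValue, frameUrl, ancestorUrls) {
  if (headerValue == null) return { allowed: true, reason: 'no X-Frame-Options header' };
  const tokens = [...new Set(
    String(headerValue).split(',').map((t) => t.trim().toLowerCase()).filter(Boolean)
  )];
  if (tokens.length === 0) return { allowed: true, reason: 'empty header value' };
  // Two different directives: refuse rather than guess which one was meant.
  if (tokens.length > 1) return { allowed: false, reason: `conflicting values: ${tokens.join(', ')}` };
  const [token] = tokens;
  if (token === 'deny') return { allowed: false, reason: 'DENY' };
  if (token === 'sameorigin') {
    const target = originOf(frameUrl);
    for (const ancestor of ancestorUrls) {
      const o = originOf(ancestor);
      if (o !== target) return { allowed: false, reason: `SAMEORIGIN: ancestor ${o} is not ${target}` };
    }
    return { allowed: true, reason: 'SAMEORIGIN: every ancestor matches' };
  }
  // Anything else (e.g. "GOFORIT") is not a directive; the header is ignored,
  // which leaves framing allowed, never more restricted.
  return { allowed: true, reason: `unrecognised value "${token}" ignored` };
}
```

The only inputs are the framed server's header and the frame ancestry; the framing page has no say. That is why an invalid value like GOFORIT cannot help the colorbox case: if the page the mailto: link resolves to sends DENY or SAMEORIGIN, it will refuse to render inside your frame no matter what your own server sends.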

Prevent people from typing a URL manually

I'm in the middle of creating my website and need some help with stopping people from going to a page on my website manually. Basically, I've set up a contact form and once it's filled in, it sends you to a thank-you page. I want to stop people going to that page manually by typing in the URL for it. I want them to only be able to access it by filling out the form and hitting 'send'.
Firstly, is this possible, and if so, HOW?!
Thanks in advance!!
Have the page as the response to the POST and don't redirect to it.
You'll need to use a redirect in combination with some kind of persistent storage (DB, cookie, session).
Essentially on the thank you page, check that they came from the contact form, via persistent storage, otherwise redirect them.
Maybe you can check the HTTP method. If it is POST, presumably the user used the form. If it is GET, presumably they typed the address themselves.
Good luck!
You can insert a special hidden hash value in your form and check for it on the page you redirect to. It's not foolproof though.

How to make a page with an HTTPS iframe appear secure

I have a page on a website that contains a secure form inside an iframe. Although the form data submitted is secure the page doesn't appear secure as the URL in the browser is just HTTP. Is there anything I can do to show the users that the form is secure?
Although the form data submitted is secure
It may or may not be encrypted. But it's not secure, and the browser is absolutely correct to deny you a padlock icon.
If the parent page is http, then that page could easily have been altered by a man-in-the-middle attack to point the usually-secure <iframe> to a completely different server to the expected one. Or, the parent page might have had JavaScript injected into it to log any keypresses you make into the form and send them to the attacker's server.
The user would have no way of checking whether this had happened, short of viewing the page source and reading and understanding every line of markup and script inside it. This is absolutely unrealistic.
If you aren't on a page where all content is secured by https, any submission from that page is insecure, regardless of where the form action is pointed.
Open the form in a new window or host the container page on a secure server. Users have a right to be skeptical of an insecure page hosting a supposedly secure page -- it's practically begging for XSS attacks.
Whether the host page is secured or not, placing https secured pages inside an iframe is not a good idea. Even https pages are not invulnerable to XSS and MITM attacks. The only way to avoid any confusion as to which domain/web server your web browser is talking to is to go direct to the source page - i.e. the one you are trying to put inside your iframe.
Iframes are a convenient way to quickly include content from another page/site, but they open up a whole bunch of opportunities to the dishonest!
Nothing that will trigger the usual browser "This is secure" indicators.

mailto: links and webmail

Is there a way to implement a mailto: link that works with webmail clients?
Edit - so a traditional mailto link is (as I suspected) not going to work. So has anyone seen anything similar to those rss buttons you see with a variety of the most popular sites on?
The links are handled by the user's browser. GMail has a client-side install (GMail Notifier) that lets you specify that you want GMail to handle all mailto links.
But there's no way for a web page to specify that its mailto link should be handled by a webmail app (even if it could, how would you know which one?).
That's really more of a web client issue, it's already available for Firefox:
http://starkravingfinkle.org/blog/2008/04/firefox-3-web-protocol-handlers/
but ultimately it's down to the user to decide how their browser handles mailto links.
Create a text file named MailtoWebMail.reg with the following content...
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mailto\shell\open\command]
@="\"(BrowserExecutable)\" (Parameters)"
where (BrowserExecutable) is replaced with the complete path to your browser (e.g. C:\Program Files\Internet Explorer\iexplore.exe)
and (Parameters) is replaced with the appropriate line for the mail service as described below...
GMail
"http://mail.google.com/mail/?view=cm&fs=1&to=%1"
Hotmail
"http://hotmail.msn.com/cgi-bin/compose?To=%1&mailto=1"
Yahoo Mail
"http://compose.mail.yahoo.com/?To=%1"
Netscape Mail
"http://webmail.netscape.com/compose.adp?mailto=%1"
Mail.com
"http://mail01.mail.com/scripts/mail/Outblaze.mail?composeto=%1&compose=1"
Opera Web Mail
"http://mymail.operamail.com/scripts/mail/Outblaze.mail?compose=1&did=1&a=1&to=%1"
Note: There should not be a blank line after the [HKEY_LOCAL_MACHINE] line
MikeB
I am just brainstorming here. You might be able attach a Javascript handler to the link that asks the user if s/he wants to login to a webmail account (along with a list of providers). If you have the correct URLs for the webmail providers, you would then be able to invoke them on the basis of the user's choice. If the user answers no, return true from the handler and presumably the link would work normally.
See, for example, http://toric.blogspot.com/2005/07/gmail-compose-link.html and http://blog.monstuff.com/archives/000238.html
Here are 2 Opera UserJS examples that you can inspect to give you an idea of how you can do it on regular pages. (Obviously, UserJS-specific functions wouldn't work in a regular page, but you can use regular events.)
This one catches left-clicks on mailto links and opens them in Gmail for example. It can also handle forms.
http://shadow2531.com/opera/userjs/BeforeMailtoURL.js
This one catches all mailto actions, has a more generic parser (that supports any hname and not just to, cc, bcc, subject and body) and has a better format string syntax:
http://shadow2531.com/opera/userjs/BeforeMailtoURL.zip
Basically, you have to find a way to intercept mailto link actions. You can do this with click event listeners on links and submit listeners on forms (if you really want to support forms). (It's easier to use a click event listener on the whole window and just filter it to find mailto actions. That way, you catch mailto links that are dynamically added at some arbitrary time.)
Or, you can just run through the page and process all the mailto links.
But, if you want to intercept mailto actions in the address field, via window.open or document.location etc., you'll need something like HTML5's registerProtocolHandler or something like Opera's webmailprovider.ini support. You can use registerProtocolHandler in Firefox, but by default, it's restricted to the domain you set it on.
So, basically, you either convert mailto links to http(s) webmail compose URIs up front, or at the time the mailto action is invoked. The latter works much better.
Converting a mailto link to a webmail compose URI involves a few things. First, you need to know what query string variables the webmail accepts. Then, you need to parse the mailto URI to split it up into the parts you want. Then, you need to decode and re-encode (to normalize) those parts. Then, you need to join multiple occurrences of hvalues together. And, you need to handle things in a case-insensitive manner and check for and escape unsafe characters and %HH etc.
For the parsing, you can do a quick and dirty regex, but you'll get better results with a full mailto URI parser and normalizing functions.
So, if you just want to handle left-clicking on links, you can do that cross-browser. For more than that, you have to use any hooks the particular browser gives you.
Hypothetically, assuming the webmail client passes arguments through the authentication process (or the user is already authenticated), I don't see why this is so impossible. It can't be done in the simple mailto: way, but it'd be possible to provide a selection of links to popular webmail services and use Javascript to intercept clicks on mailto: links such that the user is presented with a drop-down list of possible webmail services (or their local email client). The links would carry the To:/Subject: address but formed in whatever structure that webmail service requires.
If you're using a Google Apps email account (hosted email), then Gmail Notifier will not work. You can use a bookmarklet though, to change all of your mailto: links to links that point to your webmail.
Here's a bookmarklet I wrote to do just that, it will highlight all fixed links in red.
javascript:(function(){for(var i=0;i<document.links.length;i++){var a=document.links[i];if(a.href.indexOf('mailto:')==0){a.href='http://mail.google.com/a/sample.com/mail?extsrc=mailto&url='+encodeURIComponent(a.href);a.style.backgroundColor='red';a.style.color='white'}}})();
Just be sure to change http://mail.google.com/a/sample.com to whatever the proper hosted address is for you.
I suppose this will work with a number of other email clients if you just change that link around.
Kind of an old thread, but nobody has quite answered it yet, so here goes.
As blesh nearly says above, while there's no way to get "mailto:" to go to Gmail, there's another way to skin this cat that works just fine in many situations. Just change the URL. Remove the "mailto:" prefix and insert "https://mail.google.com/mail/?view=cm&fs=1&tf=1&to=".
This seems to work like a charm, whether or not the user is coming in through Google Apps. If the user is not logged in, he'll be walked through that step, and then Gmail will still kick off a new message. The only downside I've noticed is that if (when?) Google decides to change their bookmarking scheme, this may need a bit of tweaking.
It may make sense to perform this transform either before or after the URL is in the DOM, depending on your situation.
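Added example (editorial code, not from anyone in this thread) that implements what the two answers above describe: a mailto: URI parser that treats hnames case-insensitively, splits address lists before percent-decoding, tolerates malformed %HH, joins repeated subject/body values and drops headers outside to/cc/bcc/subject/body (RFC 6068 warns against passing arbitrary header fields to the mail client); a converter to the Gmail compose URL; and a single capturing click listener on window that catches mailto links added at any time. The view=cm&fs=1&tf=1&to= parameters come from the thread; cc, bcc, su and body are Gmail's commonly documented companions and are an assumption here. The listener only runs in a browser, so the parsing functions can be exercised in Node.

```javascript
// Added example (not part of the original thread): parse a mailto: URI, turn it
// into a Gmail compose URL, and intercept clicks on mailto links at the window
// level so links added later are caught too.
const HEADER_NAMES = new Set(['to', 'cc', 'bcc', 'subject', 'body']);

// Percent-decode, but keep the raw text if the %HH sequences are malformed
// instead of throwing on a bad link.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Split a comma-separated address list *before* decoding, so an encoded comma
// inside an address is not mistaken for a separator.
function addressList(raw) {
  return raw.split(',').map((a) => safeDecode(a).trim()).filter(Boolean);
}

// Returns { to, cc, bcc, subject, body } (each an array) or null if href is not a mailto: URI.
function parseMailto(href) {
  const m = /^mailto:([^?]*)(?:\?(.*))?$/i.exec(String(href).trim());
  if (!m) return null;
  const h = { to: addressList(m[1]), cc: [], bcc: [], subject: [], body: [] };
  for (const pair of (m[2] || '').split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const name = safeDecode(eq < 0 ? pair : pair.slice(0, eq)).trim().toLowerCase(); // hnames are case-insensitive
    const rawValue = eq < 0 ? '' : pair.slice(eq + 1);
    // Anything outside the well-known set is dropped; RFC 6068 warns against
    // passing arbitrary header fields through to the mail client.
    if (!HEADER_NAMES.has(name)) continue;
    if (name === 'to' || name === 'cc' || name === 'bcc') h[name].push(...addressList(rawValue));
    else h[name].push(safeDecode(rawValue));
  }
  return h;
}

// Gmail's compose parameters (view=cm&fs=1&tf=1&to=) come from the thread;
// cc, bcc, su and body are the commonly documented companions and are an
// assumption here. URLSearchParams re-encodes everything for the query string.
function toGmailCompose(href, base = 'https://mail.google.com/mail/') {
  const h = parseMailto(href);
  if (!h) return null;
  const q = new URLSearchParams({ view: 'cm', fs: '1', tf: '1' });
  if (h.to.length) q.set('to', h.to.join(','));
  if (h.cc.length) q.set('cc', h.cc.join(','));
  if (h.bcc.length) q.set('bcc', h.bcc.join(','));
  if (h.subject.length) q.set('su', h.subject.join(' '));   // repeated hvalues joined
  if (h.body.length) q.set('body', h.body.join('\n'));
  return `${base}?${q.toString()}`;
}

// Browser only: one capturing listener on window catches left-clicks on any
// mailto link, present now or added later, and opens the webmail compose page
// instead. Modified clicks (middle button, Ctrl/Cmd) are left to the browser.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  window.addEventListener('click', (ev) => {
    if (ev.button !== 0 || ev.ctrlKey || ev.metaKey || ev.defaultPrevented) return;
    const a = ev.target && ev.target.closest ? ev.target.closest('a[href]') : null;
    if (!a) return;
    const url = toGmailCompose(a.getAttribute('href'));
    if (!url) return; // not a mailto: link
    ev.preventDefault();
    window.open(url, '_blank', 'noopener');
  }, true);
}
```

Swapping toGmailCompose for a function that builds another provider's compose URL (the query names in the MailtoWebMail.reg answer above) is the only change needed for a different webmail; the parser and the listener stay the same.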
Oh and double click the MailtoWebMail.reg to insert the command into your registry.
MikeB
Has anyone seen numbers indicating what percentage of webmail users have configured their systems with plugins etc. to properly have mailto: links sent to their browser / webmail system rather than to a desktop app? This seems critical in deciding whether to use mailto: links on a site or a contact form, but I'm having trouble coming up with numbers to guide the decision.