I have an SSL but the pages are not showing lock signs which I need for my order page - html

I have an old site I am just about well enough (broken arm + cancer) to start working on again and I have already moved it to another server OVH and added an SSL/TLS certificate to it.
However in Chrome when I visit any page on the site, especially https://www.strictly-software.com/plugins/order.asp it shows either (don't know why refreshes would change it but they do sometimes) the insecure sign with the red line through the https:// part of the URL in the address bar or an information circle.
In Firefox however I get a secure lock sign. It may be some add-on I have used like a popup blocker or something but I am at a loss to find out what is causing these insecure signs to appear when I need locks, especially on the order page.
This morning I spent hours going through loads of JavaScript and CSS (background:http://blah.jpg) etc and changing it so it is local and cannot be changed remotely as well as making any http references into src="//" or href="//" etc.
I thought it must be one of the images on the "add this" pop up but cannot see anything in their code. Then I thought the Twitter scroller might be showing images from http destinations but Twitter wraps them all in their own URL format.
Does anyone know from looking at the generated source code what is making the page insecure?
Surely there should be a list somewhere in the browser that shows what content isn't secure and offers you to load or not load it? I know the information icon lets you load or not load Flash, images or JavaScript but do you know of how I can find out what content isn't secure on these pages without asking visitors?
Thanks in advance.
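
One way to list the insecure references the question asks about, as an added example that is not part of the original post. It parses a page's generated source and reports every plain-http subresource, form target and CSS `url()`, while skipping protocol-relative (`//`) and navigation links; the sample markup and the `example.test` hosts are constructed.

```python
import re
from html.parser import HTMLParser

# Attributes that trigger a fetch or a form submission. Plain navigation links
# (<a href>) are not mixed content, so they are deliberately left out.
LOADING_ATTRS = {"script": "src", "img": "src", "iframe": "src", "embed": "src",
                 "audio": "src", "video": "src", "source": "src",
                 "object": "data", "form": "action"}
# url(http://...) in <style> blocks, style="" attributes or inline scripts.
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.I)

class SubresourceFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []            # (where, url) in document order

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        attr = LOADING_ATTRS.get(tag)
        rel = set((a.get("rel") or "").lower().split())
        if tag == "link" and rel & {"stylesheet", "icon"}:
            attr = "href"             # <link rel=canonical> etc. load nothing
        url = (a.get(attr) or "").strip()
        # Protocol-relative ("//host/x") and https URLs inherit a secure scheme.
        if url.lower().startswith("http://"):
            self.findings.append((f"<{tag} {attr}>", url))

def find_mixed_content(html):
    """Return (where, url) for every plain-http reference in the markup."""
    finder = SubresourceFinder()
    finder.feed(html)
    finder.close()
    css = [("css url()", u) for u in CSS_URL.findall(html)]
    return finder.findings + css

# Constructed sample page; the example.test hosts are placeholders.
SAMPLE = """<head><link rel="stylesheet" href="http://cdn.example.test/site.css">
<link rel="canonical" href="http://www.example.test/order">
<style>body { background: url(http://img.example.test/bg.jpg); }</style>
<script src="//widgets.example.test/share.js"></script></head>
<body><a href="http://www.example.test/about">About</a>
<img src="https://www.example.test/logo.png"><img src="HTTP://img.example.test/badge.gif">
<div style="background-image:url('http://img.example.test/tile.png')"></div>
<form action="http://www.example.test/pay" method="post"></form></body>"""

if __name__ == "__main__":
    for where, url in find_mixed_content(SAMPLE):
        print(f"{where:15} {url}")
```

References that scripts inject at run time do not appear in static markup, so an empty result here does not rule out mixed content added by third-party widgets.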

Related

Can I label browser tabs across-origins?

I have a number of embedded devices with a web-based front end, each on a different randomly assigned IP address.
I often want to check between these devices but, when they're open in different tabs, it is hard to tell which is which.
I have attempted to embed these pages in iframes with a header labelling each one, but CORS prevented the pages from showing.
Is there a way I could get the opening page to label a tab or window to help me distinguish between similar looking pages? Failing that, and possibly in SuperUser territory, is there any way I could manually label the tabs in my browser once they're open?
Here's a partial answer. There are a number of third-party plugins for Chrome which allow the user to manually rename tabs. I have installed one called Simple Tab Renamer and it seems to be doing the job.
An automated system would be nicer, but I suspect security policies would prevent that.
https://chrome.google.com/webstore/detail/simple-tab-renamer/ailhpmlejogfdcpoflidmobgkgdemaog

Is there a way to make a non-redirecting search engine?

I'm trying to make a search engine, that will display every website content inside of the website, meaning that the computer won't detect that you even went on the website.
what I have tried:
I have tried to use the fetch function, and it did work, but there were 2 problems:
Only the html code displayed, so there was no css, or is, unless it was in the or tag.
90% of fetched websites returned an error, stating that I needed to enable something in my fetch command, but when I did, no html content popped up.
I've also tried using an api that somebody made, and it did work well, but upon clicking an tag, it redirected you to the actual site
I'm trying to achieve what this website has done, so I can get past website blocking.

Resource loading in html email

I have been using a dev tools network tab to check out the loading of resources within a HTML email, because sometimes some of the images do not load properly.
Now I am trying to understand if the email client will always execute the html code in a top to bottom approach, or if there are conditions which can change this.
So I have a tracking pixel and it is located at the very bottom of my email. This pixel does a lot of things which causes it to take about 15 seconds to load. However, because it is at the bottom of my email, it should not interfere with the images being loaded above it. That was what I thought all the time until I checked out the Network tab.
Within the email, a lot of the images are dynamically injected. In the network tab, these images normally have a status of 302 - moved temporarily. It then looks like these images are then reloaded after the tracking pixel has started its request, which could be the cause of some images not loading properly.
I was really hoping for some advice as to whether my theory could be correct, or if I am missing the point altogether?
Thanks

Notification to the Browser so that it displays new image

I want to achieve:
I have a html page that displays an image.
which is pretty easy. [say my image file name is xyz.jpeg]
When the file changes or is replaced with new content, say, by the server or by some other mechanism,
I want this modified image to be displayed in the browser WITHOUT REFRESHING the web page.
So, a kind of notification system in which the browser is notified of the new image, and it gets displayed.
I am not expecting the exact source code, but a direction as to which tool can be used.
I have come across websocket, but I am not sure if this solves this purpose.
The image can be refreshed in a timely manner (e.g. 10 seconds) using JavaScript, i.e. a request will be sent to the server at a specified time interval, and the image will be updated; this is pretty easy to code also. Please refer to this question
However this solution has a negative impact on performance, since the number of requests to be served is too high if the page is accessed by multiple users.
Hope this solves your doubt.

Is it safe use an iframe for a payment?

I have this question: is it safe to use an iframe to load the page where the customer will make the payment? For example PayPal or DineroMail or the page that does the credit card payment.
My boss wants the customer to feel that they never leave the site, so in my site I added an iframe (and inside this I load the URL of the payment), but I don't know if it is correct and safe or not.
Thanks.
From a technical security point of view (Same Origin Policy), it is exactly as safe to open an iframe as it is to open a new tab.
From a UI point of view, opening an iframe in certain locations can deceive the user and you might be accused of trying to clickjack the user into making an inadvertent payment if you are not careful.
I cannot say anything about PayPal's own policy, but you should make sure they are okay with it.
I have been through this several times with many clients. A lot of it has to do with 1) he isn't comfortable with a customer leaving his site in fear the checkout won't occur or 2) it's a pride thing that he wants clients to feel all the services can be performed in site.
One of the things that your boss needs to understand is that people like using PayPal because they are trusted and it's a familiar process to them. He needs to know that not only are people OK with being redirected to PayPal, but they expect it. If I were to run into a site where they checked me out in an iframe on PayPal it would be a red flag for me. Why? Because with the redirect I can see the address bar. I know that I'm at PayPal's site and I can see if it's a secure connection.
If he is dead set on a customer never leaving a site, he needs to do something like PayPal Payments Pro. This is probably the solution he really wants.
EDIT
I found your answer when dealing with the same issue myself last weekend and wanted to come back with something better!
It's called flex and it's a part of the Adaptive Payments classic API, which will take an additional application process which your boss may feel is well worth it.
https://developer.paypal.com/docs/classic/adaptive-payments/integration-guide/APIntro/
Head about 3/4 of the way down and you'll see step-by-step instructions to do exactly what you're looking for: a secure PayPal iframe.
Quick tip: If you have to incorporate it in your own processes simply do the following.
1) obtain your paykey after sending the request to paypal.
2) call in the javascript source as in the tutorial.
3) redirect the window manually as opposed to their created paypal button. aka https://www.paypal.com/webapps/adaptivepayment/flow/pay?paykey=YOURPAYKEY
another good source is : https://www.paypalobjects.com/webstatic/en_US/developer/docs/pdf/pp_adaptivepaymentsmobile.pdf
It is safe if Paypal allows it, but you have to be careful from a UI point of view.
If your site is loaded over http and you load the IFrame within your site, it appears to the user not to be secure even though the IFrame is loaded over https. This approach is also vulnerable to a MiTM attack as an attacker could intercept and change the IFrame URL to something like http://www.evil.com and nobody would be the wiser at the time of entering the card details.
If your site is loaded over https your customer has to trust you with their card details as they cannot be sure that the IFrame is actually pointing to the Paypal domain on https (https://www.paypal.com) and not your site. Yes they could right click and check the source, but this is a step too far for most users and technically an evil site could swap the IFrame for an evil version without the customer noticing.
My recommendation is to actually redirect to https://www.paypal.com because then it is shown in the address bar with a padlock and reassures users that they are giving their details to Paypal and nobody else.