XSS Domain and Sub-domain - subdomain

I want to access the resources of http://abc.example.com on http://example.com. Is this a violation of the same-origin policy?
I am not able to test it because I am designing something and do not have server access to validate the same.

Even though you don't have server access, you can still test this. Set up a simple web server on your laptop and modify your hosts file. Next, look up the definition of origin: port, protocol and full hostname. The same-origin policy can be relaxed by setting document.domain on the subdomain or by using CORS headers.
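As an added worked example (not code from the original answer), the origin comparison the answer points to and the two relaxations it names, using the question's hosts abc.example.com and example.com; the function names are mine, and the public-suffix restriction on document.domain is not modelled:

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_of(url):
    """The browser's notion of origin: scheme, full hostname and port (default-filled)."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return (scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme))

def same_origin(url_a, url_b):
    """abc.example.com and example.com differ in hostname, so they are different origins."""
    return origin_of(url_a) == origin_of(url_b)

def origin_header(url):
    """Serialise an origin the way the browser sends it in the Origin request header."""
    scheme, host, port = origin_of(url)
    if port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"

def cors_allows_read(page_url, allow_origin_header, credentials=False):
    """Can a page at page_url read a cross-origin response that carries this
    Access-Control-Allow-Origin value? (Simple GET only; preflight not modelled.)"""
    if allow_origin_header is None:
        return False
    if allow_origin_header == "*":
        return not credentials          # '*' is refused for credentialed requests
    return allow_origin_header == origin_header(page_url)

def document_domain_relaxes(url_a, url_b, value):
    """Legacy document.domain relaxation: both documents must set the same value,
    it must be the host itself or a parent domain of each host, and the schemes
    must match. (Browsers additionally refuse public suffixes such as 'com'.)"""
    (scheme_a, host_a, _), (scheme_b, host_b, _) = origin_of(url_a), origin_of(url_b)

    def suffix_ok(host):
        return host == value or host.endswith("." + value)

    return scheme_a == scheme_b and suffix_ok(host_a) and suffix_ok(host_b)
```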

Related

How to add Cloudflare's IPs to the Oracle Cloud Infrastructure whitelist

I purchased a domain from Namecheap, and I'm going to use Cloudflare for my domain's DNS, but it says Error 521.
I created a free instance on Oracle.
Cloudflare suggests that I add their IPs to Oracle, but I have no idea where to add these IPs.
We're from the Solutions Architecture team over at Oracle Cloud Infrastructure and wanted to give you a few pointers to help you out.
What this error indicates is that Cloudflare is having problems accessing your website. Most likely this is because you have not yet configured your website to be accessible from the internet. While we didn't write this, it appears the community has a set of instructions here on how to expose your site to the internet:
https://dev.to/yoursunny/how-to-host-a-website-in-oracle-cloud-free-tier-5hca
Here's another online class for doing the same with WordPress: https://www.udemy.com/course/wordpress-website-built-on-oracle-cloud-always-free-tier/
Once done, you'll want to test your website by IP address in a web browser to make sure you can at least load your web page.
What Cloudflare is suggesting is you should actually only open access to your website from the specific IP addresses of the Cloudflare network. This increases the security of your website by preventing people from bypassing Cloudflare if they know your site's IP address. To do so, instead of adding 0.0.0.0/0 as the allowed CIDR you add an individual entry for each CIDR listed here: https://www.cloudflare.com/ips/
For testing though, just use 0.0.0.0/0 until you have it working. Then you can change it.
Finally, don't forget to check host firewall rules (see iptables --list). Not having an entry for port 80/443 is a common error.
Let us know if it works for you.
I have a similar setup where Cloudflare is fronting my app. However, in my case I am just using a public load balancer in OCI. I bought a domain name pointing to the public IP of the load balancer. This way I first tested my site without the domain name, just hitting the load balancer IP. If that works fine, then in Cloudflare you just need to proxy the domain to the public IP of the load balancer.

Service with multiple ports/protocols per route (e.g. HTTP and HTTPS) possible in OpenShift?

I am currently evaluating OpenShift for use in our company.
We have a web application in a container, which exposes both port 80 (HTTP) and port 443 (HTTPS). Is it possible to run this container in OpenShift, using both ports over the SAME hostname? The OpenShift GUI lets me select only one port per service if I try to create a route, and either HTTP or HTTPS, not both. My use case is that my application is reachable on http://my-app as well as on https://my-app (in my opinion a quite common use case).
It is not possible to have multiple routes with the same hostname and path. Only the first such route will be admitted to the router.
The routes with paths will work as mentioned by #Graham
You can put all 3 below in a single project without problem:
example.com
example.com/hello
example.com/world
They can have different protocols. Adding a duplicate route with different protocol will not work.
Additionally, if you have Project B, you won't be able to use the example.com host again. So, none of the below will be accepted by a router:
example.com
example.com/hello
example.com/world
example.com/path
Which makes sense, as you don't want someone else to use your domain.
What usually happens when you have HTTPS exposed is that all HTTP traffic is redirected to HTTPS.
You can achieve it by creating an edge-terminated route (over the UI) and selecting Insecure Traffic: Redirect. There is also an option to set it to Allow.
More documentation and YAML examples if you would like to create a route from the command line: OpenShift Origin: Secured routes

Simulate AS3 crossdomain behaviour in localhost

I am writing an ActionScript 3.0 client that has to communicate with a remote server. In a localhost environment everything works fine, but if I test the client in the real internet environment there is no connection.
My guess is that it has to do with the cross domain policy file, but calling
Security.loadPolicyFile("xmlsocket://"+targetIP);
does not send the <policy-file-request/> message to the server on the default port 843, or any port for that matter. I think it might be because Flash recognises that the address is local and omits the request. But I need to receive it to be able to implement the answer on the server. Otherwise I'd be coding blindly.
Is there a way to force the Flash client to behave as if it were in a different domain while still being in localhost, so I can troubleshoot this issue without involving a remote host? I don't have many resources in that regard.
Try running the client on 'localhost', and load the policy file from '127.0.0.1'.
They should be seen as different 'domains'.

Hotlink working locally, not on server

I want to hotlink an image from a remote website. This works when I test on my local PC (Apache server), but doesn't work when I try from my website.
I am not an expert in this subject, but as I understand it, if hot-linking were blocked on the remote site, it should not work on my local server either, right? In that case what might be the issue (my hosting provider is saying they don't have any issue)?
Let's play this through.
On your local server:
You make a request to 127.0.0.1 (or localhost) that returns some HTML with a hotlinked image to example.com.
The browser makes a subsequent request to example.com and sets the referer header to 127.0.0.1.
Now example.com has to determine whether the referrer is allowed to hotlink or not.
Since, for that server, example.com and 127.0.0.1 both refer to the same thing, namely the server itself, this looks like a valid request.
On your remote server:
Same as above, but replace 127.0.0.1 with your.favourite.url.
This time when the server validates the referrer, it will come to the conclusion that your.favourite.url and example.com do not refer to the same thing, and therefore block the image request.
This could be seen as a misconfiguration of example.com, since the referrer might not resolve to the same point from both client and server context.
If you access your local server via your local network IP (e.g. 192.168.1.42), then hotlinking should no longer work, unless example.com has a really graceful referrer policy, or happens to use exactly the same local IP as you.
It could also be possible to expose example.com's local IP by brute-forcing all local network IPs; though that technically is an information leak, there's not much you can do with it.
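The walkthrough above as an added example, not part of the original answer: a referrer check that resolves the Referer host on the server (the misconfiguration described, which lets 127.0.0.1 and localhost through) beside a hostname-allowlist check that does not depend on DNS at all. The DNS map, addresses and allowlist are constructed for illustration.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed view of DNS as resolved by example.com's own server (not real data):
# the site's own name and 'localhost' both point at the server itself.
SERVER_SIDE_DNS = {"example.com": "127.0.0.1", "localhost": "127.0.0.1",
                   "your.favourite.url": "203.0.113.10"}
OWN_ADDRESSES = {"127.0.0.1"}
ALLOWED_REFERER_HOSTS = {"example.com", "www.example.com"}

def resolve_on_server(host):
    """IP literals resolve to themselves; names go through the server's resolver."""
    try:
        return str(ip_address(host))
    except ValueError:
        return SERVER_SIDE_DNS.get(host)

def referer_host(referer):
    return urlsplit(referer).hostname if referer else None

def hotlink_allowed_by_address(referer):
    """The misconfiguration: resolve the Referer host *on the server* and accept it
    if it points at the server. 127.0.0.1 and localhost pass even though, from
    the client's side, they named the visitor's machine, not example.com."""
    host = referer_host(referer)
    return host is not None and resolve_on_server(host) in OWN_ADDRESSES

def hotlink_allowed_by_name(referer, allow_missing=True):
    """Compare the Referer hostname against an explicit allowlist. No resolution
    is involved, so local and remote clients are judged the same way. A missing
    Referer is allowed by default because many clients strip it."""
    host = referer_host(referer)
    if host is None:
        return allow_missing
    return host.lower() in ALLOWED_REFERER_HOSTS
```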

How to pass proxy URL to the machine behind that proxy?

Our server setup is the following:
A proxy and load balancer directs all requests to the machines behind it. The problem is that these machines do not know where they are. If the proxy gets the request for www.bridge.de/m01, it redirects to machine01.
Machine01 only knows its local path m01.
For an application solution for password reset functionality I considered several options.
We decided to pass the value of the URL from 'before proxy' to the database of machine01, so machine01 'knows' its external context for that specific request.
My question is: is there a better way to pass the external URL context to machines behind a proxy? We are using JavaEE, JSP and MySQL for our application, with virtual machines running CentOS.
Thanks for any suggestions! :D
Your question is not fully clear.
I assume the issue is that your load balancer terminates the connection and forwards the request to you.
Usually your balancer provides you with the origin URL of the request, since you may need it from time to time.
In this case you can check your HTTP headers. If it is not provided, you have to reconfigure your balancer to provide the needed details.
Check this: Strategies for dealing with URIs when building an application that sits behind a reverse proxy
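An added example, not from the original answer or the asker's JavaEE application: rebuilding the 'before proxy' URL from the forwarding headers a balancer commonly sets (X-Forwarded-Proto, X-Forwarded-Host, and X-Forwarded-Prefix for the stripped /m01 part), honoured only when the request really came from the proxy, so a client cannot plant its own host into a password-reset link. The trusted proxy range, host names and sample headers are assumptions.

```python
from ipaddress import ip_address, ip_network

# Assumption: the proxy/load balancer reaches machine01 from this internal range.
TRUSTED_PROXY_NETS = [ip_network("10.0.0.0/8")]

# Constructed sample headers: what the proxy would add, and what a direct client might send.
SAMPLE_PROXIED_HEADERS = {"X-Forwarded-Proto": "https",
                          "X-Forwarded-Host": "www.bridge.de",
                          "X-Forwarded-Prefix": "/m01"}
SAMPLE_SPOOFED_HEADERS = {"X-Forwarded-Host": "attacker-controlled.example"}

def header(headers, name, default=None):
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return default

def from_trusted_proxy(remote_addr):
    return any(ip_address(remote_addr) in net for net in TRUSTED_PROXY_NETS)

def external_url(headers, remote_addr, local_path,
                 local_host="machine01", local_scheme="http"):
    """Return the URL as the client sees it. Forwarding headers are trusted only
    when the TCP peer is the proxy; otherwise fall back to the local view rather
    than to whatever host name the request claims."""
    if not local_path.startswith("/"):
        local_path = "/" + local_path
    if not from_trusted_proxy(remote_addr):
        return f"{local_scheme}://{local_host}{local_path}"
    scheme = header(headers, "X-Forwarded-Proto", local_scheme)
    # A chain of proxies may append values; the first one is the client-facing host.
    host = header(headers, "X-Forwarded-Host", local_host).split(",")[0].strip()
    prefix = header(headers, "X-Forwarded-Prefix", "").rstrip("/")
    return f"{scheme}://{host}{prefix}{local_path}"
```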