Forcing Grails to not cache the "cache manifest" file? - html

I am building a Grails app that will utilize HTML5's Offline Mode. In that article, the author talks about the requirement for your web server to not cache something called the "Cache Manifest" file:
So here’s one thing you should absolutely do: reconfigure your web server so that your cache manifest file is not cacheable by HTTP semantics.
So I need to figure out how to tell Grails (2.4.x) not to allow clients to cache a particular file. I found this answer but am not confident it is the generally-accepted "Grails way" of doing this.
So I ask:
Is that answer the generally-accepted way of prohibiting a file from being cached in Grails? If not, then what is?; and
If it is, then what is CacheFilters, where do I define it, and are there any docs on its all, before, after, afterView, etc. methods?

You cannot easily control the headers in a web-app file as far as I know.
A quick workaround for now could be to map /cache.manifest to a controller action in UrlMappings and simply set the header manually.
In the action you can do something like this after setting the appropriate headers:
response.outputStream.write(grailsApplication.applicationContext.getResource("/cache.manifest").getFile().bytes)
Coded freehand, but you get the general idea.

Related

Can we prevent tampering with an offline HTML page or PWA?

Consider a system where we want to send someone a plain HTML+JS file and when loaded in a browser, it "executes" itself. (The inspiration is Portable Secret, which password-protects secrets for a file that can be shared offline, for a very convenient user experience).
The system has lots of flaws. One of them is that the HTML file could be modified while it's sitting around on the operating system, to do anything - for instance, you could tamper with it so when the password is supplied, it sends its secrets over the network to the attacker.
Now, we don't have this problem with most apps these days because they are signed. If you tamper with them, when the OS launches the app, it will (greatly simplifying) hash its contents, and notice that it no longer matches the signature. The signature can't be faked for the usual public-key crypto reasons, blah blah.
So, the question, finally: is there any equivalent anti-tampering standard we can use for an HTML page, stored offline?
I thought that maybe there would be something in Progressive Web Apps, perhaps putting a signature in the manifest, but I don't see anything immediately relevant. The behavior can't be anything defined in the HTML+JS file itself, obviously; it must be something the browser does automatically to check the contents. It might be acceptable if it has to do a network request to do it.
There are a few approaches you could take to try to prevent tampering of an HTML+JS file stored offline:
Sign the file: One approach you could take is to sign the file using a private key and then include the signature in the file. When the file is loaded in the browser, the browser could verify the signature using the corresponding public key. This would prevent tampering with the file because any changes to the file would invalidate the signature.
Use a Content Security Policy: You could use a Content Security Policy (CSP) to specify which sources are allowed to be used by the HTML+JS file. This would prevent tampering with the file by blocking any attempts to load external resources or execute malicious code.
Use a Service Worker: Another option is to use a Service Worker to cache the HTML+JS file and serve it from the cache. This would prevent tampering with the file because any changes to the file would not be reflected in the cached version served by the Service Worker.
Ultimately, it's important to note that there is no foolproof way to prevent tampering with an HTML+JS file stored offline. It's always possible for an attacker to modify the file, so it's essential to be aware of this risk and take steps to mitigate it as much as possible.

View cached Appcache data

My application is currently using HTML5 appcache.
I want to get the hash of files that I get from update() events. However, I can't seem to find out how to access the resources I downloaded.
I want to do something like
$.get( "/sunflowers.png", function( data ) {
hash(data)
});
I know that I can view the cached resources via chrome-internals however I hope to automate this process
PS: Bump for Chromium devs! Please advise.
AppCache is effectively deprecated at this point, so it's not likely that the answer for this original use case would still be relevant.
But in general, it's worth pointing out that there's a more "official" way of confirming that the contents of a downloaded subresource match the expected local hashes: using subresource integrity.

How to Gzip a json file and read it from server?

Can anybody explain the process? I am totally confused. I have no idea how to get this compression and decompression. A detailed guide will be appreciated; however, please leave your thoughts and suggestions which are useful.
Your question explicitly asked "How to Gzip a json file and read it from server?", not "what is gzip and how to do things"
The link actually has an answer marked:
Browsers automatically add the accept-encoding header as appropriate, including on XHR requests. You don't need to do that at the DOM/JS level.
If you need detailed step by step:
Choose a mature web server (IIS, Apache)
Create a directory
Put your json into a file with .json file extension
Make sure the MIME type is set, if you are using IIS check it out here
Gzip/deflate is done by the web server & almost all browsers. You do not have to do anything.
If you are generating dynamic json content as opposed to the above steps (static), just make sure your application is sending the mime type properly and let the browser do it.

Could we pass GET data to css?

I just came across a website pagesource and saw this in the header:
<link href="../css/style.css?V1" rel="stylesheet" type="text/css" />
Could we actually pass GET data to css? I tried searching but found no results apart from using PHP. Could anyone help make meaning of the ?V1 after the .css
I know this forum is for asking programming problems, however I decided to ask this since I have found no results in my searches
First of all, no you can't pass GET parameters to CSS. Sorry. That would have been great though.
As for the example URL: it can be a CSS page generated by any web server (it doesn't have to be PHP). In this case the server can serve different pages or versions of the same page, which might explain the meaning of V1, Version 1. The server can also dynamically generate the page with a server-side template. This is an example from the Jade documentation:
http://cssdeck.com/labs/learning-the-jade-templating-engine-syntax
It can also just be used as a cache buster, for versioning purposes. Whenever you enter a URL the browser will try to fetch it only if it doesn't already have a cached copy which is specific to that URL. If you have made a change in your content (in this instance the CSS file) and you want the browser to use it and not the cached version, you can change the URL and trick the browser into thinking it's a new resource that is not cached, so it'll fetch the new content from the server. V1 can then have a semantic meaning to the developer, serving as a note (i.e. I've changed this file once... twice... etc.) but not actually do anything but break the cache. This question addresses cache busting.
There are different concepts.
First, it is only a link: it has a name, it might have an extension, but this is just a convention for humans, and nothing more than a resource identifier for the server. Once the browser requests it, it becomes a server request for a resource. The server then decides how to handle this request. It might be a simple file it just has to return, it might be a server-side script which has to be executed by a server-side scripting interpreter, or basically anything else you can imagine.
Again, do not trick yourself into thinking "this is a CSS file" just because it has a css extension, or is called style.
Whatever runs at the server and actually answers the request will return something. And this something is then given a meaning. It might be CSS, it might be HTML, it might be JavaScript, or an image, or just a binary download. To help the browser understand what it is, the server returns a Content-Type header.
If no content type is given, the browser has to guess what it is. Or the nice web author gave a hint on what to expect as a response; in this case he gave the hint of text/css. Again, this is how the returned content should be interpreted by the client/browser, not how that content is supposed to be created on the server side.
And about the ?V1? This could mean different things. Maybe the user can configure a style (theme) for the website and this method is used to dispatch different styles. Or it can be used for something called "cache busting" (look it up).
You can pass whatever you want; the server decides what to do with the data.
After all, PHP isn't your only option for creating a server. If I wrote a server in Node.js, set up a route for /css/style.css and made it return different things depending on what query was given, neither the server nor the browser would bat an eyelid.

Identify Webserver & Script of a website

I have got two simple questions
How can I tell what server is a website on? I remember I used to read the HTTP Host Header to identify the type of server. Is there any tool to do it?
2a. A lot of websites have the page extension .html and you just know they are not HTML. How can I tell what programming language is behind them?
2b. For ASPX, I think IIS can map the extension, so it will show HTML instead of ASPX, right?
Cheers
1.
Yes, you can check the http header tag "SERVER". Example of responses:
-Microsoft-IIS/6.0
-GFE/1.3
-Server Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.2 with Suhosin-Patch
You can also check "X-Powered-By" on some servers, example:
-PHP/5.2.6-3ubuntu4.2
-ASP.NET
You can do this in Firefox/Firebug, for example. Go to Net, pick a request, select Headers and check under Response Headers. You could do this in Fiddler too, or any other HTTP sniffer.
2a)
See my first answer
2b)
Yes, you can map .html or anything as an "asp.net" extension, meaning that the extension will be handled by the web application. Common use is that you have an HttpHandler that catches that extension in web.config.
Not sure what the end goal of these questions is, or rather to what purpose; maybe we could answer better then.
Look at the HTTP headers. This works as long as the Server admin hasn't disabled them (which he usually doesn't).
Try http://kalender-365.de/ip/get-http-header.php
2a. This actually works with all servers and all extensions. Some interpreters, such as PHP, send a special created-by HTTP header (which can be disabled, however).
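An added example (not from either answer) that does the header lookup the answers describe programmatically: parse the head of an HTTP/1.x response and pull out Server and X-Powered-By. The sample responses are constructed, not captures from real hosts; they reuse the value formats quoted in the first answer.

```javascript
'use strict';
// Added example, not from the answers above: pulling the Server and
// X-Powered-By headers out of a raw HTTP/1.x response head. The sample
// responses are constructed, not captures from real hosts.

// Parse status line and headers; header names are case-insensitive, and a
// repeated header is folded into one comma-separated value.
function parseResponseHead(raw) {
  const head = raw.split(/\r?\n\r?\n/)[0];
  const lines = head.split(/\r?\n/);
  const statusMatch = /^HTTP\/\d\.\d (\d{3})/.exec(lines.shift());
  if (!statusMatch) throw new Error('not an HTTP/1.x response');
  const headers = {};
  for (const line of lines) {
    const colon = line.indexOf(':');
    if (colon < 0) continue;
    const name = line.slice(0, colon).trim().toLowerCase();
    const value = line.slice(colon + 1).trim();
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
  }
  return { status: Number(statusMatch[1]), headers };
}

// The two headers the answers point at. Both are optional and entirely
// under the operator's control, so null means "not advertised", not
// "not running"; a value can also be deliberately misleading.
function fingerprint(raw) {
  const { headers } = parseResponseHead(raw);
  return {
    server: headers['server'] || null,
    poweredBy: headers['x-powered-by'] || null,
  };
}

// Constructed samples in the formats the first answer quotes.
const SAMPLES = {
  iis: [
    'HTTP/1.1 200 OK',
    'Server: Microsoft-IIS/6.0',
    'X-Powered-By: ASP.NET',
    'Content-Type: text/html',
    '',
    '<html>...',
  ].join('\r\n'),
  apache: [
    'HTTP/1.1 200 OK',
    'Server: Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.2 with Suhosin-Patch',
    'x-powered-by: PHP/5.2.6-3ubuntu4.2',
    '',
    '',
  ].join('\r\n'),
  hardened: ['HTTP/1.1 200 OK', 'Content-Type: text/html', '', ''].join('\r\n'),
};

function demoFingerprints() {
  return Object.fromEntries(Object.entries(SAMPLES).map(([name, raw]) => [name, fingerprint(raw)]));
}
```

To get a real response head to feed in, `curl -sI https://example.com` prints exactly the status line and headers this parser expects. Treat the result as a hint, not proof: the "hardened" sample shows what you get from an operator who has switched the banners off.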