Trying to retrieve the value of a input field in a external site's webpage. They wont change the headers. So been told to use Jsonp. Never used this. Anyone have any examples or can point me in the right direction?
Outline:
External Site:
<input type="hidden" id="ImHiddenGetMe" value="Get Me If You Can">
Cannot use ajax/jquery as they wont change the headers to allow the cross domain.
For using JSONP the other server must provide an interface to it. For example: The other server must provide an URL like
http://other.com/getvalue?jsonp=callbackFunction
This URL must sent JavaScript code like
callbackFunction({ value: "Get Me If You Can" })
If the other server does not provide such an interface and do not provide the Access-Control-Allow-Origin Header necessary for Cross origin resource sharing you cannot load the other site via AJAX.
But you can always program a crawler which stores the value periodically on your server (where you can use it). Please respect the other server's robots.txt in this case.
Related
I am using v-file-input with 'accept' option, e.g.
<v-file-input
:accept=".docx, .txt, image/* ",
label="Choose Attachment"
name="file0"
id="file0"
></v-file-input>
This works and does not allow a file to be selected outside the defined 'accept' file types. The question is that is it still recommended to check for the valid file extension at the server?
Yes, most frontend validations for data being added to an endpoint request can be bypassed by making the request outside of your app using programs like Postman. Setting up CORS on your backend can mitigate that specific risk... However, you can never be too safe. If it's a security risk or concern at all, always validate on the backend.
I'm stuck having to work around an existing bad design.
Our client team will (for logging reasons apparently) have to inject a dynamic value somewhere into their request URL even for the same resource. This of course busts all client side caching as the browser sees it as a new resource.
My question: Can anything be done so the browser can recognize these dynamic urls as the same? Some magic header? Tricky use of etag? Anything?
In my html I'm using hidden value as :<input type="hidden" value="secure" name="first"> but the problem is when I see in browser console value is displaying .How to hide this?
The browser belongs to the visitor. You can't give the browser anything without giving it to the visitor as well.
If you don't want to visitor to have access to data, then never give it to the browser in the first place.
Keep the data on the server and send the browser a session token instead.
You can't. The whole point of a client/server based setup, like 'the web' is by definition, is that everything you transmit to the client can be read by any client.
If you need to secure data from the end user, keep it on the server side. There are a myriad of possible solutions for this, like sessions, cookies and preshared keys, to sync serverside storage with the client.
I assume the browser contacts the web server and asks for the "src" (in those situations where there's something to src).
Can that interaction be controlled in any way?
How much information is available to the server about who wants the src and when?
Alternatively, could one deliberately 404 the request, then control the 404 mechanism to respond appropriately?
Don't mess around with 404 handling for this. If you want to dynamically generate javascript there's no need.
The browser doesn't care what URL is in the src="" attribute - it certainly doesn't have to end in .js. The important thing is that whatever the URL is, it should return its content with the content-type application/javascript.
So the simplest thing to do is put the path to a PHP (if that's what you're using) file and just ensure that what's returned is valid Javascript, sent with a correct Content-Type HTTP header
Scripts specified via a src attribute are handled just like any other resource on a page. If you return a 404 code, the browser won't bother trying to deal with the server further for that resource. The server gets all of the usual HTTP request information (assuming the browser sends it normally), and the Referrer: header is set to the page which is including the resource.
I'm no expert on web development, and need to find a way to let the browser call a PHP routine on the server with the current document ID as parameter, eg.
http://www.acme.com/index.php?id=1
I then need to call eg. /change.php with id=1 to do something about that document.
Unless I'm mistaken, there are three ways for the client to return this information:
if passed as argument in the URL (as above), it will be available as HTTP referrer
by including it as hidden field in
by sending it as cookie
I suppose using a hidden field is the most obvious choice. Are there other ways? Which solution would you recommend? Any security issues to be aware?
Thank you.
You can also POST the data so it won't be seen in the URL with ’form method = "post" ’
All of these methods are, to a point, insecure as they can be manipulated by a savvy user/hacker. You could https your site, limiting any man in then middle attacks. Be sure to check and validate incoming data
Ajax is another option as well, and it allows you to send that information without refreshing the page.
http://www.acme.com/index.php?id=1
The above url would be more "browser friendly" if you transform it into something similar to this:
http://www.acme.com/index/page/1
I am sure you can achieve this in Apache. Or Java Servlets.