I believe I already know the answer to my question, but I'll throw it out there just for fun.
Is there anyway in the Vimeo Advanced API to change the global settings for an account?
I would really like to set the Embed Settings approved urls in the global side rather than having to loop through all the videos in an account to add an approved url.
Is there any way to change the global settings for a Vimeo account through the advanced API or is that going to be something implemented in the APIv3?
This is not supported in the advanced api, and may be implemented into API3 in the future.
The plan is to have support for most features on site, but each one needs to be handled securely. I can not assure you that this feature will be implemented in API3, but if you have a specific need it's worth contacting vimeo directly about it : https://vimeo.com/help/contact
Related
I wonder if my Google maps API key is safe the way I use it now. Because I have a Cordova application with Google maps, I have generated an API key. I cannot white-list the key to my domain, because it runs client side on the phone.
Also my API key is visible for anyone who unpacks my app and read the index.html, or listen to the web requests that the app makes.
Is there any way to protect my API key? And if there isn't, it is safe to use Google maps, or any other third party API that uses a API key for authentication?
I see two possible solutions to your problem. Both of them I have already personally implemented (not with GMaps though) but still have some downsides.
(1) You can use a backend technology to add in API keys to your requests. For this it is advisable to use a combination of something like Apache2 mod_proxy and mod_rewrite. In your application you then use URLs that point to your proxy server i.e. https://yourserver.com/js/googleapis/maps/api/js and make mod_rewrite this URLs to something like https://maps.googleapis.com/maps/api/js?key=API_KEY
A rule for mod_rewrite (not tested) could look like this:
RewriteCond %{QUERY_STRING} ^$
RewirteRule ^/googleapis/maps/api/js (.*)$ https://https://maps.googleapis.com/maps/api/js?key=API_KEY
I think you get the idea. The big advantage of this approach is that you can completely hide your private information on a server you control. The downsides are: If your app causes high traffic you will most likely experience high traffic on the proxy machine. Further if attackers figure out the URL to your Google Maps API proxy endpoint it will be easy for them to retrieve the GMaps API through your service.
(2) The second option would be to create a service to retrieve your API keys. Assuming your application already needs some form of authentication anyways you cold go a road where the API key service hands out the API key only to registered and authenticated users.
Both approaches will have their downsides regarding better tooling for debugging mobile-web applications. I.e. an attacker using MacOS, XCode and Safari on a desktop could establish a debugging session to your Cordova application and step debug the JS code that runs inside your App. Which means whatever stretch you make in the Cordova arena it is quite easy to attach to your App and read variables.
No credit to comment on accepted answer but personally, I'd go for the 2nd option suggested by Matthias Steinbauer. However, his concern about an attacker debugging your Production app doesn't apply to apps built with a Distribution Provisioning profile (such as required when submitting to the App Store) - only apps signed with a Developer Provisioning profile. The same goes for Google Apps too. IF it were possible to just debug a prod app, then say goodbye to security.
Having said that, an App's static content can be viewed by others (since app is just a zip file) - so don't hard-code any keys or security info.
Personally, I'd also obfuscate the source when building prod version.
Hope it helps
Good afternoon, I am creating an application in Cordova and wanted to use linkedin, but when I run my application, it says I need to set my domain javascript API in my Application linkedin. I've tried with the domain "file: ///" but gives the same error.
Does anyone have an idea or a solution to this problem?
Best Regards
LinkedIn (or any OAuth provider) requires your Web domain for security purposes (to know the right URL for authentication callbacks, and to help prevent random sites from trying to impersonate your application).
You must supply a domain such as www.yourdomainname.com or even your external IPv4 address will work, such as 55.55.12.12.
We have a web based system that we are looking at replacing our existing "help system" from uploading flash videos directly to our website to instead "embedding" content we upload to our vimeo account. We have setup a vimeo pro account and these videos need to be "private" i.e. not accessible to the general public. Which API version should I use? And do you have any sample code in say PHP I could take a peek at with the functionality we are after
The Advanced and Simple API's will no longer receive new features, and soon you will not be able to create new apps for them.
Vimeo has moved towards a unified API, which you can read about at http://developer.vimeo.com/api. Make sure to use the api through api.vimeo.com, not vimeo.com/api/rest/v2.
Vimeo has an official PHP library, with some very basic examples that you can see at http://github.com/vimeo/vimeo.php
Developing an AIR based app that captures video. The user will then be able to upload to facebook if they so choose.
Right now I am confused about the requirements in uploading videos to facebook.
Even though this is technically NOT a facebook application, will I need to create a Facebook application ID?
Will I also need to make use of the facebook-actionscript SDK?
I've read elsewhere that the API needs to launch the Facebook login within a web view.
Or are there alternatives in my case?
Even though this is technically NOT a facebook application, will I need to create a Facebook application ID?
Yes.
Will I also need to make use of the facebook-actionscript SDK? Or are there alternatives in my case?
Talking to the API works over HTTP – so you can use any technique that allows you to make HTTP requests.
But using a framework/SDK that already has methods for usual FB API stuff will be much simpler, than handling all that HTTP stuff yourself.
I am creating a browser extension that injects some javascript onto certain websites.
The script's functionality requires to know if the user has geolocation enabled for the specified site or not. Thus far, I have only seen example javascript that asks for permission from a user on a site, and then makes its decision on what to do.
To be as unintrusive as possible to the user, I would like to find out if the user has already permitted the site to use its geolocation and if it has, use that information, otherwise execute the code that doesn't require it. Is there any function in the html5 geolocation api that allows me to do this?
First of all, Geolocation is NOT part of HTML5, it is a W3C specification.
Secondly, as far as I'm aware, there isn't a method of doing this. A quick look at the W3C Geolocation Specification doesn't reveal anything.
I'd suggest simply attempting to obtain their position via Geolocation anyway, if it works then you can assume permission has been granted, if not run the code that doesn't require the API.
I know you don't want to explicitly ask the user's permission, but it will only be the once so you might as well.
As far a I know, there is no such feature and I've never heard about it, so you may have to wait for a long time...
It looks like there is now a "Permissions API" that will allow you to look at what permissions have been granted to the site.
// Check for Geolocation API permissions
navigator.permissions.query({name:'geolocation'})
.then(function(permissionStatus) {
console.log('geolocation permission state is ', permissionStatus.state);
permissionStatus.onchange = function() {
console.log('geolocation permission state has changed to ', this.state);
};
});
https://developers.google.com/web/updates/2015/04/permissions-api-for-the-web
However, at this time it is not very widely supported outside of Chrome and Firefox: http://caniuse.com/#feat=permissions-api