php header function - function

can I use point in time?
something like:
header('refresh:1.5; url=xxx');

Yes you can use:
header('refresh: 2; url=someurl.php');
Where 3 is the time in seconds. More info about the header can always be found here.
But anyway I always advocate a combination to avoid problems with some browsers:
Header (as you're doing)
Meta tag (in the HTML head)
JavaScript timeout
When using the header I don't think you can use a decimal like 1.5. In any case I doubt any user notices the difference between 2 and 1.5 seconds. But if this is important to you, you can achieve it by using the JavaScript timeout.
Redirection ways
Meta tag:
<meta http-equiv="refresh" content="2;url=http://www.yourwebsite.com/someurl.php">
JavaScript:
setTimeout(function() {
window.location = "http://www.yourwebsite.com/someurl.php";
}, 1500);

header( "refresh:5;url=wherever.php" );
ref: http://php.net/manual/en/function.header.php

Yes u can, but before any headers already sent:
Remember that header() must be called before any actual output is sent, either by normal HTML tags, blank lines in a file, or from PHP. It is a very common error to read code with include, or require, functions, or another file access function, and have spaces or empty lines that are output before header() is called. The same problem exists when using a single PHP/HTML file.
http://php.net/manual/en/function.header.php

If you need time between 1 and 2 second you can use 1.5 as u declared in your question.

refresh is not part of the HTTP standard. It is a legacy method introduced by Netscape and implemented by other browsers as well. Even if it works on one browser you cannot be certain it will work on all browsers.
The W3C discourages the use of it, for details see this Wikipedia article. Especially the sections "Drawbacks" and "Alternatives" are of interest.
I'd prefer to use this over header('refresh ...'):
usleep(1500000);
header("Location: xxx");
This will send a clean 302 redirect and make sure it's HTTP conform and works with every browser.

Related

Is it possible to nest one data: URI inside another?

If I use a data URI to construct a src attribute for an HTML element, can it in turn have another data URI inside it?
I know you can't use data uri's for iframes (I'm actually trying to construct an OSDX document and pass it to the browser with an icon encoded in base64 but that's a really niche use case and this is more of a general question), but assuming you could, my use case would look like:
var iframe = document.createElement('iframe');
var icon = document.createElement('image');
var iSrc = 'data:image/png;base64,/*[REALLY LONG STRING]*/';
iframe.src='data:text/html,<html><body><image src="'+iSrc+'" /></body</html>
document.body.appendChild(iframe);
Basically what I'm after is is there anything in a data uri that would break a parent data uri?
Yes you can. I really thought it was impossible, as did everyone I asked.
Example:
Pasting the following into your browser's URL bar should render a gmail logo in an html page that says hello world.
data:text/html,<html><body><p>hello world</p><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACwAAAAsCAMAAAApWqozAAAAz1BMVEX///+6xs7iTULj5+vW2tzk49TX3+Tq6tz09Orz9/jm7O6wu8aNm6WwMCjfRDnm5ube2Mmos7vt7++jrLP29/eyTk3d4+fj6+foWFLM1t2bNzeZpa2trKPv8/ajo6Xud2f0r6rv7uG3ubvd6eXIysq9s6jeopfSUknx8fHbXGKvTx7Hz9X09PTwhXHw9Pb++/fp7/Xu4d3SZlPSiXjuaFmMkZX39/vZy6/j8+v2+/v76uP7+/v0/Pewl4raMi/f5+7KTjitf4W2rI3/9vDzz8uC91bdAAAAAXRSTlMAQObYZgAAAmBJREFUeF6VldeunDAQQNeF3jvbe729p/f//6aMxzaBKHe5OZiVJY6OBvbBAyTvZaDJSy/xzpJ4pdJzz1tfOme5LD0vly45fETe4/1vUoK26bnPznUPzrPrmSJsgtrPpQnpPCmvp2/gukyE/HX6JtYor9/kpqUcY3ogvUxv5RhlSrbHenFzY/+0cxtYApZlGZod3W9JaqJspuSR1vTqw41U4UZb+S/zMAz35FbJt4QK6sUnW+naxWwoaJXBpBi37bxTjuchyl+0zLGs4npmVK1dHSLBiLhmlg+chLukFiLqV3dQ1i84p1SEv42CgLhYzmR5vqh1XIUXeypGoN+LAMoVz5yBk/EKZfsOQioOsnGFWXr/eXLCMs9EeehK2bab+NKCbQj2/mEymRSjpqzkR5CXOv4AWSqyM3BnRSDKw255CWtBW0BWcILyCmQsMywv5b/xS8WpzGJZzMywPFZjvANTYO10VoNfIxqOW2WlwhU/QnbSMDu1y0yWpSowdiqry6OArEW5ka1GNTaGsWqViwDL4z/lezClu4nBN+K/ypWSIywrNY4NxaqZWZSjThlEkQXLUna8lTZ+unWnDE6T1fbmtZlBxWxbFvHZ5NR8DUeUj5QejQ1mu24cv2C5aJW3R3qv1a4bX8TbIih+wAv6IPvDKCIrAusV8FEpyz5njFUV/ERdWFTBHVWwmGkyKKPcT2kyjvKFy1jPgnJ6IeTMg30vzCUZHBTc52mvzdKhz+GYcJIxTw8ukOKlVmd/SPk4kSdQ4nv8fJh7PriIw7Mn/yxPGW8dm06e269eOTwe/De/AW24fWb7B21TAAAAAElFTkSuQmCC" /></body></html>
or for a shorter example courtesy of Pumbaa80:
data:text/html,<script src="data:text/javascript,alert('hello world')"></script>
MSDN explicitly supports this:
Data URIs can be nested.
An old blog entry talks a little bit more about embedding images within CSS using data: :
Neither dataURI spec nor any other mentions if dataURI’es can not be nested. So here’s the testcase where dataURI’ed CSS has dataURI’ed image embedded. IE8b1, Firefox3 and Safari applied the stylesheet and showed the image, Opera9.50 (build 9613) applies the stylesheet but doesn’t show the embedded image! So it seems that Opera9 doesn’t expect to get anything embedded inside of an already embedded resource! :D
But funny thing, as IE8b1 supports expressions and also supports nested data URI’es, it has the same potential security flaw as Firefox does (as described in the section above). See the testcase — embedded CSS has the following code: body { background: expression(a()); } which calls function a() defined in the javascript of the main page, and this function is called every time the expression is reevaluated. Though IE8b1 has limited expressions support (which is going to be explained in a separate post) you can’t use any code as the expression value, but you can only call already defined functions or use direct string values. So in order to exploit this feature we need to have a ready javascript function already located on the page and then we can just call it from the expression embedded in the stylesheet. That’s not very trivial obviously, but if you have a website that allows people to specify their own stylesheets and you want to be on the safe side, you have to either make sure you don’t have a javascript function that can cause any potential harm or filter expressions from people’s stylesheets.

Redirect from HTML deprecated?

I've heard that the usual way I redirect from an HTML page, like
<meta http-equiv="REFRESH" content="0;url=page.html">
is deprecated by the latest HTML. Is it true or not, and if so, what other ways are there to redirect?
The proper way to redirect is to send redirect headers.
You need to change status from 200 OK to appropriate 3xx status. Then you also need to include Location: http://yourRedirectURL header. The implementation depends on what programming language you are using in the back-end.
Using the Location header is both seamless and a more efficient way to redirect someone to another page, assuming you're just using a zero timeout anyways.
Unless you're placing them on a landing page first then redirecting them, use the Location header.
I should also note that the location header specifies it should be provided with a fully qualified address to land on and not use an absolute or relative site-based path. E.g.
Location: http://www.google.com/
Instead of:
Location: /login
Location: ../../home
If you are using php, you can use the following code (prior to any other output to the browser):
<?php header('Location: http://example.com'); ?>
It is technically not deprecated, but that’s just because the pseudo-term “deprecated” is sloppily used in the “spec”. The meta redirect mechanism is described as “should not” in HTML 4.01:
“Note. Some user agents support the use of META to refresh the current page after a specified number of seconds, with the option of replacing it by a different URI. Authors should not use this technique to forward users to different pages, as this makes the page inaccessible to some users. Instead, automatic page forwarding should be done using server-side redirects.”
The HTML5 drafts, though, describe the meta refresh mechanism without saying such things, though the examples are about different use. This does not make it any better idea. It should not be used for redirecting an address to a new one, except in case you have no way of affecting server behavior so that appropriate HTTP redirect takes place. In that case, it is advisable to add a normal link to the new address into the document body, for situations where the meta redirect does not work.

Issues with redirect code

When people visit my main page, index.php, I want them to be redirected to index.php?page_id=2
To do this, I added a simple html code in the head:
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.domain.com/index.php?page_id=2">
The problem is that the destination and all other pages of my site runs that code it goes on a loop. I am using Wordpress. Is there any solution to direct them to index.php?page_id=2 upon visiting index.php without it going on a loop?
Any assistance would be greatly appreciated.
To avoid infinite loops, just check if the $_GET variable is empty. If so, do a redirect:
if (empty($_GET))
{
header('Location: index.php?page_id=2');
}
Fundamentally you need to make sure that your "meta refresh" is not inserted when index.php has arguments (such as page_id) on its query string.
If you were just doing this in PHP, you would write an if statement inspecting the contents of the querystring using the $_GET hashtable, i.e. if $_GET["page_id"] ...
http://www.php.net/manual/en/reserved.variables.get.php
In wordpress (which I know less about), you may find a different solution altogether is what you want. For instance, a meta-refresh is actually considered inferior to what's called an HTTP redirect - a header which has the same effect.
In PHP, it is:
http://php.net/manual/en/function.http-redirect.php
I notice that the wordpress documentation contains references to redirect utilities; I tried to provide the links, but StackOverflow blocked me from including any more. A search for "redirect" within their documentation may be helpful.
In general, I would expect to see an if statement that decides whether or not to issue a redirect, either using PHP's mechanism, or Wordpress'.
I hope this is helpful.

HTML cache version

You know how if you use
<script type="text/javascript" src="urlhere.js?version=1.0.0"></script>
the browser caches the javascript file and updates it when you give it a new version?
Is there a way to do that with the HTML code?
Because I want the browser to cache the HTML, but then update when the code is changed.
Is that possible?
The best way to handle caching would be at the server level, specifying two tags:
Expires
When the date specified has past, it tells the browser the content is no longer valid and it must be refreshed.
Cache-Control
Without involving the date, it lets the browser know how it should handling caching for the page.
Note: The browser should already take care of this as it (in the background) already looks at the last modified date of the file. However, the above methods are valid ways of overriding (extending) this kind of detection in places where the last modified date may not necessarily reflect change.

Spoofing HTTP-request Referrer from HTML?

Is there some secret and mystical way to change the value of my HTTP-request's referer, or at the very least, keep it from showing? Also, using a MitM page from another domain would not solve my issue, as you are now just submitting that other page's value.
This is not browser specific, I would need to do this on the HTML level.
The problem I am facing is a silent-login page where it sends an HTTP-Redirect to the http-Referrer, unless it is the same domain, or empty.
You can not control this on an html level. Your only option is to modify the login code to not issue the redirect or to direct it to the desired page.
It's an old question, but I know how you can do this. The first way is not guaranteed across all browsers, but you can use rel=noreferrer. AFAIK GC is the only UA to currently support this but it is in the standard. FX may also, IDK.
The second way is far more reliable, and it involves a cool little hack someone shared with me on IRC:
Basically, construct an iframe from a base64-encoded data: URI. The framed document is to have a script that listens for a window.postMessage() and when it gets fed the command with a URL to visit, it executes window.top.location = msg.data.URI or however it is that one reads the message. Sorry I can't recall, I haven't slept for a few days.
Enjoy if you still care.. :)