Setting up policies for an Applet embedded in HTML - html

I have designed an Applet to take a screenshot and save it on the users computer using the java.awt.Robot class. I need to embedd this applet into an html page (using the object tag) so that when the user clicks a button on the webpage the screenshot is taken.
The applet itself works fine, i've tested it by adding a temporary main method to it and running it on my local machine as a regular java app.
Where I'm having difficulty is setting up permissions to allow it to run from its embedded location. Obviously the robot class is somewhat hazardous so an AWTPermission needs to be established and the applet itself needs to be signed.
I followed through the tutorial at http://download.oracle.com/javase/tutorial/security/toolsign/index.html and succeeded in creating a signed .jar file and then a policy file that allowed the demo application in that tutorial to run. Where I am now running into issues is how to reconcile what I've learned with the situation my applet will be used in.
My target audience comprises around 100 machines and I need it to be executable on all of them. I have packed my java .class file into a .jar and signed it using keytool and jarsigner. I then uploaded the .jar and .cer files to the server directory where the pages in question are hosted.
However: When I then used policytool to create a new policy file on one of the machines to test the setup I am still unable to execute the applet from the HTML. I get Java.Security.AccessControlException Acess Denied java.awt.AWTPermission createRobot errors.
I rather suspect its the policy step that is going awry, so I'll outline the steps I took:
I download the certificate to the local machine and generate a keystore from it, I launch 'policytool' from this directory through the commandline
I add the directory on the local machine where the keystore generated from and my certificate is located.
I then hit the add policy button and enter the SignedBy alias
Then Add Permissions and select AWTPermission
Targets name I select createRobot
The function field I have been leaving blank as I cant think what would apply here
Signed By in this window is also left blank
I then hit 'OK' and 'Done' and get a warning that there is no public key for the alias I've entered in the first step. I do a 'save as' and save my policyfile to the same directory as I put the certificate and the keystore generated from it.
This is not allowing me to run the applet from the webpage however and my limited understanding of this aspect of programming offers no clues as to what has gone wrong.
Ideas, thoughts, observations? If I havent explicitly mentioned something then I havent done it. My biggest suspect is the warning I recieve but I cant seem to find why its appearing
EDIT: Forgot to mention a step. I manually added to my jre\lib\security\java.security file the line 'policy.url.3=file:/C:/Testing/debugpolicy' since thats the path and policy filename I created during the above steps. I also just now managed to remove the warning I mentioned earlier, I'd been mixing up my alias' and gave the alias for the private keystore rather than the public one during policyfile creation, however I still encounter the same problems

If an applet is correctly signed, no policy file is required, nor is it required to separately upload any certificate. A correctly signed applet will prompt the user for permission when the applet is visited, before it loads. Does the prompt appear?
Here is a small demo. I wrote that demonstrates Defensive loading of trusted applets. That is the security prompt I am referring to.
If the applet is both digitally signed by the developer and trusted by the end user, it should be able to take a screen-shot.
There is one other thing you might try if the applet is trusted, just as an experiment (1). Early in the applet init(), call System.setSecurityManager(null). That will both test if the applet has trust, and wipe away the last remnants of the 'trusted' security manager given to applets.
And in the case that works, and it makes the screen capture successful, it suggests either a bug or Oracle changed their mind about the defaults of what a trusted applet could do.
1) Don't do this in a real world or production environment. To quote Tom Hawtin:
This question appears to have given some the impression that calling System.setSecurityManager(null); is okay. ... In case anyone has any doubts, changing global state in an applet will affect all applets in the same process. Clearing the security manager will allow any unsigned applet to do what it likes. Please don't sign code that plays with global state with a certificate you expect anyone to trust.
Edit 1:
Here is the source of the simple applet used in that demo. For some reason when I originally uploaded it, I decided the source was not relevant. OTOH 3 people have now asked to see the source, for one reason or another. When I get a round tuit I'll upload the source to my site. In the mean time, I'll put it here.
package org.pscode.eg.docload;
import java.awt.*;
import java.awt.event.*;
import javax.swing.*;
import java.net.*;
import java.io.*;
import java.security.*;
/** An applet to display documents that are JEditorPane compatible. */
public class DocumentLoader extends JApplet {
JEditorPane document;
#Override
public void init() {
System.out.println("init()");
JPanel main = new JPanel();
main.setLayout( new BorderLayout() );
getContentPane().add(main);
try {
// It might seem odd that a sandboxed applet can /instantiate/
// a File object, but until it goes to do anything with it, the
// JVM considers it 'OK'. Until we go to do anything with a
// 'File' object, it is really just a filename.
File f = new File(".");
// set up the green 'sandboxed page', as a precaution..
URL sandboxed = new URL(getDocumentBase(), "sandbox.html");
document = new JEditorPane(sandboxed);
main.add( new JScrollPane(document), BorderLayout.CENTER );
// Everything above here is possible for a sandboxed applet
// *test* if this applet is sandboxed
final JFileChooser jfc =
new JFileChooser(f); // invokes security check
jfc.setFileSelectionMode(JFileChooser.FILES_ONLY);
jfc.setMultiSelectionEnabled(false);
JButton button = new JButton("Load Document");
button.addActionListener( new ActionListener(){
public void actionPerformed(ActionEvent ae) {
int result = jfc.showOpenDialog(
DocumentLoader.this);
if ( result==JFileChooser.APPROVE_OPTION ) {
File temp = jfc.getSelectedFile();
try {
URL page = temp.toURI().toURL();
document.setPage( page );
} catch(Exception e) {
e.printStackTrace();
}
}
}
} );
main.add( button, BorderLayout.SOUTH );
// the applet is trusted, change to the red 'welcome page'
URL trusted = new URL(getDocumentBase(), "trusted.html");
document.setPage(trusted);
} catch (MalformedURLException murle) {
murle.printStackTrace();
} catch (IOException ioe) {
ioe.printStackTrace();
} catch (AccessControlException ace) {
ace.printStackTrace();
}
}
#Override
public void start() {
System.out.println("start()");
}
#Override
public void stop() {
System.out.println("stop()");
}
#Override
public void destroy() {
System.out.println("destroy()");
}
}

Related

Best way to implement a button for the SP request to the IdP?

So I'm going to preface this by saying SAML (and user auth in general) is not my strong suit, so I apologize for any misused terminology.
Background:
We currently have an ASP.Net Framework website, using .Net version 4.7.2 (specifically webforms). Our website acts as a service provider (SP) and currently uses SAML 2.0 with a deprecated identity provider (IdP); luckily, this identity provider is getting replaced with Okta. The original IdP provided their own instructions for implementation which used OWIN middleware and their own NuGet package which configured SAML for us. With Okta though, I found we needed to use a different NuGet package. I've begun configuration for SAML using the SustainSys.Saml2 packages and made the suggested changes to the web.config (this is our preference over using their OWIN middleware, although I'm open to that, if there's a specific reason for it). For additional reference, here is the sustainsys documentation I was referencing.
Current Issue:
The web.config modifications and other changes (such as installing NuGets) have been completed and the website has been cleaned up so as not to cause any errors. However, my biggest question is how to tie it all together now. I understand that our website (the SP) needs to make a request to Okta (the IdP) for the SAML assertion. Unfortunately, I don't understand what I need to send in for that request. I was thinking just a hyperlink to the the IdP SSO link should work, but from what I've read about SAML, there would need to be some metadata related to that request. Can anyone suggest how to create a button that would send the necessary metadata? Or clarify if that even needs to be included (perhaps I've misunderstood what needs to be sent)? Also, any additional links or help pertaining to sustainsys (specifically, html or other display elements) would be hugely beneficial.
Thanks
To get the Sustainsys.Saml2 library to start the authentication process, you should use the Owin authentication infrastructure to initiate a challenge. That is a general Owin auth concept, and that is why it is not documented in the Sustainsys.Saml2 library.
Please see https://learn.microsoft.com/en-us/previous-versions/aspnet/dn343601(v=vs.113)
I tried to create a sample webform project and connected to Okta using Sustainsys Saml2 Owin middleware. The code below is just a POC that redirects from Webform Application's to OKTA sign-in page and returns the response back to the configured "Single Sign-On URL" in OKTA. The Code may not have all the necessary security layers. (Security Stamp, Validate Interval)
Login.aspx.cs
If there are more than one external login providers handle the code accordingly.
public partial class Login : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
IAuthenticationManager AuthenticationManager = HttpContext.Current.GetOwinContext().Authentication;
var loginProvider = AuthenticationManager.GetExternalAuthenticationTypes()
.FirstOrDefault();
AuthenticationManager.Challenge(loginProvider.AuthenticationType);
}
}
Screenshot of the SAML sent by Okta after successful authentication, captured using the Chrome extension
Startup.Auth.cs
public class Startup
{
public void Configuration(IAppBuilder app)
{
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
});
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
app.UseSaml2Authentication(new Saml2AuthenticationOptions(true));
}
}
LoginCallback.cs
Again not completly sure on what code goes into the LoginCallback. But I just checked if the user is Authenticated.
public partial class LoginCallback : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
IAuthenticationManager AuthenticationManager = HttpContext.Current.GetOwinContext().Authentication;
bool isAuthenticated = AuthenticationManager.User.Identity.IsAuthenticated;
}
}

getting error when using jQuery load() method [duplicate]

I have made a small xslt file to create an html output called weather.xsl with code as follows:
<!-- DWXMLSource="http://weather.yahooapis.com/forecastrss?w=38325&u=c" -->
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
exclude-result-prefixes="yweather"
xmlns:yweather="http://xml.weather.yahoo.com/ns/rss/1.0" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#">
<xsl:output omit-xml-declaration="yes" indent="yes"/>
<xsl:strip-space elements="*"/>
<xsl:template match="/">
<img src="{/*/*/item/yweather:condition/#text}.jpg"/>
</xsl:template>
</xsl:stylesheet>
I want to load in the html output into a div in an html file which I'm trying to do using jQuery as follows:
<div id="result">
<script type="text/javascript">
$('#result').load('weather.xsl');
</script>
</div>
But I am getting the following error:
Origin null is not allowed by Access-Control-Allow-Origin.
I've read about adding a header to the xslt, but I'm not sure how to do that, so any help would be appreciated, and if loading in the html ouput can't be done this way, then advice on how else to do it would be great.
Origin null is the local file system, so that suggests that you're loading the HTML page that does the load call via a file:/// URL (e.g., just double-clicking it in a local file browser or similar).
Most browsers apply the Same Origin Policy to local files by disallowing even loading files from the same directory as the document. (It used to be that Firefox allowed the same directory and subdirectories, but not any longer.
Basically, using ajax with local resources doesn't work.
If you're just testing something locally that you'll really be deploying to the web, rather than use local files, install a simple web server and test via http:// URLs instead. That gives you a much more accurate security picture. Your IDE may well have some kind of server built in (directly or via an extension) that lets you just hit "run" in the IDE and have the server fired up and serving the file.
Chrome and Safari has a restriction on using ajax with local resources. That's why it's throwing an error like
Origin null is not allowed by Access-Control-Allow-Origin.
Solution: Use firefox or upload your data to a temporary server. If you still want to use Chrome, start it with the below option;
--allow-file-access-from-files
More info how to add the above parameter to your Chrome: Right click the Chrome icon on your task bar, right click the Google Chrome on the pop-up window and click properties and add the above parameter inside the Target textbox under Shortcut tab. It will like as below;
C:\Users\XXX_USER\AppData\Local\Google\Chrome\Application\chrome.exe --allow-file-access-from-files
Hope this will help!
Just wanted to add that the "run a webserver" answer seems quite daunting, but if you have python on your system (installed by default at least on MacOS and any Linux distribution) it's as easy as:
python -m http.server # with python3
or
python -m SimpleHTTPServer # with python2
So if you have your html file myfile.html in a folder, say mydir, all you have to do is:
cd /path/to/mydir
python -m http.server # or the python2 alternative above
Then point your browser to:
http://localhost:8000/myfile.html
And you are done! Works on all browsers, without disabling web security, allowing local files, or even restarting the browser with command line options.
I would like to humbly add that according to this SO source: https://stackoverflow.com/a/14671362/1743693, this kind of trouble is now partially solved simply by using the following jQuery instruction:
<script>
$.support.cors = true;
</script>
I tried it on IE10.0.9200, and it worked immediately (using jquery-1.9.0.js).
On chrome 28.0.1500.95 - this instruction doesn't work (this happens all over as david complains in the comments at the link above)
Running chrome with --allow-file-access-from-files did not work for me (as Maistora's claims above)
Adding a bit to use Gokhan's solution for using:
--allow-file-access-from-files
Now you just need to append above text in Target text followed by a space.
make sure you close all the instances of chrome browser after adding above property.
Now restart chrome by the icon where you added this property.
It should work for all.
I was looking for an solution to make an XHR request to a server from a local html file and found a solution using Chrome and PHP. (no Jquery)
Javascripts:
var x = new XMLHttpRequest();
if(x) x.onreadystatechange=function(){
if (x.readyState === 4 && x.status===200){
console.log(x.responseText); //Success
}else{
console.log(x); //Failed
}
};
x.open(GET, 'http://example.com/', true);
x.withCredentials = true;
x.send();
My Chrome's request header Origin: null
My PHP response header (Note that 'null' is a string). HTTP_REFERER allow cross-origin from a remote server to another.
header('Access-Control-Allow-Origin: '.(trim($_SERVER['HTTP_REFERER'],'/')?:'null'),true);
header('Access-Control-Allow-Credentials:true',true);
I was able to successfully connect to my server.
You can disregards the Credentials headers, but this works for me with Apache's AuthType Basic enabled
I tested compatibility with FF and Opera, It works in many cases such as:
From a VM LAN IP (192.168.0.x) back to the VM'S WAN (public) IP:port
From a VM LAN IP back to a remote server domain name.
From a local .HTML file to the VM LAN IP and/or VM WAN IP:port,
From a local .HTML file to a remote server domain name.
And so on.
You can load a local Javascript file (in the tree below your file:/ source page) using the source tag:
<script src="my_data.js"></script>
If you encode your input into Javascript, like in this case:
mydata.js:
$xsl_text = "<xsl:stylesheet version="1.0" + ....
(this is easier for json) then you have your 'data' in a Javascript global variable to use as you wish.
Using Java Spring to run a web service, you need to add:#ServletComponentScan right above
#SpringBootApplication in your auto-generated YouAppApplication.java file ( the one with the main() function ) and create a class with the following implementation:
#WebFilter("/*")
public class AddResponseHeaderFilter implements Filter {
#Override
public void init(FilterConfig filterConfig) throws ServletException {
// ...
}
#Override
public void doFilter(ServletRequest servletRequest,
ServletResponse servletResponse,
FilterChain filterChain) throws IOException, ServletException {
HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
httpServletResponse.addHeader("Access-Control-Allow-Origin", "null");
httpServletResponse.addHeader("Access-Control-Allow-Credentials", "true");
filterChain.doFilter(servletRequest, servletResponse);
}
#Override
public void destroy() {
// ...
}
}
note that you can choose a different name for this class as soon as it implements Filter and has the #WebFilter annotation you can also provide a different wildcard than /* so this filter doesn't apply to every endpoint.
As specified by #Louis Loudog Trottier you need to add ...withCredentials = true; when creating your Ajax request for this to work.

Chrome remote debugging in a seleniumgrid

Im running a selenium-grid with several chrome instances. The selenium grid are 2 machines(windows) with several nodes. The tests are executed from another machine which connects to the grid. To be able to use the features of remote debugging, i need to connect from the executing machine(which can read the sessions host and the drivers debugUrl) to the other machines and finally the chrome instances.
But chrome rejects anything else than localhost.
I can only find solutions, where people tunnel or port forwarding, which is perhaps ok, when there is only a single instance. In a grid i don't have static ports or static rules to provide static forwarding.
In my scenario the grid is build up automated and not an ever running system.
Has anybody a hint how to solve this?
Since i found a solution by myself i want to share. I will only post parts of code to give the hints and not the full code since its to much work here, but for an experienced developer this should be enough.
To be able to address the right browser and access its remote-debug websocket i implemented a custom servlet for my nodes.
First the servlet:
public class DebugServlet extends RegistryBasedServlet
being registered through the node.json like
"servlets" :["com.....ui.util.DebugServlet"],
To access the node(on the right machine) i ask the selenium session for it like:
"http://" + hubHost + ":" + hubPort + "/grid/api/testsession?session=" + sessionId
where the "sessionid" can be retrieved from chromedriver.
From the returned json we can extract the node info of the session, here we need the url.
url = JSONUtil.get(response.getBody(), "proxyId")
No we can call the servlet of the correct host and give in the websocket url for the browser and whatever data is needed. In my example to add a default network-header for BasicAuth.
url+ "/extra/DebugServlet"
with the header in java(can also be parameters or other http provided possibilities)
new BasicHeader("BrowserUrl", webSocketDebuggerUrl), new BasicHeader("Name", name),
new BasicHeader("Value", value)
In the servlet we extract now the data and open a websocket to the browser with the given url and make our calls.
In the servlet:
public static final String networkDebugging = "{\"id\": 1,\"method\": \"Network.enable\",\"params\": {\"maxTotalBufferSize\": 10000000,\"maxResourceBufferSize\": 5000000 }}";
public static final String addHeader = "{\"id\": 2,\"method\": \"Network.setExtraHTTPHeaders\",\"params\": { \"headers\": {\"${key}\": \"${value}\"}}}";
ws.connect();
ws.setAutoFlush(true);
ws.sendText(networkDebugging);
String payload = TemplateUtil.replace(addHeader, name, value);
ws.sendText(payload);

How to fix cross-site origin policy for server and web-site

I'm using Dropwizard, which I'm hosting, along with a website, on the google cloud (GCE). This means that there are 2 locations currently active:
Some.IP.Address - UI
Some.IP.Address:8080 - Dropwizard server
When the UI tries to call anything from my dropwizard server, I get cross-site origin errors, which is understandable. However, this is posing a problem for me. How do I fix this? It would be great if I could somehow spoof the addresses so that I don't have to fully qualify the resource in the UI.
What I'm looking to do is this:
$.get('/provider/upload/display_information')
Or, if I have to fully qualify
$.get('http://Some.IP.Address:8080/provider/upload/display_information')
I tried setting Origin Filters in Dropwizard per this google groups thread (https://groups.google.com/forum/#!topic/dropwizard-user/ybDOTOxjlLI), but it doesn't seem to work.
In index.html that is served by the server at http://Some.IP.Address you might have a jQuery script that look as follows.
$.get('http://Some.IP.Address:8080/provider/upload/display_information', data, callback);
Of course your browser will not allow accessing http://Some.IP.Address:8080 due to the Same-Origin-Policy (SOP). The protocol (http, https) and the host as well as the port have to be the same.
To achieve Cross-Origin Resource Sharing (CORS) on Dropwizard, you have to add a CrossOriginFilter to the servlet environment. This filter will add some Access-Control-Headers to every response the server is sending. In the run method of your Dropwizard application write:
import org.eclipse.jetty.servlets.CrossOriginFilter;
public class SomeApplication extends Application<SomeConfiguration> {
#Override
public void run(TodoConfiguration config, Environment environment) throws Exception {
FilterRegistration.Dynamic filter = environment.servlets().addFilter("CORS", CrossOriginFilter.class);
filter.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), true, "/*");
filter.setInitParameter("allowedOrigins", "http://Some.IP.Address"); // allowed origins comma separated
filter.setInitParameter("allowedHeaders", "Content-Type,Authorization,X-Requested-With,Content-Length,Accept,Origin");
filter.setInitParameter("allowedMethods", "GET,PUT,POST,DELETE,OPTIONS");
filter.setInitParameter("preflightMaxAge", "5184000"); // 2 months
filter.setInitParameter("allowCredentials", "true");
// ...
}
// ...
}
This solution works for Dropwizard 0.7.0 and can be found on https://groups.google.com/d/msg/dropwizard-user/xl5dc_i8V24/gbspHyl4y5QJ.
This filter will add some Access-Control-Headers to every response. Have a look on http://www.eclipse.org/jetty/documentation/current/cross-origin-filter.html for a detailed description of the initialisation parameters of the CrossOriginFilter.

Execute exe-file from html-page?

I want to launch a local exe-file (without saving it to another location first) upon clicking on a link on a local html file.
It either needs to work in IE, Firefox, Chrome or Opera, I don't care. It's just for a presentation tomorrow.
It's simply not possible. If it was, it would be considered a security flaw and fixed. On Firefox within hours, on IE within some months.
UPDATE: You could try registering your custom protocol: http://openwinforms.com/run_exe_from_javascript.html
But I believe the browser will still prompt you whether you want to run the app.
I want to share my experience.
The accepted response says that it is not possible but it is quite possible indirectly.
If you want to execute an exe on a pc, it means that you have acces on this pc and you can install your exe on that machine.
In my case, I had to take a 3D scan from a 3D scanner via a web application. It seemed impossible at the beginning.
After lots of research, I found that we can send socket messages via javascript.
It means that if we had an application which listens a specific port, it can communicate with a website.
Let's explain how I did this.
In my web application, I created a javascript method like this :
function openCapron3DScanner(foot) {
$("#div-wait").show();
//Creates a web socket pointed to local and the port 21000
var ws = new WebSocket("ws://127.0.0.1:21000");
ws.onopen = function () {
//Sends the socket message to the application which listens the port 21000
ws.send(foot + "-" + #ProjectHelper.CurrentProject.Proj_ID);
};
ws.onerror = function myfunction() {
$("#div-wait").hide();
alert("Erreur connection scanner.");
}
ws.onmessage = function (evt) {
//Receives the message and do something...
var received_msg = evt.data;
if (received_msg == "ErrorScan") {
alert("Erreur scan.");
}
else {
refreshCurrentProject();
}
};
ws.onclose = function () {
$("#div-wait").hide();
};
};
And I created a windows forms application who listens the localhost and port 21000.
This application is hidden, only shown in icon tray.
The only thing to do is to add the application on windows startup via code on the first load to assure that the next restart of windows it will be executed and listen the port.
private static WebSocketServer wsServer;
static WebSocketSession LastSession;
private void Form1_Load(object sender, EventArgs e)
{
wsServer = new WebSocketServer();
int port = 21000;
wsServer.Setup(port);
wsServer.NewMessageReceived += WsServer_NewMessageReceived;
wsServer.Start();
}
private static void WsServer_NewMessageReceived(WebSocketSession session, string value)
{
if (value.StartsWith("ScanComplete-"))
{
//If the scan is ok, uploads the result to the server via a webservice and updates the database.
UploadImage(value);
//Sends a confirmation answer to the web page to make it refresh itself and show the result.
if (LastMacSession != null)
LastMacSession.Send("ScanComplete");
}
else if (value == "ErrorScan")
{
//If the C++ application sends an error message
if (LastMacSession != null)
LastMacSession.Send("ErrorScan");
}
else//call the 3D Scanner from the web page
{
LastSession = session;//Keeps in memory the last session to be able to answer via a socket message
//Calls the C++ exe with parameters to save the scan in the related folder.
//In could be don in this same application if I had a solution to consume the scanner in C#.
var proc = System.Diagnostics.Process.Start(#"C:\Program Files\MyProjectFolder\MyScannerAppC++.exe", projectID + " " + param);
}
}
I hope it will help.
Use System.Diagnostics.Process.Start() method.
protected void LinkButton1_Click(object sender, EventArgs e)
{
System.Diagnostics.Process.Start("notepad.exe");
}
You'll have to use C#, but since that's on your post, it should work. You'll also need the full path, if the file is not in your environment path that's loaded in memory.
For a 'regular link' you'd still need to place this in an ASPX page.....
Click me
We're getting really fugly now though.
You can't run an exe file on a website. (First, if it's a Linux server, exe files won't run on it and second, if you're on a Windows server, your host would kill the program immediately. And probably terminate your account.)
That link (assuming it was Play Now!) will just allow your user to download the file. (C:\Program Files\World of Warcraft\ exists on your computer, but it doesn't exist on the web server.)
You could setup a custom protocol on your local OS, if it's Windows, in regedit.
Check out this and this.
Then you create a simple HTML page, and place a link, something like this :
Start!
Given that you registered your custom "presentation" protocol, and configured it correctly in the registry, the application should launch when you click that link.