Leverage browser caching - html

I have a website and when I check page speed with Google plug-in, I receive:
Leverage browser caching
The following resources are missing a cache expiration
Searching only returns information on using htaccess under Apache, but my site is running on Windows 2003 Server, in plain HTML language, and I don't even have access to the server.
Is there any way to specify expiration and gzip compression, as it recommends?

Have a look at Content Expiration, that should do the trick for you on the caching.
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/0fc16fe7-be45-4033-a5aa-d7fda3c993ff.mspx?mfr=true
To set the expiration of Web site content
In IIS Manager, double-click the local computer; right-click the Web Sites folder, an individual Web site folder, a virtual directory, or a file; and then click Properties.
Click the HTTP Headers tab.
Select the Enable content expiration check box.
Click Expire immediately, Expire after, or Expire on, and type the appropriate expiration information in the corresponding boxes.
Click OK.

You can also Gzip by adding the code below to the top of your PHP pages.
It works great.

Related

How to disable parent directory access in web file browsing without web server

I am writing a command line application that produces an index.html with links to other generated HTML files, but also some links to filesystem subdirectories. Here is an example of such a link:
Invoices
The intention for sharing this content is for the user to zip up the directory tree and send it to other parties for review. However, some users might think to use ngrok, or use screen sharing, to share their web browser to allow other people to access their local system. With ngrok they would be running a web server and might be able to configure the web server to protect against this, but with screen sharing that would not be possible. (Consider the case where a user might leave their web browser open to the remote user and step away, not realizing that the remote user can now examine their entire filesystem.)
The problem is the "Parent Directory" links. Using those links, the others could navigate above the intended directory root and navigate their entire filesystem. Here is an image to illustrate:
The directories linked to can have arbitrary numbers and levels of subdirectories, so hard-coding links on custom pages would probably be prohibitively complicated.
There is no web server involved here; the files are displayed by just opening index.html in a web browser, so .htaccess is not a solution. Also, I don't want to disable navigation, I only want to limit its upper bound.
Is there a way to prevent this access?
If there is no web server involved at all, there is no way to prevent that behaviour.
Edit:
You could of course write a browser plugin that limits the access to the parent directory using JavaScript. But every client would have to install that plugin.

Open local files(file://) using Chrome

I have an page with some forms. All the links work fine in IE. They open in a new tab nicely when the hyperlink is click by the user; however, I realized that when Chrome is use the link doesn't open. I keep clicking but nothing opens. The only way of opening the file is copying the hyperlink, opening a new tab in Chrome, paste and go.
Form1
Is this something that browser do? Because I tried it with FireFox and doesn't work either?
It there a way of going around? without installing anything in the browser? Because my user loves Chrome.
Thank you in advanced for the responses.
You can't access to files outside your server or "SandBox", sandbox include the files that user push to the browser or to your server.
If the access from browser to a pc files from web pages was possible, it would be a security problem.
The answer is that you can't with your approach and more importantly you shouldn't. Chrome behavior is in fact the right behavior and it protects you from having malicious users and/or scripts accessing your local resources.
The FILE protocol will access local or defined network named resources which will not be available to a remote user that visits the same page. In other words, you may have outsideserver mapped as a network resource/drive but someone else will not (This does not apply to IPs)
Here's what you can do:
Move the code to a server side script(php, asp, etc) and stream the file back out. Found a quick example here on SO. I did not verify it though. Streaming a large file using PHP
Install a webserver on outsideserver and map a new site to the shared folder. You can then reference it via http (http://outsideserver.com/form1.pdf)
Use the below extension for chrome. It will work.
Enable local file links
Below both options are working and tested.
Link 2
Link 3

How to solve this issue with the HTML5 manifest?

From my experiences so far, I've concluded that the HTML5 Manifest scheme was really terribly designed.
My site serves a manifest file when a user is logged in. Unfortunately, when they log out, they can still access the cached protected materials. Can anyone think of a way to fix this?
A manifest file is designed to take a website offline and still be able to navigate. It essentially just tells the browser to download and keep that stuff in cache. If your adding secret stuff to the manifest and the user goes offline, he needs to be able to still access it - or whats the point of having a special logged-in-manifest-file if he has to be loggedin (therefor online)?
You could add javascript that checks if the user is online again and if he is, tries to validate the "login state" and redirects or removes the secret stuff from localstorage (if you would use localstorage to save the "secret" stuff and javascript to display it instead of a manifest file )
Lets say the secret stuff is an image and you are not using a manifest file, but just displaying images when the user is logged in and its crusial, the user cant view that image after logout, you would need to set the http headers to no-cache and cache-expire to some random date of the past, so that a normal user would see it anymore. Problem then is, that the image is downloaded everytime somebody visits the website..
You need to approach the HTML5 Application Cache in a different way. It is not useful for caching server-side dynamically generated pages, especially those that require a login to reach. The Application Cache has no concept of logins, nor securing a page from somebody with a different/no login.
It is much more appropriate for an AJAX-based site, where all HTML/CSS/JavaScript is static and registered in the Application Cache, and data is instead fetched via AJAX then used to populate pages. If you need to cache data in the application for offline use, then use one of the offline data storage mechanisms such as Local Storage/Session Storage, or IndexedDB, for data.
You can then make your own judgement on how much data you want to cache offline, since there's no way to validate a login without making a call to the server that is naturally inaccessable whilst offline.
What if when the user logs out or is not logged in they get a manifest with only network:*

How do I create a link to a saved html page on my computer?

I'm working on a web application that caches html pages and saves it on the user's computer. I want to create a link, so that the user can click on the link and access the cached webpage.
Following is my link to a cached page:
BBC
When I click on the link, nothing happens. I'm not even getting any error.
Can someone please suggest how to create a link to a cached html page?
First of all, not all browsers handle local files equally, indeed, not all computers will be running windows or have a C: drive. Secondly, you don't have much control over a user's cache. Cached pages are usually handled by the browser automatically. You can use headers to specify how a browser ought to cache files, but it's not even required to do so. You can read the W3C recs on caching for more information.
It's unclear what you're trying to do here, but it sounds like it might make more sense for you to use HTML5 local storage or offline files than trying to mess around with their file system directly. The security model of most browsers is such that web apps don't interact with local files, which may be why it's not working for you with your current setup. Dive Into HTML5 has a good overview of HTML5 local storage and offline pages.
Edited based on comment below:
Most browsers' security settings won't let a page on a website access files stored locally. Only locally saved files can link to other locally saved files. Therefore, if the page with a link is on a website, your link won't work. Try creating a link to your file from another locally stored file and see if that works.
Instead of providing the .html extension in the main page where you provide the link you should do something as below:
< href="file:///C:/Users/xxx/yyy/bbc">BBC</a>

How to display web page without getting blocked by the firewall?

I want our app to show the online help page (so it's always up to date) or even a local page. However, it's likely to be blocked by the Firewall (Zone Alarm).
BTW, I tested this with Zone Alarm. It blocked access to a local .html file as well as to an .asp file on the internet. (I.e., tried to display a page in Internet Explorer and got the Zone Alarm dialog asking if I wanted to give permission to display
Is there a way around this?
Perhaps displaying the web page in the Web Browser Control?
It's actually very unlikely that web traffic is blocked at the firewall (unless you mean the file type is blocked?). What you may need to do in such a setting, however, is use the same proxy that IE uses, because direct traffic may be blocked.
The simplest way to do that is to use a high level windows API or IE itself, and HTTP download the latest helpfile if there is a new one - these mechanisms should know about any proxy.
Of course, your users may not be using IE, even if most are. So you might need to allow the user to specify the proxy, or be able to auto configure the proxy in the same way that the browser does it.
edit: I see you mean zonealarm is part of the problem. yes, that is tricky as you will have to either get your application 'blessed' centrally by whoever manages zonealarm in the customer organisation, or (if there is no central management) then the user will have to allow the app to communicate. Perhaps you should bite the bullet and have the online help simply be a website, and spawn the preferred browser via 'executing' the URL as suggested in another answer.
If the web browser isn't blocked the firewall then they probably open port 8080 for any app and thus your app shouldn't be blocked.
If the firewall only allowed port 8080 to IE; you would have to punch a hole in the firewall to use a new browser like firefox or chrome.
To open a web page using the user's preferred browser (with appropriate proxy and authentication settings), use something like ShellExecute with the URL of the document to load. Something like this would do it (where page is the URL to load):
HINSTANCE r = ShellExecute(NULL, "open", page, NULL, NULL, SW_SHOWNORMAL);