My image server has hotlink prevention enabled which only allows whitelisted referrer domains to display the image. I have my CMS(HTTPS) server which is running TinyMCE does not display the image when inserted from UI. The image becomes 403. I have set my Nginx server header add_header 'Referrer-Policy' 'origin'; but no use. I don't think TinyMCE has header response enabled for SSL environment. Anyone know how to enable Referrer-Policy in TinyMCE configuration?
I figured it out. I need to add <meta name="referrer" content="origin">
to the iframe: https://github.com/tinymce/tinymce/blob/3.x/jscripts/tiny_mce/classes/Editor.js#L541
t.iframeHTML = s.doctype + '<html><head xmlns="http://www.w3.org/1999/xhtml"><meta name="referrer" content="origin">';
Related
I'm working with a landing page that uses cdn plyr
<script src="https://cdn.plyr.io/3.3.10/plyr.js"></script>
<script>const player = new Plyr('#player');</script>
I moved a video from local files to a server and changed the src="to new address form server", but the video stopped working and I'm getting this error:
page.html:1 Failed to load https://www.video.mp4: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://111.0.0.0:12121' is therefore not allowed access.
I tired different things, and even added another videos from other servers and it worked. except my video. The only thing that work is to add crossOrigin="anonymous" to the video tag and install Chrome extension But this wont work for other users, I need something permanent.
I also looked in to many answers:
How does Access-Control-Allow-Origin header work?
Videos not playing due to no Access Control Allow Origin
HTML5 video doesn't play with crossOrigin=“anonymous”
Please any ideas how to make this work?
This is a problem caused when you try to send request from a server that is different from the server you send request to. As in the comment was indicated, only the server you have uploaded your video to can control the header. But if it's your own server you can easily manipulate the code to allow request from different servers.
Try this for a reference on how to enable on your server W3C CORS Enabled
so I'll start from the very beginning.
Basicly I purchased a template off themeforest and I manually edited the code in a markup editor to match my preferences.
As I was finished, I decided to host my website on github pages - I uploaded my code directory to a repository as you do.
Here's a link to my repository:
https://github.com/KristofferHari/kristofferhari.github.io
Here's a link to my current website URL:
https://kristofferhari.github.io/ (As you can see, everything's kinda buggy)
So I managed to contact the seller and this is what I was provided with:
The reason for that is because the resources are using a http connection and they can’t be loaded on https connection website. So
you have to upload all the resources (scripts/stylesheets) to github
in order to use them on github.
So I suppose that through my browser, I am trying to connect to my website through a https connection rather than an http. (Is this what is actually causing the problem, and what's the difference between a http connection and a https?)
Secondly, how would I upload all my resources (scripts/stylesheets) to github?
Thanks in advance!
There is a relatively simple solution: to use a protocol-relative URL format.
e.g. your error
Mixed Content: The page at 'https://kristofferhari.github.io/' was loaded over HTTPS, but requested an insecure stylesheet 'http://fonts.googleapis.com/css?family=Open+Sans:400,700,300,900'. This request has been blocked; the content must be served over HTTPS.
The problem is you are loading
http://fonts.googleapis.com/css?family=Open+Sans:400,700,300,900'
from
https://kristofferhari.github.io/
The page is secure (HTTPS), but it's loading insecure content (HTTP).
To fix it, you basically need to change the stylesheet to:
https://fonts.googleapis.com/css?family=Open+Sans:400,700,300,900'
But a more flexible solution is to use a protocol relative format:
//fonts.googleapis.com/css?family=Open+Sans:400,700,300,900'
which will then work on either http or https.
Apply this change to all included resources.
I'm trying to send a subscription call, but got an error saying the the URL is invalid.
This is the URL I used:
https://us14.api.mailchimp.com/3.0/lists/<list-id>/members/
then I get this back in the response:
<HTML>
<HEAD>
<TITLE>Invalid URL</TITLE>
</HEAD>
<BODY>
<H1>Invalid URL</H1>
The requested URL "http://%5bNo%20Host%5d/3.0/lists/41e44e1bde/members/", is invalid.
<p>
Reference #9.cc6a1db8.1483891456.16189371
</BODY>
</HTML>
which translates to:
http://[No Host]/3.0/lists/<list-id>/members/
us14 is definitely the right data center according to the documentation so I'm not quite sure what's wrong.
It turned out that if you set HTTP header field "Host" in the request, it will always return this error. I tested this out by removing every fields one-by-one and this was the only one that caused an issue.
Many environments use the Host header for stuff like virtual sites where you are running more than one website behind the same IP Address (i.e. api.mailchimp.com and www.mailchimp.com could be on the same server) It is definitly possible for an error to be received if you set an invalid host since their proxies can't route it correctly. Normally, the host header is set automatically by the browser or HTTP client and usually not something you would override.
Are you still having trouble? If so, would be useful to see a screenshot of something like PostMan or https://ApiRequest.IO to see what your inputs are.
I'm testing clickjacking mitigation with a simple page like this on another domain:
<iframe src="https://my.domain/login"></iframe>
My login page sends the following headers:
HTTP/1.1 302 Found
X-Frame-Options: SAMEORIGIN
Location: https://my.domain/landing
...
I'm surprised to see both IE 10 and Chrome 33 follow the redirect and display my landing page inside the <iframe>. My landing page does not send X-Frame-Options, but I expected the first X-Frame-Options on the login page to trump the redirect. How can I prevent browsers from following the redirect when my login page is displayed in a frame?
I should add that things work as expected (<iframe> is empty/blocked) if the login page doesn't send an HTTP redirect.
From the terminology used in RFC 7034, I conclude that browsers will not apply X-Frame-Options restrictions for HTTP redirects (status codes 301, 302, etc), but rather for any response where the browser processes the content, e.g.:
The use of "X-Frame-Options" allows a web page from host B to
declare that its content (for example, a button, links, text, etc.)
must not be displayed in a frame (<frame> or <iframe>) of another
page (e.g., from host A). This is done by a policy declared in the
HTTP header and enforced by browser implementations as documented
here.
or:
The X-Frame-Options HTTP header field indicates a policy that
specifies whether the browser should render the transmitted resource
within a <frame> or an <iframe>. Servers can declare this policy in
the header of their HTTP responses to prevent clickjacking attacks,
which ensures that their content is not embedded into other pages or
frames.
As an alternative for the login page you could return a HTTP status code 200 and a meta-tag or javascript for redirection, the X-Frame-Option will then apply, but I admit that it's ugly.
I need to include some secure (BASIC authentication) application.
when I open the application URL in the browser, the browser asks me to enter your credentials ...
what I know is that:
The browser ask the server to get
some URL -- the url of the app
The server checks the request header
for the Authentication header and
didn't find it
The server sends 401 to the
browser back
The browser interpret this response
code into a message dialog that
shows to me asking me to enter the
username/password to send back to
the server in the Authentication
request header
So far... so good, I can write some page (in JSP) that send this required http request header to the request that is calling this page..
So I'll call this application through my page..
The problem here is, this application (in fact a GWT application) contains a reference to some Javascript and CSS files that is coming from the server that hosts this application. the application page that I import looks like:
<html>
<link href="http://application_host/cssfile.css" />
<link href="http://application_host/javascriptfile.js" />
.....
</html>
So, again I found the application asks me for the authentication crenditals for the css and js files!
I am thinking of many solutions but don't know the applicability of each
One solution is to ask the browser
(via Javascript) to send the request
header (Authentication) when he
asks the server for the js and css
files
please give me your opinions about that... and any other suggestions will be very welcomed.
Thanks.
I think you're running into some weirdness with how your server is configured. Authentication happens in context of a authentication realm. Your assets should either be in the same authentication realm as your page, or (more likely) should not require authentication at all. The browser should be caching credentials for the given realm, and not prompt for them again.
See the protocol example on http://en.wikipedia.org/wiki/Basic_access_authentication
Judging from your story, something tells me your problem is with the authentication method itsef. Not how to implement it. Why do you want to bother with the request header so much?
As far as i know, you can configure your container (ie Tomcat) to force http authentication for certain urls. Your container will make sure that authentication has taken place. No need to set http headers yourself whatsoever.
Perhaps you can explain a bit better what you are trying to achieve, instead of telling implementation details?
Why css & js files are kept in protected area of server? You need to place files into public area of your server. If you don't have public area, so you nead to prpvide for it. how to do it depends from serverside software architecture & configuration.