Office add-in without SSL - ms-word

I have created a manifest for a Word add-in that refers to a web page that is not secured by https. I get errors in the Word host and can tell Word to temporarily accept this but cannot find how to tell it to ignore the warning on every launch.

It will actually be an issue in the Online versions of Office because the apps themselves are always https, and thus generate mixed content (both http and https) if your app isn't.
Also, it is generally a bad idea to have an unsecured add-in. You're allowing an application to read the documents you're working on; without https you'd never know if you're actually allowing a 'fake add-in' to read all your data and save it somewhere else.
Lastly, the Office store does not allow non-https add-ins at all, so if you're planning on distributing your app through the store you will definitely need SSL.

What are the errors that you get in the Word host? Word normally does not complain when an http:// address is used in a taskpane. Do you maybe have mixed content in the website?

Related

Database info not showing when previewing site on mobile?

I have made a simple full stack application that uses a postgreSQL database. When previewing the site on desktop it works fine and is able to retrieve all the information with no problem so long as my backend server is on. I am trying to preview the site on my phone using my IP address followed by the port number and it comes up just fine but only the frontend is displaying on my phone. I am unable to see any information from my backend or database. Does anyone know why that is or how I can fix that to display on my phone (without hosting the site)?
1. Maybe it's just a caching issue.
Check your mobile phone browser's cache setting.
In general, browsers use caching technology for performance reasons. Caching refers to storing values that you previously requested locally and then reusing old values without using new values when a similar request comes in.
2. Maybe it's a front-end CSS problem.
If design-related elements such as CSS are not accurate, problems that cannot be seen on the screen may occur even if server data is imported normally.
3. Or maybe the front-end can't get data from the server at all.
In this case, it is necessary to debug the server source, check whether it is sent normally on the screen, and check whether the response is received normally through the network terminal.
After checking the three above, even if you can't solve the problem, at least you'll know exactly what the problem is.

Capture HTTPS traffic from VSTO in fiddler

I am using an Excel VSTO add-in and I want to capture the HTTPS traffic using Fiddler (v4.5.0.0). The add-in downloads data (reports) from the server into the spreadsheet, it has also a pop-up that allows authentication and selection of the elements of the reports.
I am able to capture and decode traffic from all browsers and I have already imported the cert using Internet Options...
I have set Excel's Trust Centre options to the minimum security, allowing as much as I could.
Yet when I enable capturing in Excel, no matter if with or without decoding, the addin does not work, and if I enable it after log in using the VSTO's pop-up it shows me a "connection impossible" error.
Any suggestions?
Thanks
I believe the issue is not related to VSTO because there is no difference between a regular .Net application and VSTO add-ins from the Fiddler point of view. Try to reproduce the issue with a regular .net application and Fiddler.
I have found a (temporary and shabby) workaround:
I try several times enabling and disabling the decrypt option and after a few attempts it works. Note that I had already tried to repeat the request without disabling decryption with no result.
I have also enabled all the SSL and TLS versions supported by Fiddler for good measure.
I will try EmilLaw's suggestion to see what IE says, but for now I am under time pressure as I need to debug a few reports for customers.
Thanks guys for the suggestions!!

Is it possible to send a file from the client computer on a perl web application without uploading it to the server first?

I've looked for this around the internet without getting any good answer so far, so here's the issue:
I have a Perl web application used by a small group of people (accessed by their web browser on Windows computers, around 100 users) on an intranet (this application is on a RedHat Apache server). This application gets the user's inputs and uses WWW::Mechanize to send everything to another page (on a different server, which shouldn't be used directly), process a form and return the result (I know it may not sound optimal, but it was done according to what was required). The issue here is that I need the users to be able to send a file (most likely it will be an image of ~500kB), either through WWW::Mechanize along with the other form data that gets submitted, or by an email with an attachment; either option is equally acceptable. I know the file can be sent/attached if it's already on the server. My question is simple:
Is it possible to send a file from the client computer (running the Perl web application on the browser) without uploading it to the server (that will send it) first?
P.S. This is not one of those "give me the code" questions, I'm not asking for any specific code, I just want to know if this is something that could be done (and if it is to have an idea how), or if I absolutely have to upload the file to the server running the Perl application first (I already have a script for that). If this is not possible it's ok, I just want to be sure if I need to upload to the server first before sending the file.
Assuming I understand you correctly, yes, you can upload a file through WWW::Mechanize. See the pb-upload example.
Yes, it can be done if the client computer has a mail client that is configurable enough to allow a command of the type "mail $TO $SUBJECT -attachment $ATT_FILE". Even then you need the user to cooperate by launching the action.
Otherwise, no. You can't do it via JavaScript AFAIK due to sandbox restrictions.
I don't know enough about Flash to know if that's an option.

How to send data to webserver and know it comes from a certain application?

I'm trying to send data from my application to a webserver.
The catch is that I want to encrypt the sent data and also make sure it comes from my application. (From what I've read so far it's easy to decrypt the data if it's not sent via HTTPS. On the unique application I didn't find anything except the Application ID Apple provides for each application but I don't know how that works).
The data sent are various highscores and achievements that the user can enable. The thing is that the user doesn't have to type in anything but his username and having that associated with the UDID it should be enough.
But how to make sure it's from my application?
Edit: After reading some responses around here I still didn't understand something:
If someone extracts the IPA and reverse engineers it wouldn't he have access to all my .h and .m so he can look up anything in there?
You could generate a client certificate for the iPhone app, and use mutual authentication for your SSL handshake. Then you know that data submitted to the server come from a particular user of the app, and that your app is communicating with the correct server.
Regarding your edited update, yes, if someone reverse-engineers your app they can probably work out how the high-scores are protected. But seriously, how much trouble do you expect most people to go to in order to fake a high score in a game? Are you offering a cash prize or something?
If you are using HTTPS then you can just put an identifier key in your POST to the web server, either as a field or perhaps an HTTP header that identifies your app. The entire connection is encrypted so it will be protected. If you do this you will want to encrypt the key even in your binary and decrypt it as you send it over the connection, that way no one will be able to pull it out with a hex editor.
Another approach if all you want is to know that the data comes from an authentic instance of your application is to use message authentication codes (MAC). I leave deciding how strongly the key needs protecting as an exercise to the reader - you know your security requirements better than I do.
You can use CommonCrypto - part of the iOS SDK since forever - to actually generate the MAC.
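The MAC approach from the last answer, seen from the server that has to check it. This is an added example, not code from any of the answers; Python stands in for both sides, and the key, the field names, the nonce and the 5-minute window are assumptions made for the illustration.

```python
import hashlib
import hmac
import json
import time

# Constructed demo key. In a shipped app the key lives inside the binary, so
# someone who reverse-engineers the app can recover it (the caveat raised above).
APP_KEY = b"constructed-demo-key-not-a-real-secret"
MAX_SKEW_SECONDS = 300      # assumed freshness window for a submission
_seen_nonces = set()        # in-memory replay cache; a real server would expire entries


def sign_score(username, score, nonce, timestamp, key=APP_KEY):
    """Client side: serialize the fields canonically and compute an HMAC-SHA256 tag."""
    body = json.dumps(
        {"user": username, "score": score, "nonce": nonce, "ts": timestamp},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag


def verify_score(body, tag, now=None, key=APP_KEY):
    """Server side: return the parsed submission or raise ValueError."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # Constant-time comparison: do not leak how many tag characters matched.
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad MAC")
    msg = json.loads(body)  # parse only after the tag has been verified
    now = time.time() if now is None else now
    if abs(now - msg["ts"]) > MAX_SKEW_SECONDS:
        raise ValueError("stale timestamp")
    # A valid tag alone does not stop a captured request from being re-sent.
    if msg["nonce"] in _seen_nonces:
        raise ValueError("replayed nonce")
    _seen_nonces.add(msg["nonce"])
    return msg
```

The tag proves the body was produced by a holder of the key and was not altered afterwards; it does not prove the score was earned, since the key ships with the app.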

Is there any way to allow failed uploads to resume with a Perl CGI script?

The application is simple, an HTML form that posts to a Perl script. The problem is we sometimes have our customers upload very large files (> 500mb) and their internet connections can be unreliable at times.
Is there any way to resume a failed transfer like in WinSCP or is this something that can't be done without support for it in the client?
AFAIK, it must be supported by the client. Basically, the client and the server need to negotiate which parts of the file (likely defined as parts in "multipart/form-data" POST) have already been uploaded, and then the server code needs to be able to merge newly uploaded data with existing one.
The best solution is to have custom uploader code, usually implemented in Java though I think this may be possible in Flash as well. You might be even able to do this via JavaScript - see 2 sections with examples below
Here's an example of how Google did it with YouTube: http://code.google.com/apis/youtube/2.0/developers_guide_protocol_resumable_uploads.html
It uses a "308 Resume Incomplete" HTTP response, which sends a range: bytes=0-408 header from the server to indicate what was already uploaded.
For additional ideas on the topic:
http://code.google.com/p/gears/wiki/ResumableHttpRequestsProposal
Someone implemented this using Google Gears on the client side and PHP on the server side (the latter you can easily port to Perl)
http://michaelshadle.com/2008/11/26/updates-on-the-http-file-upload-front/
http://michaelshadle.com/2008/12/03/updates-on-the-http-file-upload-front-part-2/
It's a shame that your clients can't use ftp uploading, since this already includes abilities like that. There is also "chunked transfer encoding" in HTTP. I don't know what Perl modules might support it already.
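The server side of the "308 Resume Incomplete" exchange described in the first answer, with the offset checks an upload endpoint needs. This is an added example in Python, not code from the answers or from the linked protocol documents; the `UploadSession` class, the size cap and the 201 status on completion are assumptions.

```python
import re

MAX_UPLOAD_BYTES = 1024 ** 3   # assumed per-upload cap (1 GiB)
CONTENT_RANGE = re.compile(r"bytes (?:(\d+)-(\d+)|\*)/(\d+)")


class UploadSession:
    """State for one resumable upload (bytes held in memory for the demo)."""

    def __init__(self):
        self.data = bytearray()
        self.total = None      # fixed by the first valid request

    def _resume(self):
        # 308 reports what is already stored so the client can continue from there.
        headers = {}
        if self.data:
            headers["Range"] = "bytes=0-%d" % (len(self.data) - 1)
        return 308, headers

    def handle_put(self, content_range, chunk=b""):
        """Return (status, headers) for a PUT carrying this Content-Range value."""
        m = CONTENT_RANGE.fullmatch(content_range)
        if not m:
            return 400, {}
        total = int(m.group(3))
        # The declared total must be sane and must not change mid-upload.
        if total < 1 or self.total not in (None, total):
            return 400, {}
        if total > MAX_UPLOAD_BYTES:
            return 413, {}
        self.total = total
        if m.group(1) is None:             # "bytes */total" is a status query
            return (201, {}) if len(self.data) == total else self._resume()
        first, last = int(m.group(1)), int(m.group(2))
        # Reject inverted ranges, ranges past the total, and bodies whose
        # length disagrees with the header.
        if last < first or last >= total or len(chunk) != last - first + 1:
            return 400, {}
        # Accept only the chunk that starts where stored data ends: no gaps
        # and no overwriting of bytes already received.
        if first != len(self.data):
            return self._resume()
        self.data += chunk
        return (201, {}) if len(self.data) == total else self._resume()
```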