This is mainly for privacy concerns. If I open up an email on Gmail (or any other email provider) containing a link to a website and I end up clicking on the link, does Gmail send out a referer header? (ie. Will the destination website know that I came from Gmail? And would they know the email address that I was using when I clicked on the link?)
Lastly, if they do, is there any way to disable it?
No, if you use gmail's web interface referrer header won't be set, but destination may still guess that you came from gmail.
Here's what happens when you click http://example.com/something link in gmail:
actual destination is changed to GET https://www.google.com/url?hl=en-GB&q=http://example.com/something&source=gmail&ust=TIMESTAMP&usg=HASH.
In reply to this HTTP GET google.com replies 302 Moved with Location header to redirect to actual link: Location: http://example.com/something. When processing this reply chrome will request something like this:
GET /something HTTP/1.1
Host: example.com
... regular headers ...
X-Client-Data: %HASH%
If you make that request by typing the URL in address bar the request will be identical except there won't be that X-Client-Data header. It seems that this X-Client-Data header is set by Chrome while accessing Google servers and it seems that no such header is set when using non-chrome browsers. If you open your browser in incognito/private mode and click that link in gmail then X-Client-Data header isn't set and on server side it looks as if you typed the URL in your address bar directly.
Related
System I have to update has http-handlers that are accessible via address like
http://<server>/handlers?name=some-handler-name
I added http form with action tag that directs to one of this handlers like this:
<form ... action="/handlers?name=some-handler-name" >
My form is a part of a system and located right on the same server. Basically its accessible via adress like
http://<server>/handlers?name=my-handler-with-form
But when I submit my form - nothing is posted to some-handler-name handler because my http-request receives code 302 (redirect).
Do I use correct address in action method (what I want is my form data to be posted to address like http://server/handlers?name=some-handler-name)?
Is it possible to post data to url that has query string parameters?
I guess that system intercept my postback and for some reason redirects it
Correct address is important
Yes, it is possible to post data with query params
There would be some redirect rule set at the server side. You would need to work with server side dev or read server side deployment/code documentation.
I am trying to search gmail api with custom header (this case it is named notification-id), but it does not work. Request I am making:
GET https://www.googleapis.com/gmail/v1/users/tme/messages?includeSpamTrash=true&q=notification-id%3A560d01cef318893c3c000016
I tried the same query using default header (rfc822msgid) from google mail api and it works with this request:
GET https://www.googleapis.com/gmail/v1/users/me/messages?includeSpamTrash=true&q=rfc822msgid%3A560d01d068c_6690c6f31857290%40ip-172-31-12-127.mail
Any ideas why it does not work with custom header?
I tried to do this myself a while back, and came to the conclusion that it was not possible. Someone please correct me if I'm wrong.
According to the Advanced search-documentation, you can search for the following headers:
from, to, subject
list:
Messages with the words info#example.com in the headers, sent to or
from this list
deliveredto:
Any message with username#gmail.com in the Delivered-To: field of the
message header (which can help you find messages forwarded from
another account or ones sent to an alias).
rfc822msgid:
Locates the exact message with the specified SMTP message-id.
Since iOS 7 blocked the spoofing of http://www.apple.com/library/test/success.html I am looking for another way to block the Captive Network Assistant login page. Since Apple has the devices checking 1->m websites I can not be sure all are blocked on the company's open network.
If there is no way to block it I would be open to changing it to a webpage with an accept button, like a terms page, but I can not find a method to do that either.
Since IOS7 apple now test more than 200 random URL too see if its on internet, you can not open for one and one page.
The way to handle this is to create a filter that looks for User Agent UA CaptiveNetworkSupport.
If portal sees this, it should return Success back to client.
User Agent:
CaptiveNetworkSupport
HTTP header:
HTTP/1.1 200 OK
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
HTTP Response:
<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>
On thing you might try, is always redirecting to a https page, the Captive Network Assitant expects a 302 redirect to a http url.
So, if whenever an http request comes in on your captive portal, you return a 302 redirect to an https page, the CNA won't appear.
Example request
Request URL:http://www.somepage.com
Request Method:GET
Response Headers Contain:
...
HTTP/1.1 302 Hotspot redirect
Location:https://www.mycaptiveportal.com
...
Following this post: Facebook.com and the iOS7 Captive Portal Detection
The IOS 7 devices check for the following domains:
www.appleiphonecell.com
captive.apple.com
captive.apple.com
www.apple.com
www.itools.info
www.ibook.info
www.airport.us
www.thinkdifferent.us
So if you'd open(unblock) those domains (like you did before with the success page), it should revert to the old behaviour.
However, there are also rumors that Apple now checks about 200 domains (which would then make these domains irrelevant), but i did not see confirmation of that.
I hope this helps.
Regards,
I'm trying to pass some variables to my facebook app from the url, i.e. using GET variable app_data like facebook wants.
At some point I've stopped getting the ['signed_request'] part of the $_REQUEST. When I print_r($_REQUEST) I'm getting: ['doc'], ['user'], ['__utmz'], ['__utma'] and ['session'] values, but not signed request :(
Any ideas of why this might be happening?
Check the tab/canvas url is EXACTLY the same as required. If there is a redirect to another page, then signed request and other values will not be sent. You can check using a browser sniffer, if a call to the page responds with a 300 (301/302 etc) redirect, then you need to change to what it redirects to.
Examples:
https://example.com/ may need to be https://www.example.com/ (add www., or remove www. depending on how server is set up)
www.example.com/ may need to be www.example.com/index.php (add index.php, or the right page).
Check you are using http:// and https:// correctly in the URLs, and that https:// returns a valid page.
I've only been able to get the signed request in https://, i get no request at all in http.
Currently have a bug on FB, but no word on fixing it yet; http://developers.facebook.com/bugs/264505123580318?browse=search_4eb3ef23eb18d6649415729
EDIT:
http://SITE.com was redirecting to http://www.SITE.com, so I was loosing the request variables.
Had a similar issue, for me it was as simple as a mismatch of the app id and app secret! However in facebook developers backend I have noticed that the URLs all need to have that trailing slash!
Some browsers do redirect your request to https automatically if you have been on this particular site on https so if you are in http mode on facebook there is situation:
facebook requests http version of your app, browser redirect this request of facebook to https and POST data and thus signer_request are gone in this process...
i see this problem in chrome 23, if you delete browsin data (particulary Deauthorize content licenses) app should run back on http
I need to include some secure (BASIC authentication) application.
when I open the application URL in the browser, the browser asks me to enter your credentials ...
what I know is that:
The browser ask the server to get
some URL -- the url of the app
The server checks the request header
for the Authentication header and
didn't find it
The server sends 401 to the
browser back
The browser interpret this response
code into a message dialog that
shows to me asking me to enter the
username/password to send back to
the server in the Authentication
request header
So far... so good, I can write some page (in JSP) that send this required http request header to the request that is calling this page..
So I'll call this application through my page..
The problem here is, this application (in fact a GWT application) contains a reference to some Javascript and CSS files that is coming from the server that hosts this application. the application page that I import looks like:
<html>
<link href="http://application_host/cssfile.css" />
<link href="http://application_host/javascriptfile.js" />
.....
</html>
So, again I found the application asks me for the authentication crenditals for the css and js files!
I am thinking of many solutions but don't know the applicability of each
One solution is to ask the browser
(via Javascript) to send the request
header (Authentication) when he
asks the server for the js and css
files
please give me your opinions about that... and any other suggestions will be very welcomed.
Thanks.
I think you're running into some weirdness with how your server is configured. Authentication happens in context of a authentication realm. Your assets should either be in the same authentication realm as your page, or (more likely) should not require authentication at all. The browser should be caching credentials for the given realm, and not prompt for them again.
See the protocol example on http://en.wikipedia.org/wiki/Basic_access_authentication
Judging from your story, something tells me your problem is with the authentication method itsef. Not how to implement it. Why do you want to bother with the request header so much?
As far as i know, you can configure your container (ie Tomcat) to force http authentication for certain urls. Your container will make sure that authentication has taken place. No need to set http headers yourself whatsoever.
Perhaps you can explain a bit better what you are trying to achieve, instead of telling implementation details?
Why css & js files are kept in protected area of server? You need to place files into public area of your server. If you don't have public area, so you nead to prpvide for it. how to do it depends from serverside software architecture & configuration.