I have an html page into which an swf is embedded, and this swf has some information which should not be disclosed, however on security scan GET request to this swf is exposing that information. I thought of using the filter rule in dispatcher as below
/0048 { /type "deny" /glob "* *sample.flash.swf *" } #
After that the page itself is not able to access the swf, so I think the above method of restriction is wrong.
May I know how we can make this swf accessible only to the page where this swf is embedded and else where this needs to be restricted from getting accessed.
I am sure its not possible to handle this at dispatcher.
Ideally you should not put any sensitive information in the swf file in the first place.
If you must, consider rendering the content through a servlet that will require a token which is available only on the page. Also see CSRF Protection Framework
Related
I coded an html login form file with a js file to correlate. The action only allows the validated information to access my library page as directed; however, when I type the address to the library page in my browser it goes to the page without blocking it. What should I do?
I want to know the difference between Follow Redirects and Redirect Automatically while recording with Jmeter.
Also what effect will both these have when used with Retrieve all Embedded Resources from HTML
Redirect automatically, will not consider redirect as a separate request
where as Follow redirects will consider each redirection as a separate request.
This difference can be visualized in the Listener (View Results Tree).
If Retrieve all Embedded Resources from HTML is checked, it will give you Page Load Time, since apart from response time it will keep on calculating the time taken till all the supporting files of html page have been downloaded to Local (CSS, Images, Javascript files.. etc.)
Also if any values needs to be captured from redirect request you need to set configuration a follow redirect otherwise will not be able to capture those data using extractors (set cookie values for example)
Hope this will help.
I've run a Pingdom.com test on my page and found out that identical JS files from Facebook are being loaded twice. Once from http://s-static.ak.facebook.com/ and another time from http://static.ak.fbcdn.net. Pingdom is reporting that the page size is 753.7kB. That's a lot, and if you exclude Facebook resources, the page size goes down more than 60%—what a waste! Is there any way to mitigate this problem? Thanks!
You may need to use a channel file:
The channelUrl parameter is optional, but recommended. Providing a
channel file can help address three specific known issues. First,
pages that include code to communicate across frames may cause Social
Plugins to show up as blank without a channelUrl. Second, if no
channelUrl is provided and a page includes auto-playing audio or
video, the user may hear two streams of audio because the page has
been loaded a second time in the background for cross domain
communication. Third, a channel file will prevent inclusion of extra
hits in your server-side logs. If you do not specify a channelUrl, you
can remove page views containing fb_xd_bust or fb_xd_fragment
parameters from your logs to ensure proper counts.
The channelUrl must be a fully qualified URL matching the page on
which you include the SDK. In other words, the channel file domain
must include www if your site is served using www, and if you modify
document.domain on your page you must make the same document.domain
change in the channel.html file as well. The protocols must also
match. If your page is served over https, your channelUrl must also be
https. Remember to use the matching protocol for the script src as
well. The sample code above uses protocol-relative URLs which should
handle most https cases properly.
I'm coding a "one page" app inside facebook (using the canvas app approach). While the user moves inside the app I'm changing the location like: apps.facebook.com/my-app#current_location and loading stuff via AJAX.
Unfortunetely, when someone loads http://apps.facebook.com/my-app#current_location in their browser, the canvas app doesn't see the url fragment #currrent_page.
How can I get around this limitation?
Although I cannot answer properly your question, (and as I think it's kind of old already) the info below should help other people understand better these # (hash) things. They are called URL Fragments.
http://blog.httpwatch.com/2011/03/01/6-things-you-should-know-about-fragment-urls/
Any URL that contains a # character is a fragment URL. The portion of
the URL to the left of the # identifies a resource that can be
downloaded by a browser and the portion on the right, known as the
fragment identifier, specifies a location within the resource:
Fragments Are not Sent in HTTP Request Messages
If you try using fragment URLs in an HTTP sniffer like HttpWatch,
you’ll never see the fragment IDs in the requested URL or Referer
header. The reason is that the fragment identifier is only used by the
browser – it doesn’t affect which resource is returned from the
server.Here’s a screen shot of HttpWatch showing the traffic generated
by refreshing a fragment URL:
The URL fragment is only read on the client-side (users' browsers), so Facebook won't and can't sent that on the POST request it makes to your server.
What you can do is catch all URLs with the same route, regardless of the server-side language of your choice, encode them somehow, and send them to the client to be read by client-side Javascript which would then be responsible for navigating.
Example: the user loads http://apps.facebook.com/my-app/current_location (notice the / instead of the #). You serve your single page, where you'll have something like (ERB):
<script>MyApp.navigate("<%= request.path %>");</script>
Your navigate function could do the following:
function navigate(path) {
window.location.href = "#" + path;
}
Yeah, the Hash urls are nice to use for navigation within your site, however, not so good when sharing the url. The solution is to create canonical URLs for each of your objects.
So, when someone can access specific information like http://yoursite.com/#artists/styx, you also have a way for your server to serve content from http://yoursite.com/artists/styx. This way someone can share http://apps.facebook.com/yoursiteapp/artists/styx and then get to the correct content within your site.
I am writing an app within a facebook iframe and am unsure how best to write this. I originally wrote all the code within the main canvas.php file but found everything was running too slow before results were being loaded into the iframe.
I then tried using the php header location method so to try and load different pages into the iframe, thus reducing page load time. However, the header location is ignored.
I have also tried using javascript to get the page to load within the iframe instead, this does load in the new page but the page experiences lots of problems. It wil not pass parrameteres to itself using $_GET.
Basically, I need to perform some checks when the canvas page is first loaded in the iframe and then re-direct to another file to avoid the checks being perfomed on every page load as this seriously shows everything down. I then need to have page reloads with different parrameteres in the URL to populate the iframe with different results, again this is very slow as it has to perfomr all the checks again.
Therefore, how can I achieve a smooth workflow as a normal site within a facebook iframe?
[EDIT] Just thought is Ajax a valid option?
Many thanks in advance.
Most people experience slow response times due to not having a channelURL specified. See http://developers.facebook.com/docs/reference/javascript/
Channel File
The channel file addresses some issues with cross domain communication
in certain browsers. The contents of the channel.html file can be just
a single line:
It is important for the channel file to be cached for as long as
possible. When serving this file, you must send valid Expires headers
with a long expiration period. This will ensure the channel file is
cached by the browser which is important for a smooth user experience.
Without proper caching, cross domain communication will become very
slow and users will suffer a severely degraded experience. A simple
way to do this in PHP is:
The channelUrl parameter is optional, but recommended. Providing a
channel file can help address three specific known issues. First,
pages that include code to communicate across frames may cause Social
Plugins to show up as blank without a channelUrl. Second, if no
channelUrl is provided and a page includes auto-playing audio or
video, the user may hear two streams of audio because the page has
been loaded a second time in the background for cross domain
communication. Third, a channel file will prevent inclusion of extra
hits in your server-side logs. If you do not specify a channelUrl, you
can remove page views containing fb_xd_bust or fb_xd_fragment
parameters from your logs to ensure proper counts.
The channelUrl must be a fully qualified URL matching the page on
which you include the SDK. In other words, the channel file domain
must include www if your site is served using www, and if you modify
document.domain on your page you must make the same document.domain
change in the channel.html file as well. The protocols must also
match. If your page is served over https, your channelUrl must also be
https. Remember to use the matching protocol for the script src as
well. The sample code above uses protocol-relative URLs which should
handle most https cases properly.