Mixed Content: HTTPS site without specification - mixed-content

I am writing a program which will look for Mixed Content within a URL. The aim of this script is to extract all links in a page and convert these links to absolute links, and then to see if the content is mixed.
lets say we have this page https://www.example.com/xxx1/ i'm assuming that any reference to links within this page will ALWAYS connect through to the HTTPS site, unless the link is explicitly told otherwise?
E.g
/index.html = will be HTTPS
http://www.example.com/img/insecureImage.jpg = Will be HTTP - and therefore insecure?
True?
Thanks,

The situation with mixed content depends on whether the content is active or passive. If you have an HTTPS site, all active content will be blocked. If it is passive as in the case of the image you provided, it will be displayed by default, but users can choose in their browsers to block this too.
The example you give is of an image file, so that is passive mixed content and that would not be blocked by default, but could be by the user's settings as mentioned.
The following resources fit into that class:
img
audio
video
object
The guide I link to explains the active/passive mixed content quite well.
MDN Guide on Mixed Content

Yes, independent of mixed content or not, if you see a relative link it is intended to be appended to the origin domain, so in your example /index.html should be interpreted as (https://www.example.com/index.html).
If they are absolute links, determining if its mixed content is exactly like you suggest - check the uri scheme. To reference mixed content, even from the same server, you need to use absolute links, so it makes your task kind of easy.
You're on the right track.

Related

How do certain badges on shields.io avoid using base-64 in their url

I'm attempting to create a badge using shields.io for a GitHub project I'm involved in. Shields.io allows you to add your logo with base-64 encoding. Pretty cool, however it's pretty unwieldy to place into your readme. Given that I want to make it convenient for associated projects to paste our badge into their project, I don't want the markdown to be ten lines long.
I've noticed that not everyone has this problem. Gitter, for example has a very simple url for its shield that contains a logo.
Bithound also has a very nice badge url.
Are these special deals that they've worked out with Shields.io? Or is this sort of slickness available to everyone?
Shields.io has default support for a number of vendors displayed on the front page. Some of those custom integrations rely on corresponding logos: https://github.com/badges/shields/tree/master/logo.
I understand how having a large URL can be inconvenient. However, referencing external resources in images can yield unfortunate results, and is therefore disallowed (as does GitHub, which has had its share of sneaky DDoSes in the past years).
However, I believe using a URL shortener like bit.ly or goo.gl can help you have small URLs in your project files.

text/html return from REST Service

I am returning text/html(MediaType.TEXT_HTML) from REST web service which I want to show in browser.
Return string from web Service Method=<html>
<body background=\"WEB-INF\\DSCN0651.JPG\">
<h1>Hello World!!!</h1>Visit W3Schools.com!
<audio autoplay><source src=\"WEB-INF\\Coolest_Sms_All_Time.mp3\" type="audio/mpeg"</audio>
</body></html>
The problem I am facing is the background = DSCN0651.JPG is not rendered in browser
The audio autoplay is not working as I am not able to hear sound in browser.
Though I am only able to see Hello World!!! and link www.w3schools.com! in browser after REST call.
I checked the deployment area both image and mp3 are deployed fine under WEB-INF folder
I am using IE/chrome browser to make a call to my WebService get method.
Please let me know what I am doing wrong.
To link images or audio (or whatever resource), you need to give a relative URL which the client browser can understand, by asking the server for that resource. If you have a webpage like the above at URL http://example.com/foo/bar, the browser will try to look up http://example.com/foo/bar/WEB-INF\DSCN0651.JPG, but that's an invalid URL. I suggest you check that by trying out the real URL yourself, and by seeing with Developer tools what the browser does with your page.
That URL is invalid at least because it uses a backward slash \ instead of a forward slash /. That's wrong in URLs.
Actually, what you're showing uses \" and \\, but those should appear only when you embed them as a string in source code, to represent respectively " and \. You might want to inspect the output to ensure that's correct.
Moreover, that URL contains WEB-INF. I assume you're using a Java application server. However, the content of the WEB-INF folder is handled specially by Java application servers — in fact, resources there are not accessible to the public! So you should probably move them elsewhere and update the path (the right place depends on what you're exactly doing). Probably moving them up, outside of WEB-INF, and updating the URLs already works.

Favicon only showing with www.websitename.com not websitename.com

Favicon only showing when I type www.websitename.com not websitename.com
Why does this happen and how can I make favicons show up on websitename.com.
The default favicon is simply downloaded from the current Host of the HTTP request, plus `/favicon.ico'--and this Host is different in your two examples. There is nothing that says the host preceded by a "www." has anything in common with the host without the preceding "www."
There are three cases that may apply to you.
The favicon might be served from a literal file named favicon.ico and located in your document root. In this case, you need to check that your server's vhost (virtual host) configuration is set up to resolve both hosts "www.websitename.com" and "websitename.com" equivalently to the exact same set of files. (Although in general, this is not a good idea. See N.B. below.)
The favicon might be served from a file (named almost anything and located either inside or outside of your document root) which is set as your favicon by a server configuration. So check the server configuration and make sure that the rule determining the location of the favicon is applied to both hosts without and without a leading "www." Once again, these are in general completely different hosts, and a server does not normally assume there is anything in common between them.
You might be specifying the favicon individually in each file with a link HTML tag. If so, then make sure that the same HTML files are being loaded at each Host, as in answer 1, and follow this format for you link tag. (Your current rel attribute does not look like it will trigger most browsers into displaying the icon.)
Necessary to add link tag for favicon.ico?
N.B. There is a good reason why those hosts are not considered equivalent. Consider the case that half of your visitors randomly link to an article at your site with the "www." and half of them don't. And imagine this happens for every other website as well. Then slowly the internet, search engines, bookmarks become uselessly filled up with multiple links for every resource. Everything gets crawled at least twice as often for each distinct link, and resources are continually wasted forever and ever.
It is a good idea, therefore, to make your main body of content accessible only under one Host (whichever you prefer), and redirect the other host to the home page of the correct one. In the long run this will help your own server and will also help both you and the internet. By allowing only canonical links to work in the short run, one ensures that only canonical links will exist in the long run.

tinymce file browsers multiple file source

I am doing some updates to a site I have developed over the last few years. It has grown rather erratically (I tried to plan ahead, but with this site it has taken some odd turns).
Anyway, the site has a community blog ( blog.domain.com - used to be domainblog.com) ) and users with personal areas ( user1.domain.com, user2.domain.com, etc ).
The personal areas have standard page content that the user can use, or add snippets of text to partially customize. Now the owner wants the users to be able to create their own content.
Everything is done up to using a file browser.
I need a browser that will allow me to do the following:
the browser needs to be able to browse the common files at blog.domain.com/files and the user files at user_x.domain.com/files
the browser will also need to be able to differentiate between the two and generate the appropriate image url.
of course, the browser access to the user files will need to be dynamic and only show those files particular to the user (along with the common files)
I also need to be able to set a file size for images
the admin area is in a different directory than either the blog or the user subdomains.
general directory structure
--webdir--
|--client --
|--clientsite--
|--blog (blog.domain.com)
|--sites--
|--main site (domain.com)
|--admin (admin.domain.com)
|--users--
|--user1 (user1.domain.com)
|--user2 (user2.domain.com)
...etc.
I have tried several different browsers and using symlinks but the browsers don't seem to be able to follow them. I am also having trouble even setting them to use a directory that isn't the default.
what browser would you recommend? what would I need to customize to make it work.
TIA
ok, since I have not had any responses to this question, I guess I will have to do a work around and then see about writing a custom file browser down the road.

How to add RESTful type routes in Jekyll

The root of the site http://example.com correctly identifies index.html and renders it. In a similar manner, I want, http://example.com/foo to fetch foo.html present in the root of the directory. The site that uses this functionality is www.zachholman.com. I've seen his code in Github. But still I'm not able to find how it is done. Please help.
This feature is actually available in Jekyll. Just add the following line to your _config.yml:
permalink: pretty
This will enable links to posts and pages without .html extension, e.g.
/about/ instead of /about.html
/YYYY/MM/DD/my-first-post/ instead of YYYY-MM-DD-my-first-post.html
However, you lose the ability to customize permalinks... and the trailing slash is pretty ugly.
Edit: The trailing slash seems to be there by design
It's actually the server that needs adjusting, not jekyll. Be default, jekyll is going to produces files with .html extensions. There may be a way around that, but it's unlikely that you really want to do go that route. Instead, you need to let your web server know that you want those files served when a URL is called with the file's basename (and no extension).
If your site is served via an Apache web server you can enable the "MultiViews" option. In most cases, you can do that be creating an .htaccess file at your site root with the following line:
Options +MultiViews
With this option enabled, when Apache receives a request for:
http://example.com/foo
It will serve the file:
/foo.html
Note that the Apache server must be setup to allow the option to be set in the htaccess file. If not, you would need to do it in the Apache config file itself. If your site is hosted on another web server, you'll need to look for an equivalent setting.