I have a intranet site that allows users to log in and get excel
reports. The user clicks the name of the report and it opens it from a
folder for that user. Easy enough. The problem is that the path of the
folder for that user is displayed in the Status Bar when it is being
downloaded. I've discovered that users are grabing that path, changing
the folder name, and can then access other folders. I don't want that
to happen.
According to a financial website I tried to access without javascript:
"the site uses JS for security reasons."
How would using JS improve security?
I have an application which runs with secure access. User logs in,
uses the services, and logs out. After logging out, if the user click
the back button, it actually takes them to that page. How can I
prevent this?
Is there a way, that if the person clicks the back button or access a
browser history, how can I make sure that the latest page is displayed
instead of just the cache. Or, clicking the back/history should
refresh that page.
I was wondering if using Javascript to redirect a user, on the client
side, to different pages depending on what they entered was insecure.
I do not want the user to be able to view the source of the page. I
am having the user enter in some input using the input dialog box and
then using a window.location redirection based on their input. Is it
possible to view the source of a page after the input box has closed
but before the new page has loaded, ie. while the browser is
requesting the new page?
I'm working on an html form that will be launched from within another application, but every time it launches the form none of the JS coding works because of the stupid IE security. If I launch the form from outside the application I just have to select "allow blocked content" from that stupid information bar that says "to help protect your security IE has restricted the webpage from running scripts...."
I added the application site to our trusted sites and basically turned off security for that zone but it still doesn't work. Obviously there is a way to run JS without allowing the content, but I don't do enough coding to know how that is done.I need the JS to run automatically without that information bar appearing at all.
If my Ajax is set up like
html <--->ajax(js)<--->server(php)
it would be easy for someone to copy the html and javascript pages to their site and then access my server pages. I don't suppose it matters much if someone did that as long as the php page had proper validation but is it possible to block someone linking to my server pages like that.
As most Javascript coders probably know by now, IE on Windows XP SP2 likes
to prevent our code from running right away (the user is asked to give
permission the first time). Although I can see the danger in allowing all
scripts to run, the fact that IE makes it sound like we are going to install
some huge, horrible application when we are simply adding rollovers or
client-side validation or some other simple little thing really frustrates
me. Specifically what stuff does IE block? Does it check for certain methods
in the script? Does it block everything until you say it's OK? What can
places do to allow their scripts to be run without the need to be validated
by the user? I have heard about "Signed Scripts", but I feel that it would
be hard to modify and develop when a script had to be "Signed" every time.
Any comments?
Is there a way to test for security settings in a users browser AND
their firewall. Lets say someone is using zonealarm. Is there a way
to test for their setting in zonealarm, so I can then redirect them to
a specific page.
The reason I am asking is that I have a flash front page. A user
cannot see the page because he has his security settings set so that he
does not see activex controls. I want to be able to test for those
settings then redirect him to a static page.
It's a security setting "Access Data Sources across domains" you've
got lowered security for whatever zone you accessed the page in.
I am looking for the official javascript security specification for web
browsers. EMCAScript and DOM spec does not seem to contain a section on
security, so I assume none exists and the security policies are
implemented as the vendor pleases. If so, do security specs for IE and
Mozilla exist?
I am writing a script that uses xmlhttp.open, when i attempt to open a protected page I get the login prompt for my htpasswd. Is it possible to detect if there is a login requirement before the login prompt and if there is a login just do something else? I can use xmlhttp.status and check for 200 but if I do this then it would happen after the login prompt.
View 1 Replies View RelatedI have a webpage in which my users complete a form in order to get through to page 2. I cannot use PHP to check as it must be on-the-fly checking.My idea was like the following:
<script type="text/javascript">
function check(x)
{[code]...
And for the images to actually be PHP files that check further details of the user and insert details to DB. Then when the user clicks the next button it will check to see if all 4 users have loaded under that users details.However, I would much prefer it if I could use more PHP as I'm a Javascript n00b. Preferably I would like to use PHP to create unique keys for the images so that once I have obfuscated the javascript code the user will not figure out how to cheat the system even if they manage to reverse engineer the code.
E.g.
<?php
$pic = "picture.jpg";
?>[code]...
Or is this not at all possible?
Edit: I know how much simpler that first script could have been, was just trying to simplify from my double as messy full script which will probably confuse you even more!!!
Some may remember a security flaw in Firefox 1.0.1. It basically goes like this: HTML Code:
<a href="[TRUSTED_URL]">
<table><tr><td>
<a href="[MALICIOUS_URL]">download
</a>
</td></tr></table>
</a>
and with it the developer can trick users into going to or downloading files different from what the user expects.
I recently discovered that you can spoof the status bar in any Javascript enabled browser by the following method, and I'd like to know:Is it a real security flaw?If not, how is it less dangerous than the above method?If so, do I get bragging rights for discovering it, or is it already known? Code:
I pass values from a child window to a parent window as in this code. Is this secure, and if not how can I pass this data securely?
<script langauge="javascript"> function post_value(){
opener.document.editform.ownerid.value = document.lookupform.ownerid.value;
opener.document.editform.petowner.value = document.lookupform.oname.value;
opener.document.editform.ostreet.value = document.lookupform.ostreet.value;
self.close();
}
</script>
I have a textbox in which users can enter some text. And after entering this text I show it for them with help of innerHTML. ( befor it - I replace smiles with <img> tag ) I'v tried to enter some JavaScript there, and have found that it is not working. The question is how safe is that?
View 8 Replies View RelatedWhat I'm trying to do is put my favorites online so that I can access them from any computer. A friend of mine does this, but he's just relying on it not being bookmarked by anyone and not having his email and being in an obscure directory on his website. I'd like to take it a bit further for myself.
I had considered that the file would be something simple like f.html. f.html would get user input, from me, as a "password". However, the code would not validate the proper password (readable by a smart person) but the password would instead be a directory name. The javascript in f.html would then concatenate the variable received into a string that would be the name of the .js file to include (stuck out in some obscure directory). The included file would then proceed to write all the links. Code:
is there any way we can access the security settings of a browser or at least the status of the SECURITY level?
View 1 Replies View RelatedI am trying to convert a slide show script to install as Web Content on the Windows2K Active Desktop. My ideal implementation would just display all the image files in a specific directory rather than having to edit the script each time I add or remove an image.
I have written a script that uses the File System Object and works fine, but it puts up an alert box when I instantiate the FSO. I am hoping someone can advise me on how to run this particular script without the alert, but I am not willing to give any old script that happens to run access to any important directories.
Password Strength meter: Looking at ways of improving site security:
[url] is a great security feature (in my humble opinion) and I seem to think Ebay, Hotmail, or maybe Amazon use a similar tool. It looks at a proposed password, counts the upper and lower case characters used as well as the use of numerical and other symbols such as #@~? Etc. then rates the password on its perceived unbreakability. Thus it encourages users to use a strong password and therefore improves the security on my site and maybe on other sites too
So far I have linked to this site with success, but I would like to integrate the feature into my site. Does anyone have the code or something similar?
Firefox is throwing a DOM security error. I've used toDataURL() before, and it's never done this. I need to get this little app fixed, so that I can use it on my TabletPC for taking notes in class. The line of code that is throwing this error is:
var Note = document.getElementById("SketchPage").toDataURL();
Here's the full error from the Error Console:
Error: uncaught exception: [Exception... "Security error" code: "1000" nsresult: "0x805303e8 (NS_ERROR_DOM_SECURITY_ERR)" location: "file:///C:/SketchBook-Dev/SketchBook.js Line: 236"]
Here is the JS file:
var PenSize = "3";
var PenShape = "Circle";
var PenColor = "Black";
var LoadFile = "";
var UIstatus = "visible";
var CurrentNote = 0;
var BGcolor = "#C7C1A3";
var DataPath = "Data\";
var ImageExtension = ".img";
var FileList = [];
var SystemPath;
var UIstatus = "visible";
var Server = "localhost";
var NxtNote = new Image();
document.onkeyup = ToggleUI;
function Init() { .....
After lot of research I found that its impossible to disassemble the source code view in the window toolbar.. but finally I found this site that have the function that I am describing..
Start addy here:
mortgagecalculators.ws
/
mortgage-payment-calculator
.
php
End of addy:
The address is separated in pieces because I cant post links and don't forget to include the extension php with the dot at the end of the address but note that if you click on the back history button and then the forward. The java does not work. I get into the source looking for some java call... but nothing found related to security disable source code...
My client currently has a Flash book reader on his site that provides a UI for reading a book.Each page of the book is a GIF, and there are hundreds of books available.Now, my client would like to change this reader, and I've convinced him to let me rebuild the reader in jQuery.The hiccup is that, for copyright reasons, the images of the pages in the book must not be downloadable or accessible in the source code.(In other words, there shouldn't be a way to steal the book other than taking a screenshot of every page.)I want the reader to be powered by jQuery, it is, by definition, in-browser.
View 9 Replies View RelatedI've just started my venture into HTML5 localStorage. I now have a javascript my server sends to those who visit my ip address. I store all their data using localStorage. I have a few security questions regarding the HTML5 localStorage situation:
1. Can a script that did not create the local storage retrieve/modify the localStorage of another script just by guessing the key maliciously or unintentionally?
2. Can another script use the clear() method to remove my scripts data? Edit: I just tried this myself. And, yes, I deleted my data, all of it with clear() using a different script. Is there any way to prevent this? Is it only my end that will be able to do it or could I load a script from a site has a hidden clear() method and destory all other javascript apps data?
3. If item (2) is true, any ideas on how to protect my scripts data for the user from the clear method?
4. if item (2) is false, cool, my first idea is to create a uniqnue string random string and ask the user to creat a password to encrpt that string and just use that string with enumeration added to it for the keys.
5. Does anyone know where localData is stored? Is it encrypted already, in plain text, in well-known or hidden location?
Using Ubuntu 10.x with default user www-data I can view the page that I normally have that uses a slideToggle function that works outside of Apache.
It's not working when hosted on Apache. The rest of the site is viewable using [URL]..
I am implementing Captcha security check on the register page and seem that I am unable to find the Captcha image/picture. Does anyone know where can i download such images?
CAD
PS: I am currently doing a project on security of the site and i hope that all the threads started by me will benefit people in this forum. ;)
I have been trawling everywhere, I cannot find a solution anywhere for the following:
I need a webpage with two list boxes and a text box, I want the two listboxes to be dynamic/cascading (the second dependant upon the choice in the first).
And the textbox dependant upon the selection from the second listbox.
This data has to come from a XML file stored on the local PC or Network drive.
Most importantly I do not want the user of the page to be prompted with the activeX warning.
The PC's are secure so I cannot tweak the reg, it gotta work completely with XML, XSL, Javascript etc only Can this be done if so please can someone post a simple example.
