How does Blazor hijack the Browser-Back button? - browser

Blazor-Server apps use the SignalR circuit.
I can somewhat understand how there is JS that change events happening from the DOM, so instead of sending a new HTTP GET request the framework manipulates the DOM and displays the new blazor page.
But how is it even possible that the circuit is still active and working on page back button? This is a BROWSER FEATURE, not some html element, which can be changed, right? Would it not be a security issue if the browser back button behavior can be manipulated in different ways?
Not firing a new HTTP GET request on page back seems pretty hacky. Wouldn't that allow for malicious websites to do the same? Can websites access the last page visited with that??
How does the browser "know" that the last page should also use the same websocket circuit?
Is it then possible to tell the browser that it should establish a websocket on a past page, that didn't even have any before (would seem like a security risk)?
How does the back button differ from hitting "enter" in the address bar (which will always cut and establish a new circuit)?
Is the back button exactly the same as calling JS history.back() ?

Related

Checking other users are viewing this page in Node Express

I have a NodeJs Express app and when a particular user goes to a page/route would like to identify and display if another user is currently viewing the page as well. So for example it would say "Jerry currently viewing this page" and someone else goes there.
Is there any easy/lightweight way to do this?
First off, with a regular web page, the server only knows who and when a page was requested. It doesn't, all by itself, know whether that user is still viewing that page or not. The user could have closed the browser, typed something else in the URL bar, the computer could have gone to sleep, etc...
Second off, even if the page is still being displayed in the browser, you can't know if someone is actually there at the computer or not. The best you could do is to try to keep track of activity in that web page (last mouse click, recent mouse movements over the web page, etc...).
Then, to even have any idea of the web page is even still open in the browser, you need some way of tracking that notion. There are two possibilities I can think of.
You can have some Javascript in the web page that regularly (say once every few minutes) sends a small little ajax call to your server that basically just says "I'm still here". This wouldn't know immediately when they left the page, but if the server finds that the usual every few minutes ajax call didn't come, then the server can change the status of that user on that page to not there any more.
If that web page makes a webSocket or socket.io connection to the server and keeps that connection alive, then whenever the browser closes or the user closed that tab or navigates to another page, that webSocket or socket.io connection will get automatically closed and the server will be notified that the socket got closed. Using this technique, the server can know pretty much right away when the user leaves the page.

How to implement logic based on external redirects?

I'm building a website for a client (real estate), and on the website are links to a different website (adverts for properties). My client routinely activates and deactivates these adverts when he rents out a certain property.
The hrefs on my links look something like this:
<a href="https://domain.xx/estate/idxx/des-crip-tion-xx-xx-x-xx/">. If the advert is indeed active, it just takes them to the advert. If it is not active, however, the website in question redirects the user to https://domain.xx/estate-for-rent/city/, effectively sending the users to my client's competition.
I wish to implement some logic where, before handing the users over to the other website, the server checks to see if it is redirected to https://domain.xx/estate-for-rent/city/, or some similar logic, and if so, uses preventDefault, or something, and notifies the user that the advert is not available instead of sending them to the other website.
I wonder if I can use the fact that only if the advert is active does the resulting url in the users browser window (after they've been directed to the other website) match the url in my href. Can i somehow get the server to try to access the url in my href, and have it see where it gets redirected, and then do something based on that? On the back-end, I'm running NodeJS with Express by the way, and if it matters, I'm relying heavily on EJS for templating. Thanks in advance for any help!
This sounds more like a problem you could solve on the client as opposed to the server. For example, at a high level here's how I would do it:
Handle the click event for each link (really simple to do a catch-all with jQuery)
Fire off a HEAD request via AJAX to the destination URL (this would be much more efficient than a GET but depends on the external service supporting this verb)
Use the status code to determine what to do next (e.g. 2xx allow redirect, 3xx pop a message and block)

After clicking Browser back button, BeforePageLoad-Code not run

My problem is that after clicking the Browser back button the code in the BeforePagesLoad-Event not triggered. There is a function to get set an object in a manged bean.
I dry to set the cache control to no-store but that don't work. the-order-of-events-in-xpages
Is there a way to trigger a event after clicking the browser back button?
I am no x-pages expert, but it looks to be a server side technology, meaning that a server call must be made in order for the code to run.
The first thread is a solution for forcing a page reload via cookies, while the second involves javascript/jquery. The second also may touch on some cache control of different browsers.
Force a page refresh when page visited from back button
Is there a cross-browser onload event when clicking the back button?

Prevent direct access to some page in JSF

I want to restrict direct access to certain page in my application. Those pages can only be accessible if the user is redirected to those pages by the application.
All the redirections are done via ExternalContext#redirect(url) method.
User can use back and forward button, also can refresh the page by pressing F5 or via browser's refresh button. What I want is user cannot save, or bookmark URLs of some page, also cannot copy those redistricted URL and paste and go via address bar of the browser.
Followings are the cases:
Say, I have Page-A and Page-B.
Redirection is done to Page-B from Page-A.
User can go back to Page-A and can come again to Page-B by using browser's back and forward button.
User can refresh Page-B and he/she will stay in Page-B.
User CANNOT copy the URL of Page-B and access it later time (in new tab or by bookmarking).
Is it feasible? Any pointer would be very helpful to me.
I don't think you can do all that from JSF.
Your obvious alternative is to use Javascript.
I never herd a concept of disabling Bookmark option in Browser using Javascript. However you can always disable the address field if you open the page in new Window.
You can solve it with
JSF Navigation Handler - set a session attribute from some previous page and expire the value after some time with a timer. From the Handler impl check the value of the attribute and restrict access e.g. redirect to some other page in case the value is not present.
You can achieve similar behaviour with web frameworks. Enforcing controlled navigation is a basic feature in most WEB FXs e.g. JBoss Seam conversations or Spring Web Flow controlled navigation implementations.

Google Chrome Extension - prevent cookie on jquery ajax request or Use a chome.extension

I have a great working chrome extension now.
It basically loops over a list of HTML of a web auction site, if a user has not paid for to have the image shown in the main list. A default image is shown.
My plugin use a jQuery Ajax request to load the auction page and find the main image to display as a thumbnail for any missing images. WORKS GREAT.
The plugin finds the correct image url and update the HTML Dom to the new image and sets a new width.
The issue is, that the auction site tracks all pages views and saves it to a "recently viewed" section of the site "users can see any auctions they have clicked on"
ISSUE
- My plugin uses ajax and the cookies are sent via the jQuery ajax request. I am pretty sure I cannot modify the cookies in this request so the auction site tracks the request and for any listing that has a missing image this listing is now shown in my "recently viewed" even though I have not actually navigated to it.
Can I remove cookies for ajax request (I dont think I can)
Can chrome remove the cookie (only for the ajax requests)
Could I get chrome to make the request (eg curl, with no cookie?)
Just for the curious.
Here is a page with missing images on this auction site
http://www.trademe.co.nz/Browse/SearchResults.aspx?searchType=all&searchString=toaster&type=Search&generalSearch_keypresses=9&generalSearch_suggested=0
Thanks for any input, John.
You can use the webRequest API to intercept and modify requests (including blanking headers). It cannot be used to modify requests which are created within the context of a Chrome extension though. If you want to use this API for cookie-blanking purposes, you have to load the page in a non-extension context. Either by creating a new tab, or use an off-screen tab (using the experimental offscreenTabs API.
Another option is to use the chrome.cookie API, and bind a onChanged event. Then, you can intercept cookie modifications, and revert the changes using chrome.cookies.set.
The last option is to create a new window+tab in Incognito mode. This method is not reliable, and should not be used:
The user can disallow access to the Incognito mode
The user could have navigated to the page in incognito mode, causing cookie fields to be populated.
It's disruptive: A new window is created.
Presumably this AJAX interaction is being run from a content script? Could you run it from the background page instead and pass the data to the content script? I belive the background page operates in a different context and shouldn't send the normal cookies.

Resources