I have implemented WAF on CDN . When I download docx, excel file via CDN through android app , file is downloaded successfully and url looks like https://data.mydomain.com/doc_file
But when I try to download pdf and audio wav file via CDN though android app request, the file doesn't open and prompt message "Cannot be displayed " and url looks like http://data.mydomain.com/pdf_file. Http comes instead of https. But when I disable WAF file is downloaded from this link http://data.mydomain.com/pdf_file.
How to redirect Http to https for pdf download when accessed through CDN and WAF enabled? I have enabled Redirect HTTP to HTTPS in CDN behavior.
Related
Is there any way to set up IIS in a way that no file can be downloaded? (without xml configuration and using the IIS UI only).
I know I can remove all mime-types but that is inconvenient, I'm looking for a better option.
You cannot stop of css or js as the server cannot differentiate between a normal
request and a download request when it comes to css or js.
Say you have a CSS or js included in your webpage any html page .This css file will need to be downloaded by the browser.So at server side(IIS) you cannot differentiate a normal download request or browser request. You can deny the download request if the referrer is not matching.For example if someone take sthe URL and directly copying and pasting it in another browser,the referrer header will not be present.Similarly if someone else hotlink to your resources(css,js files),you can stop that too.
By deny download based on Referrer using URLRewrite
With SSL enabled in my Node.js (Sails.js) app, I am not able to upload large files. My upload was working fine without SSL. At the moment, with SSL configured, I can only upload very small files. I am using "let's encrypt" for SSL certificates. I also realized that this behavior is only visible in google chrome (Version 47.0.2526.106 m), where if I upload over 100Kb files it returns me a 302 Moved Temporarily. Firefox seems to be doing fine.
If a web page that's only served over HTTPS tries to load data (e.g. JSON) that's only available over "insecure" HTTP, Chrome blocks the request with a message that "This page is trying to load scripts from unauthenticated sources".
Is there a meta tag that can be added to the HTML page to override this, allowing the data to be loaded?
This is up to the browser and user now. It's not something you should try to disable.
Here's what you can do:
Change your external URLs to https if the external servers support it
Copy external scripts and serve them from your local server, if possible
If the above are not possible, you will need to setup a reverse proxy and serve them from there. Ex. if external content is at http://external.com/script.js , then change the URL to https://me.com/proxy/external.com/script.js, and have your proxy grab the insecure content and return it as required.
Similiar question: https://stackoverflow.com/questions/22311597/get-vk-video-direct-links-on-client-side-ip-html5
VK.com is a Russian social network sites which also allows you to host videos. They allow you to embed their videos but because of their cross-domain policy, you can't use ajax/flash requests to get the video page on the client side. However, this swf file does that without loading a cross-domain file? (I sniffed the network traffic, it seems as if the flash file doesn't request a crossdomain.xml file but rather directly load the vk.com page http://vk.com/video_ext.php?oid=196471971&id=167752304&hash=9fd63185df970616)
The URL for the swf file is
http://www.jethdfilmizle.com/veka.swf?file=vk.com%2Fvideo_ext.php%3Foid%3D189406059%26id%3D163663575%26hash%3D388c8150742ccb2f&otobaslat=0
Can anybody explain how this works?
I have used p:fileUpload to upload an image. I don't really need to upload the image to the server but I just need to get the full local URL(ie.c:/.../../..) of the file(image) which is saved in the local disk, I tried but I just got the filename with the extension. This is an web application which is used locally, so both sever and client are on the same machine. The URL need to be saved in database.
For security reasons, browsers don't send the full client side file path. They only send the file contents and the file name. Ancient browsers and MSIE are the only browsers who expose the security bug of still sending the full client side file path along with the file upload. You should not be relying on this security bug in your application.
You're supposed to grab the file contents in flavor of InputStream of byte[] and write it immediately to a more permanent storage location yourself by FileOutputStream or perhaps via a #Lob to a BLOB column in DB. You can if necessary use File#createTempFile() to autogenerate an unique filename.
Note that a local disk file sytem path can't represent a valid HTTP URL which the client could use to obtain the file. Browsers like Firefox refuse to serve file:// URLs when the initial webpage itself is opened by http:// instead of file://. So you really need to serve those uploaded files back via a web server. It's recommended to just store only the file name (not full path!) in the DB. You can then configure the webserver to publish a certain folder to the web, or create a simple servlet to serve a certain folder to the web.
See also:
How to save uploaded file in JSF
How to convert Part to Blob, so I can store it in MySQL?
Load images from outside of webapps / webcontext / deploy folder using <h:graphicImage> or <img> tag