I've managed to link my native application to a website and launch the same on a button click. As the website is trusted, the URL bar is not visible. In the launched website there is a button which then further redirects to another website. I've created a digital asset link for both and have added the JSON file in <websitename>/.well-known/<json-file>.
Both the websites have also been referenced in strings.xml under
asset_statements. However, on launching the first website and then redirecting to the second website from the first, the second website launches as a regular custom chrome tab with the URL bar visible.
Is it possible to hide both the URL's? If so, how?
To enable multi-domain, you need to check 3 things
Each origin has a .well-known/assetlinks.json file
The android asset_statements contains all origins
Tell the Trusted Web Activity about additional origins when launching.
It seems you have the first two points covered, but not the last one.
Using the support library LauncherActivity:
If using the LauncherActivity that comes with the library, you can provide additional origins by updating the AndroidManifest:
Add a list of additional origins to res/values/strings.xml:
<string-array name="additional_trusted_origins">
<item>https://www.google.com</item>
</string-array>
Update AndroidManifest.xml:
<activity android:name="com.google.androidbrowserhelper.trusted.LauncherActivity"
android:label="#string/app_name">
<meta-data
android:name="android.support.customtabs.trusted.ADDITIONAL_TRUSTED_ORIGINS"
android:resource="#array/additional_trusted_origins" />
...
</activity>
Using a custom LauncherActivity
If using your own LauncherActivity, launching with additional origins can implemented like this:
public void launcherWithMultipleOrigins(View view) {
List<String> origins = Arrays.asList(
"https://checkout.example.com/"
);
TrustedWebActivityIntentBuilder builder = new TrustedWebActivityIntentBuilder(LAUNCH_URI)
.setAdditionalTrustedOrigins(origins);
new TwaLauncher(this).launch(builder, null, null);
}
Resources:
Article with more details here: https://developers.google.com/web/android/trusted-web-activity/multi-origin
Sample multi-origin implementation: https://github.com/GoogleChrome/android-browser-helper/tree/master/demos/twa-multi-domain
Related
I am using MVC 5 to build an application. In my web.config I have defined a custom section which I will use to display menu to user. It is something like:
<Menus>
<Menu>
<MainMenu Title="Home"></MainMenu>
<SubMenus>
<SubMenu Title="Page1" PageName="home/index" ADGroup="BusinessUsers">
<SubMenu Title="Page2" PageName="home/index2" ADGroup="ITUsers">
</SubMenus>
</Menu>
<Menu>
<MainMenu Title="About Us"></MainMenu>
<SubMenus>
<SubMenu Title="Another Page1" PageName="about/mypage1" ADGroup="BusinessUsers">
<SubMenu Title="Some Other Page" PageName="about/mypage2" ADGroup="OtherUsers">
</SubMenus>
</Menu>
</Menus>
I am using Windows authentication and everyone will have access via AD groups. By default I have denied access to all users using authorization rule in web.config like below:
<authorization><deny users="*"/></authorization>
Is it possible to define authorization rules based on MENU above in Application_Start at runtime? Something like:
Global.Filters.AuthorizeUser("BusinessUsers", "home/index, about/mypage1");
Global.Filters.AuthorizeUser("ITUsers", "home/index2");
What you're doing here isn't a standard way of defining a menu, so there is no standard way of enforcing authorization on it. You will need to implement it yourself.
Somewhere in your code during a request, you will have to loop through each SubMenu and use HttpContext.Current.User.IsInRole("DOMAIN\\GroupName") to test whether the user is in the appropriate group. I can't give you any further direction than that without seeing more of your code.
I'm sure you have your reasons for putting this in web.config, but what I have done in my own projects is define the menu in a partial view and check the roles right in the view:
#if (HttpContext.Current.User.IsInRole("DOMAIN\\GroupName") {
Some menu item
}
If you're worried about being able to update the menu items without recompiling the whole project, then that's still fine since the cshtml files aren't compiled anyway - you can update it on the fly.
The Favicon Generator assembles a package for webmasters to use in order to have icons available for many different devices. The page comes with a file called site.manifest which is linked to via the following tag in the web page's document <head>:
<link rel="manifest" href="site.webmanifest">
According to Mozilla: "The web app manifest provides information about an application (such as name, author, icon, and description) in a JSON text file. The purpose of the manifest is to install web applications to the homescreen of a device, providing users with quicker access and a richer experience."
Unfortunately if you are using Microsoft's Internet Information Services (IIS), you'll get a 404.3 error if you try and access the site.webmanifest file.
The exact error message is as follows: "The page you are requesting cannot be served because of the extension configuration. If the page is a script, add a handler. If the file should be downloaded, add a MIME map."
How can I properly serve site.webmanifest files in IIS?
By default, IIS does not serve any files that does not have a MIME map associated with it in its (IIS) core settings.
To address this challenge, you will need to map the .webmanifest file extension to its appropriate MIME type.
To accomplish this, open IIS and follow the steps below;
On the left hand side, select either your web site or the entire server in the "Connections" menu.
If you select the server, your MIME mapping will apply to every web site on the server.
If you select a web site, it will only apply to a single web site.
Next, select "MIME Types" from the IIS menu:
Once there, click "add..." from the right hand menu.
In the dialog box that opens specify .webmanifest in the file name extension box application/manifest+json in the MIME type box.
Click "OK".
Congratulations; you've just defined the MIME type for .webmanifest on IIS.
For Azure I added this as the web.config
<?xml version="1.0"?>
<configuration>
<system.webServer>
<staticContent>
<mimeMap fileExtension=".json" mimeType="application/json" />
<mimeMap fileExtension=".webmanifest" mimeType="application/manifest+json" />
</staticContent>
</system.webServer>
</configuration>
For those using ASP.NET Core (I am using 2.1) you can configure the MIME types that can be served in the application Startup.cs file as per the static files docs:
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
FileExtensionContentTypeProvider provider = new FileExtensionContentTypeProvider();
provider.Mappings[".webmanifest"] = "application/manifest+json";
app.UseStaticFiles(new StaticFileOptions()
{
ContentTypeProvider = provider
});
app.UseMvc();
}
Easier solution is to rename your manifest file to site.webmanifest.json and link as
<link rel="manifest" href="site.webmanifest.json">
IIS should already have a MIME Type for .json files
This is also helpful if deploying to Azure where its not so easy to change the IIS settings.
Adding to #Ben's answer: if you have a SPA you should put StaticFileOptions code into the UseSpaStaticFiles() call:
FileExtensionContentTypeProvider provider = new FileExtensionContentTypeProvider();
provider.Mappings[".webmanifest"] = "application/manifest+json";
app.UseSpaStaticFiles(new StaticFileOptions()
{
ContentTypeProvider = provider
});
I found that the IIS server had ".json" listed in the Request Filtering feature saying it was not allowed.
Removing that allowed the file to be served.
We have a main public site, abcd.com, which is using SharePoint Office 365 and another replica SharePoint site using this format - abcd-public.sharepoint.com.
For some reason,
<link rel="canonical" href="http://abcd-public.sharepoint.com:80/Pages/Home.aspx" />
shows up on every page our main public website (abcd.com). The path above changes depending on the page the user is on.
If I understand this correctly, this could be one of the reason why our site does not show up on google search result at all. If possible, we would like to reverse the behavior so the SharePoint version of the site has the canonical url = abcd.com.
or
Is there a way to completely remove the canonical url from the main website (abcd.com)? Or is there some sort of a setting that could help our site to show on google search result?
I had the same problem and the only solution that I found is create a webpart to put in the masterpage and in the prerender event of the webpart put this lines of code:
protected override void OnPreRender(EventArgs e)
{
base.OnPreRender(e);
HttpContext.Current.Items["CanonicalURLWithParameters"] = "http://example.com/customurl";
}
Sergio
Our site is not currently safe from clickjacking, so I went into the web.config and added
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="X-Frame-Options" value="DENY" />
</customHeaders>
</httpProtocol>
</system.webServer>
This is very straight forward code. My issue is that it's just not working. The questions I have are:
Is there a way for me to see if the X-Frame-Options is in the header response? I looked for it with httpfox and got nothing, so I can't verify if the web.config is actually putting things in the header.
Why is this not working? What can I do to test or move forward?
I did try to add it in the Global.asax in the Application_Start method, but I cant seem to "hit" this method when I debug; it does not hit breakpoints.
private void Application_Start(object sender, EventArgs e)
{
// Code that runs on application startup
HttpContext.Current.Response.AddHeader("x-frame-options", "DENY");
LogHelper.Info("Cost of Care Web Application Starting");
}
I would like to add that I have tried to add it straight into the head tag and I've also tried to add it in a meta tag like so
<meta http-equiv="X-Frame-Options" content="deny">
The X-Frame-Options header can be used to control whether a page can be placed in an IFRAME. Because the Framesniffing technique relies on being able to place the victim site in an IFRAME, a web application can protect itself by sending an appropriate X-Frame-Options header.
To configure IIS to add an X-Frame-Options header to all responses for a given site, follow these steps:
Open Internet Information Services (IIS) Manager.
In the Connections pane on the left side, expand the Sites folder and select the site that you want to protect.
Double-click the HTTP Response Headers icon in the feature list in the middle.
In the Actions pane on the right side, click Add.
In the dialog box that appears, type X-Frame-Options in the Name field and type SAMEORIGIN or DENY in the Value field.
Click OK to save your changes.
Since my comments answered the question here's the end result:
For some reason setting the X-Frame-Options in web.config doesn't seem to actually work even though the documentation makes it sound like it should.
An easy work around is to set the headers manually using:
Response.AddHeader("X-Frame-Options", "DENY");
If you need this set for every request with no exceptions you can add the Application_BeginRequest to Global.asax:
protected void Application_BeginRequest()
{
Response.AddHeader("X-Frame-Options", "DENY");
}
The answer of siva.k does not work in connection with MVC5 as the header is generated twice here. The following code should work:
protected void Application_Start()
{
// MVC5 generates the "X-Frame-Options SAMEORIGIN" header by default, the following line disables the default behaviour
System.Web.Helpers.AntiForgeryConfig.SuppressXFrameOptionsHeader = true;
}
protected void Application_BeginRequest()
{
Response.AddHeader("X-Frame-Options", "DENY");
}
The SuppressXFrameOptionsHeader flag was mentioned here: https://stackoverflow.com/a/20262211/3936440
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Content-Security-Policy" value="default-src: https:; frame-ancestors 'self' X-Frame-Options: SAMEORIGIN" />
</customHeaders>
</httpProtocol>
</system.webServer>
Your web.config entry needs to be under content security policy to make use of current coding not previously depreciated. The value under content security policy of value="default-src: https: is unique to your website.
The content that matters is what comes after 'value="default-src: https:' but most importantly is contained within Content Security Policy.
Here is another thing to consider:
If you have a separate back-end and UI projects (as is very common for REST based sites), make sure that you put X-Frame-Options in the UI web.config. Your API is probably allowing cross site calls so adding the header to your API project would make no sense.
I found that some file types (.asp and .htm files) were getting the X-Frame-Options header added by this mechanism and others (.js) weren't. Using the IIS Admin utility I removed the header from the application level and added it at the server level, and then all files were getting the header added.
I have created a simple site definition for WSS 3.0 which uses a feature, this feature provisions a master page into the masterpage gallery.
This works absolutely fine, and once I've created a site from the definition I can go into the masterpage gallery and view my provisioned file.
If, however, I set the MasterUrl in my Configuration node of onet.xml and then create a new site from it, it fails. After clicking create it redirects me to the new site automatically but presents me with a file not found error. So I type in the url to the settings page and click to view the masterpage gallery which then gives me a file not found error again.
I'm not sure what's going on, but it looks to me like setting the MasterUrl prevents it from creating the correct lists to which the feature can provision the masterpage to. Can anyone shed any light on this matter for me please?
Here is the webtemp*.xml:
<?xml version="1.0" encoding="utf-8"?>
<Templates>
<Template Name="MasterPageTest" ID="10902">
<Configuration ID="0"
Title="MasterPageTest"
Description="Testing master page deployment"
Hidden="FALSE"
ImageUrl="/_layouts/images/stsprev.png"
DisplayCategory="Test"
/>
</Template>
</Templates>
And the onet.xml (with the masterurl attribute removed):
<?xml version="1.0"?>
<Project Title="MasterPageTest" Revision="3" ListDir="$Resources:core,lists_Folder;" xmlns:ows="Microsoft SharePoint" xmlns="http://schemas.microsoft.com/sharepoint/">
<!-- _locID#Title="camlidonet1" _locComment="{StringCategory=HTX}" -->
<NavBars>
</NavBars>
<ListTemplates>
</ListTemplates>
<DocumentTemplates>
</DocumentTemplates>
<Configurations>
<Configuration ID="0"
Description="Testing master page deployment"
Title="Master Page Test"
Name="MasterPageTest"
>
<!-- MasterUrl="_catalogs/masterpage/MasterPage.master" -->
<Lists>
</Lists>
<Modules>
</Modules>
<SiteFeatures>
</SiteFeatures>
<WebFeatures>
<!-- Masterpage -->
<Feature ID="8175B375-38F5-44E2-950A-9600D5427E17"/>
</WebFeatures>
</Configuration>
</Configurations>
<Modules>
</Modules>
<ServerEmailFooter>$Resources:ServerEmailFooter;</ServerEmailFooter>
</Project>
My first thought was: Why in the onet.xml?
I usually do this using a process called Feature stapling. It is impossible to remove / disable functionality created from a site definition later on (off course you could by hand, or a feature + receiver to remove say a list you don't need for a particular site created from the onet.xml, but you probably get the point).
By using feature stapling, (your / the) site definition stays clean and stays what it is meant to be: a definition of a site, that can be selected during site creation. IMHO, it should be nothing more than an empty container.
Feature Stapling binds features you want activated when a site is created to a (custom) siteTEMPLATE. You can even use this to attach features you want activated on out of the box site definitions as well. For instance, feature stapling is the preferred way of enabling features in the "MySite" and "My Site Host" definitions. The original sitedefintion remains untouched, but your features are activated too!
Now to actually answer your question: The masterpage is probably not available yet when the site definition is used, the onet.xml is processed before any features are activated.
If your site is a publishing site (meaning the publishing related features are activated in the site collection), you can set the masterpage in the Publishing Feature with the ChromeMasterUrl property.
If the site is a regular site, you can do 2 things:
deploy the master page from the onet.xml by moving the <Module> from your masterpage feature to the onet.xml, more info here (figure 1).
don't set the masterpage url in the onet, but use a feature + featurereceiver to set the masterpage url, more info here (downloadable code in article).