Cms Cockpit does not show preview - sap-commerce-cloud

Cockpit generates an ID (cmsTicketId) related with the session in order to store the preview and show it. The problem seems that the content associated with cmsTicketId is not properly generated and it is empty or does not exist, for this reason I can not see the preview.
This is very strange because in my local environment it sometimes works in Chrome or Opera but never in Firefox.
Anyway, it is not working anymore in other environments.
Can anyone give me a clue about what I can do?
Regards,
Martin
Hybris log:
WARN 16:13:05 [hybrisHTTP21] [] [] [] [ContextInformationLoader] Cannot find CMSSite associated with current URL (https://localhost:9002//previewServlet?cmsTicketId=6475866320580704c9dd84aa-ed00-4fe4-88f1-7e92cd0f95a5)!
Browser log:
HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=04D8A8EE7DD8DDA58232935EB3A4E712; Path=/; Secure; HttpOnly
Location: https://localhost:9002/preview-content?uid=md-customer- communications&cmsTicketId=6475866320722032b3feb2da-29ab-4545-b2a6-8fba42dc4e48
Content-Length: 0
Date: Thu, 07 Apr 2016 13:43:57 GMT

You should check that the WCMS is "cleaner". Check the URL in the Hybris configuration (via hmc):
- WCMS -> Websites -> WCMS Cockpit Properties
- WCMS Cockpit Preview URL should contain only your site information or anything; generally it should contain only the following information "?site=mysite" where "site" is the ID (in this case "mysite") of the Website you have currently open.
Best regards,
Gianluigi

Related

CloudFront Modify JS / CSS Content

My website's theme is broken when I am serving JS and CSS via CloudFront. Further troubleshooting shows that some JS and CSS contents are different from the origin and I suspect this is the reason. Is it possible that CF has some kind of optimization features that modify our JS /CSS content? If yes, how can we disable or fix this problem?
I believe it is not a caching problem because there aren't any changes to the origin's file after CF was enabled. Also, I've tried to invalidate /wp-content/uploads/sites/2386/bb-plugin/cache/* but am still getting the same behavior. As shown in the print screen below, I've also set query string to "Forward all, cache based on all".
Below are the JS and CSS files that are different by comparing the origin and CF, and my CF settings print screen:
JS
(Origin) https://www.seeustosee.com/wp-content/uploads/sites/2386/bb-plugin/cache/2650-layout.js?ver=774d199e19697e00bc26b83ff78afa2c
(CF) https://da4e1j5r7gw87.cloudfront.net/wp-content/uploads/sites/2386/bb-plugin/cache/2650-layout.js?ver=774d199e19697e00bc26b83ff78afa2c
CSS
(Origin) https://www.seeustosee.com/wp-content/uploads/sites/2386/bb-plugin/cache/2650-layout.css?ver=774d199e19697e00bc26b83ff78afa2c
(CF) https://da4e1j5r7gw87.cloudfront.net/wp-content/uploads/sites/2386/bb-plugin/cache/2650-layout.css?ver=774d199e19697e00bc26b83ff78afa2c
CF Behavior Settings
https://imgur.com/XiPDq0X
CloudFront does not modify payload. Even when Compress Objects Automatically is enabled (which it isn't), the compression is transparent gzip that results in a response body identical to the original, after decompression.
But take a look at your response headers, and you'll see the problem. Your origin server is Nginx, but you don't have CloudFront configured to use that server as the origin for these requests. You have CloudFront sending the requests to an Amazon S3 bucket. The JS file there is from August 28, 2019.
Content-Type: application/javascript
Content-Length: 18371
Date: Fri, 31 Jan 2020 02:21:42 GMT
Last-Modified: Wed, 28 Aug 2019 06:53:02 GMT
Server: AmazonS3

Google Sheets API Post

I'm working on a chatbot project. I want users to be able to enter list items onto a Google Sheet. The chatbot is on DialogFlow, I created the intent, and toggled the webhook on. I am now in Google Cloud Functions and creating a function to POST the new item on the google sheet. I have already been successfully able to read (GET) the list of items from the sheet to be displayed to the user in the chatbot.
I am new to nodejs and admittedly don't know much about Oauth, but I set my sheet to be able to be edited by anyone on the internet and I have a working API key as well. To try to just get down to basics, I went on https://apitester.com to test the HTTP request there. I can GET a response easily that returns the list of items I already have. However, my POST response is still returning issues, although the site did indicate that the request "PASS"ed.
My POST request
https://sheets.google.com/v4/spreadsheet/<SPREADSHEETID>/values/A1:append?includeValuesInResponse=true&key=<MY_API_KEY>
where <SPREADSHEETID> and <MY_API_KEY> match my credentials.
My request body:
{
"values": [ ["Hello", "World"] ],
"range": "Sheet1!A1:B1",
"majorDimension": "ROWS"
}
Response:
HTTP/1.1 301 Moved Permanently
Location: https://docs.google.com/spreadsheets?usp=direct_url
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Thu, 18 Oct 2018 07:31:14 GMT
Expires: Sat, 17 Nov 2018 07:31:14 GMT
Cache-Control: public, max-age=2592000
Server: sffe
Content-Length: 248
X-XSS-Protection: 1; mode=block
Alt-Svc: quic=":443"; ma=2592000; v="44,43,39,35"
I looked up the 301 error code and found that it is a redirection message that signifies a server-side error. I read that it should be self-fixing as your request will just be redirected to the appropriate site in the Location value above. But I also copied the Location link and found it just took me to my personal Google Drive. I read elsewhere that this may occur because Google is communicating over a secure link. I checked my Google sheet just in case, but nothing had changed there.
Anyway, is it possible to test the append request before I code it into my Google Cloud Function? If so, where can I test and how can I make sure that the request goes through (with hopefully just an API key and no Oauth creds)?
I tried doing this on the documentation page (https://developers.google.com/sheets/api/reference/rest/v4/spreadsheets.values/append) ("Try This API" on the right-hand side) but I just get a never-ending red progress circle.
Please help! If the only answer is Oauth, please help me past directing me to the Oauth documentation, as I have not found that very helpful.
Thank you!
EDIT 1
Okay, I have been trying some things out. Oauth playground wasn't working for me, but this website (https://developers.google.com/apis-explorer/#p/sheets/v4/sheets.spreadsheets.values.append) allowed me to POST a new row to my spreadsheet. (I had to toggle Authorize OAuth 2.0 to ON.)
So now I have the Oauth working, how can I translate this into my Google Cloud Function using node.js? Do I save my Oauth tokens to certain variables and then add them to headers?

How does a web browser determine what to do with a resource?

In the browser's address bar, I can specify a resource using any extension or none, e.g., http://www.something.com/someResource.someExtension. How does the browser determine what to do with this resource? e.g., should the browser parse it as an HTML document, or treat it as some script? Is there a notion of a resource type? Thank you.
P.S. I could not believe what I was thinking! :( (see my flaw in the comment to Luka's answer). How could the browser look at a resource locally! The browser is a client, and the resource resides on the server side. Duh! (I've found myself on this "mental" drug occasionally)
The HTTP response returned by server typically contains "Content-type: text/html" or similar line (application/octet-stream, etc).
Here's an example (the easiest way to view similar results is to open firebug's Net tab):
Cache-Control public, max-age=60
Content-Encoding gzip
Content-Length 9334
Content-Type text/html; charset=utf-8<----------------here's it
Date Sat, 05 May 2012 20:34:36 GMT
Expires Sat, 05 May 2012 20:35:36 GMT
Last-Modified Sat, 05 May 2012 20:34:36 GMT
Vary *
It looks at the Mime Type of the document.
HTML pages have the mime type text/html, JPEG images have image/jpeg
More information: http://en.wikipedia.org/wiki/Internet_media_type
It does using MIME types http://en.wikipedia.org/wiki/Internet_media_type.

Trying to pass PCI compliance but have a cross-site scripting issue

I'm currently trying to pass PCI compliance for one of my client's sites but the testing company are flagging up a vulnerability that I don't understand!
The (site removed) details from the testing company are as follows:
The issue here is a cross-site scripting vulnerability that is commonly associated with e-commerce applications. One of the tests appended a harmless script in a GET request on the end of your site URL. It flagged as a cross-site scripting vulnerability because this same script that was entered by the user (our scanner) was returned by the server unsanitized in the header. In this case, the script was returned in the header so our scanner flagged the vulnerability.
Here is the test I ran from my terminal to duplicate this:
GET /?osCsid=%22%3E%3Ciframe%20src=foo%3E%3C/iframe%3E HTTP/1.0
Host:(removed)
HTTP/1.1 302 Found
Connection: close
Date: Tue, 11 Jan 2011 23:33:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: http://www.(removed).co.uk/index.aspx?osCsid="><iframe src=foo></iframe>
Set-Cookie: ASP.NET_SessionId=bc3wq445qgovuk45ox5qdh55; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 203
<html><head><title>Object moved</title></head><body>
<h2>Object moved to here.</h2>
</body></html>
The solution to this issue is to sanitize user input on these types of requests, making sure characters that could trigger executable scripts are not returned on the header or page.
Firstly, I can't get the result that the tester did; it only ever returns a 200 header which doesn't include the location, nor will it return the object moved page. Secondly, I'm not sure how (on IIS 6) to stop it returning a header with the query string in it! Lastly, why does code in the header matter? Surely browsers wouldn't actually execute code from the HTTP header?
Request: GET /?osCsid=%22%3E%3Ciframe%20src=foo%3E%3C/iframe%3E HTTP/1.0 Host:(removed)
The <iframe src=foo></iframe> is the issue here.
Response text:
<html><head><title>Object moved</title></head><body>
<h2>Object moved to here.</h2>
</body></html>
The response link is:
http://www.(removed).co.uk/index.aspx?osCsid="><iframe src=foo></iframe>
Which contains the contents from the request string.
Basically, someone can send someone else a link where your osCsid contains text that allows the page to be rendered in a different way. You need to make sure that osCsid sanitizes input or filters against things that could be like this. For example, I could provide a string that lets me load in whatever javascript I want, or make the page render entirely different.
As a side note, it tries to forward your browser to that non-existent page.
It turned out that I have a Response.redirect for any pages which are accessed by https which don't need to be secure and this was returning the location as part of the redirect. Changing this to:
Response.Status = "301 Moved Permanently";
Response.AddHeader("Location", Request.Url.AbsoluteUri.Replace("https:", "http:"));
Response.End();
Fixed the issue
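Added example, not part of the original posts and not the site's code: a Python sketch (rather than ASP.NET, so it runs stand-alone) of a redirect that keeps the request's query string percent-encoded in the Location header and HTML-escapes it in the "Object moved" body, next to the reflecting behaviour the scanner reported. The function names, `CANONICAL_HOST`, `QUERY_SAFE` and the sample URL are assumptions constructed for illustration.

```python
import html
from urllib.parse import quote, unquote, urlsplit, urlunsplit

CANONICAL_HOST = "www.example.test"  # assumption: taken from site config, never from the request
QUERY_SAFE = "=&%+/?"  # kept literal in the query; '"', '<', '>' and spaces get percent-encoded


def naive_redirect(request_url):
    """The flagged behaviour: the decoded query string is copied into Location as-is."""
    return unquote(request_url).replace("https:", "http:", 1)


def safe_redirect(request_url, host=CANONICAL_HOST):
    """Return (Location value, HTML body) for the https -> http redirect."""
    if "\r" in request_url or "\n" in request_url:
        raise ValueError("CR/LF in redirect target")  # would split the header
    parts = urlsplit(request_url)
    location = urlunsplit((
        "http",
        host,
        quote(parts.path, safe="/%"),
        quote(parts.query, safe=QUERY_SAFE),  # '%' stays, so existing escapes are not doubled
        "",  # drop any fragment
    ))
    # The "Object moved" body repeats the target, so escape it for the attribute context too.
    body = (
        "<html><head><title>Object moved</title></head><body>\n"
        '<h2>Object moved to <a href="%s">here</a>.</h2>\n'
        "</body></html>" % html.escape(location, quote=True)
    )
    return location, body


if __name__ == "__main__":
    # Constructed sample: the scanner's request from the report, on a placeholder host.
    sample = "https://www.example.test/index.aspx?osCsid=%22%3E%3Ciframe%20src=foo%3E%3C/iframe%3E"
    print("naive:", naive_redirect(sample))
    location, body = safe_redirect(sample)
    print("safe: ", location)
    print(body)
```

Run against a decoded or an already-encoded query string, `safe_redirect` yields the same Location value, which is the property to re-test with the scanner's request.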

Why Does My Website Redirect me to my localhost?

Alright, my website has some issues that I'm not sure what's causing them. Visit this page http://online-file-sharing.net/tos.html and click one of the bottom footer links... it redirects you to your localhost in the address bar. I have no idea why it does this. I'm hosting this website on my own server, which is this computer, and using Xampp. If this information helps. Anyways any help would be greatly appreciated! I'm also using DYNDNS as my nameservers.
I've already asked this question on superuser and webapps QnA sites; neither could help. They said to come here. Another thing to note is that this website runs on one script and not multiple scripts (upload.cgi). However there are three files that aren't dynamic and aren't part of the upload.cgi file... these are about.html, browse.html and tos.html.
Another thing to note is that my homepage which is upload.cgi can only be accessed by manually typing in online-file-sharing.net/cgi-bin/upload.cgi (which isn't its real location but it seems to recognize it this way... but redirects me to my localhost).
.htaccess file code:
DirectoryIndex upload.cgi
My upload.cgi path code:
my $version = "4.14";
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
($ENV{DOCUMENT_ROOT}) = ($ENV{DOCUMENT_ROOT} =~ /(.*)/); # untaint.
#$ENV{SCRIPT_NAME} = '/cgi-bin/upload.cgi';
use lib './perlmodules';
#use Time::HiRes 'gettimeofday';
#my $hires_start = gettimeofday();
my (%PREF,%TEXT) = ();
The script I'm using is FileChucker.
I hope this information is enough to find an answer... if not please let me know and I'll post as much information as you need!
Your footer links are:
Home –
Download Files -
TOS
which point to localhost, so it's doing exactly what you told it to do.
For your upload.cgi, the headers I get back are:
HTTP/1.1 302 Found
Date: Sun, 26 Dec 2010 02:39:06 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Location: http://localhost/?&number_of_files=0&ip=xxx.xxx.xxx.xxx&host=&duration=2 seconds&act=upload_result
Content-Type: text/plain
Content-Length: 0
Connection: close
Notice the Location: http://localhost/... in there, which redirects the browser to localhost.
I have opened your site and checked that the URL in the href is localhost. So it could be you are running any kind of development server and it is running under localhost? The server may be thinking its name is localhost!
