I have a page that I want to be loaded only from an iFrame.
I use the solution on this link to do it.
How to identify if a webpage is being loaded inside an iframe or directly into the browser window?
but it doesn't work in IE so I use conditional comments like this
<!--[if IE 9]>
<script type="text/javascript">
window.location = "http://mysite.com/nodirectvisit.html";
</script>
<![endif]-->
Together they are now working in IE, Chrome, FF, and Opera.
I just want to ask if there are still other ways to visit my page directly?
Thanks
If a user disables javascript, then your code will not run. Maybe use Sessions to track from where users are coming from?
Anyone with javascript disabled or NoScript would be able to open the page directly. The javascript should prevent the majority of users.
You can check the referrer of the iframe page to make sure it's the page that contains the iframe. The referrer isn't the most reliable field, but if you're more worried about people visiting the page not in an iframe than people not being able to see it at all, that might be the way to go.
Related
I am working on this simple app which requires me to set custom referer value before redirecting.
Suppose A clicks on link X which I posted in Facebook. Now if I check the referer value in my server, then it shows 'facebook.com'. Now A after clicking link X is being redirected to B and B shows referer 'facebook.com'. But I want it to show 'mywebsite.com' in B instead of 'facebook.com'. How can I achieve this?
Please note that I read in MDN about the 'Forbidden Header Names' but there's this website called Hitleap which is a traffic exchange website. They let users set custom referer values for the traffic they send. So I guess it's possible to do it.
This is my route:
router.get('/:id', (req, res) => {
res.set('Referer', 'https://mywebsite.com');
res.redirect('https://boomboom.com');
});
UPDATE
I've found that it's not possible in conventional methods of setting the header. So, I have been thinking of achieving this result by using the following two methods but I don't know if that is going to work. So looking for feedbacks.
Method 1:
So when a user clicks on my link, he will visit a page on my server before redirecting to the final destination. The page on my server will just say "redirecting". And when that happens I will also set the full header for the user, including "Referer" field. Then redirect to the actual page.
Method 2:
Same approach as method 1 but this time I would like to copy the full header from the client but change the referer value when the user is in my "redirecting" page and the redirect to the final destination.
Are any of these processes possible? If you have any other solution please share it here. Thanks
Referer headers in the HTTP protocol go from browser to server, not the other direction. If your server sends one to a browser, the browser ignores it.
Standard commercial browsers make it hard to mess around with the value of the Referer header from browser Javascript. Because cybercreeps. Your plan might be perceived by some websites as an attempt to do a cross-site request forgery attack. So think through your goal carefully.
You could, from your site, serve a page that causes your user's browser immediately to redirect to the desired site. A page something like this may do the trick for you. This means refresh the current page after 0 seconds from the URL https://example.com.
The title tag sets the browser-tab caption to "Redirecting..." while the refresh is in progress. I've found that useful in single-signon redirection. It lets a user know something is coming.
<html>
<head>
<meta http-equiv="Refresh" content="0; URL=https://example.com/">
<title>Redirecting...</title>
</head>
</html>
If that doesn't set the correct Referer, which it might not in all browsers, you can use a little bit of Javascript to load an invisible form and then submit it immediately.
This tiny page might do it for you:
<html>
<head>
<title>Redirecting...</title>
</head>
<body>
<form method="GET" action="https://example.com/">
</form>
<script>
window.onload = function(){{
document.forms[0].submit()
}}
</script>
</body>
</html>
This second approach won't work if your user disables browser Javascript. But, then again, most websites won't work in that case.
You can troubleshoot all this with your browser devtools Network tab. It shows headers for each request.
I have a website that i've set up through google sites. I have a link to an external webpage. What I'd really like to have happen is, if someone clicks the link, it shows a jpg picture for about 5 seconds and then forwards them off to the linked website. Is there a way to do that?
Thanks,
Rich
Adding to following tag:
<META http-equiv="refresh" content="5;URL=http://example.com">
to the <head> section of a webpage will redirect the user to example.com, or whatever the URL value is. You can display an image in the <body> section of this page. This seems like the simplest way to accomplish what you want.
I'm trying to use Video.js to display a small video on our team sharepoint page (Sharepoint 2007). It works great, but the 'Do you want to view only the webpage content that was delivered securely?' alert always displays when you navigate to the page. The security settings on the computers cannot be changed, but is there any way I can avoid this alert being displayed?
Thanks in advance for any help.
Thanks,
Simon
This is happening because the page being accessed is served over HTTPS, but some content loaded remotely comes from HTTP. If you're using the Video.js CDN-hosted files, you'd want to change the include tags to look like this:
<link href="//vjs.zencdn.net/4.3/video-js.css" rel="stylesheet">
<script src="//vjs.zencdn.net/4.3/video.js"></script>
These are called protocol relative urls, meaning it will use whatever protocol the page is to load the files.
Hope that helps!
I have a chrome extension where the popup.html simply has an iframe that loads a page.
I want to allow users to select their language, and as I'm helping a charity do this each language page is very different as they need very different content based on the country!
Therefore, I can't just replace some of the fields like the google developer page example does; I need to change the page that is loaded in the iframe.
e.g. In my directory where the pages are stored I have english.html, german.html, spanish.html all of which are completely different pages.
By default the english.html page loads in the iframe, but the user should be able to go into the options file and select german so when they click on the extension the german.html loads by default every time.
Here is the jsfiddle showing what I currently have in the popup.html, and the popup.js:
http://jsfiddle.net/hemang2/EDV82/
You'll see the flickr API being called, but that's only there because I wasn't sure how to get rid of it!
So essentially my question is how to link the options file to change the default url loaded in the iframe.
Use the setPopup method: http://developer.chrome.com/extensions/browserAction.html#method-setPopup
It allows you to set any html file as your popup.
I'm currently building a website for our business, where the website is expected to work perfectly, even back to the earlier IEs down to 7.
URL - https://secure.marietta.at
The page does not load any insecure content in Chrome, but I can see in IE that there is a GET param sent to http://marietta.at, which in turn redirects to http://en.marietta.at
I have no idea where I've specified this. I tried deleting scripts, checking the css, debugging with IE's own debugging tool and in HttpWatch Studio. I can't find the offending piece of code.
Are there any particular gotchas in IE that might trigger this warning?
Your HTML source contains the line
<script type="text/javascript" src="js/jquery.min.js"></script>
which makes the browser try to fetch the URL https://secure.marietta.at/js/jquery.min.js. However, this URL doesn't actually return any JavaScript code like you'd expect it to, but instead redirects to http://marietta.at/.
The fact that you later load another, working copy of jQuery from another URL hides this problem.
I would suggest either of the following solutions:
Remove the broken jQuery URL from the page.
Put an actual copy of jQuery at that URL so that it works (and remove the other, now redundant copy from the page).
I'd also suggest configuring your webserver so that it doesn't redirect from HTTPS to HTTP URLs, as that may violate the user's security expectations in general.
Load your page in IE and view the source code. There are quite a few hard coded references to http://en.marietta.at. Seems like some of your jQuery calls might be loading that "insecure" content
Ok, I've figured it out - never load JQuery twice (esp. from with an invalid URI). I've mistakenly left it in the <head> and just above the <body> tag which resulted in the SSL error. Deleted one, which got rid of the error.