IE MIME/content filtering - internet-explorer-6

I'm looking into ways to develop an extension for IE6+ that will allow handling of custom MIME types.
As an example, I need to be able to take a document with a custom MIME type that is returned by the server, perform some processing on it, and then change the MIME type back to something that IE can natively handle, such as text/html or image/jpeg.
I am familiar with the urlmon MIME filters, but they have a huge weakness: they are only invoked for the top-level document, not for any of the additional page content such as images and the like.
The one way I can think of that will work is to hook the HTTP/HTTPS protocol handlers with vtable/IAT patches, similar to the way Google Gears works, so that I can intercept the response headers and modify both the headers and the response body when a document with the specified MIME type is received.
I'm wondering if anybody else has any good ideas on how this could be accomplished in a less hacky/intrusive way.
Edit:
Just thought I'd follow up on this and mention that I went with the vtable patch into the HTTP/S protocol handlers, and it worked much better than I expected. If anybody else is looking to do something like this, I highly recommend taking a look at the HttpHandlerPatch class in Google Gears for some inspiration.

Several years ago, I wrote such extensions, BHOs, IE toolbars, etc., based on a book called Shell Programming in VB6. The book I used is this one: http://oreilly.com/catalog/9781565926707/ It tells you how to hook and trap messages coming into IE. I wrote a kind of screen scraper (post-render style, not like a spider that doesn't execute the JavaScript first). It was based on IE5, but the extensions still work with IE6. I probably still have the VB6 source somewhere. I am not offering to upgrade it to .NET for you, though.
PS. The review on that page by Haroeris Astrum is by me :)

Related

How to write a Navigator object standard W3C proposal?

Based on the w3schools site: "There is no public standard that applies to the navigator object, but all major browsers support it."
I somehow see the navigator object as rather important, and with the rate at which browsers change their versions today even more so. So it rather baffles me that there is no standard for it.
What baffles me even more is that none of the browsers seem to have come up with the idea to include the two most important properties into this object:
navigator.browserName
navigator.browserVersion
We all have to parse the darn navigator.userAgent and hope from version to version that stuff in there did not change too much. Like it just did in IE11 for example...
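To make the pain concrete, here is roughly the kind of thing everyone ends up writing (the patterns below are only an illustration and will miss plenty of browsers and future versions, which is exactly the problem):

// Illustrative only: user-agent sniffing like this is fragile by design.
function guessBrowser() {
    var ua = navigator.userAgent;
    var m;
    if ((m = ua.match(/MSIE (\d+\.\d+)/))) {           // IE 10 and earlier
        return { name: 'IE', version: m[1] };
    }
    if ((m = ua.match(/Trident\/.+rv:(\d+\.\d+)/))) {  // IE 11 dropped the MSIE token
        return { name: 'IE', version: m[1] };
    }
    if ((m = ua.match(/Firefox\/(\d+\.\d+)/))) {
        return { name: 'Firefox', version: m[1] };
    }
    if ((m = ua.match(/Chrome\/(\d+\.\d+)/))) {
        return { name: 'Chrome', version: m[1] };
    }
    return { name: 'unknown', version: 'unknown' };
}

// Roughly what navigator.browserName / navigator.browserVersion could replace:
var b = guessBrowser();
console.log(b.name + ' ' + b.version);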
How can one even write a W3C proposal for a new standard?
Thanks to @Alohci and some more digging: since the Navigator object does have a standard, the way to go about proposing a change to it is to send an email to public-html@w3.org.

How to identify MIME type handlers in Google Chrome

So I saw a question here that got me thinking, and long story short, I'm trying to figure out how to embed xterm into Google Chrome using mozplugger. (I may be nuts, but that is a separate question.) This appears to be theoretically possible, but I have a couple of related questions.
How do I determine, from a running instance of Chrome, which MIME types a plugin will handle? about:plugins will tell me which plugins are installed, but not which MIME types they handle (a partial sketch of what a page itself can report is below).
How do I determine what plugin/extension/external program/whatever will handle a given MIME type?
How do I change it?
Bonus (slightly unrelated): does Chrome cache this information anywhere that would need to be updated if I modify a plugin to handle additional MIME types without reinstalling?
Also, this should be tagged mozplugger.
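(Purely as an illustrative sketch for the first two questions, and assuming NPAPI-style plugins: a page running in the browser can enumerate the plugin-registered MIME types through navigator.mimeTypes and navigator.plugins, though this says nothing about external programs or about changing the mapping.)

// List every MIME type a plugin has registered, and which plugin owns it.
for (var i = 0; i < navigator.mimeTypes.length; i++) {
    var mt = navigator.mimeTypes[i];
    console.log(mt.type, '->', mt.enabledPlugin ? mt.enabledPlugin.name : '(no plugin)');
}

// Or go the other way: each plugin and the MIME types it claims to handle.
for (var p = 0; p < navigator.plugins.length; p++) {
    for (var t = 0; t < navigator.plugins[p].length; t++) {
        console.log(navigator.plugins[p].name, 'handles', navigator.plugins[p][t].type);
    }
}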

Safe or impractical to use UTF-8 page names or other text? - User-submitted text!

I am working on a site that has an international aim; in other words, logged-in users can add text in their own language. I am hoping for international page names and content.
A URL example, like the Japanese Wikipedia: http://ja.wikipedia.org/wiki/メインページ (both page name and content text).
I know that by using UTF-8 I can do this, but how should I control it?
UTF-8 contains way too many languages/letters to control in a script, I guess, so how safe/unsafe is it to allow people to add UTF-8 text?
I can see that someone could add harmful code this way, but how to prevent it?
All information regarding safety/control when using UTF-8 is appreciated!
EDIT: PS! I use PHP and MySQL.
Warning: perhaps a slightly rusty response:
Note: not discussing host name (IDN) issues.
The only completely safe thing here is to use %-escaped UTF-8. Some browsers will display this as what you want, and some will display the %-escapes. (e.g. http://foo.bar/%ee%cc%cf.html)
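As a quick illustration (JavaScript here just because it is concise; any server-side language can produce the same percent-encoding), encodeURIComponent emits exactly this %-escaped UTF-8 form:

// Percent-encode the UTF-8 bytes of a page name before putting it in a URL.
var page = 'メインページ';
var url = 'http://ja.wikipedia.org/wiki/' + encodeURIComponent(page);
console.log(url);
// http://ja.wikipedia.org/wiki/%E3%83%A1%E3%82%A4%E3%83%B3%E3%83%9A%E3%83%BC%E3%82%B8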
If you put 'real UTF-8' in the URLs, many things will work, but there may be unpleasant surprises lurking for some people in some browsers. I'm reading your question as dealing with 100% static content. If you are trying to do this with code behind the site, you have additional issues to work on.
The 'unpleasant surprises' would be (a) people finding the %xx's in the URL unreadable, (b) a browser that melts, (c) some data scraping or aggregating application that melts.
I wish I were more up to date on this, but I'm not, so my recommendation is to deploy a test site and then try to access it with everything you can put your hands on, including mobile phones. Persuade Google to index it, and see what happens there.
For domain names, this is called IDN. For page names, you may want to think of the possibility of IDN spoofs.
It's safe as long as you don't interpret it literally as SQL (SQL injection) or HTML (XSS) or any other language. Just escape any user-controlled input (request URL, request headers, request parameters, request body, etc.) at the point where it's going to be used in SQL or HTML.
It's unclear what server side programming language you're using, so I can't go further in detail.
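As a language-agnostic sketch of the idea, though (shown in JavaScript purely for illustration; the escapeHtml helper and element id are made up, and in the asker's PHP the equivalents would be htmlspecialchars for HTML output and prepared statements for SQL):

// Escape user-controlled text at the moment it is put into an HTML context.
// For SQL, the equivalent is parameterized queries, not string concatenation.
function escapeHtml(text) {
    return String(text)
        .replace(/&/g, '&amp;')
        .replace(/</g, '&lt;')
        .replace(/>/g, '&gt;')
        .replace(/"/g, '&quot;')
        .replace(/'/g, '&#39;');
}

var userSupplied = '<img src=x onerror=alert(1)>';  // hostile input
document.getElementById('title').innerHTML = escapeHtml(userSupplied); // rendered as text, not executed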

IE secure and non-secure items issue

I'm trying to get rid of the error pop-up window that appears in IE saying "page contains both secure and non-secure items". I have made sure all the links point to https:// rather than http://. I have also looked at the Fiddler and Firebug logs to see that all requests are being made to https:// URLs only.
Here's a similar question asked on SO : IE - "This page contains both secure and non-secure items"
The guy whose answer was accepted hit right on target. I wish I knew how he debugged to narrow down to that solution.
Any help is appreciated.
Thanks
You don't need to actually load a resource in order to trigger the warning; a reference is all it takes. The <object> used to load a Flash applet is enough (if you reference the HTTP URI for the Flash plugin).
The easiest thing to do is to open up the source and search for 'http:' with your editor. If that doesn't turn up anything, do the same with the output of document.getElementsByTagName('html')[0].innerHTML.
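A small console snippet along the same lines (the attribute list here only covers the common culprits; <object>/<embed> params and CSS url() references still need a manual check):

// Report every element attribute that still points at a plain http:// URL.
var attrs = ['src', 'href', 'data', 'action', 'background'];
var all = document.getElementsByTagName('*');
for (var i = 0; i < all.length; i++) {
    for (var j = 0; j < attrs.length; j++) {
        var value = all[i].getAttribute(attrs[j]);
        if (value && value.indexOf('http:') === 0) {
            console.log(all[i].tagName, attrs[j], value);
        }
    }
}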
You could take either a top-down or a bottom-up approach to tracking down the issue. Top-down means commenting out stuff until the warning goes away; bottom-up means stripping out everything and then slowly adding back things like Flash, JavaScript, and CSS, since the culprit may be some include or function.

Block all content on a web page for people using an Adblock-type browser add-on/extension?

I wish to block ALL my content from any users using an ad-blocking browser extension (e.g. Adblock Plus for Firefox, Adthwart for Chrome).
How can I achieve this? Is there a server-side solution? Client-side?
Edit 1
This question regards the detection of ad-blocking browser extensions:
Detecting AdBlocking software?
I'm concerned with post-detection action.
Edit 2
A duplicate question was asked after mine, so I thought I'd link to it here:
Prevent Adblock Users from Accessing Website?
To detect whether the user is blocking ads, all you have to do is find a function in the ad JavaScript and test for it. It doesn't matter what method they're using to block the ad. Here's what it looks like for Google AdSense ads:
if (typeof window.google_render_ad == "undefined") {
    // They're blocking ads; do something else.
}
This method is outlined here: http://www.metamorphosite.com/detect-web-popup-blocker-software-adblock-spam
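Since the question is really about what happens after detection, here is a blunt sketch of the "block everything" follow-up (the message text is obviously a placeholder):

window.onload = function () {
    // google_render_ad comes from the AdSense script; if an ad blocker stripped
    // that script, the function never shows up and we hide the whole page.
    if (typeof window.google_render_ad == "undefined") {
        document.body.innerHTML =
            '<p>This site is supported by ads. Please disable your ad blocker to view the content.</p>';
    }
};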
It's like trying to block users from reading your content while standing rather than while sitting. It's silly, and it's likely to drive visitors off your site. The last time I saw a "you're using adblock, that hurts web development bla bla" message, I just blocked that div with the element hiding helper. It was fun, I admit. Most sites are almost unreadable right now, with flashing ads and pale content. A good number of ads are also malevolent: disguised as part of the site they're on, they take the user to bad places.
That's why you should not. If you still want to, bad news: you can't. As long as I can write $('.ad').hide() in my console, nobody can stop me from blocking something. I sometimes give up when ad divs have a very generic class or id, or none at all, so that it's difficult to target them with the element hiding helper (of course, if they are not in the filter lists, I don't even know they exist). So the best you can do is probably to give ads a class of .content, or something you also use in other parts of the site. It's not much, but it's all you can do. And just because you can, it doesn't mean you should. The web marketing model has to change, and it will.
As far as I know, this is not directly possible. Most ad blockers work by looking at the URLs that are being requested and either blocking them directly, or looking at the content/MIME type and blocking based on that.
You might be able to do something by looking for signs of the ad blocker, but this will be difficult at best.
Although I love my ad blocker, this is about answering the question. You could check whether a URL that would normally be blocked by an ad blocker is reachable, and continue only if that image (or whatever resource) actually loads; otherwise, you just don't.
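A rough sketch of that idea (the bait URL and element id are placeholders; the path just has to match the patterns filter lists typically block, such as anything under /ads/):

// Load a "bait" image from a path ad blockers usually filter; only reveal the
// content if it actually loads.
var bait = new Image();
bait.onload = function () {
    document.getElementById('content').style.display = 'block';
};
bait.onerror = function () {
    document.getElementById('content').style.display = 'none';
};
bait.src = '/ads/banner-bait.gif';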
