Is it dangerous to share my user agent publicly? - scrapy

I'm doing a Scrapy project for fun and wanted to upload the code to GitHub. My user-agent is in the code and I was wondering if it's safe to share this information publicly.

Related

Chrome Extension: how to safely restrict the content and customise the user experience?

I'm enjoying developing cross-browser web extensions, the main target being Chrome, so much that I started to think about developing one for my company. I find a Chrome extension quite a cheap and efficient way to deploy internal apps. The main purpose is to host a couple of dynamic dashboards that fetch data from various APIs by using cross-domain ajax in background scripts. I finalized the app and I was also able to implement the authentication via chrome.identity and Azure AD.
However, I am struggling to find a safe way to customise the content.
I mean, when the extension is installed it requires logging in to Azure via the chrome.identity flow. Then I get a token that I use to query MS Graph and get the user ID, name, email and basic info.
Until I get this information I want the browser action (popup) to be unavailable to the user as well as any other extension pages. After a successful login I would like to show the content on the pop up and to let the user access the pages, but here I want to customize the experience.
I know how to use the user id retrieved from the api call to customize the extension, but I think it is not safe because all the code is in the client.
If I code something like
if (user === logged) show something
it will be damn easy for a malicious user to look at the code and bypass it, or even to impersonate another user. And Chrome extensions cannot be obfuscated.
Any help?
Thanks

postman collection sharing options for an enterprise?

I recently developed a new REST API for a company. I've created a Postman collection including some sample requests for real-world scenarios. I need to share this collection with other members of the organization.
I found a "Publish Docs" menu option for Postman collections which is pretty cool. It publishes web pages of the documentation and then displays the url for where the documentation can be accessed:
https://documenter.getpostman.com/view/1401123/RWML234Hd
One issue is that the documentation is publicly available to anyone who has the url. Meaning that anyone on the internet could potentially access the documentation. This is a corporate API and should only be accessible within the organization.
Another issue is that it appears that the published url changes every time I "Publish Docs." That's a problem b/c I need to provide a static url for Postman examples on the corporate intranet page listing API resources. My manager won't spend any money on this. I like the documentation feature but:
The documentation should have a static url
The documentation should not be accessible by anyone on the internet who gets a hold of the url
Would I need to pay license costs to satisfy the 2 requirements listed above? What would be my best free option? The default free option for me would be to save off the collection json to a shared drive on the network.
I've been asking this very question for a while now. Finally decided to implement a simple tool that generates an HTML document similar to what Postman does.
Hope this helps:
https://github.com/karthiks3000/postman-doc-gen

WebRTC and unwanted download of a file

Theoretical question here. Is it possible that WebRTC would be misused to push files to everyone browsing the site?
Here's a scenario:
A malicious player shares a malicious file via a WebRTC platform and once someone has browsed that platform that file would be pushed into his system and perform its malicious act.
I know that when trying to access the webcam, WebRTC asks for the user's permission, is it the same with file sharing?
JavaScript doesn't have APIs that execute a file on the user's system, for a number of good reasons.
WebRTC doesn't add such an API (and in itself, does not have a file-sharing API).

Is it possible to upload/publish an unlisted extension via the chrome webstore api?

We are hoping to upload a chrome extension and publish it as unlisted (as the visibility option) via the Chrome Webstore Api.
So far we have been able to upload but not publish using this documentation -- we can't publish because extensions have a whole bunch of required parameters (like a screenshot or small-tile image) which we can't figure out how to attach. We are really hoping that one of these parameters will be visibility, and we can set it to "unlisted".
If any kind soul has any knowledge of the Chrome Webstore API, or how to set these parameters, our whole development team would be very appreciative.
The documentation on this is very sparse: https://developer.chrome.com/webstore/webstore_api/items/update
Quoting Using the Chrome Web Store Publish API:
Note: Currently, there is no API for setting an item’s metadata, such as description. This has to be done manually in the Chrome Web Store Developer Dashboard. More detail about the Web Store API can be found here.
So, to the question whether you can supply all the metadata programmatically - the answer is "no". And the Publish method does not seem to support "unlisted".

Dropbox - any API to cli_link?

I'm using the dropboxd service under Linux, which requires you to log into their website e.g. https://www.dropbox.com/cli_link?host_id=2173bf325f94beee3b1879d2c7b49e69 to link the machine to your account.
Is there any programmatic way to do this (ideally using Java)? To access the website above it seems you need to log in using forms (which seems tricky to do programmatically), and their basic REST API (https://www.dropbox.com/developers/core/docs) doesn't seem to cover the cli_link command.
I could write an app to do the sync using their full API, but it seems like overkill since aside from the cli_link requirement the basic dropboxd does all that I need.
The official Dropbox desktop client is unrelated to the API, though both the API and the Linux CLI require user interaction on the Dropbox web site (once per link) to authorize the linking. Also, note that automating/scraping the site itself is not allowed by the terms:
https://www.dropbox.com/terms#acceptable_use
Not really a solution for Dropbox users, but in the end we just moved over to use MediaFire instead. That has a full REST API and doesn't require any manual intervention.