How can I invalidate Chrome caching programmatically on client side? - browser-cache

I have the following very specific bug in my web application, caused by a curious interaction between the History API and the way Chrome caches pages.
User A logs in and uses a page like /home on the site. This page is an SPA-type page that uses the History API to maintain a history stack as you navigate within the page. So as you do stuff, the URL may change to /home/with/new/state. This page also has a message like "Hello, User 1" on it.
User A logs out of the application.
On the same computer and browser, User B logs in and goes to /home, /home/with/new/state. Again, this is not a true navigation, just modifying the URL via the History API.
User 2 clicks some link to navigate (for real) to another page on the site.
User 2 clicks the back button.
The browser goes back to /home/with/new/state, but to the cached version that still says "Hello, User 1" on it.
Naturally, this is really confusing for users.
I can fix this by setting a more aggressive cache-control policy, forcing a reload of the /home page, but that would increase bandwidth to the site. The vast, vast majority of the time, the existing caching is fine, because the user isn't changing, so I don't really want to do this server side, for all users, always. It also is only an issue in Chrome; somehow the other browsers handle this correctly. I'd prefer a mechanism to bust the cache ONLY when I have this situation of a user change.
How might I accomplish this?
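One client-side approach, added here as an example (it is not code from the question or an answer on this page): the server stamps each rendered page with the user it was rendered for, and also sets a non-HttpOnly, non-secret cookie carrying the same opaque id; the page compares the two on every load and only forces a reload when they differ. The attribute name `data-user-id`, the cookie name `uid_hint` and the assumption that logout clears `uid_hint` are all hypothetical. The real session cookie stays HttpOnly and is never read by this script.

```javascript
// Added example, not from the original question. Decides whether a cached
// copy of an authenticated page belongs to a different user than the one
// currently signed in, and reloads only in that case.
//
// Assumptions (hypothetical, not stated in the question):
//   - the server renders <html data-user-id="u1"> for a logged-in user and
//     omits the attribute for an anonymous page;
//   - the server sets a NON-HttpOnly cookie "uid_hint" with the same opaque
//     id on login and clears it on logout. It must carry no secret, because
//     any script on the origin can read it.

// Read one cookie value out of a document.cookie-style string; null if absent.
function cookieValue(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const [k, ...rest] = part.trim().split('=');
    if (k === name) return decodeURIComponent(rest.join('='));
  }
  return null;
}

// True when the page was rendered for someone other than the current user
// (a different user, or a user who has since logged out -> currentUserId null).
function isStaleForCurrentUser(renderedUserId, currentUserId) {
  return renderedUserId !== currentUserId;
}

// Decision for one page-load event, kept free of browser globals so it can be
// tested outside a browser: "reload" or "keep".
function decide(renderedUserId, cookieString) {
  const current = cookieValue(cookieString, 'uid_hint');
  return isStaleForCurrentUser(renderedUserId, current) ? 'reload' : 'keep';
}

if (typeof window !== 'undefined') {
  const check = () => {
    const rendered = document.documentElement.dataset.userId || null;
    if (decide(rendered, document.cookie) === 'reload') {
      // reload() revalidates with the server instead of reusing the cached copy
      window.location.reload();
    }
  };
  // A stale copy can come back two ways: re-parsed from the HTTP cache (scripts
  // run again, DOMContentLoaded fires) or restored from the back/forward cache
  // (no load events; only pageshow with persisted === true). Cover both.
  document.addEventListener('DOMContentLoaded', check);
  window.addEventListener('pageshow', (e) => { if (e.persisted) check(); });
}
```

Because the comparison runs in the page itself, users who never change identity keep the existing cache behaviour and pay nothing extra; only the user-switch case triggers a revalidating reload.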

Related

Can I clear referrer upon refresh in Vue app built with Vue-router

A web page redirects to a Vue app. This Vue app has several pages and it uses Vue-router. Upon initialization of the Vue app we run some logic which is based on the referrer.
Then the user navigates between the pages of the Vue app and at some point decides to refresh the page. In this case the referrer is still the previous page (Why?) - thus the logic based on the referrer executes again. And this is problematic and shouldn't happen.
So - how can I get rid of this referrer after the SPA loads? Or eventually when user navigates inside the SPA?
PS: This happens on Chrome and Safari and doesn't on Firefox. At least on my machine.
There are a bunch of tricks to modify the referrer (How to manually set REFERER header in Javascript?).
However, all of them are far from perfect. That's because Referer is one of the forbidden headers, which intentionally can't be modified programmatically (https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name).
In your case, the only idea I can think of is to put some key into localStorage or sessionStorage when you run your referrer-related logic for the first time, and then prevent it from running again if this key is already stored.
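The guard the answer describes, written out as an added example (not code from the answer or from Vue-router). The storage object is injected so the logic can run outside a browser; `runReferrerLogic` stands in for the app's own referrer-dependent setup and the flag name `referrerLogicRan` is arbitrary.

```javascript
// Added example, not from the original answer. Runs referrer-dependent setup
// once per browser session: the first run records a flag in storage, and later
// loads (including a refresh that still reports the old document.referrer)
// skip it. `runReferrerLogic` is a hypothetical callback supplied by the app.

const REFERRER_FLAG = 'referrerLogicRan';

// Returns true if the callback ran, false if it was skipped.
function runReferrerLogicOnce(referrer, storage, runReferrerLogic) {
  if (!referrer) return false;                          // nothing to act on
  if (storage.getItem(REFERRER_FLAG) === '1') return false; // already handled this session
  storage.setItem(REFERRER_FLAG, '1');                   // set first: a throwing callback is not retried on every reload
  runReferrerLogic(referrer);
  return true;
}

if (typeof window !== 'undefined') {
  // Call this during app initialisation, before the router takes over.
  runReferrerLogicOnce(document.referrer, window.sessionStorage, (ref) => {
    // app-specific logic based on the referrer goes here (hypothetical)
    console.log('entered from', ref);
  });
}
```

sessionStorage is the better fit for this answer: it is cleared when the tab closes, so a later visit that genuinely arrives from the referring page runs the logic again, whereas a localStorage flag would suppress it for every future visit until explicitly removed.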

Why my website is not loading correctly on safari browser?

The website is developed in WordPress. It looks perfect in Chrome/Firefox, but it's not looking perfect in Safari.
Can someone help me understand what the issue is and how I can fix it?
If Safari doesn't load a page or webpage items are missing
Check Safari extensions, or try removing cookies, cache, and other website data if a webpage or site doesn't load on your Mac.
Use the steps in this article if this happens in Safari on your Mac:
You can’t log in to a secure website.
A webpage repeatedly reloads or redirects.
A message on a webpage tells you to remove or reset cookies.
Some images, videos, or other items aren't displayed on a webpage, but other page elements load.
Check Parental Controls
If you're logged into a user account that is restricted by Parental Controls or other web filtering software, some pages or page elements might not load if those sites aren't allowed. For example, embedded videos might not display if they're hosted on a site other than the one you're viewing.
Check with your administrator to see if you can get access to the site that you're trying to view.
Check Safari extensions
Some Safari extensions that block ads or other website content can prevent some page elements from displaying. You can temporarily turn off extensions, then re-load the page to see if this is the issue.
Choose Safari > Preferences.
Click Extensions.
Select an extension, then deselect the checkbox "Enable… extension." Repeat this step for every extension that's currently installed.
Reload the page by choosing View > Reload in Safari. If the webpage loads correctly, one or more extensions was blocking the content from loading. Re-enable an extension, then reload the page again to determine which extension is blocking the content you want to view.
If the website still doesn't load with all of your extensions disabled, try the next steps in this article.
If Safari doesn't load pages from a specific site
If only one webpage or website isn't working, you can remove data related to that site to see if it fixes the issue. Use these steps to remove cookies, cache, and other data stored by Safari for a specific site:
Choose Safari > Preferences.
Click the Privacy icon.
Click the Details button.
Search for the name or domain of the website whose data you want to remove.
In the results list, click the domain (like example.com) that has data you want to remove.
Click Remove.
When you're finished, click Done and close the preferences window.
If you used the Private Browsing feature of Safari when visiting a website, you might not see the site listed here.
If Safari doesn't load pages from multiple sites
In OS X Yosemite, you can delete website data for the past hour, or past few days if websites or pages stopped loading recently.
Choose History > Clear History and Website Data.
In the sheet that appears, choose the range of data you want to remove from the Clear pop-up menu.
Click Clear History.
If you want to remove website data for all of the sites and pages you've ever visited, choose "all history" from the Clear pop-up menu. The option to Remove All Website Data in the Privacy pane of Safari preferences does this, too. These options also reset your browsing history and Top Sites.

Working with cypress redirect

Situation:
I am writing test automation for a website. There comes a point where there is a link button on my website. Clicking this I am redirected to an external website. There I have to log in and as soon as I do that I am redirected to my original web-page which contains some 'connections' that I need.
Problem:
As soon as Cypress clicks on the redirection button, it goes into a blank page.
Ideal solution:
I would want to automate the entire scenario. If not then at-least a work around.
As suggested in the Cypress Docs, you should really be using cy.request() to log in. You don't control a 3rd-party site, and that makes your test very flaky.
For example, a lot of login pages are constantly changing and are A/B tested for the purpose of preventing a bot from logging in, including testing bots. The data:, URL is probably the result of an HTTP redirect.
Thankfully, using cy.request() you can 'fake' logging in by making a request to the server through code (which doesn't change as much), and you will never have to leave your app to log in.
Here's a recipe for Single Sign-On for example.
Hope that makes sense!
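A login helper in the shape the answer recommends, added here as an example; it is not the Cypress docs recipe the answer links to. The `/login` endpoint, the form field names and the `session` cookie name are hypothetical and must be replaced with whatever the real login endpoint expects. The helper takes `cy` as a parameter so its request shape can be checked without a running Cypress instance.

```javascript
// Added example, not from the answer or the Cypress docs. Logs in by POSTing
// credentials with cy.request() so the session cookie is set in the test
// browser without ever visiting the external login page; a following
// cy.visit() then lands on the app already authenticated.
// Hypothetical: loginUrl '/login', fields username/password, cookie 'session'.
function loginByRequest(cy, { username, password, loginUrl = '/login', cookieName = 'session' }) {
  return cy
    .request({
      method: 'POST',
      url: loginUrl,
      form: true,               // send x-www-form-urlencoded, like the real login form
      body: { username, password },
      followRedirect: false,    // keep the 302 itself; the Set-Cookie is on that response
    })
    .then((resp) => {
      // Fail loudly on anything other than the expected success / redirect
      if (resp.status !== 200 && resp.status !== 302) {
        throw new Error('login failed: HTTP ' + resp.status);
      }
      // Practitioner check: prove the session cookie actually landed in the jar
      return cy.getCookie(cookieName).should('exist');
    });
}

if (typeof Cypress !== 'undefined') {
  // Register as a custom command so specs can call cy.loginByRequest({...})
  Cypress.Commands.add('loginByRequest', (creds) => loginByRequest(cy, creds));
  // In a spec:
  //   cy.loginByRequest({ username: Cypress.env('USER'), password: Cypress.env('PASS') });
  //   cy.visit('/');
}
```

Keep the credentials in Cypress environment variables rather than in the spec file, and give the test account only the 'connections' the test needs.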

Can page actions be keylogged or are they securely, independently delivered

I'm curious if chrome extension overlays are delivered securely and unadulterated, and whether or not someone can "listen" to internal events.
If a user were to enter a password via a Chrome extension, could I guarantee that no other browser script has recorded the password? I will hash the password with 2FA so the network request is secure, but I'm curious if anyone can get the innerHTML of an <input> within a page action.
I'm asking because I know that generally iframes are insecure if they're hosted in an insecure environment where they could be "replaced" with lookalike, man-in-the-middle, phishing palettes.
Thanks
Only if you inject some element into a web page (e.g. code in an injected <script>) does it become part of the web page, open to any other page script.
Internal pages and scripts of an extension like a page action or toolbar popup or background page, and even the content script environment (variables/functions), are inaccessible from the web. With a few exceptions, you can't even directly access one from another inside your extension, as those are just like different tabs/windows: messaging should be used.
The only way a web page can know what happens inside your extension is if you explicitly provide it with the information from your extension. You would have to explicitly send the info via DOM messaging, for example, or via an explicit externally_connectable mechanism.
Maybe other scripts can't record the password; however, you would also need to protect the input from native components like a keylogger, which can always get what you typed before it bubbles up to the browser process. So I guess a native component is also needed; it could fight malicious keyloggers and ensure they can't get valid user input.

ADFS web authentication loop in IE

I have a mvc4 web app that sits behind ADFS 2.0 authentication, it's configured using the web.config file. The application can be visited by going directly to a URL or as an iframe inside of CRM 2013.
The application works in all (tested) browsers when visiting the URL directly, both redirection to login form and handing the user back to the web app with the proper information in the ClaimsIdentity.
However, when visiting the app as an iframe inside CRM 2013, Internet Explorer goes into a continuous login loop. You are asked to provide the credentials (which are the same as for logging in to CRM), and when you click OK you get redirected back to the same login page again; to my knowledge the app never receives the hand-off.
In Safari, Chrome, Firefox, and Opera the users are able to log into the application inside of CRM as well as outside without any problems (I'd even go as far as saying that it works better than expected for these browsers).
Does anyone have any idea of what I can try or what the problem could be for IE?
EDIT 1
I'm thinking it has to do with some security setting and am playing around with the settings in IE. Unchecking this box stops the login form from showing in IE at all and I get an empty page instead.
Is the iframe on the same (sub)domain as the site inside it? You can use Fiddler to view your redirect flow; are the cookies added as expected?
I've seen cookies that are overridden by the iframe host; in that case you lose the auth cookie. Browsers react differently to same-domain cookies.
Another problem might be X-Frame-Options; do you see any warning in the F12 console of IE?