Let me explain by an example.
My website domain is http://example.com.
I want to configure my server that tells browser to disable every <script> tag from client where src attribute point to 3rd-party domain like <script src="http://code.jquery.com/jquery-2.1.4.min.js"></script>
There are some questions seem be similar to this, but all of their answers do not satisfy me.
Thank you.
Related
I am not sure the title of the question is correct, but I'll try to explain what I need.
We host multiple web applications on a single machine, so
https://localhost:8080
and
https://localhost:8081
point to different applications.
Meanwhile, API gateway maps request without dropping the URL suffix:
https://api.domain.com/service1/Home/Index
turns into
https://localhost:8080/service1/Home/Index
and
https://api.domain.com/service2/Home/Index
into
https://localhost:8081/service2/Home/Index
I would like the app's root ~ to resolve to hostUrl+suffix where suffix is a configured value.
I used this blogpost to globally prefix all the routes for controllers and pages, but now I struggle with static files.
I am able to virtually move wwwroot:
app.UseStaticFiles(new StaticFileOptions
{
RequestPath = $"/{GlobalPrefix}"
});
but <link href="~/bootstrap/css/bootstrap.css" rel="stylesheet" /> does not contain GlobalPrefix part when rendered.
So I would like to add this GlobalPrefix to whatever base URL site is hosted at. Be it a self-hosted app or in IIS.
P.S. RTFM =)
Using app.UsePathBase("/myPath")(https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.builder.usepathbaseextensions.usepathbase?view=aspnetcore-2.2) is working in that case.
There have been changes in ASP.NET Core 2 regarding that (http://github.com/aspnet/Announcements/issues/226). Also, be aware of a strange behavior: http://github.com/aspnet/HttpAbstractions/issues/893
I saw some code for something called rocketscript. I searched the name and it only came up with stuff about WordPress, but I finally found something on the cloudflare website. It just gives information about what it is, and what it does, I seen on another site that the snippet of code they have like the one below is custom, and has their domain / a unique id in it.
I was wondering how can I get my own code for my website? I can't find any page where cloudflare will give me the code, or tell me how to implement it into my website, do I just copy the code from another website? I don't think I do as each code has the websites domain and a unique id.
<script type="text/javascript">
//<![CDATA[
try{if (!window.CloudFlare) {var CloudFlare=[{verbose:0,p:0,byc:0,owlid:"cf",bag2:1,mirage2:0,oracle:0,paths:{cloudflare:"/cdn-cgi/nexp/dok3v=1613a3a185/"},atok:"0c520450ae00f93ad3c6d427e6175e11",petok:"39b2bad3263429bff6b9dfc54bc4b070f517b5df-1443920379-1800",zone:"fabborp.co.uk",rocket:"a",apps:0}];document.write('<script type="text/javascript" src="//ajax.cloudflare.com/cdn-cgi/nexp/dok3v=e9627cd26a/cloudflare.min.js"><'+'\/script>');}}catch(e){};
//]]>
</script>
<script type="text/rocketscript">
//<![CDATA[
try{if (!window.CloudFlare) {var CloudFlare=[{verbose:0,p:0,byc:0,owlid:"cf",bag2:1,mirage2:0,oracle:0,paths:{cloudflare:"/cdn-cgi/nexp/dok3v=1613a3a185/"},atok:"cc7792bcd37b11acfe5d52854c3c31cb",petok:"60a72fe01a43af4ce7bfedbb9aa1557bd41221e9-1437754506-1800",betok:"b5597544ec58644c04609e45c7005743deab17c5-1437754506-120",zone:"fabborp.co.uk",rocket:"a",apps:0}];document.write('<script type="text/javascript" src="//ajax.cloudflare.com/cdn-cgi/nexp/dok3v=e6ea9bd6c9/cloudflare.min.js"><'+'\/script>');}}catch(e){};
//]]>
</script>
Main question is, how do I get my OWN code? for rocketshare..
CloudFlare's Rocket Loader system...
is a general-purpose asynchronous JavaScript loader coupled with a lightweight virtual browser which can safely run any JavaScript code after window.onload.
You can use Rocket Loader by adding the website you would like to enable Rocket Loader on to CloudFlare. CloudFlare automatically adds the code to every page on your website using DNS, no need for you to add it in yourself.
Sign up for CloudFlare.
Add your website to CloudFlare using CloudFlare's easy to use wizard that should appear after you login.
Select your site from the list that should appear on your screen. A list may not appear as you have only one site in your account.
Select 'Speed' in the navigation bar:
Scroll down to Rocket Loader and select the desired option, probably Automatic.
Give it a little while to propagate, stuff like this doesn't happen instantly.
Hope that works for you!
I've installed mod_pagespeed and I'm trying to figure out if this is possible to do.
Example URL:
<script src="/assets/build/js/test.js"></script>
The above URL is rewritten to this:
<script src="/assets/build/js/test.js.pagespeed.jm.QCz72nUS30.js"></script>
What I would like to do is for the URLs to be rewritten to the base of the website or to a folder that I specific. For example, I would prefer the rewritten URL to appear like this:
<script src="/test.js.pagespeed.jm.QCz72nUS30.js"></script>
Or something like this:
<script src="/sample-folder/test.js.pagespeed.jm.QCz72nUS30.js"></script>
Is this something that's possible to configure with mod_pagespeed? I want to do this for all images, javascript, and CSS files. Thanks in advance for any help you may be able to provide!
No, this isn't possible with mod_pagespeed. Here are the only URL rewrite control options available to you:
https://developers.google.com/speed/pagespeed/module/restricting_urls
You can rewrite the URL's with Apache's mod_rewrite. However, note the following limitations when doing so:
https://code.google.com/p/modpagespeed/issues/detail?id=676
This isn't possible, because at least as described it wouldn't work. Let's say on your site you have two different files called test.js:
/assets/build/js/test.js
/testing/test.js
And imagine you could tell PageSpeed to put everything at your webserver root:
/test.js.pagespeed.jm.QCz72nUS30.js
/test.js.pagespeed.jm.8U69T_7wiB.js
This would work as long as these resources stayed in PageSpeed's cache: it could use the hash portion of the url to look into its cache and find what resource the user wants. But what happens when the cache gets full and something gets evicted? Then a request comes in for one of these, it's not in the cache, and PageSpeed doesn't have enough information available to reconstruct the original url so it can regenerate it. PageSpeed would have to 404 the request, which would break the page.
I want to share some dynamic content on google+. For this I checked it https://developers.google.com/+/web/share/interactive#rendering_the_button_with_javascript
<head>
<script type="text/javascript">
(function() {
var po = document.createElement('script'); po.type = 'text/javascript'; po.async = true;
po.src = 'https://apis.google.com/js/client:plusone.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(po, s);
})();
</script>
</head>
<body>
<button
class="g-interactivepost"
data-contenturl="http://www.pubandbar-network.co.uk/"
data-clientid="102180630313.apps.googleusercontent.com"
data-cookiepolicy="single_host_origin"> Share
</button>
</body>
But when executing I am getting this error
Error: origin_mismatch
Request Details
scope=https://www.googleapis.com/auth/plus.login
response_type=code token id_token gsession
access_type=online
redirect_uri=postmessage
cookie_policy=single_host_origin
proxy=oauth2relay554026710
origin=http://www.pubandbar-network.co.uk
state=1995523240|0.4607792083184853
display=page
client_id=102180630313.apps.googleusercontent.com
authuser=0
Please suggest how to fix this
Origin mismatch is normally caused by the Javascript origins not being set correctly in the API project console. You need to make sure that the Javascript origins match the domain from which your requests are coming and to which you are returning the user after sign in.
More details can be found in the developer documentation in the "Create a client ID and client secret" section.
Note: A common mistake here is to add javascript origins for http:// but not https:// (or vice versa). If you want to allow users to access your site from both then you need to list both in the javascript console.
Note (Thanks Bethel Goka): You must include the port number of your server in the javascript origins if a port number appears in the url when users access your site.
It worked for me by removing "www." from google console. I simply used http://example.com and it worked ...
For VS users:
Open Properties of your project and get Project URL:
This is your Javascript Origins
Change also the Redirect URIs. It should be your origins + "/oauth2callback"
For me:
(The error has the answer for you)
need to set javascript origin in google console api As
origin=**http://www.pubandbar-network.co.uk**
scope=https://www.googleapis.com/auth/plus.login
response_type=code token id_token gsession
access_type=online
redirect_uri=postmessage
cookie_policy=single_host_origin
proxy=oauth2relay554026710
*origin=http://www.pubandbar-network.co.uk*
state=1995523240|0.4607792083184853
display=page
client_id=102180630313.apps.googleusercontent.com
authuser=0
My default javascript origins is https://www ,
my website does not support https:// ,
I included http://www. http:// https://www. and https:// ,
it works.
If your client id, client secret, and your javascript origins url is correct you might want to check whether the port you're using is exactly the same with the url you put in for javascript origins. I mistyped mine by one digit: e, g localhost:888 instead of localhost:8888 and got that error because my javascript origins was localhost:8888 not 888
Just a little addition to Lee's answer: listing both the www.whatever.ext and whatever.ext forms of your URL in JavaScript origins may get rid of the error. That's what did the trick for my app.
I did a stupid thing which took a few minutes to resolve, so I thought I would post a warning in case somebody else falls in this trap.
In the console, when origins are displayed, 'Redirect URIs' come above 'Javascript origins'. When you open the edit pane, it's the other way around, so if you are not paying attention, you could paste your origins in the Redirect URIs field and ....
1: Open the Credentials page for your project.
2:Double-click on your OAuth 2.0 Web client in the client ID list.
3: Make sure that in the web client ID form, change the Authorized JavaScript origins field to http://localhost:8080 when you are running the server locally.
When running remotely add the corresponding appspot server url.
The most common oversight resulting in this error is forgetting to add both HTTP and HTTPS origins on the consent settings in the App Credentials dashboard.
To fix, go to https://console.cloud.google.com/apis/credentials?project=YOUR-APP-ID
Select the OAuth 2.0 client IDs if you had already created one.If not, you will have to create a new client ID for your origin.
Under Authorised JavaScript origins, add both https and http origins for you app if had not added both.
Log out from all google services from your browser.
I same had the problem for google + api sign in.I was getting Error:origin_mismatch and same details were there as they are in the question .. my javascript credentials had http://localhost:4567
but when I run the python file it opened the link as 0.0.0.0:4567 thats basically a localhost but when i changed the url in browser to http://localhost:4567 now the error was removed .. and my application was able to get the OAuth box .. and all went fine!!! this thing removed my error... Please let me know whether I was correct because I just started learning how to use apis
Please check the origin url set in google console for you WEB application/Android
and check the http or https because your site does not work on https (in general site).
You must read the developer guide here
https://developers.google.com/analytics/devguides/reporting/embed/v1/devguide
Good luck !
I had this error trying to use the "Google Play Games Services Management Demo" and it was because of missing "www" in the URL
I fixed it by change JavaScript origins and redirect URIs in google console from http://0.0.0.0:4567 to http://localhost:4567, remember adding /oauth2callback after redirect URIs and change url on browser to http://localhost:4567
I am getting the security alert: "You are about to be directed to a connection that is not secure. the information you are sending to the current site might be transmitted to a non-secure site. Do you wish to continue?" when I try to login as a customer on my clients oscommerce website. I noticed the link in the status bar goes from a https prefix to a nonsecure http prefix. The site has a SSL certificate, so how do I ensure the entire store portion of the site directs to the secured site?
It is likely that some parts of the page, most often images or scripts, are loaded non-secure. You'll need to go through them in the browser's "view page source" view one by one and eliminate the reason (most often, a configuration setting pointing to http://).
Some external tools like Google Analytics that you may be embedding on your site can be included through https://, some don't. In that case, you may have to remove those tools from your secure site.
If you can't switch all the settings, try using relative paths
<img src="/images/shop/xyz.gif">
but the first thing is to identify the non-secure elements using the source code view of your browser.
An immediate redirection from a https:// page to a http:/ one would not result in a warning as you describe. Can you specify what's up with that?
Use Fiddler and browse your site, in the listing it should become evident what is using HTTP and HTTPS.
Ensure that the following are included over https:
css files
js files
embedded media (images, videos)
If you're confident none of your own stuff is included over http, check things like tracking pixels and other third-party gadgets.
Edit: Now that you've linked your page, I see that your <base> tag is the problem:
<base href="http://balancedecosolutions.com/products//catalog/">
Change to:
<base href="https://balancedecosolutions.com/products//catalog/">
If the suggestion from Pekka doesn't suit your needs you can try using relative links based on the schema (http or https):
e.g.,
I am a 100% valid link!
The only problem with this technique is that it doesn't work with CSS files in all browsers; though it does work within Javascript and inline CSS. (I could be wrong here; anyone want to check?).
e.g., the following :
<link rel="stylesheet" href="/css/mycss.css" />
<!-- mycss.css contents: -->
...
body{
background-image:url(//static.example.com/background.png);
}
...
...might fail.
A simple Find/Replace on your source code could be easy.
It sounds to me like the HTML form you are submitting is hardcoded to post to a non-secure page.