I'm trying to add screen-sharing feature in my app using webrtc and Firefox browser,I'm facing the same error that described here:
Twilio screensharing on localhost in firefox?
The problems is that I need to set the flag(media.navigator.permission.disabled) to make the screen sharing work but for security reasons we can't do that in the code, what I'm trying to do is to make Firefox prompt the user to change this flag.
Is this possible? can we make Firefox prompt the user to change this flag?
any suggestions?
Thanks in advance!
For security purposes there is no way for JS code to change flags. Giving JS code the ability to do that would have really dangerous implications.
Screen sharing is only allowed on HTTPS origins. So you really need to get your self a certificate for your test page, e.g. from Lets Encrypt.
Related
Is it possible to set some flag in my browser so that I always get the RECAPTHCA image challenges? Sometimes when you click on the "I am not a robot" button, it gives you a pop up challenge with something like "Click all the images which contain a car", but sometimes it just checks off the box and takes your word for the fact that you're not a robot.
I would like to test the UI of my tool both on a desktop and on mobile, and make sure that the challenge pop up shows up and interacts well with other elements of the page.
In other words, as a developer, I want Google to think that I'm a robot so that it always gives me the visual challenge.
Is there any way to force this behavior?
Note: I've done some research and was unable to find any relevant questions or blog posts that might yield an answer.
Force Google recaptcha to use simple checkbox click challenge asks for a way to force Google to NOT use the visual challenge, only the checkbox
How to force recheck user with reCAPTCHA? talks about forcing a recheck of some kind, but has no answers
https://groups.google.com/forum/#!topic/recaptcha/2ed-s3KK3Do actually asks my same question, but users did not seem keen on providing answers, with one user just suggesting not to use RECAPTCHA at all!
https://developers.google.com/recaptcha/docs/faq#id-like-to-run-automated-tests-with-recaptcha-v2-what-should-i-do is straight from Google, but it does exactly the opposite of what I want - it sets your site up such that the captcha appears on the page but is actually a test captcha that always lets you pass, and NEVER gives you the challenge. I want the exact inverse of this.
The methods told here should generally work, but there is no guarantee of the same. There is a very easy way to guarantee that Google reCAPTCHA challenge always show up. All you need to do is to add a custom BOT device in developer tools and then use the same to test.
In Chrome Dev Tools, open Settings. Open Devices after that.
Add a custom device with any name and set User Agent String to Googlebot/2.1
Finally, in Device Mode, at the left of the top bar, choose the custom device that you created (the default is Responsive).
Thanks to the SO users who had put it up in the answer and follow-up comment here.
I too have been looking for similar functionality. While I have not found a code-based solution to force the challenge, I have found a fairly reliable hack.
Grab a VPN tool (I happen to use IP Vanish), then connect to a remote server (I've had success connecting to China). Then, open up a private/incognito window and fill out your form.
From my testing, the combination of the remote IP and the blank user session triggers the challenge.
Here are a few things you can try. In my experience all of them will increase your chances of getting a challenge.
Log in at https://www.google.com/recaptcha/admin and edit your
reCAPTCHA settings. Under Security Preference choose Most Secure.
Use a VPN + incognito mode (as suggested here)
If you're using the invisible reCAPTCHA, I found that using explicit
rendering + immediately calling grecaptcha.execute() after
grecaptcha.render() will usually trigger the challenge. I suspect
this is because Google's AI expects a user interaction of some kind
to trigger grecaptcha.execute() and not the onloadCallback itself.
I use reCAPTCHA's SDK in Android, and I also encounter the need to force validation when testing. I tried it many times. At last, I turned off or turned on the flight mode, which can be verified in the retest. I guess it may be that Google put my IP on the white list in the background, so I passed the verification without any challenge.
That should be possible, because when LinkedIn forcefully logged out an user for excessive usage, it showed captcha on next login, and there always was the challenge.
Unfortunately, LinkedIn switched from Recaptcha to another provider just few days ago, so I cannot just look up into their JavaScript code.
It is what makes me believe that Recaptcha does have an undocumented option to force the challenge.
2022 and later
It seems to be increasingly harder to trigger the recaptcha challenge of the invisible recaptcha. Using the UserAgent of a bot, going into incognito mode is not enough anymore. A VPN might work, but I do not trust free VPN services.
I am however still able to trigger the recaptcha challenge when I'm only using the keyboard while filling in the form fields and pressing the submit button with the enter key. It seems like the Google Recaptcha is now also following your mouse movements to determine if you are a real user. Make sure to never hover your mouse cursor over the webpage and only use the keyboard.
I was looking for something like this and after some research plus trial & error what worked for me is to use the invisible recaptcha and invoke the challenge with JS.
After you have loaded the recaptcha script on your page then do
grecaptcha.execute()
and the challenge might be invoked.
I ´m trying with Ad Block Plus, Ghostery, Disconect and Self-Destruct Cookies in Firefox.
Can you recommend some tips to stop the tracking?
The "Do Not Track" feature in Firefox is useful for telling sites that you do not want to be tracked. A detailed guide on enabling this feature is available on Firefox's support page : http://mzl.la/WL6fUP .
Besides, if you want an extra level of security, I would suggest you to use the "NoScript" browser extension(https://addons.mozilla.org/en-US/firefox/addon/noscript/). NoScript blocks JavaScript and other executable content on website thus effectively protecting you from tracking codes on websites.
And if you want real privacy use a proxy or VPN. Another good idea is to use the tor browser ( torproject.org/projects/torbrowser.html.en).
I am running a site. Some of its pages are not working in Firefox, but work perfect in Chrome. In Firefox it shows me a gray shield next to the URL and when I click on that shield and manually click on disable protection on this page then my page works fine. So now the problem is that there are many users on my site, and some of them don't know how to do it so I want to handle it on my site so its users don't need to do that.
How can I do it? I Googled and found a setting of Firefox in about:config named security.mixed_content.block_active_content. If we set it to false then it works. So is there a way to do it programmatically or other way so that users just view that page without seeing that shield?
As I understand it, content that is blocked by default by Firefox now is http content that is accessed from an https page. Common types of content that fall foul of this are external stylesheets and images.
As far as I am aware the way to prevent the problem on your site is to make sure that if a page is served by https, any and all other files that it references are also served by https.
Hi Friends,
The reason you see this error in Mozilla Firefox is because your
website is a Mixed Box that is, your website has many internal links
which are not SSL protected.
In order to avoid this error from showing up in Mozilla Firefox you
will have to make sure all the internal links on your website are SSL
protected.
So, Use https:// in your page not http://
I hope I was clear enough in answering your query.
firefox has blocked content that isn't secure means there are some contents on your website are not secure.
I had same issue as my fonts were downloading with http://google.apis.something instead of https
Then I change to //google.apis.something and problem get solved.
To know what is not secure in you website use this link
I'm trying to figure out how to disable programatically the fishing site warnings that pop up when you enter a user name and password along with the url to a secure website, such as.
https://UserName:PassWord#Https://Secure.Website.com
Before the url comes up the warning dialog pops up first, since I know that the url I programmed is secure, I don't need the fishing site warning to pop up.
If anyone has any Ideas, I would greatly appreciate it. Thank you in advance.
You just cant do this.
This behavior is in private UIKit apis that you can't alter without being rejected from AppStore.
And for once, there is a good reason to this, a security reason :)
EDIT (after comments below)
I think you can disable these warnings in device settings : Settings App > Safari > Fraud Warning
Note that you can't do this with code from your app. You can only ask user to do so, or maybe by using Enterprise deployment facilities.
EDIT 2 About security concerns
Again, there are very GOOD reason to this security, especially for a company concerned by its confidentiality/security.
It is not because you set a static URL in a UIWebView that this is the URL you will get, phishing is not only from websites servers, it can also come from a middle man attack on the TCP/IP connection, DNS spoofing, or who knows, an admin going nuts :)
Modifying private APIs is not easy, there is no source code, just assembly code that you can disassemble/analyze to figure a way to override/inject code doing what you want. It takes time that sorry I have not.
In other words : you should find an alternative solution, like another URL without https (ask webmaster) but another security, not requesting data from UIWebView... I'm afraid there is no easy workaround. And I guess you know that URL authentication like you are trying to do is highly unsecure, any intermediate could just get the query and login/password.
It is phishing and not fishing :)
Do you know you can edit your comments on stackoverflow?
I'm making a website using Facebook Connect and decided to use Facebook's XFBML tags like "fb:profile-pic" since they are so easy to use.
I haven't been able to make them work no matter how hard I look online but then I noticed that it worked on all the browser's instead of Firefox.
I also realized that even on Facebook's own "The Run Around" sample app they don't work!! You can check it out here: http://www.somethingtoputhere.com/therunaround/index.php
If you log in with Firefox your picture is not shown, but if you use another browser it is shown. This happens with the fb:profile-pic tag or any other tag like fb:name.
I haven't found any information online so I'm asking other people that have worked with this: Are these tags simply not compatible with Firefox ? Do they have outages or something like that ? Has this happened to anyone before ? Any ideas on how to resolve this ?
I guess they do have "outages". I've spent the whole weekend trying to resolve this and now they post they had a problem and have resolved it.
From the Platform Live Status website:
http://developers.facebook.com/live_status.php#msg_497
We are experiencing a possible config
problem with api.connect.facebook.com.
If you are including Connect JS
library through
http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php,
all API requests through JavaScript
would fail. This affects rendering of
XFBML tags (such as fb:name and
fb:profile-pic) as well. While we are
fixing this issue, you can work around
the problem by changing
http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php
to
http://static.ak.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php.
It's also safe to keep url change
permanently because
connect.facebook.com is just an alias
to facebook.com.
I wish they had updated that sooner, now I'm looking for a place to find out about this stuff before I spend days working on something before realizing it's not a problem with my code!
Open up Firefox > Preferences > Privacy and make sure "Accept third party cookies" is checked. This is needed for Facebook Connect to work. Also, when using Connect, make sure all your tags are fully closed, i.e. <fb:profile-pic></fb:profile-pic> and not <fb:profile-pic/>. From the docs:
The user's browser must be set to
accept 3rd Party Cookies in order for
it to stay connected between clicks.
Source: http://wiki.developers.facebook.com/index.php/Logging_In_And_Connecting
FWIW, I wouldn't use "the run around" as a sample app. That thing has been the same since they introduced Connect and is pretty hacky.
do check in connect section under the canvas option.
there should be a link of your physical file.