I have read articles that give various ways to do "URL masking" so that the browser's URL bar does not show the actual location of the content. Such methods include setting up an .htaccess file, showing content in an iframe, or loading content from another source with javascript.
The problem with all of these methods is that the URL shown in the browser can actually be used to view the content I want to protect, even though it's coming from another location.
I need a way to have the browser display protected content while the URL bar displays a URL that will NOT show that content, because I don't want a person who has been given access to the content to be able to share access to that content by giving the URL away to others.
Is this possible?
Maybe you could use something like a randomly re-generated URI. Every time the link is consumed through an authorized channel, the route is invalidated on the server, and a new one takes its place.
Note:
The safest way to prevent unauthorized access to a URL may be to add authentication (user/pass or otherwise) to your content.
Related
This question exists in different flavors, but not for AJAX pages.
I use AJAX to pull a single video into my page and I want a custom FB share button for it. Everything I've read so far says that FB pulls the required title and image from meta-tags in the page's < head> section (og:image and og:title).
I've tried to change the meta properties when the AJAX call returns, before rendering the share button. This hasn't worked. It uses the values that were present upon initial page load. I have yet to encounter a single answer to this question.
Are there data attributes I can add to the 'fb-like' div to specify a custom title and image (similar to data-href)?
Danke!
You need an individual URL for each individual piece of content that you want to share. Open Graph objects (and simple shared links “become” such, automatically) are identified by their URL (og:url).
Now if your whole page is built on AJAX, you still need to create such individual URLs somehow – the Facebook scraper tool does not “speak” JavaScript, and relies solely on the OG meta information that the server delivers for any URL it requests.
Since the hash part of an URL is only of relevance client-side (and does not even get send to the server), “typical” AJAX URLs that rely on those to tell the client which piece of content to load in the background are no good here.
So if you want to share two pieces of content (videos) as http://www.example.com/?v=vid1 and http://www.example.com/?v=vid2, then you have to make sure that your server delivers the meta data for each video under its respective URL.
in my MVC 3 project I have a folder in the project's root where I store some SWF files. The problem is, when I hit the url in the browser's address bar, e.g
localhost:39217/Files/fg/f_l1.swf
obviously I see the download dialog. Is there any way to prevent it ? In the other words, that file would be visible in my page after the DOM is loaded, but if I just type its URL I don't want it to be downloaded. I'm afraid that both scenarios are threated the same in the IIS. Any ideas ?
One way I can see to solve this issue is don't reveal the real physical path to the user. Basically you should deliver the SWF files from a controller action.
If you are embedding the SWF file through object tag then the object tag will refer to this action passing the filename. You can control the action by Authorize attribute or some other ways and once you see the request is properly authorized then you write the flash file into the response.
The idea is clearly explained here though the code is in PHP you can migrate that to MVC.
UPDATE:
If you don't want to change the SWF file path then you have to do little more work in Global.asax.cs.
routes.IgnoreRoute("Javascript/{*catchall}");
routes.IgnoreRoute("Content/{*catchall}");
routes.IgnoreRoute("Scripts/{*catchall}");
routes.RouteExistingFiles = true;
routes.MapRoute("", "Files/Flash/{file}", new { controller = "File", action = "Flash" });
Now eventhough some one tries to access the SWF file directly knowing the path, the requests are handled by the Flash action of File controller and there you can do the necessary auth. check before sending back the SWF.
I couldn't really word the title very well, but here's my problem: I've got a webpage that reads from a database each time the user clicks a button, the content is then replaced for part of the page.
Because it is an ajax load, everything is done in the background, and so the URL stays the same. This wasn't be a problem at all until I realised that I will want to have a different Facebook comments box for each set of content that is loaded - so if someone comments, it is posted to their facebook profile, people click on the link and are then taken to different content.
So... what I need is some way of referencing each set of content, and I've found a site that does exactly that (I'm sure there are a lot of them).
Here's the link.
Each set of content has a different 'hash code' (because I don't know the actual name for it) which is appended to the URL - in this case the code is "#1922934", this allows people to post links to it that specific set of content on Facebook etc. - and also allows a different Facebook comment box for each set of content.
Does anyone know how such a set-up can be achieved or how these 'hash codes' work?
Here's a document from wikipedia on it.
[http://en.wikipedia.org/wiki/Fragment_identifier][1]
The main idea is that URI fragments are used because they don't cause a page reload. They also can be used to refer to anchors on a web page.
What I would do is on page load use JavaScript to read the URI fragment (location.hash) then make a request to your server to load the comments etc. The URI fragment cannot be read by a server and is only found through a client (browser)
Sounds like you want something like SammyJS.
The title ways it all. I want to use a cookie to send some metadata over to the client that is specific to the current page he is viewing. I'd rather not put it in the HTML, mainly because the metadata is only calculated after all the HTML is already generated and the closing </html> tag is in place.
Previously I was simply sticking it in a hidden <input/> after the final </html>, and browsers seem to render it fine, but I want to do the same thing while having standards compliant HTML. Although I want the cookie to be sent back whenever the client makes an ajax call to the server, I want it to invalidate immediately upon leaving the page.
If the page is in an unique path (or can be URL-rewritten as such), then just set the cookie's path attribute to the page's full path. The browser will send the cookie only back whenever the page URL is covered by the cookie's path.
Alternatively, depending on the concrete functional requirement, you could also consider using the HTML5 data attributes.
If you click on a result in Google Instant, the referer sent by your browser to the destination website contains a bunch of parameters, including the all important q=[autocompleted query]
But you're coming from a page whose URL is simply http://www.google.com/ with a bunch of stuff after the # character, i.e. as an on-page anchor.
So the browser appears to be sending a URL as the referer which is different from the URL of the page that you were viewing when you clicked.
There doesn't seem to be an additional redirection, so how on earth do they do that?
Most of the time, a Google search result actually sends you to a Google redirect page rather than directly to the target page. They use JavaScript to switch the target of the link onmousedown as you click on it.
You can see this effect by click-and-holding on the search result link and watching your status bar.
This isn't specific to Google Instant, they've been doing it for quite a long time on their standard results pages.
The page anchor part of the URL can be manipulated client-side without a new request to the server. Even when talking about static anchor links (e.g. Section Foo), clicking on them does not cause a new request to be sent to the server; it is processed completely within the browser.
The javascript being used by Google to make Google Instant work is simply altering the anchor programatically before making a request to the server.
What Google are you using?
My URL after searching is this:
http://www.google.es/#sclient=psy&hl=es&q=something+to+search&aq=f&aqi=g4g-o1&aql=&oq=&gs_rfai=&pbx=1&fp=b0....
It does include the q= part