How can I hide api service request from the network tab of the browser developer tool?
Any suggestion
Although I would strongly disadvice from doing so (as it won't stop any serious user), it would be possible to for example send it through flash or for that matter any other plugin with such functionality. The easiest way to achieve this would be to use a flash-enabled XHR proxy object like the one provided by the flXHR project (though you would have to force it to also function on the same domain, rather than only cross domain). Let me finish once again with not advicing you to do so, as the use of plugins will cause for a significant subset of your users messages to appear or not to work at all, which is in no way a good experience.
Related
I want to implement a tool (a website that can edit a user's own websites) that receives uploads from the browser and stores them in a website specified in the request. However, I want to protect the user from other sites creating requests to my endpoint and doing dirty things with the user's data.
The industry standard for this is to include a randomized token in every rendering of the page, submit it together with the input data, and check the validity of the token on the server side before processing the submitted request.
Is there an automated mechanism for this in the Boomla framework, or is something like this planned?
Implemented, no. Planned, yes.
Currently (v0.9.1), I believe Boomla does check the Referer header, but it stops there. So long, maybe you could implement a cryptographic solution yourself?
How pressing is the issue for you?
Consider that currently, side effects are not possible (eg. send data), thus data leaks are not possible, it won't cause data loss, since we have built in version control. (We are going to expose a casual version control mechanism that works automatically, without commiting, so you'll be backed up even without commiting.) Thus, in effect, your users are safe.
Please disagree if you think otherwise.
I'm trying to make a Firefox addon with the Firefox Add-on SDK and API, and I have some questions about their possibilities before I start using them.
My college's Wi-Fi authorization expires every 30 minutes only to have fun pissing off their students. There are already some autofill addons available on many browsers but it's still destructing to move the mouse pointer onto the "Login" button and click it when there is one second left to turn in a midterm paper. I've heard my friends complaining like this for months and I myself think the thing is actually annoying sometimes, so I decided to develop a Firefox addon that takes charge of the job so that the authorization process will feel not even existing once the addon is activated. (I just want to impress my friends honestly.)
For ease I would like to develop the addon within the Firefox add-on SDK. I found that my addon would be utilizing the page-mod, password and request APIs; page-mod to detect the Wi-Fi service's auto-redirection into their authorization page, password to fill in the page's form by a student ID and password stored in the individual Firefox browser, request to redirect the "Login Successful!" page into the originally given destination.
So I guess it should be possible to achieve my goal with this SDK and APIs, but there are still some questions that I need to ask before I proceed:
Is it possible to pass a callback function to page-mod::PageMod (not as a String or a URL to another JavaScript file)? If not, can it be done using the lower level API?
Is it possible to actually redirect a page in a tab into another page only using high level APIs?
Is it possible to remember the original destination's location (with the request method and contents) and call it in the process of page-mod::PageMod (in order to re-redirect out of the authorization page)? If not, can it be done using the lower level API?
Is it possible to perform the addon's redirection function on inactive (background) tabs where the opened webpages automatically keep connecting to the Internet and get redirected to the authorization page?
Thank you so much for reading and please spare a little bit of your time for me. Thank you again!
Is it possible to pass a callback function to page-mod::PageMod (not as a String or a URL to another JavaScript file)? If not, can it be done using the lower level API?
No, everything that goes through the port is serialized using JSON serialization (See docs). Instead you would probably emit an event from your content script to execute the callback method with parameters you pass it in the module scope and hardcode parts that need to be done in the content script with port event listeners.
Is it possible to actually redirect a page in a tab into another page only using high level APIs?
Totally, if you're in a content script, you can just set window.location, or in your modules you set the location of a tab, see https://developer.mozilla.org/en-US/Add-ons/SDK/High-Level_APIs/tabs#url.
Is it possible to remember the original destination's location (with the request method and contents) and call it in the process of page-mod::PageMod (in order to re-redirect out of the authorization page)? If not, can it be done using the lower level API?
Possible? Yes, depends a lot on how the redirection from the W-LAN works. Generally all the SDK offers you is getting load/ready events for tabs and reading a tab's current URL. So if you get a ready event at the point of the redirect you're fine. If your college login remembers the redirect target using a get parameter in the URL you're fine. If your college doesn't adjust the URL, you're fine. If you really need to dig through the request, you'll have to ge a bit deeper than even what the SDK offers you, but it is possible.
Is it possible to perform the addon's redirection function on inactive (background) tabs where the opened webpages automatically keep connecting to the Internet and get redirected to the authorization page?
JS execution for Add-ons is not paused based on a tabs state.
We are currently working on a web client that communicates with the server using AJAX with JSON. The client is based on gwt, and communication is over https.
The communication can be easily inspected by browser tools - is there some reasonable approach to hide this from the user, i.e. securing the protocol?
Other than standard authentication and encryption techniques used by all browsers, whatever method you come up with, it must be initiated by your JavaScript client. This means that a good hacker can deconstruct your JavaScript and figure out how you submit data.
Security usually deals with either third parties trying to intercept communication or pose as legitimate users, or malicious users trying to get access to where they are not supposed to. Once you verified that a user is legitimate, why would you try to hide user's data from the user? Maybe you can describe your use case.
EDIT:
The only way to prevent bots is to ask a question that only a human can answer (e.g. Captcha) somewhere in the workflow (i.e. before submitting important data). It's usually annoying for users, but there is no other way. Since you build a gaming platform, ask your designer to come up with some fun verification.
Just to Round off Security Checklist
1) HTTPS - you have got it set up already :)
2) Json and XSS/XSRF Web Security -
https://developers.google.com/web-toolkit/articles/security_for_gwt_applications#json-xsrf
https://developers.google.com/web-toolkit/articles/security_for_gwt_applications#json
3) BOT attacks - A decent captcha - Captcha in GWT Widget
4) Miscellaneous - https://groups.google.com/forum/?fromgroups=#!topic/google-web-toolkit/_gViO5aZ-WQ
I am developing a Django app that functions basically as a data entry tool for websites. The use case has a trusted user or paid technician browsing the web. As they browse they enter data into an overlaid bar similar to what you see on many proxy websites, but containing a form that allows user to write metadata about the website (in this case, training classification data for an ML algorithm) and submit it to my app.
See http://hidemyass.com/proxy/ for an example of a proxy website that inserts an overlay into browsed sites.
I have heard conflicting suggestions on how to approach this.
Serve Websites as Proxy
Pipe all url requests through the django app with something like http://httpproxy.yvandermeer.net/, and rewrite the responses to include the header.
Pros
I can process the responses with sexy scientific libraries like the NLTK
AJAX-free failover. Users can submit human data (albeit with more of a hassle) without the need to submit computed data.
Cons
Greatly increased traffic. Now my webapp has to retrieve all websites and upload them to the user.
Some websites might block proxy requests. My intention is to deploy this on Heroku, but they might frown on an app that generates so many requests.
User Browses in an iFrame
The overlay is separated from the content by an iFrame, and I use javascript to inform the overlay on the page that is currently being browsed
Pros
Distributed Computing. User machines are used to make requests and do any necessary computations. The server is no longer a bottleneck.
Tighter Ajax integration. I can just post a JSON object representative of my entire Model.
Cons
iframes weren't really designed for full-scale browsing. Some websites force themselves out of iframes, and I worry that it won't be a reliable method of browsing.
I don't get to use all those sexy python libraries. My language processing will have to be done in javascript.
Question
I've never done anything like this before. I'm pretty new to all the tools involved, and seriously having trouble choosing between the two very different approaches.
Which method would you suggest? Why? Are there any considerations I have missed?
OKFN's annotator provides imho a good basis for what you are trying to accomplish http://okfn.github.com/annotator/
I am creating a web service which uses REST web services. The client side code is written in HTML/JavaScript. My dilemma is whether I
should use the REST resource directly using AJAX calls?
or
should I create Servlets/JSPs (where REST calls will be made and data will be sent to client(AJAX/JAVSCRIPT)).
I have seen many web apps which follow the 2nd procedure but seems to me that it's doing the same thing as 1st in an indirect way.
Is there any advantage of using 2nd procedure over first?
What is the standard way to use REST services by HTML/javaScript client?
Please let me know if I am even thinking in the right direction and if not please give your valuable insight.
You can use either approach but note that browsers will enforce the same-origin policy on scripts, so if the REST service lives on a different domain than the script you will need to use a servlet/script on the same domain as the script to proxy the call to the other domain. I suspect this is why you are seeing the second approach used.
A proxy/middle-man servlet may also be useful if not all of the response is needed; you could use the servlet to strip out information that is not needed by the JavaScript to reduce the amount of data sent to the browser.
Directly accessing the resource(s) via AJAX has the obvious benefit of less overhead and is IMHO the more elegant solution, however it is also important to note that not all browsers support PUT and DELETE requests natively.
To get around this, you'll likely want to support the common "_method" hack. This stackoverflow question mentions this approach.