Re Create Cross Domain Issue in Local - ajax

We developed an application in Java with Spring in the back end and jQuery in the front end for a client, and it is working fine in our local environment, but when it was moved to the customer-side testing environment they started seeing a security risk warning in Internet Explorer. It says "this page contains information that is not under its control. This poses a security risk. Do you want to continue?"
But in our local environment we never faced such an issue.
The application has a lot of AJAX calls on each and every page to load data, and the error does not come on all pages; it comes only on some pages for the customer.
We need to re-create the issue locally in order to analyze the root cause and fix it.
Can anyone here help me re-create the cross-domain problem locally?

The problem comes when your site is under https (an https URL) but the browser is calling http to load part of the content (ajax, images, etc.). All references in your page should be to https to avoid the alert in IE. I am afraid there is no other way. Relative URLs will save you from changing from http to https from one environment to another.
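One way to find the offending references before the customer does, as an added example that is not part of the original answer: the function below resolves every sub-resource and jQuery AJAX URL against the page URL and reports those that end up on plain http. The sample markup, host names and the set of tags checked are constructed for illustration.

```javascript
// Constructed sample page: one absolute http script, one http CSS image,
// one absolute http AJAX call, and several relative references.
const SAMPLE_PAGE = `
<html><head>
  <link rel="stylesheet" href="/css/site.css">
  <script src="http://cdn.example.test/jquery.min.js"></script>
  <style>.banner { background: url(http://static.example.test/banner.png); }</style>
</head><body>
  <img src="images/logo.png">
  <script>
    $.getJSON("/api/orders", render);
    $.ajax({ type: "GET", url: "http://app.example.test/api/customers" });
  </script>
</body></html>`;

// Tags whose src/href triggers a load (a common subset, not an exhaustive list).
const RESOURCE_ATTR = /<(script|img|iframe|link|source|embed|audio|video)\b[^>]*?\b(src|href)\s*=\s*["']([^"']+)["']/gi;
const CSS_URL = /url\(\s*["']?([^"')]+)["']?\s*\)/gi;
// jQuery calls with a literal URL, either positional or as the url: option.
const AJAX_URL = /\$\.(?:ajax|get|post|getJSON)\(\s*(?:\{[^}]*?\burl\s*:\s*)?["']([^"']+)["']/gi;

function findMixedContent(html, pageUrl) {
  const page = new URL(pageUrl);
  // Served over http (the usual local setup) nothing is "mixed", so no warning appears.
  if (page.protocol !== 'https:') return [];
  const findings = [];
  const check = (kind, raw) => {
    let resolved;
    try { resolved = new URL(raw, page); } catch { return; } // skip unparsable values
    if (resolved.protocol === 'http:') findings.push({ kind, url: resolved.href });
  };
  for (const m of html.matchAll(RESOURCE_ATTR)) check(m[1].toLowerCase(), m[3]);
  for (const m of html.matchAll(CSS_URL)) check('css', m[1]);
  for (const m of html.matchAll(AJAX_URL)) check('ajax', m[1]);
  return findings;
}
```

Running it with an `http://localhost` page URL returns an empty list, which matches the behaviour described in the question: the same markup only produces findings once the page itself is served over https.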

Related

Ajax not working with laravel project deployment

I know this might be a broad question, but I recently finished developing a Laravel 5.6 app. I deployed it to a free hosting service (000webhosting) because I wanted the client to be able to preview it remotely from where they are without having to sign up for domains and hosting accounts and all that jazz.
I uploaded it by zipping my project folder and putting it in the directory of the cPanel. I put all the public files (including .htaccess) into the public_html folder and put the rest of the project into the parent directory.
Long story short, everything works fine except for ajax. Other non-ajax CRUD is functional but nothing ajax related works. It all produces 404 errors. The other non-ajax functionalities are in the same controller as the ajax methods, so I know the project is talking to itself. I have the jQuery library linked to on the hosted Google libraries page. Is there some sort of convention that I'm missing that is limiting this functionality? Do some web servers block ajax requests? It's working perfectly in my localhost WAMP environment. What could I possibly look into to resolve this ajax discrepancy? If it comes to it, I'll pay for hosting, but I just want to make sure this isn't a consistent topic with many host providers where ajax needs to be specially configured or something.
github.com/maximus1127/drive is the GitHub repo. The file in question is drive/resources/views/auditor_pages/application_review.blade.php.
To log in, go to https://makemedrive.000webhostapp.com/ and log in with "aa#aa.com", pw "password". Click the instructors tab on the left, then instructor application, then view details. The "save notes" and "background check/received" buttons are all the ajax features of this page and none of them work. They all produce 404 errors. Please help!
Thanks in advance!

Domino Xpages with Reverse Proxy

I have a problem with Domino Web Server with an XPages Application which is placed behind some reverse proxy. The problem is, the proxy forwards all requests from the URL like h2tps://organization/test_server/ to the Domino Web Server.
This makes all links in the application broken. And I don't know how to fix it.
For example, the login attempt will be redirected by the server to h2tps://organization/names.nsf?Login instead of h2tps://organization/test_server/names.nsf?Login
Have you any idea how to fix it?
When using a reverse proxy, we recommend keeping the original URL unchanged. Because many redirects, Ajax requests and cookies are closely tied to the URL, if the URL changes you almost certainly have to modify the code.
This problem is especially serious in Domino, because a lot of JavaScript code there uses absolute paths, for example /names.nsf. By comparison, Java applications in general use relative paths (for example ../login).
The practical way to keep the URL unchanged: map the domain name of the original Domino server (for example test.domino.xxx) to the reverse proxy server, and have the reverse proxy server use the HTTP Host header to determine which backend server to forward to, without the need to add an additional path (for example test_server).
In IBM WebSeal, for example, this configuration is called virtual host junctions.
Did you create a site document on the domino Server?
I have solved the problem with some effort.
At first I moved the DB into the folder /test_server/.
Then I changed all static HTML links to use /test_server/.
With the option xsp.application.context.proxy=test_server I changed the paths for internal XPages and Extension Library resources.
At the end I had to add some substitution rules on the Domino server to prevent duplicated paths like /test_server/test_server/.
Now it seems to be working well.
The proposal from the proxy team was to use URL rewriting on the web server. It can be done with Domino without doubt, but requires developing a DNSAPI Addon (a dll written in C). And it doesn't look to me like an easy task.
Anyway, thanks a lot for your help!

Blank page on Azure

I have an application running in Azure (trial account). So far so good, everything has been nice, except for long deploy times (10-15 minutes).
I've done a deploy recently and got a lot of weird bugs I cannot trace. For example, if I log in and thus a cookie is created (I use FormsAuthentication) all I get from the application is a blank page, as in, absolutely nothing is sent to the browser. The application works fine in the ASP.NET Web Dev Server, IIS Express, even the Azure Emulator!
What could be the issue? Searching the web hasn't been much help, with only a couple of unrelated issues.
I tried logging into the site (if I correctly understood from one of the comments, the URL is versulo.com) and I didn't get any blank page with a 404 status code.
However, there is another problem I spotted. Your site seems to be implementing caching inappropriately. The main page, the one from which you trigger the login and which is dynamic in nature, contains an Expires header set at 5 minutes after the page's first load. That means that each call or redirect to that page within 5 minutes of when it was first loaded will be served from the browser's cache.
Because of that, after I log in to your application I am redirected back to the home page, which looks like I am not logged in. If I force an F5 refresh in the browser, then the page will indeed show me as logged in.
If instead of a refresh I try to log in again (which is what I did in my first trials, since it looked like the login didn't work the first time), I get an error page with the following message:
Sorry, there has been an error on the server.
500
The page looks like an application error page and even if it displays the 500 number, it is actually served with an HTTP 200.
So, while I am not 100% sure if this is also the cause of the problem described by you, you should remove the Expires headers from the dynamic pages your application is serving.
This can be because you're combining Forms Authentication with multiple instances. Are you using multiple instances? If that's the case, could you:
Try to change it to 1 instance. Does this fix the issue?
Try to make the following change to the web.config (configure machineKey): http://msdn.microsoft.com/en-us/library/ff649308.aspx
some partial views are not rendered at all;
Do you mean some pages are working fine, but others are not? It would be better if you can point out a pattern on what’s working and what’s not? For now, please make sure all referenced assemblies (except for default .NET assemblies and Windows Azure runtime) have Copy Local set to true. For example, MVC assemblies are considered as extensions to .NET, so please set Copy Local to true. In addition, you can also try to use Fiddler to monitor the requests to see what’s returned from the server.
Best Regards,
Ming Xu.
Could you provide a link to the application, or perhaps some source code?
When you say 'blank page', what is actually returned, a 404 / 500?
Have you inspected the IIS logs, or added some trace information to your code?
Have you tried accessing the service using its IP address rather than the domain name?

Insert http page into https site

I have a virtual shop hosted under HTTPS domain, for example, https://www.myshop.com
I need to insert an external link of another domain name not hosted in my server to my site. This link can be http or https, no matter.
The only way to insert it is through a script like this:
I'm working with Classic ASP and I have a Windows 2008 server.
I redirected the external domain to an internal one in web.config
externalSite (secure) -> myshop.com/extSite (secure)
So I changed my code to:
Redirection works perfect.
My problem is that I want the "mixed content" warning in IE to disappear. I have searched in lots of forums but I can't find any answer that works.
Could someone help me to solve this problem? Is there any way to avoid this annoying warning?
Thank you.
No you can't avoid it. The message is there for a reason. The page they are viewing is not secure, despite the fact that they visited a secure URL.

Cross site scripting(XSS)

I am loading content from another page and, depending on the content of that page, changing the content of my page, and this is giving me cross site scripting issues.
When I use an iframe, since the content is from another domain, the content of the iframe becomes inaccessible.
When I use ajax and try to inject the content as plain HTML code, the XmlHttpRequest object throws a permission denied exception due to cross site scripting.
When I use JSONP, such as getJSON in jQuery, it only supports the GET protocol and it is not adequate for further processing.
I wonder what other options I can try. I heard that DOJO, GWT and Adobe Air do some XSS, but I don't know which one is the best.
Thanks,
Ebe.
Without JSON-P, your only option is to run a proxy script on your own server that fetches the content from the external site and pipes it back to the browser.
The browser fetches the content from the script on your server, hence no cross-domain issues, but the script on your server dynamically fetches it from the external site.
There's an example of such a script in PHP here: http://www.daniweb.com/code/snippet494.html (NB. I haven't personally used it).
If you have control over both domains, take a look at EasyXDM. It's a library which wraps cross-browser quirks and provides an easy-to-use API for communicating in client script between different domains using the best available mechanism for that browser (e.g. postMessage if available, other mechanisms if not).
Caveat: you need to have control over both domains in order to make it work (where "control" means you can place static files on both of them). But you don't need any server-side code changes.
To add to what RichieHindle says, there are some good scripts (Python+Cron) that you can plonk on your server and they will check for changes to a POST/GET location and cache the changes on your server.
Either set your triggers low (once every 10 mins/ 1 per day) or you might get blacklisted from the target.
This way, a local cache won't incur the HTTP overhead on every AJAX call from the client.
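The server-side proxy suggested in the answers above should only ever fetch from the one external site it exists for, otherwise any visitor can make your server request arbitrary URLs. The sketch below is an added example, not code from the thread; the allowlisted origin, the `?url=` parameter, the size limit and the function names are assumptions.

```javascript
// Added example, not from the thread. ALLOWED_UPSTREAMS, MAX_BYTES and the
// ?url= query parameter are assumptions chosen for illustration.
const ALLOWED_UPSTREAMS = new Set(['https://content.example.test']);
const MAX_BYTES = 1024 * 1024;

// Returns the normalized upstream URL, or null when the request must be refused.
function resolveUpstream(rawUrl) {
  let target;
  try { target = new URL(rawUrl); } catch { return null; } // relative or malformed
  if (target.username || target.password) return null;      // no embedded credentials
  if (!ALLOWED_UPSTREAMS.has(target.origin)) return null;   // exact scheme+host+port
  target.hash = '';
  return target.href;
}

// Node request handler; mount with require('http').createServer(proxyHandler).
async function proxyHandler(req, res) {
  const requested = new URL(req.url, 'http://localhost').searchParams.get('url');
  const upstream = requested ? resolveUpstream(requested) : null;
  if (!upstream) { res.writeHead(400); res.end('upstream not allowed'); return; }
  try {
    // redirect: 'error' stops an allowed host from bouncing the fetch elsewhere.
    const reply = await fetch(upstream, { redirect: 'error' });
    const body = Buffer.from(await reply.arrayBuffer());
    if (body.length > MAX_BYTES) throw new Error('upstream response too large');
    res.writeHead(reply.status, {
      'Content-Type': reply.headers.get('content-type') || 'application/octet-stream',
      'X-Content-Type-Options': 'nosniff',
    });
    res.end(body);
  } catch (err) {
    res.writeHead(502);
    res.end('upstream fetch failed');
  }
}
```

The handler relies on the global `fetch` available in Node 18 and later.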
