How do I access the forge object from the main web view when window.location has replaced it with a 3rd party site? - trigger.io

A trigger.io blog post states:
You can load content from the trusted_urls directly into the main view of your app by specifying the window.location. JavaScript in that page can make use of Forge APIs.
I can't find anything else in the documentation in reference to this.
I want to load a trusted, 3rd party URL using window.location to replace the main web view, then interact with native modules from that 3rd party's javascript. I expected that I could access the forge object, but it's undefined within any javascript from the loaded 3rd party site.

It's strongly recommended that you NOT use a 3rd party URL within the main view.
In general, if you want to host 3rd party sites it is best to embed them within an iFrame on your index.html page and use HTML5 messaging to marshal communication between the two pages.

Related

How to secure commercial javascript library in front-end

CONTEXT
I am developing a web application with RAILS as the API-JSON backend and React in the front-end. Recently, we needed to integrate a commercial Javascript library which needs to be initialized on the client side. I need to input the license key during the initialization process, for which I have 2 options from their API:
Use the license key directly: commercialLib.setup(configWithLicense);
Via license file URL: commercialLib.setup(configWithLicenseURL);
Apparently, I don't want the first option since it can easily expose the license. However, even with the latter, the license file content can easily be read via the browser developer tool.
One more thing that confuses me is that the vendor has their demo/sample page, on which they are using the second approach (they sent me the source as a usage example, and I can also easily check the javascript source with the developer tool). But on their site, the request to the license file URL is not displayed, and I have absolutely no idea how they do that.
QUESTION
How can I secure my license in this scenario? And how could I hide a browser request from being traced in the developer tool?

How to Embed a DocuSign Document into an ASP.Net MVC Page

I'm trying to embed a DocuSign document into an ASP.Net MVC 4 page. Unfortunately, I do not have any guidance on how to do that. Could you refer me to the specific documentation on how to embed a DocuSign document and then how to detect when all the fields are signed? Thanks.
If you are using .Net I would first of all take a look at the DocuSign .NET SDK.
This is available through NuGet.
Either way, you are going to need to have the following built into your site:
Envelope Creation Call (The recipient who is going to be the embedded signer needs to have clientid parameter specified as part of the call). Embedded signing is covered on the following page Link
Post Recipient View. This will return a url which you can place in an iframe. In the headers of this request you can specify return url parameters, which provide ways to capture when different events happen on the envelope. This call is covered on the following page: Link

Set a cookie with rails and use across third party websites

How does one set a cookie in rails and access this information across third party sites? For example most sites have facebook and google tracking cookies associated.
The use case is I would like to provide custom content on 3rd party apps via an API call with a user ID from a cookie.
You can't set a cookie in one domain and access it in another. What you probably need is to embed a script you host (usually JS, like Facebook and Google do) in the third party website, so the code setting and reading the cookie is from the same domain.

Phonegap - use iframe as the app

So, I made a responsive website and I would like to include it inside an iframe and push it to phonegap so that I can easily create a mobile application without coding a new one.
What I'm wondering about is:
1. How to embed the website from the url? (best practice)
2. Will Apple reject my app if I use an iframe? (if yes, why)
3. Which other tips should I follow to achieve this?
1. You don't need an iframe; the config.xml has a parameter for the starting url, and it can be a url on a server.
2. Most likely, yes; Apple rejects apps that are just a web wrapper. You can try to use an iOS-like UI and some native functionalities.
3. I think if you follow 1 and 2 you can achieve this, but it's always better to use local html, css and javascript and use ajax calls to communicate with the server.

secure rest API for running user "apps" in an iframe

I want to let users create "apps" (like Facebook apps) for my website, and I'm trying to figure out the best way to make it secure.
I have a REST api
I want to run the user apps in an iframe on my own site (not a safe markup language like FBML)
I was first looking at OAuth but this seems overkill for my solution. The "apps" don't need to be run on external sites or in desktop apps or anything. The user would stay on my site at all times but see the user submitted "app" through the iframe.
So when I call the app the first time through the iframe, I can pass it some variables so it knows which logged in user is using it on my site. It can then use this user session in its own API calls to customize the display.
If the call is passed in the clear, I don't want someone to be able to intercept the session and impersonate the user.
Does anyone know a good way to do this or a good write-up on it? Thanks!
For modern browsers, use the cross-window messaging interface provided by HTML 5
https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage
For older browsers, emulate the above messaging interface by creating a third IFrame on the same domain as your application, below the second external IFrame. You can then have bidirectional messaging from the 2nd to the 3rd and from the 1st to the 2nd by modifying the fragment part of the URL. The 3rd and 1st IFrames can communicate bidirectionally in javascript, because you're hosting them on the same domain.
You should be able to wrap both of the above methods into a single script, and maybe source one of these messaging layers to save you some time:
http://json-rpc.org/wiki/implementations
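
The HTML5 cross-window messaging recommended in the answer above, and in the trigger.io answer at the top of this page, is only as safe as the checks the host page runs on each incoming message. The following is an added example, not code from any of the posts or from trigger.io: the host-side handler for an embedded 3rd party iframe, where TRUSTED_ORIGIN, the host origin in the closing comment and the ACTIONS entries are hypothetical.

```javascript
// Added example: host-page side of an iframe <-> host postMessage bridge.
// TRUSTED_ORIGIN and the ACTIONS entries are hypothetical.
const TRUSTED_ORIGIN = 'https://partner.example';

// Allow-list of operations the embedded page may request. A real handler
// would call the native or REST API here; these stand-ins keep it offline.
const ACTIONS = {
  getLocale: () => 'en-GB',
  textLength: (params) => String(params.text).length,
};

function handleMessage(event, frameWindow) {
  // 1. Exact origin comparison; substring or prefix checks can be bypassed.
  if (event.origin !== TRUSTED_ORIGIN) return { ok: false, error: 'origin' };
  // 2. The sender must be the iframe we created, not some other window.
  if (event.source !== frameWindow) return { ok: false, error: 'source' };
  // 3. Treat the payload as untrusted input and check its shape.
  const msg = event.data;
  if (msg === null || typeof msg !== 'object' ||
      typeof msg.id !== 'string' || typeof msg.action !== 'string') {
    return { ok: false, error: 'shape' };
  }
  // 4. Own-property lookup so names like "constructor" never resolve.
  if (!Object.prototype.hasOwnProperty.call(ACTIONS, msg.action)) {
    return { ok: false, id: msg.id, error: 'action' };
  }
  const params = (msg.params !== null && typeof msg.params === 'object')
    ? msg.params : {};
  return { ok: true, id: msg.id, result: ACTIONS[msg.action](params) };
}

// Wire the handler to a window and the iframe element hosting the 3rd party
// page. Replies go only to the verified frame, with an explicit targetOrigin
// rather than '*'.
function attachBridge(win, frame) {
  win.addEventListener('message', (event) => {
    const reply = handleMessage(event, frame.contentWindow);
    if (reply.error === 'origin' || reply.error === 'source') return; // drop
    frame.contentWindow.postMessage(reply, TRUSTED_ORIGIN);
  });
}

// In a browser: attachBridge(window, document.getElementById('partner'));
// The embedded page would send, for example (host origin is hypothetical):
//   parent.postMessage({ id: '1', action: 'getLocale' }, 'https://host.example');
```

The embedded page should apply the same origin and source checks to the replies it receives from the host.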
If you have a REST API, you have no need for an iframe; in fact, iframes are considered very poor practice in modern web applications. An iframe would be useful if you have content on an external site that is not easily manipulated with javascript on the client side, or with your application on the server side. This content is usually in the format of an HTML document.
You've already stated that you have a REST API, so you can likely manipulate the data returned by a resource in any way you see fit. For instance, if the resource responds to JSON or XML requests, you could format and organize that data via Javascript from the client (web browser) or you could use your web framework to gather the data from the REST API and manipulate/organize it, making the result available to your application.
In order to secure the data as it is transferred back and forth between the client and the server, you could provide an API Token (lots of sites do this, e.g. GitHub, Lighthouse, etc.) for each user from the service provider and require users in your application to provide their API Token. The token could be passed in the HTTP headers to the REST service provider, separating the token from the request and response data. HTTPS (SSL) is a must for this type of traffic to prevent eavesdropping.
Let me know if this is too general; I could give you a few specific examples.
