POST data over HTTPS is secure enough? - post

I have a page where i need to send parameter (say param1) via post and site is running
over HTTPS, would it be secure can anyone hack this information, what is the correct
solution to send info over https ?
Below is the JSP page, indeed the info is send via HTTPS but user can see view source to
see value of param1 and param2, would we use some encryption standard or jsp taglib so
that user is not able to view source ass well as not able to read param1 and param2 values.
testPage.jsp
This is a parent page , in this a second jsp is included
<form id="myForm" target="iframe" method="post" action="http://www.abc.com/jsp/dGrid.jsp">
<input type="hidden" name="param1" value="77"/>
<input type="hidden" name="param2" value="SS"/>
</form>
<iframe name="iframe" width="1500px" scrolling="no" height="1170px" frameborder="0" allowtransparency="">
</iframe>
<script type="text/javascript">
document.getElementById('myForm').submit();
</script>

Related

Issues with using d2l remote plugins (insert stuff cim) example not working

I am new to Brightspace and been fiddling with the remote plugins sample (logo). I can load the sample logo project, but cannot get it to insert into the page. I have uploaded the file but get a 404 error on submit. Can someone `
$( document ).ready(function() {
$('#submitFormButton').click( function() {
$.ajax({
url: "/getisfdetails",
data: {
image: $("input[name='image']:checked").val()
},
success: function(response){
$("input[name='lti_message_type']").val(response.lti_message_type);
$("input[name='lti_version']").val(response.lti_version);
$("input[name='content_items']").val(response.content_items);
$("input[name='oauth_version']").val(response.oauth_version);
$("input[name='oauth_nonce']").val(response.oauth_nonce);
$("input[name='oauth_timestamp']").val(response.oauth_timestamp);
$("input[name='oauth_consumer_key']").val(response.oauth_consumer_key);
$("input[name='oauth_callback']").val(response.oauth_callback);
$("input[name='oauth_signature_method']").val(response.oauth_signature_method);
$("input[name='oauth_signature']").val(response.oauth_signature);
$("#isfForm").prop('action', response.lti_return_url);
$("#isfForm").submit();
}
});
});
});
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.3/jquery.min.js"></script>
src="https://code.jquery.com/jquery-3.2.1.min.js"
integrity="sha256-hwg4gsxgFZhOsEEamdOYGBf13FyQuiTwlAQgxVSNgt4="
crossorigin="anonymous"></script>
<body>
<h3>Select an logo:</h3>
<input type="radio" name="image" value="brightspace-logo.png"> <img src="../content/isf/brightspace-logo.png" alt="Brightspace Logo"><br />
<input type="radio" name="image" value="d2l-logo.png"> <img src="../content/isf/d2l-logo.png" alt="D2L Logo"><br />
<div hidden>
<form id="isfForm" method="POST">
<input type="hidden" name="lti_message_type" />
<input type="hidden" name="lti_version" />
<input type="hidden" name="content_items" />
<input type="hidden" name="oauth_version" />
<input type="hidden" name="oauth_nonce" />
<input type="hidden" name="oauth_timestamp" />
<input type="hidden" name="oauth_consumer_key" />
<input type="hidden" name="oauth_callback" />
<input type="hidden" name="oauth_signature_method" />
<input type="hidden" name="oauth_signature" />
</form>
</div>
<br />
<button id="submitFormButton">Submit</button>
</body>
` how do you set this cookie in the javascript? I believe a cookie needs to be set??? and I do not see how to set it? or maybe I am missing something else that is not noted in the documentation.
I would highly recommend you consider using LTI Advantage/1.3 instead of Remote Plugins. LTI provides a standards-based integration approach & a better developer experience.
https://community.brightspace.com/s/article/LTI-Integration-Guide
If you are working with a partner of D2L please get in touch with the partner team and technical assistance is available. Your information here is appreciated but we are glad to examine the full context and use case as these errors are not hugely uncommon during dev. Otherwise, I echo Paul's suggestion, but I understand if it is not immediately possible.
partners#d2l.com or talk with your team that knows D2L!
Depending on which browser you are in you might be seeing the recent effects of the third-party cookie blocking that the browsers are adopting. Because LTIs (both 1.1 and 1.3/Advantage) typically launch into iframe any access to those cookies are regarded as third party. This effectively means two things
You need to be aware of the cookie access routines where a user action must be taken to request access to the browser storage API using document.requestStorageAccess()
You need to be marking your cookies appropriately with the new SameSite cookie directives
Without these the browser will mark your cookie request as a 'Tracking cookie' and refuse to serve it along with the request or make it accessible via javascript.
An alternative is also to detect that the LTI launch is happening inside the an iframe and to bust that iframe out to a new window, or alternatively configure the launch inside Brightspace to not use a iframe at all.

Amazon s3 form post/upload redirecting to bucket after success on iOS safari/chrome only how to stop?

I have a web app that allows users to upload photos to an S3 bucket via HTML form. It works exactly as expected on all desktop browsers, which is to do nothing after a successful upload. However in iOS safari and iOS chrome, it redirects to the bucket. If I "Handoff" the page over to safari on my mac it is an xml response of the entire bucket, it appears.
Does anyone know why this would happen and how to fix it? Normally I can find something via google and the forums but I'm finding nothing!
We are not specifying "success action redirect" or "success action status" on our form.
Also, it works as expected in chrome on an android device.
We do not want any sort of redirect to occurs, we handle things on the client after clicking the submit/post button.
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js"></script>
<div id ="mainContent">
<form action="https://s3.amazonaws.com/{!awsKeySet.Name}" method="post" enctype="multipart/form-data" id="uploadForm">
<input type="hidden" name="key" id="key" />
<input type="hidden" name="AWSAccessKeyId" value="{!awsKeySet.AWS_AccessKey_Id__c}" />
<input type="hidden" name="policy" value="{!policy}" />
<input type="hidden" name="signature" value="{!signedPolicy}" />
<input type="hidden" name="acl" value="{!acessType}" />
<input type="hidden" name="Content-Type" value="{!Content_Type}" />
<!--input type="hidden" name="success_action_status" value="201" /-->
<!--input type="hidden" name="success_action_redirect" value="{!ForRedirect}" /-->
<h4 class="fileToUpload">Select a File to Upload in AWS</h4><br />
<div class="row">
<input type="file" size="50" name="file" id="file" />
</div>
<div id="fileName"></div>
<div id="fileSize"></div>
<div id="fileType"></div>
<div class="row">
<input type="submit" value="Upload" id="btn_submit" />
</div>
<div id="progressNumber"></div>
</form>
</div>
<script>
$(document).ready(function () {
var _requestBucket;
$("#btn_submit").click(function(event){
//alert(1);
event.preventDefault();
var _file;
_file = $("#file").val().replace(/.+[\\\/]/, "");
console.log('_file '+ _file);
$("#key").val(_file);
$("#uploadForm").submit();
});
});
</script>
Thank you!
I wish someone could have shed more light on this but sadly, this is a bug in iOS webkit browsers. It appears to have been fixed in Android and Desktop. So, if anyone stumbles on this problem, included is the bugzilla link for it
Bugzilla link for Proper handling of HTTP 204
More detail : According to the amazon s3 docs
If the value is set to 200 or 204, Amazon S3 returns an empty document with a
200 or 204 status code.
If the value is set to 201, Amazon S3 returns an XML document with a
201 status code.
If the value is not set or if it is set to an invalid value, Amazon S3
returns an empty document with a 204 status code.
According to HTTP 1.1 -
10.2.5 204 No Content
The server has fulfilled the request but does not need to return an
entity-body, and might want to return updated metainformation. The
response MAY include new or updated metainformation in the form of
entity-headers, which if present SHOULD be associated with the
requested variant.
If the client is a user agent, it SHOULD NOT change its document view
from that which caused the request to be sent. This response is
primarily intended to allow input for actions to take place without
causing a change to the user agent's active document view, although
any new or updated metainformation SHOULD be applied to the document
currently in the user agent's active view.
The 204 response MUST NOT include a message-body, and thus is always
terminated by the first empty line after the header fields.
This is not happening in either webkit browsers for iOS, currently. Sadly. I cannot find a way around this, other for Apple to fix it!

Javascript to automatically login to third party site

I am trying to create a javascript that will automatically press a submit button on a third party website. Basically, if I wanted to automatically log in to a site with a cookie filling in my username and password, for example a google account, the javascript would automatically press the submit button without me having to do it.
I guess what you're looking for is the .click() method that all buttons have. A more detailed explanation is below...
You can use a frameset with your JavaScript code in one frame and the third party page in another. For example:
<!-- Main page -->
<HTML><frameset rows="0,*">
<!-- You see your script page. To see the actual login page, swap the * and the 0. -->
<frame src="http://third.party.website.com/login/page.htm" name="theirframe" />
<frame src="myscript.html" name="myframe" />
</frameset></HTML>
And if the page you want to login to is like this (cleaned up from Gmail's login page, they have a lot of oddly-placed newlines and spaces!):
<!-- Third-party page -->
<div class="email-div">
<label for="Email"><strong class="email-label">Username</strong></label>
<input type="email" spellcheck="false" name="Email" id="Email" value="">
</div>
<div class="passwd-div">
<label for="Passwd"><strong class="passwd-label">Password</strong></label>
<input type="password" name="Passwd" id="Passwd">
</div>
<input type="submit" class="g-button g-button-submit" name="signIn" id="signIn" value="Sign in">
Then your script would probably be something like this:
<!-- Your script page (myscript.html) -->
<HTML><body>
<!-- Insert custom message here... -->
Logging you in......
<script>
//parent.theirframe.document.getElementById("Email").value = getemail();
//parent.theirframe.document.getElementById("Passwd").value = getpass();
parent.theirframe.document.getElementById("signIn").click();
</script>
<body></HTML>
If your browser is telling you that "The element with ID "Email" doesn't exist" or something, the your browser probably loaded your script page before the login page. In that case, you'll have to put the login page in a named iframe within your custom page and place your script after the iframe in the body of the page. If you do end up doing that, this page will help you out with accessing the iframe's content.
Hope this helps out.

jQuery UI dialog form submit that is defined with method=POST some how turns into a GET

I can use some help to understand jQuery and jQuery UI dialog a bit better.
I'm using jQuery v1.8.18 UI Dialog and jQuery v1.7.1 to load an html page that contains a form. The form itself was generated by a Django template. After filling out the form and click on 'Submit', I looked at the HTTP request as seen on the Django server side. The server sees it as an ajax request of type GET with empty GET and POST dictionaries.
The expected result would be a POST with actual submission data in it. Can someone help me understand how UI Dialog changed a POST request into a GET? I'm using Firebug but need some debugging ideas. Thanks.
This is how I created the UI Dialog:
<script>
$(document).ready(function() {
var $dialog = $('<div></div>').load('/friend-request/').dialog({autoOpen:false, title:'Friend Request', modal:true});
$('#friend-request').click(function() {
$dialog.dialog('open');
// prevent the default action, e.g., following a link
return false;});
});
</script>
The element #friend-request is just an HTML anchor. My form loaded just fine into the dialog. Here is the HTML form code that was generated.
<form id="id-friendreq" method="post">
<div style="display:none"><input type="hidden" value="12a94012df543b050d69f46f0012345" name="csrfmiddlewaretoken"></div>
<div class="ctrlHolder" id="div_id_to_user">
<label for="id_to_user">
To user<span class="asteriskField">*</span>
</label>
<input type="text" maxlength="15" name="to_user" id="id_to_user">
</div>
<div class="ctrlHolder" id="div_id_message">
<label for="id_message">
Message<span class="asteriskField">*</span>
</label>
<textarea class="textarea" cols="40" id="id_message" name="message">Hi, please add me as your friend.</textarea>
</div>
<div class="buttonHolder">
<input type="submit" id="submit-id-submit" class="submit submitButton button white" value="Submit" name="submit">
</div>
</form>
If you aren't setting the ajax option type to "POST" or using a convenience method like $.post(), default is "GET"
http://api.jquery.com/jQuery.ajax/
The post method is used only if you submit some data.
$(el).load(url,data,success)
If you are not supplying any data, then it is equivalent to a blank get query. Even on server side, if you don't send any data, there is no way for the server to know if you made a post or get request. Honestly, its just about data, you can send post data with a get query as well
If you must use a POST request explicitly use:
$.post(url,{},function(data){$('<div></div>').html(data)});

Redirect user to directory based on form input

I know enough about the coding end of web design to be embarrassed by what I don't know. What I want to do is to have various print promotions in newspapers and what not along the lines of: for more information please visit www.mysite.com/2345.
If the visitor doesn't enter the entire url in the nav bar and ends up at the main index, I want to have a text field there so they can enter "2345", hit enter or submit, then be redirected to www.mysite.com/2345 wherein the folder's index page will load.
I usually search and find the coding info I'm looking for, but I can't figure out a concise way to search this particular problem. Can anyone help with this or point me in the right direction for help elsewhere?
Thanks.
Pretty simple with JavaScript, here's a working example:
<form onsubmit="location.href='http://www.mysite.com/' + document.getElementById('myInput').value; return false;">
<input type="text" id="myInput" />
<input type="submit" />
</form>
You can do it using javascript. Here's a terribly ugly example but should give you an idea.
<form>
<input type="text" id="number" name="number" />
<input type="submit" onclick="window.location = window.location + '/' + number.value; return false;"/>
</form>
Ideally you'd also handle it in whatever server side language you're using as well. Here's a PHP example:
<?
if(isset($_POST['number'])){
header('Location: http://www.yourdomain.tld/'.$_POST['number']);
exit;
}
?>
Very simple example with PHP, so that you can understand how it works. Very simple.
<?php
if (isset($_POST['bt']))
{
header("Location: http://localhost/" . $_POST['folder']);
}
?>
<html>
<form id="form1" name="form1" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<input type="text" name="folder" id="folder" />
<input type="submit" name="bt" id="bt" value="Go To" />
</form>
</html>
This is you index.php File, in your htdocs/www folder.
The PHP notices when you click the button and it will redirect you to
http://www.yourdomain.com/what-you-have-writen-in-the-textfield
You can also do it with JavaScript, but with PHP it will work even if your visitor browser has JavaScript disabled.

Resources