I have an asp.net mvc website that returns a JSON result to certain pages on the website. I would like to be able to also return results to iframes being hosted on other websites. However, if the request is coming from an iframe on another website (I mean from an iframe being hosted on another domain), I would like to be able to detect this in the action of the controller and adjust the results accordingly. Is it possible to know in the action that the request is coming from another domain (or from an iframe, either way)?
Many thanks in advance! I don't have much experience working across domains...
Is it possible to know in the action that the request is coming from another domain
From another domain yes => simply inspect the Request.Url property. From an iframe, no, you can't. There's nothing defined in the HTTP protocol which enforces requests coming from an iframe to be anyhow different than normal requests.
Request.UrlReferrer has a browser-specific issue; it will probably not work for IE versions less than 9. So you might want to consider that as well.
My client redirects to a https://domain.com/Controller/GetInfo?Querystring method. Now my query string is getting dangerously close to the 2K limit, so I need to reproduce this behavior but pack my query string into the content of the messages. Since it would be heresy (etc.) to try a GET with content, I'll use a POST. However, I can't redirect to a POST since a Redirect has no content.
So, what I am looking for is the best MVC 5 pattern to resolve this: I need to provide lots of content, but I want the resulting page hosted on my remote server (i.e. as if I had redirected)
Also, since I use load balanced servers in azure, I'd prefer maintaining my clean stateless server if at all possible (else I'll have to introduce session caching).
@AntP is absolutely right in the comments above. If your query string is approaching 2K, then you're abusing it.
If there's a particular object you're referencing, then you can simply include the id or some other identifying piece of it and use that to look it up again from your data store.
If there's no persistent record of the object, then you can use something like Session or TempData to store it between one request and the next.
Regardless, it's not possible to redirect with a request body, which also means it's not possible to redirect using POST. The reason for this is that a redirect is not something the server does, but rather the client. The server merely suggests that the client go to a different URL. It's then up to the client (web browser) to issue a new request for that URL. Since the client is the one issuing the request, it makes the decision about what data is or isn't included in that request, not the server.
There was some coding error recently, and the site was down for a couple of hours during working hours.
Our site is basically a publishing site; users can upload some Excel files and we grab information and generate some PDFs.
The final pdf location is something like
https://SomeUrl.url.com/Documents/ClientName/DocumentName.pdf
Documents is the controller and we map it to some action and ClientName and document name are the parameters.
What the client wants is that even if the site is down (meaning they can't upload or modify anything), the above URL should still be up.
Other than rewriting the whole logic, is there something we can do at the IIS level?
I thought about url rewriting or url redirect, but don't really think it is possible.
Anyone got any ideas?
Many Thanks
URL Rewrite IIS Extension won't be helpful as it's based on URL pattern. It doesn't care about whether the site is up or down.
You should consider setting up a load balancer instead. It's its job to decide which server to hit depending on server current load or if it's available or not.
I have a website, let's just call it search, open in one of my browser pages. search has a form, which when submitted runs queries on a database to which I don't have direct access. The problem with search is that the interface is rather horrible (one cannot save the aforementioned queries etc.)
I've analyzed the request (with a proxy) which is sent to the server via search and I am able to replicate it. The server even sends back the correct result, but the browser is not able to open it. (Same origin policy). Do you have any ideas on how I could tackle this problem?
The answer to your question is: you can't. At least not without using a proxy as suggested in the answer by Walter, and that would mean your web site visitors would have to knowingly login to your web site using their other web site's credentials (hmm doesn't sound good...)
The reason you can't do this is related to security, if you could run a script on the tab next to the one with the site open (which is what I'm guessing you want to do), you would be able to do a CSRF attack and get any data you wish and send it to hack.com
This is, of course, assuming that there has to be a login somewhere in the process, otherwise there's no reason for you to not be able to create a simple form which posts the required query and gets the info.
If you did have access to the mentioned website, you would be able to support cross domain xml using JSONP.
It is not possible to bypass the same origin policy in javascript (assuming that you want to do it with that considering your question). You need to set up a proxy server side that is doing the request for you and returns the html.
A simple way of doing this in PHP would be like this:
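<?php
// Server-side proxy: forward the incoming query string to the fixed upstream host
// and relay the response body back to the browser.
echo file_get_contents("http://searchdomainname.com" . "?" . http_build_query($_GET, '', '&'));
?>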
I want to create the controller to achieve the behavior shown in the graph below:
Can someone provide an example if that is possible?
EDIT: Just want to proxy all post requests using Facebook SDK from Site A to Facebook (Site C) through Site B.
Found this code if it's helpful:
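def default
  # Fetch the requested URI from the internal server and relay its body.
  result = Net::HTTP.get_response(
    "realserver.internal.net",
    @request.env["REQUEST_URI"]
  )
  #render error if result. ...
  render_text result.body
end
end # closes the enclosing controller class (not shown)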
Looks like you don't need rails here at all. What you want is a reverse proxy (plenty of choice here). I would recommend nginx
It looks like you're trying to either hide where a request is going to, or get around the browser's csrf protection. If the former, you would want to limit the URLs that can be requested from site C because you could potentially expose all of site C's intranet pages over the internet. If the latter, have you considered JSONP or CORS? This would be faster for the users, and have less traffic going through site B.
Be aware that with the approach you have drawn in the diagram that you are presenting site C's content as belonging to site B, with all the security and legal concerns this entails.
If you still want to do it the way you have described, if you can keep the same path, query string and fragment id between site B and site C, your above example would be workable.
Also, don't refer to @request, use request. request.fullpath can be used in place of @request.env["REQUEST_URI"]
EDIT: Also, aVenger is right, a reverse proxy would also work. Advantages: faster, less code. Disadvantages: Cannot programmatically determine whether to accept the request, add dynamic variables to the request, etc. For your Facebook thing it would probably work.
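An added example, not part of the answers above: one way to apply the advice to limit which URLs the proxy on site B will forward, written in JavaScript. The upstream origin, the allowlisted prefixes and the function name are hypothetical.

```javascript
// Hypothetical values: the one upstream the proxy may reach and the
// path prefixes it is allowed to expose.
const UPSTREAM_ORIGIN = "https://site-c.example";
const ALLOWED_PREFIXES = ["/api/public/", "/help/"];

// Returns the upstream URL to fetch, or null when the request must be refused.
function resolveUpstream(requestTarget) {
  // Accept only origin-form targets ("/path?query"). This refuses absolute
  // URLs, protocol-relative "//host/..." forms and backslash variants.
  if (typeof requestTarget !== "string" ||
      !requestTarget.startsWith("/") ||
      requestTarget.startsWith("//") ||
      requestTarget.includes("\\")) {
    return null;
  }
  let url;
  try {
    // The URL parser resolves "." and ".." segments, so the prefix check
    // below runs on the resolved path rather than on the raw input.
    url = new URL(requestTarget, UPSTREAM_ORIGIN);
  } catch {
    return null;
  }
  // The parser strips tabs and newlines, which can turn "/\t/host" into
  // "//host"; re-check that the result still points at the upstream.
  if (url.origin !== UPSTREAM_ORIGIN) return null;
  // Refuse encoded dots and separators that the upstream might decode again.
  if (/%2e|%2f|%5c/i.test(url.pathname)) return null;
  const allowed = ALLOWED_PREFIXES.some((p) => url.pathname.startsWith(p));
  return allowed ? url.href : null;
}
```

The same check applies to the PHP proxy shown earlier if it is ever extended to forward a caller-supplied path instead of only the query string.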
I have two sites, my main site and a help site with documentation. The main site is Rails but the other is simply a WordPress-like blog. Currently I have it being pulled into the main site with an iframe, but is there a good way to pull in the HTML from the other site as some sort of cross-domain (sub-domain actually) partial? Or should I just stick with what works?
If the data sources were all on the same domain, you would be able to utilize straight AJAX to fetch your supplemental content and graft it onto your page. But, since the data is from different domains, the same origin security policy built into web browsers will prevent that from working.
A popular workaround is called JSONP, which will let you fetch the data from any cooperating server. Your implementation might look something like this (using jQuery):
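$.getJSON(
    // "callback=?" makes jQuery issue a JSONP request and fill in the callback name
    "http://my.website.com/pageX?callback=?",
    function(data) {
        // data is the value the server passed to the callback; it is inserted as HTML
        $("#help").append(data);
    }
);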
The only hitch is that the data returned by your server must be wrapped as a javascript function call. For example, if your data was:
<h1>Topic Foo</h1>
Then your server must respond to the JSONP request like this:
callbackFunction("<h1>Topic Foo</h1>")
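An added example, not part of the answer above: a server-side helper in JavaScript that builds the wrapped response, validating the caller-supplied callback name and escaping the payload so the result is always a single function call. The function name, the response shape and the 64-character limit are assumptions made for this example.

```javascript
// Allow only dotted JavaScript identifiers, e.g. "jQuery1123_1" or "app.onHelp".
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

// Builds the JSONP response for a request's "callback" parameter.
// Returns a plain object so any web framework can send it.
function jsonpResponse(callbackParam, payload) {
  // The callback name is echoed into executable script, so anything that
  // is not a plain identifier is refused instead of being reflected.
  if (typeof callbackParam !== "string" ||
      callbackParam.length > 64 ||
      !CALLBACK_RE.test(callbackParam)) {
    return { status: 400, contentType: "text/plain", body: "invalid callback" };
  }
  // JSON.stringify quotes and escapes the payload into a valid JS literal.
  // "<" is escaped so the body cannot close a surrounding <script> element,
  // and U+2028/U+2029 are escaped for engines that treat them as newlines.
  const literal = JSON.stringify(payload)
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return {
    status: 200,
    contentType: "application/javascript; charset=utf-8",
    body: callbackParam + "(" + literal + ");",
  };
}
```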