I need to redirect the top frame on a form post and it should work irrespective of javascript and across all major browsers.
I can redirect to a page with a link and its target attribute set & and asking the users to click the link.
But would like to know whether I can do it in a 302 Response itself.
No. A 302 (or 301, or 303) response only specifies that the browser has to look elsewhere for the requested document (as specified by the Location header). The concept of browser frames is completely outside the scope of HTTP.
However, browser frames are defined in HTML, and so is the target property on form elements:
<form action="/somescript?x=y" method="POST" target="_top">
This will make the form submit to the _top frame, which means "use the full browser window". This is supported across all modern (and most older, e.g. IE4) browsers and does not require JavaScript.
Related
So this is really weird: But When trying to connect with Asana I get:
Error: invalid_request: The `redirect_uri` parameter does not match a valid url for the application.
I have literally copied and pasted the example from here
I've literally done everything I can do (Ive been researching all day but nothing works - about 6 hours) What Am I doing wrong?
You can use the variant of the special redirect URI, urn:ietf:wg:oauth:2.0:oob:auto (same as the other, just :auto appended to the end) which is intended for apps that drive a browser themselves and can programmatically read out the token and close the window.
But for both of the redirect URIs you are using, the title of the window should read Success <query-string> where that string is the query parameters that would get passed to the redirect. So for the authorization flow it will include code=....
Your app, assuming it controls a browser window, should be able to navigate to the URL, wait for it to load, read out the title, then close the window, all without user intervention (except for the user actually doing the authorization in the browser window, of course).
I have an HTTPS post coming in via a secure form. Without going into lengthy explanation: I need to call an action within the same controller that accepts two tokens passed as parameters. When I run Fiddler, I see that that method is being called with the parameters in the URL. My question is: Does this pose a security risk? Is there a more secure way of redirecting within the same controller?
Yes, it poses a security risk, but it is easily mitigated by simply validating that the urls you are redirecting to are within the same domain as your source destination.
In fact, this is on the OWASP top 10.
A10 - Unvalidated Redirects and Forwards
EDIT:
I just realized that I missed the "ToAction" part of the question, so no.. It's not really possible to redirect outside of the site with RedirectToAction, so there isn't a worry for that. However, if you are using direct user input to feed into your RedirectToAction (and that includes accepting post data that you generate in a different page) then it's possible that an attacker could redirect to a method you did not anticipate. However, this is no different from a user simply trying random URL's and hitting one, or knowing a url and going to it manually. You need to have authorization in place to prevent access to URL's that the user does not have authorization to view.
If the original Action is accessed via HTTPS then RedirectToAction will redirect to a relative URL on the same domain using the same protocol.
So if your original page is
https://www.example.com/Foo/Bar
and this redirects to the FooBar action with some route parameters:
https://www.example.com/Foo/FooBar/1/2/3
an attacker cannot read the parameters 1/2/3 nor the rest of the URL.
However, the things you should bear in mind are:
The URL parameters will be logged by default by the browser (history), your server, by corporate proxy servers and possibly by other devices on your network by default.
If the user follows any links from your page to other https URLs, the referer HTTP header will contain your page address including parameters. Modern browsers will not send the referer header with http links though.
If there are any other https resources on your page this will cause the browser to send the referer header with the request.
For these reasons, if your parameters (1/2/3) are private, then you may wish to POST this data to the target page rather than use RedirectToAction (which results in a GET).
Note that you should be validating that the current user has access to the resources that 1/2/3 refers to (e.g. if the parameters were an order ID, you should check that the user identified by their auth cookies allow them to see the order referenced). Keeping 1/2/3 private are only beneficial if the parameters are themselves sensitive (e.g. a social security number).
Note that the OWASP Top 10 vulnerability, "A10 - Unvalidated Redirects and Forwards" does not apply here as RedirectToAction can only redirect to another action. If the other action redirects to a user set URL, then the vulnerability would lie there instead.
Does anyone know why Colorbox is not loading certain pages? I am wanting to load Google Maps on an address I have but it doesn't seem to work. I looked at the examples, and it loads Wikipedia, other known websites, and Bing.com including its maps. It does not load Google, Facebook, Twitter, or Pinterest. Although it does load Tumblr (but opens it up on the parent page and not in the iframe.
So I'm guessing Colorbox doesn't allow social media websites in the iframe? Has anyone had this problem?
Iframe does not load Google, Facebook, Twitter, or Pinterest, is because those sites have "X-Frame-Options: Deny" set on server.
http://msdn.microsoft.com/en-us/library/cc288472(v=vs.85).aspx#search
Clickjacking Defense: Some hackers try to trick users into clicking buttons that appear to perform safe or harmless functions, but instead perform unrelated tasks. Clickjackers embed malicious code or "redress" the user interface by using transparent frames that overlay specific UI elements with misleading text and images. To help prevent clickjacking, Web site owners can send an HTTP response header named X-Frame-Options with HTML pages to restrict how the page may be framed.
X-Frame-Options: Deny
If the X-Frame-Options value contains the token Deny, Internet Explorer 8 prevents the page from rendering if it is contained within a frame. If the value contains the token SameOrigin, Internet Explorer will not render the page if the top level-browsing-context differs from the origin of the page containing the directive. Blocked pages are replaced with a "This content cannot be displayed in a frame" error page.
Our project consists of an MVC area which handles authentication/authorization and rendering of pages, and an API area which also requires authentication/authorization and sends data to the page. We decided to go stateless for the server, so each request must include the authorization header with the user's credentials.
I accomplish this with the API calls with xhr.setRequestHeader('Authorization', 'Bearer ' + authCookie); in jquery's beforeSend, however I am unsure how to do this for the MVC side (each time you click a link or enter a URL, the request should include the Authorization header). Currently I'm doing this inside Application_BeginRequest and setting Request.Headers["Authorization"] = Request.Cookies["auth"];, but I want the Authorization header to be in the initial request, and not just tacked on after the request has been sent.
I believe you won't be able to set Headers; when the browser directs you to a link via an anchor click (unless you catch all anchor clicks using jquery, seems like overkill), nor will headers be sent on Form submits (Get/Post, unless you again catch all forms submissions), and the killer is the fact that server side redirects will also not resend any custom headers.
Instead of answering how to do something in jQuery, I would highly recommend reconsidering your design because based on the above facts, you will most likely run into technical limitations.
I want to differentiate between a new tab or new window request and simple request (i.e page opening in the same tab) on server or client side in MVC .net?
actually, we are nor using content placeholders in the layout page. we have div in it and child pages are loaded in it.so child aspx pages don't have Master page specified for them.
so when a new tab is opened for page, our master page is not attached to it, so all look and feel is lost.
now I want to identify a tab request #server side so as to send the required page with layout page.
I tried using Request.refferer to find the presence of master page, but the absolute URI is not always same for Firefox and IE
Current Scenario =>
1) Simple request : controller => Action => returns with Master page
2) Request generated when the user right clicks on the link and opens new tab:
controller=>ActionName => returns view without master page attached
The HTTP header fields have a fair amount of information in them, but whether or not the request originated from a new window is not included. Based on your question it sounds like you are using a lot of client side code for content retrieval and rendering - Ajax.
Assuming that is the case your best bet is looking at the nonstandard HTTP request field X-Requested-With:
mainly used to identify Ajax requests. Most JavaScript frameworks send this header with value of XMLHttpRequest
In ASP.NET MVC you can use the Request.IsAjaxRequest extension method to poke at this field. In this manner if a link is opened in a new window you can return the full page Site.Master and all. When the request is your expected behavior you'll know because it is an Ajax request.
That said, I'd recommend working on the way that you are rendering content and look up information on progressive enhancement.