In my application I am using the MSSQL ReportViewer ASP.NET control inside an AJAX tab panel as an IFrame. My choice of putting that in an IFrame is because of this answer.
While loading the iframe my app sends a query string to the iframe window, something like this inside the URL:
TabID=92&_dc=1362044299421&doc_id=456
The doc_id param is my param and it is filled in the main window before loading of the IFrame.
The _dc parameter, I think, is an AJAX parameter automatically added to the query string.
What would be the way to secure an IFrame from unwanted loading by something other than my main web Form?
I do not want to allow users to open a web browser and enter a URL with some other "doc_id" param, pass that to my ASP.NET sub-page and get unwanted data.
How can I secure my sub-page, which is opened inside an IFrame, so that it renders only if it is called by my WebForm?
Can this _dc parameter be used as a checksum or key for securing the query string inside the URL?
You should generate a random per-session variable in your main form's server-side code, pass it in the URL query, and check if it is correct in your iframe page's server-side code.
Also you shouldn't forget to check if your user is authorized, using the same methods (like an authorization cookie) as on the main page.
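The per-session token and the authorization check described above, as an added example that is not the answerer's code. It assumes ASP.NET Web Forms with Forms Authentication; the page names (Main, Report), the server-side iframe control reportFrame, the Session key "IframeToken" and the query parameter t are hypothetical.

```csharp
// Added example, not the original answer's code: CSPRNG token stored in Session, passed in
// the iframe URL, and checked on the sub-page. Page/control names (Main, Report,
// reportFrame, the "IframeToken" key) are hypothetical; assumes ASP.NET Web Forms.
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.UI;
public partial class Main : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!User.Identity.IsAuthenticated) { Response.Redirect("~/Login.aspx"); return; }
        var token = Session["IframeToken"] as string;
        if (token == null)
        {
            var bytes = new byte[32]; // 256-bit token from a CSPRNG, never System.Random
            using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes);
            token = Convert.ToBase64String(bytes);
            Session["IframeToken"] = token;
        }
        int docId = 456; // hypothetical: resolved by the main page, as in the question
        // UrlEncode makes the base64 characters (+ / =) safe inside the query string.
        reportFrame.Attributes["src"] = "Report.aspx?doc_id=" + docId + "&t=" + HttpUtility.UrlEncode(token);
    }
}

public partial class Report : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        var expected = Session["IframeToken"] as string;
        var supplied = Request.QueryString["t"];
        // Same authentication check as the main page, then the token check; fail closed.
        if (!User.Identity.IsAuthenticated || expected == null || supplied == null
            || !FixedTimeEquals(expected, supplied))
        {
            Response.StatusCode = 403;
            Response.End();
        }
        // The token proves the request came from this user's session, not that the user may
        // see doc_id: authorise doc_id against the current user before rendering the report.
    }
    // Compare without early exit so the check does not leak how many characters matched.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Because the token travels in the URL it can land in proxy logs and Referer headers, so keep it per-session rather than long-lived.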
I have got a bit of a strange issue with our website.
We use Helicon ISAPI_Rewrite on IIS 6.0; the actual rewriting of web addresses works fine, but...
When I try to log in via an ASP.NET LoginStatus control it redirects to the login.aspx page with a 'ReturnUrl' querystring parameter:
/account/login.aspx?ReturnUrl=%2fwindfarms%2fbarrow-united-kingdom-uk01.html
However, for some strange reason it's adding the original non-rewritten querystring parameter to its ReturnUrl parameter, like so:
/account/login.aspx?ReturnUrl=%2fwindfarms%2fbarrow-united-kingdom-uk01.html %3fwindfarmID%3duk01
To clarify, in the '.htaccess' file we have:
RewriteRule [\w\W\s\S-]*-(\w\w\d[\d\w]+)\.html windfarms.aspx?windfarmID=$1 [QSA]
Our rewritten web address would then look like:
barrow-united-kingdom-uk01.html
However, when clicking on the ASP.NET LoginStatus control it looks like:
/account/login.aspx?ReturnUrl=%2fwindfarms%2fbarrow-united-kingdom-uk01.html%3fwindfarmID%3duk01
which after logging in successfully ends up looking like this:
/barrow-united-kingdom-uk01.html?windfarmID=uk01
Why is this happening and how could I prevent this?
Thanks all.
Update
I have found out that the actual form action has already changed before hitting the ASP.NET LoginStatus control, so the HTML looks like this before pressing the 'Login' button:
<form name="aspnetForm" method="post" action="barrow-united-kingdom-uk01.html?windfarmID=uk01" id="aspnetForm">
The "ReturnUrl" parameter is returned from your ASP code (even though it is done automatically), and when ASP.NET comes into play the URL is already rewritten to its query string form (that is the purpose of URL rewriting, after all). So when the server-side ASP code sends a login redirect back to the client, it uses the rewritten (query string) form of the URL. Unfortunately, there is no easy solution to this problem except for overloading the login operation and embedding some logic on the server side to transform URLs back into their friendly form before they are sent to the client.
Or you can write a rule before yours to redirect the query string form back to the rewritten one. This will make it look neat to the user, and SEO friendliness is not important here as the Google crawler will unlikely ever log into your site. Please add this before your rule:
RewriteCond %{QUERY_STRING} (.*)windfarmID=[^&]+(.*) [NC]
RewriteRule ([\w\s]*-\w\w\d[\d\w]+\.html) $1?%1%2 [NC,R]
I am developing an application in ASP.NET using C#. In my application there are two pages, abc.aspx and xyz.aspx. I am opening the xyz.aspx page in an iframe of abc.aspx.
In the xyz.aspx page I have an ASP hidden field named ht_test_access. Now my requirement is that I have to access the value of that hidden field from abc.aspx directly, without querystring, session, cookies etc. Please help.
You can use Button.PostBackUrl and Page.PreviousPage to get the previous page's form data. The MSDN article Cross-Page Posting in ASP.NET Web Pages explains it very well.
string text = ((HiddenField)PreviousPage.FindControl("hdnField")).Value;
Cross-page posting is similar to hyperlinks in that the transfer is initiated by a user action. However, in cross-page posting, the target page is invoked using an HTTP POST command, which sends the values of controls on the source page to the target page. In addition, if the source and target page are in the same Web application, the target page can access public properties of the source page. As always, all of the pages in the application can share information stored in session state or application state.
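The cross-page post from the answer above, carried through with the checks a target page needs before trusting PreviousPage, as an added example (not the answerer's or MSDN's code). The button name btnSend, the label lblResult and the validation rule are hypothetical; the markup for xyz.aspx is given in the leading comment.

```csharp
// Added example, not from the original answer: reading the hidden field from the source
// page via cross-page posting. Control names, lblResult and the validation rule are hypothetical.
// xyz.aspx (source page, shown inside the iframe) needs:
//   <asp:HiddenField ID="ht_test_access" runat="server" />
//   <asp:Button ID="btnSend" runat="server" Text="Send" PostBackUrl="~/abc.aspx" />
using System;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class abc : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // PreviousPage is null on a normal request; IsCrossPagePostBack is false when the
        // page posted to itself (Server.Transfer also sets PreviousPage, but not this flag).
        if (PreviousPage == null || !PreviousPage.IsCrossPagePostBack) return;

        // With a master page the field lives inside a ContentPlaceHolder, so search
        // PreviousPage.Master's placeholder instead of the page itself.
        var field = PreviousPage.FindControl("ht_test_access") as HiddenField;
        if (field == null) return;

        string value = field.Value;
        // The hidden field is client-controlled: treat it as untrusted input, exactly like
        // a query string value, before using it for any access decision.
        if (!IsValidAccessValue(value)) { Response.StatusCode = 400; return; }
        lblResult.Text = Server.HtmlEncode(value); // encode before writing it into the page
    }

    // Hypothetical rule for this example: only short alphanumeric tokens are accepted.
    private static bool IsValidAccessValue(string v)
    {
        if (string.IsNullOrEmpty(v) || v.Length > 64) return false;
        foreach (char c in v) if (!char.IsLetterOrDigit(c)) return false;
        return true;
    }
}
```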
Having a C# WebBrowser control inside my WinForms application, and being aware of the Navigating event, I have never come up with a nice and elegant solution to the following:
If a user actively navigates to another URL, I want to allow it.
If the page redirects "on its own" to another URL, I want to cancel it.
For case 1 there are some cases I can think of:
The user clicks an a tag and the href attribute is evaluated to load another URL.
The user clicks on an element with an onclick JavaScript event handler which calls a function that uses window.location to load another URL.
For case 2 I can think of:
The loaded page contains an iframe tag that loads a URL inside the IFrame. This fires the Navigating event.
There is some JavaScript timer that is started on page load and, when it fires, uses window.location to load another URL.
The loaded page contains a meta refresh header tag to load another URL after some seconds.
So my question is:
How can I detect inside the Navigating event (or any other mechanism) whether a redirect is triggered explicitly by the user or implicitly by the page?
Some more information
The WebBrowser is being used inside a Windows-based CMS backend application.
I therefore have full control over the content loaded inside the WebBrowser control,
meaning that I can manipulate the complete HTML string before it is sent to the browser, if required.
If it is more applicable, I would also love to get JavaScript-only solutions which I could inject into the HTML being loaded.
(Please note that I do believe this is not a duplicate of this SO posting.)
My take on this is to capture user clicks on the web browser control. Have it set a flag that indicates that the user clicked on the web browser. If the flag is true, then allow redirection; if it isn't true, don't allow it. Make sure to reset the flag after n seconds if no redirection is made (or after one is made).
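The click-flag approach from the answer above, worked into a WinForms form that hosts the WebBrowser, as an added example that is not the answerer's code. The form name, the Open() method, the 2-second allow window and the treatment of named frames are assumptions of this example.

```csharp
// Added example, not the original answer's code: the click-flag approach in a WinForms form
// that hosts a WebBrowser. Form name, the 2-second window and Open() are hypothetical.
using System;
using System.Windows.Forms;

public class CmsBrowserForm : Form
{
    private readonly WebBrowser browser = new WebBrowser { Dock = DockStyle.Fill };
    private readonly Timer resetTimer = new Timer { Interval = 2000 };
    private bool userInitiated; // set by a mouse click inside the document, cleared by timer
    private bool appInitiated;  // set by our own Open() so the initial load is not cancelled

    public CmsBrowserForm()
    {
        Controls.Add(browser);
        browser.Navigating += Browser_Navigating;
        browser.DocumentCompleted += Browser_DocumentCompleted;
        resetTimer.Tick += (s, e) => { userInitiated = false; resetTimer.Stop(); };
    }

    public void Open(string url)
    {
        appInitiated = true;
        browser.Navigate(url);
    }

    private void Browser_DocumentCompleted(object sender, WebBrowserDocumentCompletedEventArgs e)
    {
        // DocumentCompleted also fires for frames; hook only the top-level document.
        if (e.Url != browser.Url || browser.Document == null) return;
        browser.Document.MouseDown += (s, ev) =>
        {
            userInitiated = true;          // a real click opens a short allow window
            resetTimer.Stop(); resetTimer.Start();
        };
    }

    private void Browser_Navigating(object sender, WebBrowserNavigatingEventArgs e)
    {
        // Our own loads and the control's initial about:blank document are always allowed.
        if (appInitiated || e.Url.ToString() == "about:blank") { appInitiated = false; return; }
        // Named frame loads are cancelled outright; everything else must follow a recent click,
        // so meta refresh and JavaScript timers are cancelled while link clicks pass.
        bool isNamedFrame = !string.IsNullOrEmpty(e.TargetFrameName);
        if (isNamedFrame || !userInitiated) { e.Cancel = true; return; }
        userInitiated = false;             // one click authorises one navigation
        resetTimer.Stop();
    }
}
```

This is a heuristic, as the answer says: a page script can still navigate inside the window that follows any click, so the CMS should also keep untrusted content out of the HTML it feeds the control.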
It seems you are trying to achieve an anti-ads/popup/redirect pattern.
From the web browser's perspective, clicking <a href="some.url"> is no different from JavaScript window.location = "some.url"; or a 302 redirect response. There are no explicit signals, no such convenience methods.
The WebBrowser control is just a proxy to the IE component. You can't intercept the browser's engine or even disable/enable JavaScript, as it's part of the Internet security options.
You have to create special logic to prevent every possible case of redirection.
e.g.
Verify the HTML string, then restrict some JavaScript patterns, headers or iframes with Regex.Replace before rendering.
using System.Text.RegularExpressions;
// Singleline lets .*? span line breaks; \b[^>]*> also matches a bare <script> with no attributes
var scriptEx = new Regex(@"<script\b[^>]*>.*?</script>", RegexOptions.IgnoreCase | RegexOptions.Singleline);
var iframeEx = new Regex(@"<iframe\b[^>]*>.*?</iframe>", RegexOptions.IgnoreCase | RegexOptions.Singleline);
Or intercept the Navigating URL and cancel unsafe URLs, etc.
How can I check using C# if a "redirect" to the "default document" happened?
For example, in the browser I type the URL mysite.com/. When on the server I check HttpContext.Current.Request.Url.AbsoluteUri, I receive mysite.com/default.aspx...
How can I get the exact URL that the user has in his browser?
Thanks
EDIT: After some questions about the needs, I will give more details.
I have a page default.aspx with an iframe inside of it. The iframe src is not the same origin (default.aspx is HTTP and the iframe content is HTTPS). On the server side, I need to set a query string param on the src of the iframe to include the exact URL that the user has in the browser. I need it in order to be able to set parent.location = parentURL + '#myparam' on the iframe client side.
Currently everything works fine, except when the request is made to the domain name without providing a file name.
Try HttpContext.Current.Request.RawUrl
You typed
mysite.com/.
and you get
mysite.com/default.aspx...
because you have set default.aspx as the default / start-up page in your site. The browser always redirects to the default page. I think when we type mysite.com ASP.NET automatically appends the default page to the URL, so when we use Request.Url we get mysite.com/default.aspx.
Reading your intention for the IFrame, perhaps you are looking for a frameset script to determine the redirection?
if (parent.location.href == window.location.href)
{
    // your redirection code...
}
EDIT:
Given the different HTTP and HTTPS schemes, it's likely the Same Origin Policy kicked in. There is a workaround: you could use the postMessage interface for cross-site communication.
Another option would be managed by the server (IIS), so that both http/https URL requests are set to the default document; then you don't need to alter client-side scripting for such complicated handling.
You should delete the 'Default.aspx' page from your IIS default document list. Then you get the exact URL that the user entered.
I've an application that uses another web site's data, so how can I get it, because it uses some JavaScript functions to get that data and it does not show in the page view-source?
Check the NET tab in Firebug, XHR, and check the resource that is requested, and request the same resource.
Basically you have to render the webpage and ensure the JavaScript functions are run (evaluated). You could do this by "borrowing" their JavaScript files (by linking to them from your own page), but this may not work as you don't know what's in those files; they could be accessing DOM elements that you don't have in your page, or calling other domains, which may prevent them from working correctly.
The easiest way to show the same data is to just host the page inside an iframe on your own page. If you are looking to do this from a normal client application (i.e. not a web app) then you will need a browser control that you navigate to the target page. If the browser control is invisible you could then scrape values from it and show them in your app, although this is a very clumsy way to do it, and it's debatable how ethical it is.
If you want the other web site's view source, use HttpWebRequest to get the response stream in C#.