Search Results

Search found 52474 results on 2099 pages for 'office web apps'.

Page 59/2099 | < Previous Page | 55 56 57 58 59 60 61 62 63 64 65 66  | Next Page >

  • Am I getting paid a reasonable wage for web engineering?

    - by sailtheworld
    I've been doing some research and it looks like most people in my line of work - WEB ENGINEERING/WEB APPLICATION DEVELOPMENT - that get paid hourly, make anywhere from $30-80 an hour for their work. With that said, I have SEVEN years of experience with web development including OOP-PHP, MySQL, jQuery, OOP-JS, interface design, ajax, database architecture, etc. I am also very strong with visual design and workflow - thus, I've made some really high quality interactive interfaces. I also have a lot of experience with Zend Framework, Symfony, Wordpress, Drupal, etc and a really strong portfolio to show for it. Here's the catch: I'm 20 years old, haven't graduated from college yet (I'm doing part time school and ~30 hours a week of web development.) But I've literally been doing web apps since I was 13 years old. So my question is: is $14 an hour a reasonable starting wage for working at a company part time?

    Read the article

  • Office 365 : première mise à jour majeure, la suite Cloud de Microsoft s'enrichit d'une trentaine de fonctionnalités

    Première mise à jour majeure pour Office 365 La suite d'outils de productivité hébergée de Microsoft s'enrichit d'une trentaine de fonctionnalités [IMG]http://ftp-developpez.com/gordon-fowler/Office%20365/Office%20365%20logo%202.jpg[/IMG] Alors que la compétition se fait de plus en plus forte avec Google et ses Google Apps, Microsoft vient d'annoncer la première mise à jour majeure d'Office 365. Pour mémoire, Office 365fonctionne par abonnement mensuel. Le service donne accès à Microsoft Office Professionnel Plus 2010 et à un ensemble complet d'outils en mode hébergé : Office Web Apps (version en ligne et simplifiée de Office 2010), Sharepoint Online 2010 (sites collaboratifs, sit...

    Read the article

  • How can I make Excel documents open in different windows?

    - by Eugene
    Office 2007, Windows Server 2008 x64. How can I make Excel so that when I double-click a document, it opens in a new Excel instance, so that I can easily view them side-by-side as separate windows and not using the View-Arrange All functionality? Now I have to go to the task bar, click on one document to see it and then click on the other document in the task bar to switch to that one. As the alternative, I close one document, open a new Excel window, then drag the document in there. Thank you.

    Read the article

  • What Do I Need To Know About Servers In a Web Development Role?

    - by john
    I know that may sound a little vague, so I'll try and explain a little further... After being self employed developer for many years I'm now in search of a commercial web developer role. My only experience with servers and hosting is uploading through FTP and playing around with CPanel/WHM a little. The role's I'm going for are web development PHP, MySQL, HTML, CSS type roles, but in recent interviews I've been asked questions about setting up things on the server, that I had no idea what was being said... which wasn't ideal! Without knowing more than I do, it's hard to explain what exactly I'm looking to learn, but it's basically just the server elements I should know as a web developer? If you're a web developer, do you have any dealing with the server apart from uploading files, and if so, what? Are things like Subversion(SVN) and version control systems often set up by the web development team, could that be what they were talking about?

    Read the article

  • Java - Problem in deploying Web Application

    - by Yatendra Goel
    I have built a Java Web Application and packed it in a .war file and tested it on my local tomcat server and it is running fine. But when I deployed it on my client's server, it is showing an error. According to the remote server (my client's server), it is not finding a tld file packed in a jar file which I had placed in WEB-INF/lib directory. But when I checked the WEB-INF/lib directory for the jar file, i found that it was there. The contents of META-INF/MANIFEST.MF is as follows: Manifest-Version: 1.0 Class-Path: I think that there is no need to explicitly mention the classpath of WEB-INF/lib directory as it is in the classpath of any web application by default. Then, why the server can't find the jar file in the lib directory when I deployed it on a remote server and why it is working when I deployed the same application on my local server. I posted a question for this at http://stackoverflow.com/questions/2441254/struts-1-struts-taglib-jar-is-not-being-found-by-my-web-application but found that the problem is unusual as nobody could answer it. So my questions are as follows: Q1. Is WEB-INF/lib still remains on the classpath if I leave the classpath entry blank as shown above in the MANIFEST.MF file or I should delete the classpath entry completely from the file or I should explicitly enter Class-Path: /WEB-INF/lib as the classpath entry? Q2. I have JSP pages, Servlets and some helper classes in the web application. Jsp pages are located at the root. Servlets and helper classes are located in WEB-INF/classes folder. So Is there any problem if my helper classes are located in the WEB-INF/classes folder? Note: Please note that this question is not same as my previous question. It is a follow-up question of my previous question. Both the servers (local and remote) are tomcat servers.

    Read the article

  • System.InvalidOperationException compiling ASP.NET app on Mono

    - by Radu094
    This is the error I get when I start my ASP.NET application in Mono: System.InvalidOperationException: The process must exit before getting the requested information. at System.Diagnostics.Process.get_ExitCode () [0x00044] in /usr/src/mono-2.6.3/mcs/class/System/System.Diagnostics/Process.cs:149 at (wrapper remoting-invoke-with-check) System.Diagnostics.Process:get_ExitCode () at Mono.CSharp.CSharpCodeCompiler.CompileFromFileBatch (System.CodeDom.Compiler.CompilerParameters options, System.String[] fileNames) [0x001ee] in /usr/src/mono-2.6.3/mcs/class/System/Microsoft.CSharp/CSharpCodeCompiler.cs:267 at Mono.CSharp.CSharpCodeCompiler.CompileAssemblyFromFileBatch (System.CodeDom.Compiler.CompilerParameters options, System.String[] fileNames) [0x00011] in /usr/src/mono-2.6.3/mcs/class/System/Microsoft.CSharp/CSharpCodeCompiler.cs:156 at System.CodeDom.Compiler.CodeDomProvider.CompileAssemblyFromFile (System.CodeDom.Compiler.CompilerParameters options, System.String[] fileNames) [0x00014] in /usr/src/mono-2.6.3/mcs/class/System/System.CodeDom.Compiler/CodeDomProvider.cs:119 at System.Web.Compilation.AssemblyBuilder.BuildAssembly (System.Web.VirtualPath virtualPath, System.CodeDom.Compiler.CompilerParameters options) [0x0022f] in /usr/src/mono-2.6.3/mcs/class/System.Web/System.Web.Compilation/AssemblyBuilder.cs:804 at System.Web.Compilation.AssemblyBuilder.BuildAssembly (System.Web.VirtualPath virtualPath) [0x00000] in /usr/src/mono-2.6.3/mcs/class/System.Web/System.Web.Compilation/AssemblyBuilder.cs:730 at System.Web.Compilation.BuildManager.GenerateAssembly (System.Web.Compilation.AssemblyBuilder abuilder, System.Web.Compilation.BuildProviderGroup group, System.Web.VirtualPath vp, Boolean debug) [0x00254] in /usr/src/mono-2.6.3/mcs/class/System.Web/System.Web.Compilation/BuildManager.cs:624 at System.Web.Compilation.BuildManager.BuildInner (System.Web.VirtualPath vp, Boolean debug) [0x0011c] in /usr/src/mono-2.6.3/mcs/class/System.Web/System.Web.Compilation/BuildManager.cs:411 at System.Web.Compilation.BuildManager.Build (System.Web.VirtualPath vp) [0x00050] in /usr/src/mono-2.6.3/mcs/class/System.Web/System.Web.Compilation/BuildManager.cs:356 at System.Web.Compilation.BuildManager.GetCompiledType (System.Web.VirtualPath virtualPath) [0x0003a] in /usr/src/mono-2.6.3/mcs/class/System.Web/System.Web.Compilation/BuildManager.cs:803 at System.Web.Compilation.BuildManager.CreateInstanceFromVirtualPath (System.Web.VirtualPath virtualPath, System.Type requiredBaseType) [0x0000c] in /usr/src/mono-2.6.3/mcs/class/System.Web/System.Web.Compilation/BuildManager.cs:500 at System.Web.UI.PageParser.GetCompiledPageInstance (System.String virtualPath, System.String inputFile, System.Web.HttpContext context) [0x0001c] in /usr/src/mono-2.6.3/mcs/class/System.Web/System.Web.UI/PageParser.cs:161 at System.Web.UI.PageHandlerFactory.GetHandler (System.Web.HttpContext context, System.String requestType, System.String url, System.String path) [0x00000] in /usr/src/mono-2.6.3/mcs/class/System.Web/System.Web.UI/PageHandlerFactory.cs:45 at System.Web.HttpApplication.GetHandler (System.Web.HttpContext context, System.String url, Boolean ignoreContextHandler) [0x00055] in /usr/src/mono-2.6.3/mcs/class/System.Web/System.Web/HttpApplication.cs:1643 at System.Web.HttpApplication.GetHandler (System.Web.HttpContext context, System.String url) [0x00000] in /usr/src/mono-2.6.3/mcs/class/System.Web/System.Web/HttpApplication.cs:1624 at System.Web.HttpApplication+<Pipeline>c__Iterator2.MoveNext () [0x0075f] in /usr/src/mono-2.6.3/mcs/class/System.Web/System.Web/HttpApplication.cs:1259 I checked the source code indicated by the stacktrace, namely :CSharpCodeCompiler.cs:267 mcs.WaitForExit(); result.NativeCompilerReturnValue = mcs.ExitCode; //this throws the exception I have no ideea if this is a bug in Mono, or if my App is doing something it shoudn't. A simple "Hello World" application indicates that Mono is properly installed and working, It is just my app that is causing this exception to be thrown. Hoping some enlighted minds have more on the issue

    Read the article

  • ASP.NET Web Service Throws 401 (unauthorized) Error

    - by user268611
    Hi Experts, I have this .NET application to be run in an intranet environment. It is configured so that it requires Windows Authentication before you can access the website (Anonymous access is disabled). This website calls a web service (enable anonymous access) and the web service calls the DB. We do have a token-based authentication between the web application and the web service to secure the communication between them. The issue I'm facing is that when I deploy this to production, I'm having an intermittent issue whereby the communication between the web application and the web service failed. The 401 issue was thrown. This is actually working fine in our QA environment. Is this an issue with Active Directory? Or could it be an isssue with FQDN as mentioned here: http://support.microsoft.com/default.aspx?scid=kb;en-us;896861? The weirdest thing is that this is happening intermittently when tested in both on the server itself and a remote workstation in my client's environment. But, this is working perfectly in my environment. OS: Windows Server SP1 IIS 6 .NET 3.5 Framework Any idea about the 401 (Unauthorized) issue?? Thx for the help... This is from the log... Event code: 3005 Event message: An unhandled exception has occurred. Event time: 4/5/2010 10:44:57 AM Event time (UTC): 4/5/2010 2:44:57 AM Event ID: 6c8ea2607b8d4e29a7f0b1c392b1cb21 Event sequence: 155112 Event occurrence: 2 Event detail code: 0 Application information: Application domain: xxx Trust level: Full Application Virtual Path: xxx Application Path: xxx Machine name: xxx Process information: Process ID: 4424 Process name: w3wp.exe Account name: NT AUTHORITY\NETWORK SERVICE Exception information: Exception type: WebException Exception message: The request failed with HTTP status 401: Unauthorized. Request information: Request URL: http://[ip]/[app_path] Request path: xxx User host address: [ip] User: xxx Is authenticated: True Authentication Type: Negotiate Thread account name: xxx Thread information: Thread ID: 6 Thread account name: xxx Is impersonating: False Stack trace: at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall) at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters) at wsVulnerabilityAdvisory.Service.test() at test.Page_Load(Object sender, EventArgs e) at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) at System.Web.UI.Control.OnLoad(EventArgs e) at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

    Read the article

  • Is there a way to identify which web framework is used in a site?

    - by ragu.pattabi
    Whenever I come across a cute website, I am always curious to know which web framework was used by its developers? Being a novice in web development, a look at the page source doesn't give any clue. Any way(s) to get this information? If possible, may be with a bit of Ruby magic, I can figure out things like: which is the most/least used framework for my favorite sites, audio/video heavy sites, etc.

    Read the article

  • Why would one use REST instead of Web services?

    - by AngryHacker
    Attended an interesting demo on REST today, however, I couldn't think of a single reason (nor was one presented) why REST is in anyway better or simpler to use and implement than a Web Services stack. What are some of the reasons Why anyone in the "real world" use REST instead of the Web Services?

    Read the article

  • Tomcat 6 is really UNSTABLE when redeploying web apps

    - by EugeneP
    Do you know how to make it more stable, maybe properties to set, memory to allocate? It always hangs up when redeploying web apps, thru manager (wars), web interface or maven plugin. every second time it gives PermGenSpace, no memory errors etc. on my local machine 3gb ram. It looks like it should be manually set up to work in a stable way. How to fix such a problem?

    Read the article

  • What's the significance of this Google Apps error code '0x8004010B' ?

    - by Freddy
    There seems to be a lack of good information around this particular Google Apps error code. Has anyone found common environmental information that causes this error? Any kind of solution? Uninstalling/re-installing Google Sync doesn't seem to do anything, I've run Outlook's executable that scans/fixes the PST file etc. Task 'Google Apps - ::user email address:: - Sending' reported error (0x8004010B) : 'Unknown Error 0x8004010B' I found a listing of error codes for the Gdata API but nothing for these types of 'unknown' error codes. Does Google have available a list of common 'unknown' error codes/messages? Thanks in advance.

    Read the article

  • bottle.py on EC2 micro instance causes 2 order of magnitude slowdown

    - by user61633
    Cross-posted from StackOverflow: I wrote a little toy script to solve this type of game, and put it on my new micro EC2 instance. It works perfectly, but while it takes around 0.5 seconds to run a local version, and takes under 0.5 seconds to run both the local and the bottle.py version on my home computer, running the bottle.py version on the EC2 instance takes over 2 minutes. Python has the cpu pegged at 99% the entire time. Only 7.4% memory usage, consistently, and no swapping. The only guess I have is initialization time for bottle.py on EC2, but if it were that, why would it be ~200x faster on my own computer with bottle.py?

    Read the article

  • Why does Postfix deliver mails locally instead of relaying them to Google Apps?

    - by user40388
    I get the following error trying to send an email to my Google Apps Email at [email protected] from my Postfix server. to=, relay=local, delay=0.09, delays=0.07/0/0/0.02, dsn=5.1.1, status=bounced (unknown user: "admin") Is there a way I can force it to not use the LOCAL relay and treat [email protected] as outside email and not look for a user in the current postfix configuration. I am trying to email the full email address "[email protected]" not only "admin". I have the Google Apps MX record on mydomain.com + SPF record which before was: v=spf1 include:_spf.google.com ~all (emailing to [email protected] used to work with that record) But I had to change it to v=spf1 a mx ip4:MY.IP.HERE include:_spf.google.com ~all

    Read the article

  • SharePoint Apps and Windows Azure

    - by ScottGu
    Last Monday I had an opportunity to present as part of the keynote of this year’s SharePoint Conference.  My segment of the keynote covered the new SharePoint Cloud App Model we are introducing as part of the upcoming SharePoint 2013 and Office 365 releases.  This new app model for SharePoint is additive to the full trust solutions developers write today, and is built around three core tenants: Simplifying the development model and making it consistent between the on-premises version of SharePoint and SharePoint Online provided with Office 365. Making the execution model loosely coupled – and enabling developers to build apps and write code that can run outside of the core SharePoint service. This makes it easy to deploy SharePoint apps using Windows Azure, and avoid having to worry about breaking SharePoint and the apps within it when something is upgraded.  This new loosely coupled model also enables developers to write SharePoint applications that can leverage the full capabilities of the .NET Framework – including ASP.NET Web Forms 4.5, ASP.NET MVC 4, ASP.NET Web API, EF 5, Async, and more. Implementing this loosely coupled model using standard web protocols – like OAuth, JSON, and REST APIs – that enable developers to re-use skills and tools, and easily integrate SharePoint with Web and Mobile application architectures. A video of my talk + demos is now available to watch online: In the talk I walked through building an app from scratch – it showed off how easy it is to build solutions using new SharePoint application, and highlighted a web + workflow + mobile scenario that integrates SharePoint with code hosted on Windows Azure (all built using Visual Studio 2012 and ASP.NET 4.5 – including MVC and Web API). The new SharePoint Cloud App Model is something that I think is pretty exciting, and it is going to make it a lot easier to build SharePoint apps using the full power of both Windows Azure and the .NET Framework.  Using Windows Azure to easily extend SaaS based solutions like Office 365 is also a really natural fit and one that is going to offer a bunch of great developer opportunities.  Hope this helps, Scott  P.S. In addition to blogging, I am also now using Twitter for quick updates and to share links. Follow me at: twitter.com/scottgu

    Read the article

  • How do I manage the technical debate over WCF vs. Web API?

    - by Saeed Neamati
    I'm managing a team of like 15 developers now, and we are stuck at a point on choosing the technology, where the team is broken into two completely opposite teams, debating over usage of WCF vs. Web API. Team A which supports usage of Web API, brings forward these reasons: Web API is just the modern way of writing services (Wikipedia) WCF is an overhead for HTTP. It's a solution for TCP, and Net Pipes, and other protocols WCF models are not POCO, because of [DataContract] & [DataMember] and those attributes SOAP is not as readable and handy as JSON SOAP is an overhead for network compared to JSON (transport over HTTP) No method overloading Team B which supports the usage of WCF, says: WCF supports multiple protocols (via configuration) WCF supports distributed transactions Many good examples and success stories exist for WCF (while Web API is still young) Duplex is excellent for two-way communication This debate is continuing, and I don't know what to do now. Personally, I think that we should use a tool only for its right place of usage. In other words, we'd better use Web API, if we want to expose a service over HTTP, but use WCF when it comes to TCP and Duplex. By searching the Internet, we can't get to a solid result. Many posts exist for supporting WCF, but on the contrary we also find people complaint about it. I know that the nature of this question might sound arguable, but we need some good hints to decide. We're stuck at a point where choosing a technology by chance might make us regret it later. We want to choose with open eyes. Our usage would be mostly for web, and we would expose our services over HTTP. In some cases (say 5 to 10 percent) we might need distributed transactions though. What should I do now? How do I manage this debate in a constructive way?

    Read the article

  • How do web servers enforce the same-origin policy?

    - by BBnyc
    I'm diving deeper into developing RESTful APIs and have so far worked with a few different frameworks to achieve this. Of course I've run into the same-origin policy, and now I'm wondering how web servers (rather than web browsers) enforce it. From what I understand, some enforcing seems to happen on the browser's end (e.g., honoring a Access-Control-Allow-Origin header received from a server). But what about the server? For example, let's say a web server is hosting a Javascript web app that accesses an API, also hosted on that server. I assume that server would enforce the same-origin policy --- so that only the javascript that is hosted on that server would be allowed to access the API. This would prevent someone else from writing a javascript client for that API and hosting it on another site, right? So how would a web server be able to stop a malicious client that would try to make AJAX requests to its api endpoints while claiming to be running javascript that originated from that same web server? What's the way most popular servers (Apache, nginx) protect against this kind of attack? Or is my understanding of this somehow off the mark? Or is the cross-origin policy only enforced on the client end?

    Read the article

  • Question about the evolution of interaction paradigm between web server program and content provider program?

    - by smwikipedia
    Hi experts, In my opinion, web server is responsible to deliver content to client. If it is static content like pictures and static html document, web server just deliver them as bitstream directly. If it is some dynamic content that is generated during processing client's request, the web server will not generate the conetnt itself but call some external proram to genearte the content. AFAIK, this kind of dynamice content generation technologies include the following: CGI ISAPI ... And from here, I noticed that: ...In IIS 7, modules replace ISAPI filters... Is there any others? Could anyone help me complete the above list and elabrate on or show some links to their evolution? I think it would be very helpful to understand application such as IIS, TomCat, and Apache. I once wrote a small CGI program, and though it serves as a content generator, it is still nothing but a normal standalone program. I call it normal because the CGI program has a main() entry point. But with the recenetly technology like ASP.NET, I am not writing complete program, but only some class library. Why does such radical change happens? Many thanks.

    Read the article

  • Chrome Office Hours: Movi Kanti Revo—Behind the Divs

    Chrome Office Hours: Movi Kanti Revo—Behind the Divs Join Pete LePage and the developers who built Movi Kanti Revo for a very special Chrome Office Hours. We'll take a look behind the divs to show you how the experiment was built, and how you can use some of these techniques in your own web design. From: GoogleDevelopers Views: 0 5 ratings Time: 00:00 More in Science & Technology

    Read the article

  • Google+ Platform Office Hours: Mobile

    Google+ Platform Office Hours: Mobile This week the Google+ Platform Office Hours went mobile. Julia and Chirag as they showed Jenny three ways to share to Google+ from Android. 1:21 - Session agenda 2:20 - Sharing text and an image with the share intent 5:25 - Share with the Google+ mobile application 7:25 - Take and share a photo with the built in camera 12:08 - A question about the various Google messaging services on Android - Send feedback - goo.gl 13:05 - When does Google Play Services come out? From: GoogleDevelopers Views: 1630 29 ratings Time: 14:57 More in Science & Technology

    Read the article

  • Security Issues with Single Page Apps

    - by Stephen.Walther
    Last week, I was asked to do a code review of a Single Page App built using the ASP.NET Web API, Durandal, and Knockout (good stuff!). In particular, I was asked to investigate whether there any special security issues associated with building a Single Page App which are not present in the case of a traditional server-side ASP.NET application. In this blog entry, I discuss two areas in which you need to exercise extra caution when building a Single Page App. I discuss how Single Page Apps are extra vulnerable to both Cross-Site Scripting (XSS) attacks and Cross-Site Request Forgery (CSRF) attacks. This goal of this blog post is NOT to persuade you to avoid writing Single Page Apps. I’m a big fan of Single Page Apps. Instead, the goal is to ensure that you are fully aware of some of the security issues related to Single Page Apps and ensure that you know how to guard against them. Cross-Site Scripting (XSS) Attacks According to WhiteHat Security, over 65% of public websites are open to XSS attacks. That’s bad. By taking advantage of XSS holes in a website, a hacker can steal your credit cards, passwords, or bank account information. Any website that redisplays untrusted information is open to XSS attacks. Let me give you a simple example. Imagine that you want to display the name of the current user on a page. To do this, you create the following server-side ASP.NET page located at http://MajorBank.com/SomePage.aspx: <%@Page Language="C#" %> <html> <head> <title>Some Page</title> </head> <body> Welcome <%= Request["username"] %> </body> </html> Nothing fancy here. Notice that the page displays the current username by using Request[“username”]. Using Request[“username”] displays the username regardless of whether the username is present in a cookie, a form field, or a query string variable. Unfortunately, by using Request[“username”] to redisplay untrusted information, you have now opened your website to XSS attacks. Here’s how. Imagine that an evil hacker creates the following link on another website (hackers.com): <a href="/SomePage.aspx?username=<script src=Evil.js></script>">Visit MajorBank</a> Notice that the link includes a query string variable named username and the value of the username variable is an HTML <SCRIPT> tag which points to a JavaScript file named Evil.js. When anyone clicks on the link, the <SCRIPT> tag will be injected into SomePage.aspx and the Evil.js script will be loaded and executed. What can a hacker do in the Evil.js script? Anything the hacker wants. For example, the hacker could display a popup dialog on the MajorBank.com site which asks the user to enter their password. The script could then post the password back to hackers.com and now the evil hacker has your secret password. ASP.NET Web Forms and ASP.NET MVC have two automatic safeguards against this type of attack: Request Validation and Automatic HTML Encoding. Protecting Coming In (Request Validation) In a server-side ASP.NET app, you are protected against the XSS attack described above by a feature named Request Validation. If you attempt to submit “potentially dangerous” content — such as a JavaScript <SCRIPT> tag — in a form field or query string variable then you get an exception. Unfortunately, Request Validation only applies to server-side apps. Request Validation does not help in the case of a Single Page App. In particular, the ASP.NET Web API does not pay attention to Request Validation. You can post any content you want – including <SCRIPT> tags – to an ASP.NET Web API action. For example, the following HTML page contains a form. When you submit the form, the form data is submitted to an ASP.NET Web API controller on the server using an Ajax request: <!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title></title> </head> <body> <form data-bind="submit:submit"> <div> <label> User Name: <input data-bind="value:user.userName" /> </label> </div> <div> <label> Email: <input data-bind="value:user.email" /> </label> </div> <div> <input type="submit" value="Submit" /> </div> </form> <script src="Scripts/jquery-1.7.1.js"></script> <script src="Scripts/knockout-2.1.0.js"></script> <script> var viewModel = { user: { userName: ko.observable(), email: ko.observable() }, submit: function () { $.post("/api/users", ko.toJS(this.user)); } }; ko.applyBindings(viewModel); </script> </body> </html> The form above is using Knockout to bind the form fields to a view model. When you submit the form, the view model is submitted to an ASP.NET Web API action on the server. Here’s the server-side ASP.NET Web API controller and model class: public class UsersController : ApiController { public HttpResponseMessage Post(UserViewModel user) { var userName = user.UserName; return Request.CreateResponse(HttpStatusCode.OK); } } public class UserViewModel { public string UserName { get; set; } public string Email { get; set; } } If you submit the HTML form, you don’t get an error. The “potentially dangerous” content is passed to the server without any exception being thrown. In the screenshot below, you can see that I was able to post a username form field with the value “<script>alert(‘boo’)</script”. So what this means is that you do not get automatic Request Validation in the case of a Single Page App. You need to be extra careful in a Single Page App about ensuring that you do not display untrusted content because you don’t have the Request Validation safety net which you have in a traditional server-side ASP.NET app. Protecting Going Out (Automatic HTML Encoding) Server-side ASP.NET also protects you from XSS attacks when you render content. By default, all content rendered by the razor view engine is HTML encoded. For example, the following razor view displays the text “<b>Hello!</b>” instead of the text “Hello!” in bold: @{ var message = "<b>Hello!</b>"; } @message   If you don’t want to render content as HTML encoded in razor then you need to take the extra step of using the @Html.Raw() helper. In a Web Form page, if you use <%: %> instead of <%= %> then you get automatic HTML Encoding: <%@ Page Language="C#" %> <% var message = "<b>Hello!</b>"; %> <%: message %> This automatic HTML Encoding will prevent many types of XSS attacks. It prevents <script> tags from being rendered and only allows &lt;script&gt; tags to be rendered which are useless for executing JavaScript. (This automatic HTML encoding does not protect you from all forms of XSS attacks. For example, you can assign the value “javascript:alert(‘evil’)” to the Hyperlink control’s NavigateUrl property and execute the JavaScript). The situation with Knockout is more complicated. If you use the Knockout TEXT binding then you get HTML encoded content. On the other hand, if you use the HTML binding then you do not: <!-- This JavaScript DOES NOT execute --> <div data-bind="text:someProp"></div> <!-- This Javacript DOES execute --> <div data-bind="html:someProp"></div> <script src="Scripts/jquery-1.7.1.js"></script> <script src="Scripts/knockout-2.1.0.js"></script> <script> var viewModel = { someProp : "<script>alert('Evil!')<" + "/script>" }; ko.applyBindings(viewModel); </script>   So, in the page above, the DIV element which uses the TEXT binding is safe from XSS attacks. According to the Knockout documentation: “Since this binding sets your text value using a text node, it’s safe to set any string value without risking HTML or script injection.” Just like server-side HTML encoding, Knockout does not protect you from all types of XSS attacks. For example, there is nothing in Knockout which prevents you from binding JavaScript to a hyperlink like this: <a data-bind="attr:{href:homePageUrl}">Go</a> <script src="Scripts/jquery-1.7.1.min.js"></script> <script src="Scripts/knockout-2.1.0.js"></script> <script> var viewModel = { homePageUrl: "javascript:alert('evil!')" }; ko.applyBindings(viewModel); </script> In the page above, the value “javascript:alert(‘evil’)” is bound to the HREF attribute using Knockout. When you click the link, the JavaScript executes. Cross-Site Request Forgery (CSRF) Attacks Cross-Site Request Forgery (CSRF) attacks rely on the fact that a session cookie does not expire until you close your browser. In particular, if you visit and login to MajorBank.com and then you navigate to Hackers.com then you will still be authenticated against MajorBank.com even after you navigate to Hackers.com. Because MajorBank.com cannot tell whether a request is coming from MajorBank.com or Hackers.com, Hackers.com can submit requests to MajorBank.com pretending to be you. For example, Hackers.com can post an HTML form from Hackers.com to MajorBank.com and change your email address at MajorBank.com. Hackers.com can post a form to MajorBank.com using your authentication cookie. After your email address has been changed, by using a password reset page at MajorBank.com, a hacker can access your bank account. To prevent CSRF attacks, you need some mechanism for detecting whether a request is coming from a page loaded from your website or whether the request is coming from some other website. The recommended way of preventing Cross-Site Request Forgery attacks is to use the “Synchronizer Token Pattern” as described here: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet When using the Synchronizer Token Pattern, you include a hidden input field which contains a random token whenever you display an HTML form. When the user opens the form, you add a cookie to the user’s browser with the same random token. When the user posts the form, you verify that the hidden form token and the cookie token match. Preventing Cross-Site Request Forgery Attacks with ASP.NET MVC ASP.NET gives you a helper and an action filter which you can use to thwart Cross-Site Request Forgery attacks. For example, the following razor form for creating a product shows how you use the @Html.AntiForgeryToken() helper: @model MvcApplication2.Models.Product <h2>Create Product</h2> @using (Html.BeginForm()) { @Html.AntiForgeryToken(); <div> @Html.LabelFor( p => p.Name, "Product Name:") @Html.TextBoxFor( p => p.Name) </div> <div> @Html.LabelFor( p => p.Price, "Product Price:") @Html.TextBoxFor( p => p.Price) </div> <input type="submit" /> } The @Html.AntiForgeryToken() helper generates a random token and assigns a serialized version of the same random token to both a cookie and a hidden form field. (Actually, if you dive into the source code, the AntiForgeryToken() does something a little more complex because it takes advantage of a user’s identity when generating the token). Here’s what the hidden form field looks like: <input name=”__RequestVerificationToken” type=”hidden” value=”NqqZGAmlDHh6fPTNR_mti3nYGUDgpIkCiJHnEEL59S7FNToyyeSo7v4AfzF2i67Cv0qTB1TgmZcqiVtgdkW2NnXgEcBc-iBts0x6WAIShtM1″ /> And here’s what the cookie looks like using the Google Chrome developer toolbar: You use the [ValidateAntiForgeryToken] action filter on the controller action which is the recipient of the form post to validate that the token in the hidden form field matches the token in the cookie. If the tokens don’t match then validation fails and you can’t post the form: public ActionResult Create() { return View(); } [ValidateAntiForgeryToken] [HttpPost] public ActionResult Create(Product productToCreate) { if (ModelState.IsValid) { // save product to db return RedirectToAction("Index"); } return View(); } How does this all work? Let’s imagine that a hacker has copied the Create Product page from MajorBank.com to Hackers.com – the hacker grabs the HTML source and places it at Hackers.com. Now, imagine that the hacker trick you into submitting the Create Product form from Hackers.com to MajorBank.com. You’ll get the following exception: The Cross-Site Request Forgery attack is blocked because the anti-forgery token included in the Create Product form at Hackers.com won’t match the anti-forgery token stored in the cookie in your browser. The tokens were generated at different times for different users so the attack fails. Preventing Cross-Site Request Forgery Attacks with a Single Page App In a Single Page App, you can’t prevent Cross-Site Request Forgery attacks using the same method as a server-side ASP.NET MVC app. In a Single Page App, HTML forms are not generated on the server. Instead, in a Single Page App, forms are loaded dynamically in the browser. Phil Haack has a blog post on this topic where he discusses passing the anti-forgery token in an Ajax header instead of a hidden form field. He also describes how you can create a custom anti-forgery token attribute to compare the token in the Ajax header and the token in the cookie. See: http://haacked.com/archive/2011/10/10/preventing-csrf-with-ajax.aspx Also, take a look at Johan’s update to Phil Haack’s original post: http://johan.driessen.se/posts/Updated-Anti-XSRF-Validation-for-ASP.NET-MVC-4-RC (Other server frameworks such as Rails and Django do something similar. For example, Rails uses an X-CSRF-Token to prevent CSRF attacks which you generate on the server – see http://excid3.com/blog/rails-tip-2-include-csrf-token-with-every-ajax-request/#.UTFtgDDkvL8 ). For example, if you are creating a Durandal app, then you can use the following razor view for your one and only server-side page: @{ Layout = null; } <!DOCTYPE html> <html> <head> <title>Index</title> </head> <body> @Html.AntiForgeryToken() <div id="applicationHost"> Loading app.... </div> @Scripts.Render("~/scripts/vendor") <script type="text/javascript" src="~/App/durandal/amd/require.js" data-main="/App/main"></script> </body> </html> Notice that this page includes a call to @Html.AntiForgeryToken() to generate the anti-forgery token. Then, whenever you make an Ajax request in the Durandal app, you can retrieve the anti-forgery token from the razor view and pass the token as a header: var csrfToken = $("input[name='__RequestVerificationToken']").val(); $.ajax({ headers: { __RequestVerificationToken: csrfToken }, type: "POST", dataType: "json", contentType: 'application/json; charset=utf-8', url: "/api/products", data: JSON.stringify({ name: "Milk", price: 2.33 }), statusCode: { 200: function () { alert("Success!"); } } }); Use the following code to create an action filter which you can use to match the header and cookie tokens: using System.Linq; using System.Net.Http; using System.Web.Helpers; using System.Web.Http.Controllers; namespace MvcApplication2.Infrastructure { public class ValidateAjaxAntiForgeryToken : System.Web.Http.AuthorizeAttribute { protected override bool IsAuthorized(HttpActionContext actionContext) { var headerToken = actionContext .Request .Headers .GetValues("__RequestVerificationToken") .FirstOrDefault(); ; var cookieToken = actionContext .Request .Headers .GetCookies() .Select(c => c[AntiForgeryConfig.CookieName]) .FirstOrDefault(); // check for missing cookie or header if (cookieToken == null || headerToken == null) { return false; } // ensure that the cookie matches the header try { AntiForgery.Validate(cookieToken.Value, headerToken); } catch { return false; } return base.IsAuthorized(actionContext); } } } Notice that the action filter derives from the base AuthorizeAttribute. The ValidateAjaxAntiForgeryToken only works when the user is authenticated and it will not work for anonymous requests. Add the action filter to your ASP.NET Web API controller actions like this: [ValidateAjaxAntiForgeryToken] public HttpResponseMessage PostProduct(Product productToCreate) { // add product to db return Request.CreateResponse(HttpStatusCode.OK); } After you complete these steps, it won’t be possible for a hacker to pretend to be you at Hackers.com and submit a form to MajorBank.com. The header token used in the Ajax request won’t travel to Hackers.com. This approach works, but I am not entirely happy with it. The one thing that I don’t like about this approach is that it creates a hard dependency on using razor. Your single page in your Single Page App must be generated from a server-side razor view. A better solution would be to generate the anti-forgery token in JavaScript. Unfortunately, until all browsers support a way to generate cryptographically strong random numbers – for example, by supporting the window.crypto.getRandomValues() method — there is no good way to generate anti-forgery tokens in JavaScript. So, at least right now, the best solution for generating the tokens is the server-side solution with the (regrettable) dependency on razor. Conclusion The goal of this blog entry was to explore some ways in which you need to handle security differently in the case of a Single Page App than in the case of a traditional server app. In particular, I focused on how to prevent Cross-Site Scripting and Cross-Site Request Forgery attacks in the case of a Single Page App. I want to emphasize that I am not suggesting that Single Page Apps are inherently less secure than server-side apps. Whatever type of web application you build – regardless of whether it is a Single Page App, an ASP.NET MVC app, an ASP.NET Web Forms app, or a Rails app – you must constantly guard against security vulnerabilities.

    Read the article

  • Google Compute Engine Office Hours: August 22, 2012

    Google Compute Engine Office Hours: August 22, 2012 Office hours with the Google Compute Engine Team on August 22, 2012. The slides can be viewed here: goo.gl The tech talk portion of this session was about OAuth and Service Accounts, an area which the Google Compute Engine team has done a great job simplifying. From: GoogleDevelopers Views: 80 7 ratings Time: 52:42 More in Science & Technology

    Read the article

< Previous Page | 55 56 57 58 59 60 61 62 63 64 65 66  | Next Page >