What is best way to create a weblayout which is cross browser compatible?
- by ththat
A design is a very important part of a web site. But making a layout cross browser compatible is very tough task.
What is the easiest way for this?
Search Results
Search found 5542 results on 222 pages for 'cross compiling'.
Page 65/222 | < Previous Page | 61 62 63 64 65 66 67 68 69 70 71 72 | Next Page >
-
-
How can I find the user's home dir in a cross platform manner, using C++?
- by Macha
How can I find the user's home directory in a cross platform manner in C++? i.e. /home/user in Linux, C:\Users\user\ on Windows Vista, C:\Documents And Settings\user\ on Windows XP, and whatever it is that Macs use. (I think it's /User/user) Basically, what I'm looking for is a C++ way of doing this (example in python) os.path.expanduser("~")Read the article
-
Compiling ASP.Net 2.0 Application under .Net Framework 3.5 and Compiler reference Problems/errors .
- by Steve Johnson
Hi all I am converting an ASP.Net 2.0 Project to compile for .Net Framework 3.5 and facing the following compiler error for assembly reference... InternalXmlHelper.vb(9,0): error BC30560: 'ExtensionAttribute' is ambiguous in the namespace 'System.Runtime.CompilerServices'. It appears that there are duplicate assembly references one from 2.0 and the other from 3.5 but i have double checked it and its not the issue.. I have also googled around...with no success.. I have sure that i am doing some tiny mistake in additiona or removal of references,,,Is there any special thing that needs to be checked or done when compiling asp.net 2.0 project under .Net Framework 3.5 ? Kindly help. Thanks RegardsRead the article
-
How do I get source file information with dumpbin /symbols when compiling with VS 2005?
- by Thomas Dartsch
I have a tool which uses the output of dumpbin /symbols to do some dependency analysis with our C/C++ libraries. When we compiled the libs with VS 6.0, the dumpbin COFF SYMBOL TABLE contained entries like 000 00000008 DEBUG notype Filename | .file x:\mydir\mysource.c allowing me to get the relationship between sources and defined/used symbols, which is essential for my tool. When we compile with VS 2005, these entries are missing. When I look at the libs with a hex editor, it seems that there is no filename information at all included in the binary files, so it seems not to be a dumbin problem but is compilation related. So I'm looking for a way to get the Filename entries back into my libraries when compiling with VS 2005.Read the article
-
Difference in DLL when compiling on Build Server instead of Dev Machine.
- by Achilles
I have an application that loads user controls into .NET web application. When I compile and test the application locally on my dev machine it works on my machine. The project builds successfully using MSBuild on our build server. However when I deploy the dll generated by MSBuild on the build server I get the following error when the application loads the control: BC30456: 'CreateResourceBasedLiteralControl' is not a member of 'ASP.usercontrols_somecontrol_ascx'. I took a look and compared the dll generated on my machine and compared it(looked at the file size) with the one created by the build server and noticed a difference in the file size. This is confusing considering the code being built locally and on the build server is IDENTICAL. I manually compared each file by hand. So my question is: What is causing this error? What would be different between MSBuild's compilation of the code and what is going on in Visual Studio when compiling the code?Read the article
-
VS compiling Error 1256 ( integer overflow in internal computation ... ) during inheritance
- by odbb
Hi there, my problem occurs during compiling Irrlicht3D Engine in VS 2008. 1Error 1256: integer overflow in internal computation due to size or complexity of "irr::IReferenceCounted" I'm currently merging a very old Softwaredriver I have written with the rest of the engine which is much newer. The main Problme is that I have tried to resolve abstract inherince problems. But now I get this error and it is the only one. "irr::IReferenceCounted" is one of the base classes used by other classes which have been inherinced from. What does that mean? I know that an integer overflow can be a normal overflow, but why is this shown during compilation? Any help appreciated! -dbRead the article
-
Compiling CSS to SWF server side Java, What is the best practice?
- by DataSurfer
My project allows users to create custom css for our flex app. In regards to compiling the CSS into SWFs on the server side: Should I use the flex2.compiler.css.Compiler class in mxmlc-3.5.0.12683.jar? Or Should I invoke mxmlc from Runtime.getRuntime().exec()? The css.Compiler class is not very well documented. Does anyone have any examples that use this? For the Runtime exec method, what is the best way to package mxmlc into the maven build so its available to the server at runtime?Read the article
-
Compiling C-dll for Python OR SWIG-module creation, how to continue ??
- by ljuju
I reference this file "kbdext.c" and its headerfile listed on http://www.docdroppers.org/wiki/index.php?title=Writing_Keyloggers (the listings are at the bottom). I've been trying to compile this into a dll for use in Python or Visual Basic, but have not succeeded. I'm not familiar with C or GCC to sort out the problems or do the dll compile correctly. (I also get an error about snprintf not being declared when doing a regular compile of all the files). What are the steps I should do to make all functions available for other languages and external apps? Or is it perhaps easier to use SWIG and make a python module, instead of compiling a DLL?Read the article
-
How can I pipe two Perl CORE::system commands in a cross-platform way?
- by Pedro Silva
I'm writing a System::Wrapper module to abstract away from CORE::system and the qx operator. I have a serial method that attempts to connect command1's output to command2's input. I've made some progress using named pipes, but POSIX::mkfifo is not cross-platform. Here's part of what I have so far (the run method at the bottom basically calls system): package main; my $obj1 = System::Wrapper->new( interpreter => 'perl', arguments => [-pe => q{''}], input => ['input.txt'], description => 'Concatenate input.txt to STDOUT', ); my $obj2 = System::Wrapper->new( interpreter => 'perl', arguments => [-pe => q{'$_ = reverse $_}'}], description => 'Reverse lines of input input', output => { '>' => 'output' }, ); $obj1->serial( $obj2 ); package System::Wrapper; #... sub serial { my ($self, @commands) = @_; eval { require POSIX; POSIX->import(); require threads; }; my $tmp_dir = File::Spec->tmpdir(); my $last = $self; my @threads; push @commands, $self; for my $command (@commands) { croak sprintf "%s::serial: type of args to serial must be '%s', not '%s'", ref $self, ref $self, ref $command || $command unless ref $command eq ref $self; my $named_pipe = File::Spec->catfile( $tmp_dir, int \$command ); POSIX::mkfifo( $named_pipe, 0777 ) or croak sprintf "%s::serial: couldn't create named pipe %s: %s", ref $self, $named_pipe, $!; $last->output( { '>' => $named_pipe } ); $command->input( $named_pipe ); push @threads, threads->new( sub{ $last->run } ); $last = $command; } $_->join for @threads; } #... My specific questions: Is there an alternative to POSIX::mkfifo that is cross-platform? Win32 named pipes don't work, as you can't open those as regular files, neither do sockets, for the same reasons. 2. The above doesn't quite work; the two threads get spawned correctly, but nothing flows across the pipe. I suppose that might have something to do with pipe deadlocking or output buffering. What throws me off is that when I run those two commands in the actual shell, everything works as expected. Point 2 is solved; a -p fifo file test was not testing the correct file.Read the article
-
Simple MPEG Video Stream player, cross-platform, in java, via NetBeans + Swing?
- by DanM
Hello all, Trying to build a very simple video player component in a JPanel (or something similar) to sit in a swing app, connect to an mpeg (or, really, anything VLC can output) video stream, and play it. Don't need any controls or anything -- just a live connection to the video stream. It has to be cross-platform -- at least Mac and Windows (linux would be a nice bonus, but not necessary). I'm developing in NetBeans, so any specifics regarding that would be extra-helpful. JMF? Xuggler? Help! Thanks.Read the article
-
Localization: How to allow the user to define custom resources without compiling?
- by gehho
In our application, we have a collection of data items, each with a DisplayedName property. This property should be localized, i.e. it should be displayed in the language selected by the user. Therefore, another property, DisplayedNameResourceKey, specifies which resource should be returned by the DisplayedName property. In simplified code this means something like this: public string DisplayedName { get { return MyResources.ResourceManager.GetObject(this.DisplayedNameResourceKey); } } public string DisplayedNameResourceKey { get; set; } Now, the problem is: The user should be able to edit these items including the DisplayedName, or more precisely the DisplayedNameResourceKey. And not only this, but the user should also be able to somehow define new resources which he can then reference. That is, he can either choose from a predefined set of resources (some commonly used names), or define a custom resource which then needs to be localized by the user as well. However, the user cannot add custom resources to MyResources at runtime and without compiling. Therefore, another approach is needed. It does not have to be an extremely user-friendly way (e.g. UI is not required) because this will typically be done by our service engineers. I was thinking about using a txt or csv file containing pairs of resource keys and the corresponding translations. A separate file would exist for every language at a predefined location. But I am not really satisfied with that idea because it involves a lot of work to resolve the resources. Does anyone know a good approach for such a situation?Read the article
-
Requesting a website by client side script = Cross Side Scripting Hack. But requesting a website by
- by 1s2a3n4j5e6e7v
Generally, when we want to show the contents of some web page in the same page, we go for ajax requests. If say, I request to a web page in different domain with AJAX, it is not allowed because of the Cross side scripting error. But why is it allowed to access via a server side page. For e.g. we can use CURL in php to access any site.? Why is this feature OK for server side scripting and NOT OK for Client Side Scripting?Read the article
-
Easy way to parse a url in C++ cross platform?
- by Andrew Bucknell
I need to parse a url to get the protocol host path and query in an application I am writing in c++. The application is intended to be cross platform. Im surprised I cant find anything that does this in boost or poco libraries. Is it somewhere obvious Im not looking? Any suggestions on appropriate open source libs? Or is this something I just have to do my self? Its not super complicated but it seems such a common task I am surprised there isnt a common solution.Read the article
-
Can I using cross-site XmlHttpRequest in Itunes LP environment?
- by jameulrich
Itunes is based on Webkit platform and we can't use cross-site XmlHttpRequest in JavaScript because of security policy. But, as a exception, we can do that with a special header. Here is source code and I did it successfully in Safari: /////////////// var url = 'http://mysite.net/canvas.php'; var mybody = "Arun"; var http = new XMLHttpRequest(); http.open("POST", url, true); http.setRequestHeader("X-PINGOTHER", "pingpong"); http.setRequestHeader('Content-Type', 'application/xml'); http.setRequestHeader("Content-length", mybody.length); http.setRequestHeader("Connection", "close"); http.send(mybody); /////////////// I sent xml data to my server and get return response successfully in Safari browser but i can't do it in iTunes LP environment. So what is the problems?Read the article
-
How to make a cross browser, W3C valid, semantic, non-javascript ROUND corner?
- by jitendra
I want to make a cross-browser (FF3, IE6, Safari, Opera), W3C valid (HTML and CSS both), stretchable (horizontally vertically), without JavaScript and with Semantic and lesser HTML markup Round CORNER. Images can be used for IE6. I've tried and tested many techniques available on community. But everything has one of the problems mentioned above . If anyone knows what I want please share with me? Remember I want to make it without any type of JavaScript, jquery or any type of js.Read the article
-
what is the best and valid way for cross browser min-height?
- by metal-gear-solid
for #main-content I don't want to give any fix height because content can be long and short but if content is short then it should take minimum height 500px. i need compatibility in all browser. Is thery any w3c valid and cross browser way without using !important because i read !important should not be used In conclusion, don’t use the !important declaration unless you’ve tried everything else first, and keep in mind any drawbacks. If you do use it, it would probably make sense, if possible, to put a comment in your CSS next to any styles that are being overridden, to ensure better code maintainability. I tried to cover everything significant in relation to use of the !important declaration, so please offer comments if you think there’s anything I’ve missed, or if I’ve misstated anything, and I’ll be happy to make any needed corrections. http://www.impressivewebs.com/everything-you-need-to-know-about-the-important-css-declaration/Read the article
-
Compiling Wanderlust for Windows and use it for Gmail.
- by User1
I'm trying to get Wanderlust working in Windows to connect to Gmail. Compiling the code is much more painful than expected. Here are the barriers so far: Can't download dependent packages: SEMI, APEL, and FLIM. I eventually found newer versions, but I'm not sure they will work. Anyone have the older versions? Needs make and install. I used MSYS and it seems to have compiled okay. SSL support. I was getting a "Cannot open load file: ssl" error. I found an ssl.el that comes with w3. So installed w3. Bash command in ssl.el: ssl-get-command is running something from /bin/sh (not a directory I have in Windows). I really don't want to refactor this code. Is there a better way? Others speak very highly of Wanderlust, so I want to give it a try. I feel like I'm almost there, but am pretty much worn out with all the crazy configuration I have to do. Does anyone have this working on Windows? I'm pretty sure it will work with Gmail, because of this post. But will it work in Windows too? If you have a few pointers, please help.Read the article
-
Java FMJ is not cross platfrom ? How can it be fixed ?
- by Stackfan
I was trying to use FMJ (for windows/linux/mac). Where JMF was not working for me (so decided to work with FMJ as it is cross platfaorm). But when ever i am trying FMJ it never works, where you can see the difference in the screen shot. ex: http://i.imgur.com/AjcJh.png Thanks & Regards Note: I have two camera connected in the same PC and Flash detects always both of them without any issue. But FMJ is never working ?????.Read the article
-
What rules govern cross-version compatibility for .NET applications and the C# language?
- by John Feminella
For some reason I've always had trouble remembering the backwards/forwards compatibility guarantees made by the framework, so I'd like to put that to bed forever. Suppose I have two assemblies, A and B. A is older and references .NET 2.0 assemblies; B references .NET 3.5 assemblies. I have the source for A and B, Ax and Bx, respectively; they are written in C# at the 2.0 and 3.0 language levels. (That is, Ax uses no features that were introduced later than C# 2.0; likewise Bx uses no features that were introduced later than 3.0.) I have two environments, C and D. C has the .NET 2.0 framework installed; D has the .NET 3.5 framework installed. Now, which of the following can/can't I do? Running: run A on C? run A on D? run B on C? run C on D? Compiling: compile Ax on C? compile Ax on D? compile Bx on C? compile Bx on D? Rewriting: rewrite Ax to use features from the C# 3 language level, and compile it on D, while having it still work on C? rewrite Bx to use features from the C# 4 language level on another environment E that has .NET 4, while having it still work on D?' Referencing from another assembly: reference B from A and have a client app on C use it? reference B from A and have a client app on D use it? reference A from B and have a client app on C use it? reference A from B and have a client app on D use it? More importantly, what rules govern the truth or falsity of these hypothetical scenarios?Read the article
-
super function doesn't work inside a maya python module
- by sfjedi
Somehow, this works fine in the Maya/Python script editor, but fails when it's inside of my module code. Anyone have any ideas? class ControlShape(object): def __init__(self, *args, **kwargs): print 'Inside ControlShape...' class Cross(ControlShape): def __init__(self, *args, **kwargs): print 'Entering Cross...' super(Cross, self).__init__(*args, **kwargs) print 'Leaving Cross...' x = Cross() This gives me a TypeError: super(type, obj): obj must be an instance or subtype of type.Read the article
-
Security Issues with Single Page Apps
- by Stephen.Walther
Last week, I was asked to do a code review of a Single Page App built using the ASP.NET Web API, Durandal, and Knockout (good stuff!). In particular, I was asked to investigate whether there any special security issues associated with building a Single Page App which are not present in the case of a traditional server-side ASP.NET application. In this blog entry, I discuss two areas in which you need to exercise extra caution when building a Single Page App. I discuss how Single Page Apps are extra vulnerable to both Cross-Site Scripting (XSS) attacks and Cross-Site Request Forgery (CSRF) attacks. This goal of this blog post is NOT to persuade you to avoid writing Single Page Apps. I’m a big fan of Single Page Apps. Instead, the goal is to ensure that you are fully aware of some of the security issues related to Single Page Apps and ensure that you know how to guard against them. Cross-Site Scripting (XSS) Attacks According to WhiteHat Security, over 65% of public websites are open to XSS attacks. That’s bad. By taking advantage of XSS holes in a website, a hacker can steal your credit cards, passwords, or bank account information. Any website that redisplays untrusted information is open to XSS attacks. Let me give you a simple example. Imagine that you want to display the name of the current user on a page. To do this, you create the following server-side ASP.NET page located at http://MajorBank.com/SomePage.aspx: <%@Page Language="C#" %> <html> <head> <title>Some Page</title> </head> <body> Welcome <%= Request["username"] %> </body> </html> Nothing fancy here. Notice that the page displays the current username by using Request[“username”]. Using Request[“username”] displays the username regardless of whether the username is present in a cookie, a form field, or a query string variable. Unfortunately, by using Request[“username”] to redisplay untrusted information, you have now opened your website to XSS attacks. Here’s how. Imagine that an evil hacker creates the following link on another website (hackers.com): <a href="/SomePage.aspx?username=<script src=Evil.js></script>">Visit MajorBank</a> Notice that the link includes a query string variable named username and the value of the username variable is an HTML <SCRIPT> tag which points to a JavaScript file named Evil.js. When anyone clicks on the link, the <SCRIPT> tag will be injected into SomePage.aspx and the Evil.js script will be loaded and executed. What can a hacker do in the Evil.js script? Anything the hacker wants. For example, the hacker could display a popup dialog on the MajorBank.com site which asks the user to enter their password. The script could then post the password back to hackers.com and now the evil hacker has your secret password. ASP.NET Web Forms and ASP.NET MVC have two automatic safeguards against this type of attack: Request Validation and Automatic HTML Encoding. Protecting Coming In (Request Validation) In a server-side ASP.NET app, you are protected against the XSS attack described above by a feature named Request Validation. If you attempt to submit “potentially dangerous” content — such as a JavaScript <SCRIPT> tag — in a form field or query string variable then you get an exception. Unfortunately, Request Validation only applies to server-side apps. Request Validation does not help in the case of a Single Page App. In particular, the ASP.NET Web API does not pay attention to Request Validation. You can post any content you want – including <SCRIPT> tags – to an ASP.NET Web API action. For example, the following HTML page contains a form. When you submit the form, the form data is submitted to an ASP.NET Web API controller on the server using an Ajax request: <!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title></title> </head> <body> <form data-bind="submit:submit"> <div> <label> User Name: <input data-bind="value:user.userName" /> </label> </div> <div> <label> Email: <input data-bind="value:user.email" /> </label> </div> <div> <input type="submit" value="Submit" /> </div> </form> <script src="Scripts/jquery-1.7.1.js"></script> <script src="Scripts/knockout-2.1.0.js"></script> <script> var viewModel = { user: { userName: ko.observable(), email: ko.observable() }, submit: function () { $.post("/api/users", ko.toJS(this.user)); } }; ko.applyBindings(viewModel); </script> </body> </html> The form above is using Knockout to bind the form fields to a view model. When you submit the form, the view model is submitted to an ASP.NET Web API action on the server. Here’s the server-side ASP.NET Web API controller and model class: public class UsersController : ApiController { public HttpResponseMessage Post(UserViewModel user) { var userName = user.UserName; return Request.CreateResponse(HttpStatusCode.OK); } } public class UserViewModel { public string UserName { get; set; } public string Email { get; set; } } If you submit the HTML form, you don’t get an error. The “potentially dangerous” content is passed to the server without any exception being thrown. In the screenshot below, you can see that I was able to post a username form field with the value “<script>alert(‘boo’)</script”. So what this means is that you do not get automatic Request Validation in the case of a Single Page App. You need to be extra careful in a Single Page App about ensuring that you do not display untrusted content because you don’t have the Request Validation safety net which you have in a traditional server-side ASP.NET app. Protecting Going Out (Automatic HTML Encoding) Server-side ASP.NET also protects you from XSS attacks when you render content. By default, all content rendered by the razor view engine is HTML encoded. For example, the following razor view displays the text “<b>Hello!</b>” instead of the text “Hello!” in bold: @{ var message = "<b>Hello!</b>"; } @message If you don’t want to render content as HTML encoded in razor then you need to take the extra step of using the @Html.Raw() helper. In a Web Form page, if you use <%: %> instead of <%= %> then you get automatic HTML Encoding: <%@ Page Language="C#" %> <% var message = "<b>Hello!</b>"; %> <%: message %> This automatic HTML Encoding will prevent many types of XSS attacks. It prevents <script> tags from being rendered and only allows <script> tags to be rendered which are useless for executing JavaScript. (This automatic HTML encoding does not protect you from all forms of XSS attacks. For example, you can assign the value “javascript:alert(‘evil’)” to the Hyperlink control’s NavigateUrl property and execute the JavaScript). The situation with Knockout is more complicated. If you use the Knockout TEXT binding then you get HTML encoded content. On the other hand, if you use the HTML binding then you do not: <!-- This JavaScript DOES NOT execute --> <div data-bind="text:someProp"></div> <!-- This Javacript DOES execute --> <div data-bind="html:someProp"></div> <script src="Scripts/jquery-1.7.1.js"></script> <script src="Scripts/knockout-2.1.0.js"></script> <script> var viewModel = { someProp : "<script>alert('Evil!')<" + "/script>" }; ko.applyBindings(viewModel); </script> So, in the page above, the DIV element which uses the TEXT binding is safe from XSS attacks. According to the Knockout documentation: “Since this binding sets your text value using a text node, it’s safe to set any string value without risking HTML or script injection.” Just like server-side HTML encoding, Knockout does not protect you from all types of XSS attacks. For example, there is nothing in Knockout which prevents you from binding JavaScript to a hyperlink like this: <a data-bind="attr:{href:homePageUrl}">Go</a> <script src="Scripts/jquery-1.7.1.min.js"></script> <script src="Scripts/knockout-2.1.0.js"></script> <script> var viewModel = { homePageUrl: "javascript:alert('evil!')" }; ko.applyBindings(viewModel); </script> In the page above, the value “javascript:alert(‘evil’)” is bound to the HREF attribute using Knockout. When you click the link, the JavaScript executes. Cross-Site Request Forgery (CSRF) Attacks Cross-Site Request Forgery (CSRF) attacks rely on the fact that a session cookie does not expire until you close your browser. In particular, if you visit and login to MajorBank.com and then you navigate to Hackers.com then you will still be authenticated against MajorBank.com even after you navigate to Hackers.com. Because MajorBank.com cannot tell whether a request is coming from MajorBank.com or Hackers.com, Hackers.com can submit requests to MajorBank.com pretending to be you. For example, Hackers.com can post an HTML form from Hackers.com to MajorBank.com and change your email address at MajorBank.com. Hackers.com can post a form to MajorBank.com using your authentication cookie. After your email address has been changed, by using a password reset page at MajorBank.com, a hacker can access your bank account. To prevent CSRF attacks, you need some mechanism for detecting whether a request is coming from a page loaded from your website or whether the request is coming from some other website. The recommended way of preventing Cross-Site Request Forgery attacks is to use the “Synchronizer Token Pattern” as described here: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet When using the Synchronizer Token Pattern, you include a hidden input field which contains a random token whenever you display an HTML form. When the user opens the form, you add a cookie to the user’s browser with the same random token. When the user posts the form, you verify that the hidden form token and the cookie token match. Preventing Cross-Site Request Forgery Attacks with ASP.NET MVC ASP.NET gives you a helper and an action filter which you can use to thwart Cross-Site Request Forgery attacks. For example, the following razor form for creating a product shows how you use the @Html.AntiForgeryToken() helper: @model MvcApplication2.Models.Product <h2>Create Product</h2> @using (Html.BeginForm()) { @Html.AntiForgeryToken(); <div> @Html.LabelFor( p => p.Name, "Product Name:") @Html.TextBoxFor( p => p.Name) </div> <div> @Html.LabelFor( p => p.Price, "Product Price:") @Html.TextBoxFor( p => p.Price) </div> <input type="submit" /> } The @Html.AntiForgeryToken() helper generates a random token and assigns a serialized version of the same random token to both a cookie and a hidden form field. (Actually, if you dive into the source code, the AntiForgeryToken() does something a little more complex because it takes advantage of a user’s identity when generating the token). Here’s what the hidden form field looks like: <input name=”__RequestVerificationToken” type=”hidden” value=”NqqZGAmlDHh6fPTNR_mti3nYGUDgpIkCiJHnEEL59S7FNToyyeSo7v4AfzF2i67Cv0qTB1TgmZcqiVtgdkW2NnXgEcBc-iBts0x6WAIShtM1″ /> And here’s what the cookie looks like using the Google Chrome developer toolbar: You use the [ValidateAntiForgeryToken] action filter on the controller action which is the recipient of the form post to validate that the token in the hidden form field matches the token in the cookie. If the tokens don’t match then validation fails and you can’t post the form: public ActionResult Create() { return View(); } [ValidateAntiForgeryToken] [HttpPost] public ActionResult Create(Product productToCreate) { if (ModelState.IsValid) { // save product to db return RedirectToAction("Index"); } return View(); } How does this all work? Let’s imagine that a hacker has copied the Create Product page from MajorBank.com to Hackers.com – the hacker grabs the HTML source and places it at Hackers.com. Now, imagine that the hacker trick you into submitting the Create Product form from Hackers.com to MajorBank.com. You’ll get the following exception: The Cross-Site Request Forgery attack is blocked because the anti-forgery token included in the Create Product form at Hackers.com won’t match the anti-forgery token stored in the cookie in your browser. The tokens were generated at different times for different users so the attack fails. Preventing Cross-Site Request Forgery Attacks with a Single Page App In a Single Page App, you can’t prevent Cross-Site Request Forgery attacks using the same method as a server-side ASP.NET MVC app. In a Single Page App, HTML forms are not generated on the server. Instead, in a Single Page App, forms are loaded dynamically in the browser. Phil Haack has a blog post on this topic where he discusses passing the anti-forgery token in an Ajax header instead of a hidden form field. He also describes how you can create a custom anti-forgery token attribute to compare the token in the Ajax header and the token in the cookie. See: http://haacked.com/archive/2011/10/10/preventing-csrf-with-ajax.aspx Also, take a look at Johan’s update to Phil Haack’s original post: http://johan.driessen.se/posts/Updated-Anti-XSRF-Validation-for-ASP.NET-MVC-4-RC (Other server frameworks such as Rails and Django do something similar. For example, Rails uses an X-CSRF-Token to prevent CSRF attacks which you generate on the server – see http://excid3.com/blog/rails-tip-2-include-csrf-token-with-every-ajax-request/#.UTFtgDDkvL8 ). For example, if you are creating a Durandal app, then you can use the following razor view for your one and only server-side page: @{ Layout = null; } <!DOCTYPE html> <html> <head> <title>Index</title> </head> <body> @Html.AntiForgeryToken() <div id="applicationHost"> Loading app.... </div> @Scripts.Render("~/scripts/vendor") <script type="text/javascript" src="~/App/durandal/amd/require.js" data-main="/App/main"></script> </body> </html> Notice that this page includes a call to @Html.AntiForgeryToken() to generate the anti-forgery token. Then, whenever you make an Ajax request in the Durandal app, you can retrieve the anti-forgery token from the razor view and pass the token as a header: var csrfToken = $("input[name='__RequestVerificationToken']").val(); $.ajax({ headers: { __RequestVerificationToken: csrfToken }, type: "POST", dataType: "json", contentType: 'application/json; charset=utf-8', url: "/api/products", data: JSON.stringify({ name: "Milk", price: 2.33 }), statusCode: { 200: function () { alert("Success!"); } } }); Use the following code to create an action filter which you can use to match the header and cookie tokens: using System.Linq; using System.Net.Http; using System.Web.Helpers; using System.Web.Http.Controllers; namespace MvcApplication2.Infrastructure { public class ValidateAjaxAntiForgeryToken : System.Web.Http.AuthorizeAttribute { protected override bool IsAuthorized(HttpActionContext actionContext) { var headerToken = actionContext .Request .Headers .GetValues("__RequestVerificationToken") .FirstOrDefault(); ; var cookieToken = actionContext .Request .Headers .GetCookies() .Select(c => c[AntiForgeryConfig.CookieName]) .FirstOrDefault(); // check for missing cookie or header if (cookieToken == null || headerToken == null) { return false; } // ensure that the cookie matches the header try { AntiForgery.Validate(cookieToken.Value, headerToken); } catch { return false; } return base.IsAuthorized(actionContext); } } } Notice that the action filter derives from the base AuthorizeAttribute. The ValidateAjaxAntiForgeryToken only works when the user is authenticated and it will not work for anonymous requests. Add the action filter to your ASP.NET Web API controller actions like this: [ValidateAjaxAntiForgeryToken] public HttpResponseMessage PostProduct(Product productToCreate) { // add product to db return Request.CreateResponse(HttpStatusCode.OK); } After you complete these steps, it won’t be possible for a hacker to pretend to be you at Hackers.com and submit a form to MajorBank.com. The header token used in the Ajax request won’t travel to Hackers.com. This approach works, but I am not entirely happy with it. The one thing that I don’t like about this approach is that it creates a hard dependency on using razor. Your single page in your Single Page App must be generated from a server-side razor view. A better solution would be to generate the anti-forgery token in JavaScript. Unfortunately, until all browsers support a way to generate cryptographically strong random numbers – for example, by supporting the window.crypto.getRandomValues() method — there is no good way to generate anti-forgery tokens in JavaScript. So, at least right now, the best solution for generating the tokens is the server-side solution with the (regrettable) dependency on razor. Conclusion The goal of this blog entry was to explore some ways in which you need to handle security differently in the case of a Single Page App than in the case of a traditional server app. In particular, I focused on how to prevent Cross-Site Scripting and Cross-Site Request Forgery attacks in the case of a Single Page App. I want to emphasize that I am not suggesting that Single Page Apps are inherently less secure than server-side apps. Whatever type of web application you build – regardless of whether it is a Single Page App, an ASP.NET MVC app, an ASP.NET Web Forms app, or a Rails app – you must constantly guard against security vulnerabilities.Read the article
-
How does cross domain authentication work in a firewalled environment?
- by LVLAaron
This is a simplification and the names have been changed to protect the innocent. The assets: Active Directory Domains corp.lan saas.lan User accounts [email protected] [email protected] Servers dc.corp.lan (domain controller) dc.saas.lan (domain controller) server.saas.lan A one way trust exists between the domains so user accounts in corp.lan and log into servers in saas.lan No firewall between dc.corp.lan and dc.saas.lan server.saas.lan is in a firewalled zone and a set of rules exist so it can talk to dc.saas.lan I can log into server.saas.lan with [email protected] - But I don't understand how it works. If I watch firewall logs, I see a bunch of login chatter between server.saas.lan and dc.saas.lan I also see a bunch of DROPPED chatter between server.saas.lan and dc.corp.lan. Presumably, this is because server.saas.lan is trying to authenticate [email protected] But no firewall rule exists that allows communication between these hosts. However, [email protected] can log in successfully to server.saas.lan - Once logged in, I can "echo %logonserver%" and get \dc.corp.lan. So.... I am a little confused how the account actually gets authenticated. Does dc.saas.lan eventually talk to dc.corp.lan after server.saas.lan can't talk to dc.corp.lan? Just trying to figure out what needs to be changed/fixed/altered.Read the article
-
How do I do a cross-platform backup/restore of a DB2 database?
- by Pridkett
I need to dump a couple of databases from DB2 for Mac and DB2 for Linux and then import the databases to DB2 for Windows. Unfortunately, when I try the standard backup and restore I get the following error: SQL2570N An attempt to restore on target OS "NT-32" from a backup created on source OS "?" failed due to the incompatability of operating systems or an incorrect specification of the restore command. Reason-code: "1". I've seen references to DB2 needing an IXF dump and import, but I can't find any solid information about how to do this without dozens of other steps. Any hints on how to do this in the least painful manner?Read the article
-
How can I make the Windows 7 taskbar behave like a cross between the old Quick Launch and new Superbar?
- by frumious
I really like the taskbar in Windows 7, I think combining buttons to launch apps and the icons that show your running apps is groovy. However, because I like having as much space as possible, I've got small icons enabled and shrunk the bar down to one row. I've also told it not to group the running apps unless there's no space left (to save me having to work harder to find the particular window I want), which also means that they have captions, and are thus quite wide. The (admittedly small) problem this gives me is that I can pin all my favourite apps to the bar, which looks much like the old Quick Launch bar, but when I launch them the running apps because much wider, and the unlaunched apps get lost amongst them. I can manually change the order to fix this, but next time I'll launch a different app and I'll be back to square one. What I'd prefer is for small unlaunched icons to be kept on the left, and wider running apps to move over to the right, which for me would be the best of both worlds. Is there any way I can organise that? I'm aware that one can use the traditional quick launch bar in Windows 7, but that's not what I'm after; I generally prefer the Windows 7 way.Read the article
-
10Gbe sfp+ Cross Over Cable required? Is there such a thing?
- by dc-patos
To preface, this is my first experience with 10GBe networking and I have encountered an issue which research does not seem to document a solution for... I have two servers (older DL580G5 and DL380G5), each with a HP NC522SFP 10Gbe dual sfp+ port adapter. I have purchased copper "passive" direct connect adapter cables (which look like twinax), which seem to work well when I connect them to the sfp+ ports on my Dell 5524 switch. However, if I directly connect the two servers with the same cable, the link doesn't come up. I am running WS2012 standard on each server. My intention is to use one of these servers as a home brew SAN and I would like to enable mutiple 10Gbe paths for iSCSI traffic. My question(s): Can I connect the two adapters to each other, such as I would with other less speedy generations of ethernet? If I can, do I require a crossover cable, or some type of other sfp+ cable solution to do this? My 10Gbe sfp+ switch ports are premium, but server to server connections are doable in small numbers for me and I would really like the multiple paths this would give me. Is there a simple solution?Read the article
