Thread: Access denied
Fri, Oct 4 2013 4:16 PM

Ronald

Hi,

I use a TServerRequest to read an RSS feed. In the EWB browser in the IDE it
works fine, but if I try it in my local webserver (http://localhost/..), I
get an error: Error excuting request
"http://www.nu.nl/feeds/rss/tag/onderwijs.rss" (acces denied)

Why is that?

Thanks and greetings,
Ronald
Fri, Oct 4 2013 4:43 PM

Raul

Team Elevate


It's most likely due to cross domain scripting - your EWB app loads
from one page and tries to access another web site. The "other" website
has to allow this (they basically need to return
Access-Control-Allow-Origin header).

The other option is that IE sometimes ignores this - so it might work in
IE but any respectable browser (Chrome, Firefox , IE9/10) should reject
it unless the header is included.

In your browser just enable web debugging tools and see what actually
happens with the request (Chrome and Firefox have really great tools
built in).

Raul



On 10/4/2013 4:16 PM, Ronald wrote:
> Hi,
>
> I use a TServerRequest to read an RSS feed. In the EWB browser in the
> IDE it works fine, but if I try it in my local webserver
> (http://localhost/..), I get an error: Error excuting request
> "http://www.nu.nl/feeds/rss/tag/onderwijs.rss" (acces denied)
>
> Why is that?
>
> Thanks and greetings,
> Ronald
Mon, Oct 7 2013 4:53 AM

Matthew Jones

It is worth saying that this scripting issue only applies in normal browser mode,
if you are in something like PhoneGap then there is no such restriction.

What I did with my server was add a "pass through" mode where I could ask my server
(the host of my script) to access a URL and return the result. This was mainly for
REST use, and when in PhoneGap build mode, I just did the call direct.

/Matthew Jones/
Mon, Oct 7 2013 5:58 AM

Ronald

Thanks Matthew and Raul, indeed it was the cross domain scripting problem. I
could get around it with IE. You can set the security settings to "Allow
access between domains" (translated from Dutch). Firefox and Chrome do not
have this option.

I was thinking about the "pass through" too.
But I also tried the TPage component. This downloads the content of the feed
too. But unfortunately if I access the TPage.DocumentText property, I get
"Acces denied". Could Tim change this or is this behaviour due to the
browser?


"Matthew Jones" wrote in message
news:memo.20131007095355.8244H@nothanks.nothanks.co.uk...

It is worth saying that this scripting issue only applies in normal browser mode,
if you are in something like PhoneGap then there is no such restriction.

What I did with my server was add a "pass through" mode where I could ask my server
(the host of my script) to access a URL and return the result. This was mainly for
REST use, and when in PhoneGap build mode, I just did the call direct.

/Matthew Jones/
Tue, Oct 8 2013 3:25 PM

Tim Young [Elevate Software]

Elevate Software, Inc.

Email timyoung@elevatesoft.com

Ronald,

<< But unfortunately if I access the TPage.DocumentText property, I get
"Acces denied". Could Tim change this or is this behaviour due to the
browser? >>

Unfortunately, that's more of the same - browser security restriction.

Tim Young
Elevate Software
www.elevatesoft.com
Mon, Jun 15 2015 10:49 AM

Glenn McEowen

"Tim Young [Elevate Software]" wrote:

Ronald,

<< But unfortunately if I access the TPage.DocumentText property, I get
"Acces denied". Could Tim change this or is this behaviour due to the
browser? >>

Unfortunately, that's more of the same - browser security restriction.

Tim Young
Elevate Software
www.elevatesoft.com

OK, it's an old thread... but do we have a way yet to read text from an external web page in EWB? If all the browsers can "View Source," and I can copy-paste, surely there is a way to get at the text in our software.

What am I missing?
Mon, Jun 15 2015 11:35 AM

Raul

Team Elevate

On 6/15/2015 10:49 AM, Glenn McEowen wrote:
> OK, it's an old thread... but do we have a way yet to read text from an external web page in EWB? If all the browsers can "View Source," and I can copy-paste, surely there is a way to get at the text in our software.
> What am I missing?

The browser is what's controlling this, so in the browser you can access source
etc. However, in JavaScript you need appropriate permissions.

If the site in question allows cross-domain (cross origin is the
official term) scripting then yes, you can access its content - in fact
you can do a httpserverequest, pull down the content in one big string
or do a POST or whatever request they support.

This setting is basically the "permission" for somebody else to read the
web page content, so if it's not set then you cannot do it (think of this
as operating system "read" permission for a file - you can only access
file content if you have read permission to it).

The security implications of this are severe here.

What you're basically asking for is for any script loaded from any site
to access any other site - imagine you're on facebook or gmail and click
on a link to open a new page.  Since I know you're logged in to those
sites I could now issue all kinds of random requests there (pull down
your friends list, post on your timeline, like something or access your
gmail contacts etc).

In fact I don't even need to know you're logged in - I could just have a
script that tries requests to top 20 popular sites and proceed based on
whether it fails or not. Imagine now if one could hack a popular site
and just include this script (one line of change on site with no visible
signs of hacking).

This is one reason for proper published web services - if the site
wishes to make part of it available it can publish a web services API
and require proper authentication and allow cross-origin access to the
API only.

The alternative is for you to write a server side web service that proxies
these requests and retrieves pages for you - you request a page from your
service and then it issues a separate request to the destination URL and
returns data to you. This obviously would not have access to any auth
info the user's browser has done so would be somewhat limited. You obviously
want to authenticate your proxy service or it would be misused quickly.

Raul
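
Added example (not part of the post above and not EWB code): one way to write the authenticated server-side proxy described there, as a Node.js request handler. The host allowlist, the bearer-token scheme and all names (`ALLOWED_HOSTS`, `PROXY_TOKEN`, `authorizeProxyRequest`, `proxyHandler`) are assumptions made for illustration.

```javascript
// Added example: an authenticated "pass through" proxy for a browser app.
// ALLOWED_HOSTS, PROXY_TOKEN and the function names are hypothetical.
const ALLOWED_HOSTS = new Set(['www.nu.nl']);      // only feeds this app needs
const PROXY_TOKEN = 'constructed-sample-token';    // constructed; load from secret storage

// Compare two strings without exiting early on the first mismatch.
function safeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i % (b.length || 1));
  return diff === 0;
}

// Decide whether a proxy request may proceed: {status, url} or {status, reason}.
function authorizeProxyRequest(authHeader, target) {
  const token = (authHeader || '').replace(/^Bearer /, '');
  if (!safeEqual(token, PROXY_TOKEN)) return { status: 401, reason: 'bad token' };
  let url;
  try { url = new URL(target); } catch { return { status: 400, reason: 'bad url' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:')
    return { status: 400, reason: 'scheme not allowed' };
  if (url.username || url.password || !ALLOWED_HOSTS.has(url.hostname))
    return { status: 403, reason: 'host not allowed' };
  return { status: 200, url };
}

// Handler for GET /fetch?url=<target>. The upstream request is made by the
// server, so the user's browser cookies for the target site are never sent.
async function proxyHandler(req, res) {
  const target = new URL(req.url, 'http://localhost').searchParams.get('url');
  const verdict = authorizeProxyRequest(req.headers.authorization, target);
  if (verdict.status !== 200) {
    res.writeHead(verdict.status, { 'Content-Type': 'text/plain' });
    return res.end(verdict.reason);
  }
  try {
    // redirect: 'error' stops an allowed host from bouncing the proxy elsewhere.
    const upstream = await fetch(verdict.url, { redirect: 'error' });
    const body = await upstream.text();
    // text/plain keeps fetched markup from rendering as HTML on this origin.
    res.writeHead(upstream.status, { 'Content-Type': 'text/plain; charset=utf-8' });
    res.end(body);
  } catch {
    res.writeHead(502, { 'Content-Type': 'text/plain' });
    res.end('upstream fetch failed');
  }
}
```

Pass `proxyHandler` to `http.createServer` on the same origin that serves the app, so the browser's request to the proxy is not itself cross-origin.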

Tue, Jun 16 2015 8:20 PM

Glenn McEowen

Raul wrote:

On 6/15/2015 10:49 AM, Glenn McEowen wrote:
> OK, it's an old thread... but do we have a way yet to read text from an external web page in EWB? If all the browsers can "View Source," and I can copy-paste, surely there is a way to get at the text in our software.
> What am I missing?

Browser is what's controlling this so in browser you can access source
etc. However in javascript you need appropriate permissions.

If the site in question allows cross-domain (cross origin is the
official term) scripting then yes you can access its content - in fact
you can do a httpserverequest, pull down the content in one big string
or do a POST or whatever request they support
.....

The alternative is for you to write a server side web service that proxies
these requests and retrieves pages for you - you request a page from your
service and then it issues a separate request to the destination URL and
returns data to you. This obviously would not have access to any auth
info the user's browser has done so would be somewhat limited. You obviously
want to authenticate your proxy service or it would be misused quickly.

Raul

Thank you, Raul. I didn't realize it would be so involved. I will study your details and find a solution that is secure. I appreciate the heads-up before I messed something up big-time.


Glenn  
Wed, Jun 17 2015 10:09 AM

Raul

Team Elevate

On 6/16/2015 8:20 PM, Glenn McEowen wrote:
> Thank you, Raul. I didn't realize it would be so involved. I will study your details and find a solution that is secure. I appreciate the heads-up before I messed something up big-time.

Glenn,

I did not mean to be too scary here - I was describing the general
situation and security issues.

If you control the web server then it's very simple to allow
cross-origin resource sharing (EWB Web server has a checkbox you check
and in other servers there is either a setting or you just add the header
directly).

You just need to be aware that the server is now open to the internet through any
JavaScript query (assuming you allow access with '*' though you can
limit to certain IPs etc). Minimally you should hence require
user/password for any data if it's something that's private.

The issues described are more applicable to cases where you don't
control the web server.

For example maybe you wish to do a google search in your EWB app and
internally parse the results. Search itself is easily doable with a URL
similar to this "https://www.google.com/search?q=Elevate+Web+Builder" -
you can just email it for example or have the user click a link in the app to
open a new window or it's also easy to run in a Delphi app.

However if you drop a TBrowser and set the URL you will likely end up
with "Content cannot be displayed in a frame" error (IE) or internal
"refused to display" in Chrome or Firefox.

Similarly if you try THTTPRequest you end up in Chrome with internal
error "No 'Access-Control-Allow-Origin' header is present on the
requested resource" so again no luck.

I guess what I'm saying is that you can use google search but you have
to use their search API (https://developers.google.com/web-search/docs/)
and cannot simply use the URLs you would input into the browser normally in
a JavaScript app.

Raul
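
Added example (not part of the post above and not EWB Web Server code): the "just add the header" case for a server you control, showing the wildcard policy beside an origin allowlist. The policy objects, origin values and the `corsHeaders` name are constructed for illustration.

```javascript
// Added example: choosing CORS response headers per request.
// Policy shapes and origins below are constructed sample values.
const PUBLIC_POLICY = { origins: '*', credentials: false };
const PRIVATE_POLICY = {
  origins: ['https://app.example.com'],
  credentials: true,
  methods: ['GET', 'POST'],
};

function corsHeaders(method, origin, policy) {
  const headers = {};
  if (!origin) return headers;                 // no Origin header: not a cross-origin script call
  if (policy.origins === '*') {
    // Wildcard: a script from any site may read the response. Browsers refuse
    // to combine '*' with credentials, so treat that pairing as a config error.
    if (policy.credentials) throw new Error("'*' cannot be combined with credentials");
    headers['Access-Control-Allow-Origin'] = '*';
  } else {
    headers['Vary'] = 'Origin';                // response depends on the caller's origin
    // Unknown origin: send no allow header, so the browser blocks the read.
    if (!policy.origins.includes(origin)) return headers;
    headers['Access-Control-Allow-Origin'] = origin;
    if (policy.credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  }
  if (method === 'OPTIONS') {                  // preflight request
    headers['Access-Control-Allow-Methods'] = (policy.methods || ['GET']).join(', ');
    headers['Access-Control-Allow-Headers'] = 'Authorization, Content-Type';
  }
  return headers;
}
```

These headers only tell the browser whether the calling script may read the response; the request still reaches the server, which is why private data needs authentication in addition to the header.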