We're launching a members-only WordPress site that is only capable of hiding pages/posts; however, part of our content is served up by an API that can't easily be hidden.
My best solution thus far is to embed an HTML meta redirect to the appropriate URL on a page that I can restrict using our Memberships plugin.
<meta http-equiv="refresh" content="0; url=https://www.example.com/?taxonomy=inventory" />
The only caveat to this method is that the URL is then exposed, and anyone could distribute the source.
Is there any way to use the meta redirect without rewriting the URL? I've tried a few things in the .htaccess file, but nothing has really yielded a viable solution.
Instead of using a meta refresh (which can easily be blocked with the right browser plugin), you should instead focus on adding a page and post hook that checks if the viewer has the appropriate permissions (logged in, member, etc) to view that page and redirect them server-side back to the homepage (or a custom error page).
This may not prevent the hidden page links from being shared, but it will prevent the content from being read.
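A sketch of the server-side check this answer describes, as an added example that is not the answerer's code or the Memberships plugin's API. It assumes the content to protect is the `inventory` taxonomy query from the question and that members hold a hypothetical `view_member_content` capability.

```php
<?php
// Added example, not from the original answer. Place in a small plugin or
// mu-plugin. Assumptions: the `inventory` taxonomy from the question is the
// content to protect, and `view_member_content` is a hypothetical capability
// granted to members (substitute your membership plugin's own check).

add_action('template_redirect', function () {
    // Runs on the server before any template output, so nothing is sent
    // to a visitor who fails the checks below.
    $protected = is_tax('inventory')
        || get_query_var('taxonomy') === 'inventory';
    if (!$protected) {
        return;
    }

    // Members-only responses must not be stored by browsers or shared caches.
    nocache_headers();

    if (!is_user_logged_in()) {
        // Redirects to the login form and returns here after sign-in;
        // auth_redirect() ends the request itself.
        auth_redirect();
    }

    if (!current_user_can('view_member_content')) {
        // Logged in but not a member: homepage (or a custom error page).
        wp_safe_redirect(home_url('/'), 302);
        exit;
    }
});
```

This hook only covers requests rendered through WordPress templates; if the same data is reachable through another endpoint, that endpoint needs the same check.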
I have a simple PHP page that has <a> tags (links) to different pages.
I want the pages those links go to not to be able to retrieve the HTTP referrer.
In other words: I want to hide the referrer.
Googling, I found this to put in the tag:
<meta name="referrer" content="none">
But it seems not to work on all browsers, mostly those that don't support HTML5, so I need something better, and something that will work on mobile as well.
Any ideas?
I also tried
header('Location: http://www.example.com/');
in PHP, but that seems to hide the referrer for HTTPS only, not HTTP.
Make your links of the form:
Text
This is part of the communication between the client (computer displaying the web page) and another web server, so PHP has nothing to do with it.
I am developing a website crawler using Golang. When I tried to crawl some websites, I got weird results. The root URL of some websites returns a script tag as shown below.
<script>window.location="index.php";</script>
And it redirects to the index.php page. Why are people using this approach to redirect the user to the index page? Is there any security vulnerability with this approach? Also, how can I handle this situation in the crawler?
Well, if you really want to hide the page by redirecting the user to another page, then you obviously cannot use this method, because anyone can turn JavaScript off and see the page, thus this can be a security risk. However, if you just simply want to redirect for some reason, this is fine.
As for your crawler, what you can do is search the source code with regex for redirections like that, but it can be very challenging to cover all cases.
I have a rotator link and I don't want to allow people to open it in an iframe.
How do I stop the PHP process in an iframe?
header("X-FRAME-OPTIONS: DENY");
does not work in Firefox and Chrome. My link is (EDITED)
Check the Access-control-allow-origin header.
It allows you to control which domain can access or frame your scripts.
You can choose between 3 values:
Only from the same domain
Only from a domain listed on a list you made
From anyone (wildcard)
Since PHP is never in an iframe but executed on the server side, there is no way to reliably know if the request originated from an iframe on your site or not.
If your intention (which is not quite clear) is to make sure people don't put an iframe of your site on another site, then you can check for the referrer of the request etc. But most of it can be spoofed.
Update due to comment:
Then there is unfortunately no good standardized way of getting this type of information reliably. If you yourself had an iframe on your site and for some reason didn't want that to be able to call your script you could probably do this by adding some GET parameters via javascript or something. But since you have pretty good control over your own iframes this shouldn't be a problem.
But when it comes to determining if the request from the browser to your server originated in an iframe or not, there is no information in the HTTP header to disclose this. The only thing you could possibly be informed about is if that iframe is from a page hosted on another domain.
But if you have an iframe on your own site, don't add any extra parameters to the request and access your script in it and then normally from the browser's main window the two requests will look the same on the server.
I'm not completely sure if I understand your question, but here's a list of things:
If you want to stop your page being loaded in an iframe, there's no easy way of doing that if the browser is ignoring X-Frame-Options: DENY.
If you have a link the user can click that opens in the iframe, not the parent frame, you can use the base html tag, to specify to the browser to open any links you click in the parent frame, with <base target="_parent" />
If you want to redirect automatically, and that causes an issue when loaded in an iframe because you use headers to do it or something, you could probably use the base tag and some JavaScript to automate clicking on the link as an alternative.
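Whether a browser may render a response inside a frame is decided by the `X-Frame-Options` header and the CSP `frame-ancestors` directive, and both have to be sent before any output. The following is an added example, not code from any of the posts above; the function name and the sample origin are hypothetical.

```php
<?php
// Added example, not from the original thread. The function name and the
// sample origin are hypothetical.

/**
 * Send anti-framing headers for the current response.
 * $allowed lists origins that may frame the page; an empty list (or a list
 * with no valid entries) forbids framing everywhere.
 * Returns the CSP value sent, or null if headers could no longer be sent.
 */
function send_frame_policy(array $allowed = []): ?string
{
    if (headers_sent($file, $line)) {
        // Output has already started (echo, stray whitespace, BOM), so a
        // header() call now would only raise a warning and send nothing.
        error_log("frame policy not sent; output began at $file:$line");
        return null;
    }

    $sources = [];
    foreach ($allowed as $origin) {
        // Accept only https://host[:port]; skip anything else.
        if (preg_match('#^https://[a-z0-9.-]+(:\d+)?$#i', $origin)) {
            $sources[] = $origin;
        }
    }

    if ($sources === []) {
        $csp = "frame-ancestors 'none'";
        header('X-Frame-Options: DENY');
    } else {
        $csp = "frame-ancestors 'self' " . implode(' ', $sources);
        // X-Frame-Options has no allow-list form; browsers that understand
        // frame-ancestors apply the CSP directive instead.
        header('X-Frame-Options: SAMEORIGIN');
    }
    header('Content-Security-Policy: ' . $csp);
    return $csp;
}

// Call before any output. Constructed allow-list shown for illustration:
// send_frame_policy(['https://partner.example']);
send_frame_policy();
```

A null return value points at the usual reason such a header appears to have no effect: the script had already produced output when `header()` was called.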
I want to be able to log into a site (form POST) from my site and then display the logged in site on my site.
Will logging into the site with cURL (form POST) and on success display the site as if I was logged in on my site using the embed tag work? Is this the right way to do what I want?
Examples would be helpful.
That can work if you add <base> tag pointing to the website you are displaying to load all css and js files with relative paths.
Also, if you store cookies in a file or database, you might not even need to log in every time.
Using the following tutorial I want my website to use AJAX to load the content (but also want to be able to use the back button etc. etc):
http://www.queness.com/post/328/a-simple-ajax-driven-website-with-jqueryphp
Of course, if someone has JavaScript disabled, the website should also work (without Ajax).
The problem, however, comes when a JavaScript-enabled user sends a link to a non-JavaScript-enabled user. Because JavaScript is disabled, it will not handle the #-tag correctly and will just go to the homepage (so linking directly to pages from a JavaScript user to a non-JavaScript user is impossible). Is there a way to resolve this issue (preferably PHP or htaccess)?
HTML5 gives us methods to alter the URL without refreshing the page https://developer.mozilla.org/en/DOM/Manipulating_the_browser_history#Adding_and_modifying_history_entries
This means you can update something without a page refresh but still give the user a url they can bookmark or send to someone else. These urls will work without JavaScript, as long as you have pages at those locations or are catching them with mod_rewrite or similar.
https://github.com/browserstate/history.js is a great little polyfill which will use the HTML5 history stuff if the browser supports it, otherwise (Internet Explorer) it changes the hash of the URL.
Basically, three steps:
code your "a" tags just normal: <a href='about'>About us</a>
in your JavaScript code, intercept all click events on <a> tags and navigate to # + this.href. So when they click the above URL, you navigate to site.com/#about instead of site.com/about
in your JavaScript code, have a timer function that reads the hash value from the current location and loads a corresponding URL (with # removed) via Ajax
Since you code your html just as usual, the site remains fully accessible for non-js users, and, more important, for search engines' bots.
In response to the comments I can suggest the following:
redirect your home page via javascript from just site.com to site.com/js/
when <a href='about'> is clicked, navigate to site.com/js/#about
on the "js" page, have something like <a id=about href="/about">click here</a> for non-js users
Why not just build your application normally and then add the AJAX on top, rather than going the other way round and causing more work for yourself?
Ask yourself, why do you need AJAX page transitions? Does your app actually need them, or is it just because you've seen it on another site, like Twitter?