Facebook connect alike service design practices - php

There several threads on SO regarding this, but I just need to know how to READ a cookie from siteb.com on sitea.com that opens siteb.com on a iframe, IF this is really the recommended way to go.
Based on this post the author says:
Cookies can be read in an iframe if they were set outside of the
iframe
But I have no idea how to achieve this. Let me explain a bit more about what im trying to design so maybe you can point me in the right direction.
siteb.com is my website, where users login and signup, each time they do, a cookie is set like many normal authentication systems.
sitea.com is a generic site, where I can insert html and javascript code, from sitea I need -if exists- to read the login cookie of siteb. I think an iframe on sitea loading siteb will do the trick, but again, i have no idea how to access that cookies inside the iframe. Is there an easy way to do this?
Another approach i was thinking is to use cross domain iframe communication techniques, but they are not elegant, way complex and some of them fails in certain browsers, the most robust ones uses jquery but I don't want to insert jquery on sitea.

Here's what you need: http://easyxdm.net/ - load this library on both sitea.com and the siteb.com iframe. It makes cross-domain parent-iframe communication "just work" in every browser, using the fastest method avaliable in each browser. (Also, the author, https://stackoverflow.com/users/128035/sean-kinsey does a fantastic job of helping anyone who has trouble with the library - just check the mailing list archives)
Then add a tiny bit of JavaScript to your siteb.com iframe to read cookies and pass them to easyxdm and then add a bit of JavaScript to sitea.com to set up easyxdm (including creating the iframe, I think) and receive the cookie value from it. There's lots of examples on the website to help you get started.

Related

Extracting Data from Another Domain, possible?

I'm terrible at keeping track of my bills, so I wanted to create something automated. I also wanted the challenge of making it myself.
My questions:
Is it possible to have a webpage connect to another domain (any utility website i.e. timewarnercable.com) with the proper login credentials and retrieve the dollar amount I owe, then send me an email or even just display it on the webpage?
I've already got a webpage setup that has all my account info stored in it (don't worry it's only a local site!) and I can click a button and the info I have stored sends a POST request to the utility login site. This logs me in to my account page and then I can view the bill. But don't want it to open another page..I'd rather load the content of that page in the background, scan for the code where its says my $ owed, then capture that somehow, then return the dollar amount onto the webpage.
If so, is this possible to design this with Ruby (Rails) or php, with Javascript / AJAX.
Thanks!
What you're basically asking about is "page scraping", but your scenario is more complicated. You would have to fake the login post, capture and store any cookie/session info returned to you in the response and use that in subsequent requests to the site. You may also have to deal with redirects, depending on the site.
I have found nodejs actually quite useful for scraping pages since it has plugins that provide dom selectors (there is a jquery plugin) - you're using javascript for server-side programming.
Check if the site has API and if the site provides that, will make your life a ton easier.
Some banks like BankOfAmerica have applications that already do this - they aggregate your accounts and bills from other sites, see if your bank can do this.

Fill textbox of any url with data from my javascript / php code

I have a question but I just give an example to make it clear
I want to load any URL page, like the facebook login page, and fill the textboxes (user name and password) with data.
I want to do that from PHP or Javascript.
That mean - every time my php / javascript page will be loaded, the facebook login page will show and the textboxes automatically filled with data
can i do that? i know the browser (CHROME or EXPLORER) do that
but maybe it's possible only with browser and not with PHP / JS ?
Javascript is out of the question as you cannot load your Javascript when the Facebook page loads. And if you're thinking iframe the browser will prevent the Javascript in one frame from working in another frame, if it is not from the same domain.
If it is for Facebook, you should really look into their API. Many sites (like this one) now allow users to login using their Facebook login, so the API may be the easiest route. Also for major sites, like Facebook, there maybe some third party libraries that could help.
Now if Facebook is just an example and you need it for some other sites, it might be possible with PHP using cURL or maybe SOAP, but it could be very tricky. You need to realize that hackers will use similar techniques for brute force attacks, to find usernames and passwords. So sites like Facebook have done several things to limit the possibility of auto filling a login form (or any form). Also, for major sites like Facebook, using these techniques might be a violation of the terms of service, so you should check into that first.
If this is for yourself, you can write javascript:code in your bookmart and execute it everytime you open Facebook (or other page) for example

Apply own CSS to external page

I want to link, into a new tab, an external page and apply to it my own css which change the general layout of this external page. The css is in another server.
Can this be done?
I'm using php, jquery and an Apache server.
I thought in using a php proxy on my server requesting the external page and adding the css but probably, if theres a solution, it will be more efficent.
Thanks!
Downloading the page to your server, applying the CSS and then displaying the page to the user (proxy) is the only way to do this. If the site is insecure and has an exploit you could inject to, you could do it a blackhat way.. but I doubt its that insecure of if anyone here will give you a nasty way to do it + as soon as it was spotted no doubt it would be restored to its original css and the exploit patched.
Think of the security risk if this was possible. CSS is seriously powerful these days, imagine if you could change the CSS on google.com - Fun times :D
No, it can't be done in other way than proxy.
The ability to inject CSS into an embedded iframe (or, more generally, to do anything to a child iframe) would open a huge security vulnerability.
Imagine you display an iframe to a webmail service I use, and heavily restyle it so my "compose reply to" page looks like a "confirm password" page from the mail service. When I naively type in my password, it sends my password in an email to the respondent!
You could achieve your desired goal by using a browser plugin or extension. Visiting a web site should require zero trust, but installing an exntesion generally does imply some trust from the user, so extensions are given greater freedom than plain web pages.
Note that a server proxy fetch will not send the user's session/auth cookies, so if you are trying to fetch a site that requires a login (e.g., Facebook), you'll only be able to fetch public resources.
Depending on what you want to achieve there may be a better approach. If you are planning on distributing it to many users a broser plugin, or maybe easier to create, a UserScript for Plugins like Greasemonkey / Tampermonkey. Another way to do would be creating a bookmarklet for the users to click on in their browser bar. Have a look at this here: http://benalman.com/projects/run-jquery-code-bookmarklet/ it's very easy to create.

php how to know that a click came from google

My adsense ad have a dedicated land page.
I want to show the content only to those who came through that ad.
The page is coded with PHP so I'm using $_SERVER['HTTP_REFERER'].
Two questions here:
Is there a better alternative to $_SERVER['HTTP_REFERER'] ?
To what strings/domains should I compare the referrer's domain (I'll handle extracting it)? I mean, I'm guessing that google has more than one domain they're using for the ads, or not? There's doubleclick.com.... any other domain? How can I check it, besides try/fail?
$_SERVER['HTTP_REFERER'] is the canonical way to determine where a click came from generally. There are more reliable (and complicated) methods for clicks within a site you fully control, but that's not much help for clicks from Google. Yes, it can be spoofed, and yes, it can be null, but as long as you're not targeting nuclear weapons based on that data, and you can handle null values gracefully, it should be good enough.
As for domains, you have to consider the international google domains, as well as all the google*.com domains.
I suggest adding a parameter on the link you give to Google. i.e. instead of yoursite.com/landing, do yoursite.com/landing?campaign=12.
If you are concerned that curious users will play with this parameter, the fix is simple-- redirect via a server 301 redirect when they hit that URL.
That is, if I request yoursite.com/landing?campaign=12, your server--before serving a page-- should log my visit to campaign 12 and redirect me to the plain url yoursite.com/landing. This has the added advantage that reloads won't increment your campaign hit count.
Yes, users could still mess with the original link if they are clever or curious enough to look at it before they click on it, but I think this is going to be far more effective than sniffing the referer.
Rather than trying to work out on your own how to measure your page views, you can consider using an existing system for that, like Google Analytics

How can I workaround the Google Calendar's link redirect notice?

I have a Google calendar embedded on a webpage, with events related to activities the site is organizing. Some calendar events have links that redirect the user to a page, within the same website, which has more information and the option to enroll in the event.
The problem however, is that since the end of last month, Google imposed a redirect notice that doesn't even automatically redirect. The links I create on events are changed by Google and, once a user clicks on a link, a new tab opens leading to a page with a redirect warning that the user must click. Since I am providing the users with a link to within the same website this is very inconvenient and makes no sense at all.
I'd want the users to be able to click a link on the calendar and go through to the webpage with the relevant data.
Do you guys know how I can go around this warning?
My thought process:
Initially, I thought of using JS to rewrite the links but since the calendar's iframe is in a different domain, the browser won't allow it due to XSS exploits (AFAIK).
I could build my own AJAX calendar and sync it with Google's using the API, but that's a hell of a lot of work because of stupid "feature" that makes no sense. I like Google's calendar and I'd like to use it.
The third thing that I though of was that, instead of having an iframe with the calendar I could use AJAX to fetch the entire code on the frame's url. Then I'd just rewrite the links on the that code with JS. Could this work?
I would be REALLY thankful for any help. This is driving me insane!
Using Jon Cram's input I created a php script that parses the code and makes the adjustments. However I could only get that working for the html version. No AJAX for me. =(
The same origin policy will prevent JavaScript served from your domain from interacting with data served from a different domain.
You are therefore right in saying that option 1 won't work.
The same origin policy also applies to option 3 as you have stated it. JavaScript served from your domain won't be able to make a direct HTTP request to whichever domain serves the calendar code.
You will need to acquire and modify the calendar code, neither of which can be achieved with JavaScript using today's most commonly used browsers. When FireFox 3.1 and IE8 are in common use and Google serves the correct HTTP Access Control headers this could be achieved with JavaScript alone.
To modify code served from another domain, you will need to utilise some form of server-side process.
A server-side script will be able to request the calendar code. The same script can then modify the code as needed and output it in whatever form you require.
If it is a private internal site you could install greasemonkey on all clients (if they use firefox) and make a short script that fixes the urls. That only works if the original url is contained within google's redirecturl though.
If I had this problem I wound change the calendar provider, that's probably the easiest solution. I did a google search and found Kiko, looks like they might have what you need?
Simply remove the "http://" part of the URL. I am not sure why this works but it does!

Categories