I'm using the following code to use as a form of nulling referring script and it works perfectly but it just redirects them straight to the target URL.
How would I go about creating a 5 second delay so I can display some adverts for 5 seconds before redirecting them?
You can send php header with timeout refresh. http://php.net/manual/en/function.header.php
<?php
header( "refresh:5; url=wherever.php" );
?>
What about using sleep()?
function method1(...) {
sleep(5);
... rest of the code
Note however that it is more recommended to use Vahe Shadunts's answer, which uses header() instead.
The refresh header does the job but I'd like to highlight some potential issues:
It is not specified in the HTTP standard. Wikipedia says:
Proprietary and non-standard: a header extension introduced by Netscape and supported by most web browsers.
But it has been around for almost 20 years now and I don't know of any browser that does not support it (could not find a reference though)
Some browsers do not use the cache on a page redirected with refresh. It has been demonstrated for Internet Explorer here: http://blogs.msdn.com/b/ieinternals/archive/2010/05/13/meta-refresh-causes-additional-http-requests.aspx and I coud reproduce it on Firefox. Chrome does not have this issue.
Alternative: JavaScript
You can add a JavaScript on the intermediate page, that opens a new page after X seconds. Add this at the bottom of the page to redirect to http://www.example.com/target after 5 seconds:
<script type="text/javascript">
window.setTimeout(function() {
window.location.href='http://www.example.com/target';
}, 5000);
</script>
Combination
As a bonus, you can fall back to the refresh header if JS is disabled, using the meta directive http-equiv that tells the browser to act as if a certain HTTP header has been sent. Because it is part of the HTML source, you can wrap it in a <noscript> element. Add this to your <head> additionally to the JavaScript above:
<noscript>
<meta http-equiv="refresh" content="5;url=http://www.example.com/target" />
</noscript>
Now, the page redirects with JavaScript if available for the best performance, and uses refresh otherwise.
Related
I have an HTML5 page that displays not much more than just a list with names a simple form in which the user can fill out their name. The submit button calls as action a PHP file that adds/removes the name to/from the list, and then redirects (by use of header()) back to the HTML file that called the PHP file.
In Google Chrome, after the user hits the submit button he immediately sees that is name was properly added/removed to/from the list with names.
In IE, Firefox (and according to someone who tested for me also on Android and in Safari), after hitting the submit button, the previous version of the html file are shown, without the changes that have just been made to it by the code in the PHP file. Even after reloading and even after clearing the cache, which I tried in IE and Firefox, still the old version is shown. While at the same time, loading the file in Chrome does show the altered (=current) version. Only after maybe 20 minutes or so, it is finally possible to load the updated html file in IE and FF.
Even reloading with JS window.location.reload(true);, just to see if that at least forces the updated version, does not update the page (it does reload, but still shows the unaltered version).
I searched the internet for about 6 hours, but found no solution, or even anyone else reporting this problem. Adding META HTTP-EQUIV ... is not valid with html5, and indeed (eventually tried it anyway) does not solve anything. I am not using a cache manifest (never used it). So the page should not be cached, but as I mentioned, even clearing the cache and reloading does not give the new version of the page (not even after restarting IE/FF).
I am still learning, only started designing web pages last year. So, I (clearly) don't exactly know all that is going on between the server and the browser. So this problem seems really odd to me, and I am very eager to find out what is going on here. Also, it is vital for this page to download and display the current version from the server, because users need to see that their name is added/removed to/from the list.
Here is the outline (sorry, probably not the right English word) of the html page:
<!DOCTYPE html>
<html>
<head>
<title>Title text</title>
<link rel='stylesheet' type='text/css' href='corStylesheet.css' />
<meta name='robots' content='noindex,nofollow' />
</head>
<body>
[content here]
<script src='corJavaScript.js'> // (some of the js did not work when place in head)
</script>
</body>
</html>
So, I basically have two questions here:
1. What is going on here? i.e. how is it this impossible to load the current version of the html file?
2. What can I do to force the current version to be downloaded from the server and shown?
If you wish to force the browser to reload the page every time you can set the header so that no caching of the file is allowed.
Either you can do it via PHP (read more about it here);
header("Cache-Control: no-cache, must-revalidate");
Or you can set it directly in HTML:
<meta http-equiv="Cache-Control" content="no-cache, no-store, must-revalidate" />
EDIT: Just found an extremely good post about how to set this in different languages; How to control web page caching, across all browsers?
In your redirect in the PHP side you can add some number unix time or micro unix time
to make the browser think it is new page:
header('location: yourhtmlfile.html?'.microtime());
My (Javascript) approach is, appending a random string to the requested URL.
The resource is then considered a new resource, bypassing the browsers cache.
This also works when you want to reload an external resource from an address where you can't add/modify response headers (like on a 3rd party CDN).
var currentUrl = document.URL;
if (currentUrl.search('?') === -1) {
window.location.href = currentUrl + '?' + Math.floor(Math.random() * 11);
} else {
window.location.href = currentUrl + '&' + Math.floor(Math.random() * 11);
}
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
How to detect if JavaScript is disabled?
In my php application i need to check whether the javascript is turn on or not in browser. I have tried this <noscript><p>javascript is off<p></noscript> it's working fine.But i need to redirect to a page if javascript is OFF so developed like this
<noscript>
<?php header('Location: index.php');?>
</noscript>
But i/ts always redirecting to index.php, there is any way to do this.
your solution clearly cannot work, since php is executed before the page is served on client
you could instead do something like
<noscript>
<meta http-equiv="refresh" content="0;URL='http://example.com/'">
</noscript>
in the head of your document
<noscript><meta http-equiv="refresh" content="1;url=error.html"></noscript>
try this to redirect if JS is disabled
Php script runs independently of js
There are known issues with noscript
Instead do this:
<html>
<head>
<script>
window.location.href="javascriptEnabled.html";
/*Since javascript is enabled redirect to javascript based page*/
</script>
</head>
<body>
Showing Static Website since javascript is not enabled..
</body>
</html>
There is not a good way to do it, because without client side interactivity, you can not get information back from the client.
You could do something like this...
Set up a meta redirect to trigger after 5 seconds
use javascript to override the meta redirect
Therefore, if javasccript is enabled, you get to the javascript page, otherwise the non javascript page
It does redirect to index.php because the <?php header('Location: index.php');?> is processed by the server while the <noscript> is processed by the client ..
A correct way to do this is to set a cookie using javascript on the client, then check for the cookie's presence with php on the server, If the cookie does exist, then javascript is on, Else, it's off.
You could use a different approach here
Use the no javascript version as default version
Use a javascript redirect to the enhanced version
Remember it's better to not have separate versions of the site. You could progressive enhancement with libraries as http://modernizr.com/ or https://github.com/filamentgroup/enhance
My CMS links to other sites for convenience and I'd like to hide the referer so that other sites don't see the directory and the query string of my CMS. I now have the CMS linking to a PHP file elswhere on my server which in turn redirects to the link via header() but the referer is still from my CMS, not from the linking PHP. Furthermore...
header("Referer: nowhere");
header("Location: $_REQUEST[urltolinkto]");
... doesn't appear to change anything. No matter what I put as referer, it's always the one from my CMS where the user actually clicked on the link.
Can the referer be changed (to the linking PHP), or do I have to use javascript or meta refresh?
The Referer header is something the browser sends to the Server. You are changing the respose from the server to the browser, so that will not work this way (unlike the Cookie header). As far as I know you have no server-side control of the browser's behavior on sending the Referer.
The browser does get to choose what referrer to send, but there are ways around it.
HTML5 added meta referrer, most modern browsers will respect it. Just add
<meta name="referrer" content="no-referrer">
to your site's head.
There's also redirection services and other hacks to hide the ref (https redirects, iframe tricks and others).
A good solution is to simply use the classic <META HTTP-EQUIV="REFRESH" CONTENT="0; URL=http://www.example.com/">.
In fact, Google Analytics has a help page specifically for this question with users who ask about web-tracking not working on redirects, here: Support.Google.com -> Redirects: Place the tag on redirecting pages. They explain the problem quite well:
If your site uses redirects, the redirecting page becomes the landing page's referrer. For example, if you've changed your site so that index.html now redirects to home.html, then index.html becomes the referrer for home.html....
For this reason, you should place the Analytics tag on the redirecting page as well as on the landing page. This way, the redirecting page will capture the actual referrer information for your reports.
So, just swap out header("Location...") with a massive series of print statements. This feels so inelegant. But it works.
Note: I'm also throwing in a canonical attribute so browsers understand the point of the redirect more clearly.
<?php
$redirect_url = 'https://www.example.com';
$google_analytics_configgtag = '12345, this is your api key';
print('<!DOCTYPE HTML><HTML><HEAD>');
print('<META HTTP-EQUIV="REFRESH" CONTENT="0; URL=' . $redirect_url . '"/>');
print('<LINK REL="CANONICAL" HREF="' . $redirect_url . '"/>');
if($google_analytics_configgtag) {
?>
<!-- Global Site Tag (gtag.js) - Google Analytics -->
<script async src="https://www.googletagmanager.com/gtag/js?id=<?php print($google_analytics->configgtag); ?>"></script>
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments)};
gtag('js', new Date());
gtag('config', '<?php print($google_analytics_configgtag); ?>');
</script>
<?php
}
print('</HEAD>');
print('<BODY></BODY></HTML>');
?>
You cannot set Referer header manually but you can use location.href to set the referer header to the link used in href but it will cause reloading of the page.
You cannot really change the referer from server-side as it is provided by the browser to the server.
But you can use a service like href.li, just use
https://href.li/?http://<your-url>
Note: http:// after ? is important or it will not redirect.
How can I find out that my page is embedded as a frame to other site during page loading? I guess referrer request header can't help me here? Thanks.
You cannot check it from the server's side, but you can use javascript to detect it after the page has loaded. Compare top and self, if they're not identical, you are in a frame.
Additionally, some modern browsers respect the X-FRAME-OPTIONS header, that can have two values:
DENY – prevents the page from being rendered if it is contained in a frame
SAMEORIGIN – same as above, unless the page belongs to the same domain as the top-level frameset holder.
Users include Google's Picasa, that cannot be embedded in a frame.
Browsers that support the header, with the minimum version:
IE8 and IE9
Opera 10.50
Safari 4
Chrome 4.1.249.1042
Firefox 3.6.9 (older versions with NoScript)
Stackoverflow includes some JS to test it (master.js). This is the relevant part of it:
if(top!=self){
top.location.replace(document.location);
alert("For security reasons, framing is not allowed; click OK to remove the frames.")
}
But keep in mind that JS can be disabled.
For modern browsers, you can use CSP (Content Security Policy), which is a standard. The following header will prevent the document from loading in a frame anywhere:
Content-Security-Policy: frame-ancestors 'none'
(IE 11 needs the X- prefix, though). You can also change 'none' to the origin on which framing is allowed, such as your own site.
To cover the older browsers, this is best used together with #Maerlyn's answer.
you can prevent loading you page in an iframe with javascript
<script type="text/javascript">
if ( window.self !== window.top ) {
window.top.location.href=window.location.href;
}
</script>
this code change address of container of your page's iframe to your page address and force container to show your page.
Or you can block a specific domain if you don't mind your content in some locations but don't want it on a certain site. For example, if offendingdomain.com was embedding your content, you could do this:
<script type="text/javascript">
if(document.referrer.indexOf("offendingdomain.com") != -1) {
window.location = "http://www.youtube.com/watch_popup?v=oHg5SJYRHA0";
}
</script>
This would check the parent document's location and see if it's the offendingdomain.com that is embedding your content. This script will then send that iframe to a certain famous youtube video as punishment. In effect they just Rick-Rolled themselves.
Use javascript to check if it was loaded on iframe by placing the following script at the end of your php file and redirect to a page that displays warning or notice that your page should not be loaded using iframe.
<script type="text/javascript">
if(top.location != window.location) {
window.location = '/error_iframe.php';
}
</script>
<?php
header("Content-Security-Policy: frame-ancestors 'none'");
?>
Replace hosname to domain name
if (window.top.location.host != "hostname") {
document.body.innerHTML = "Access Denied";
}
I using this PHP code on top of the header
if($_SERVER['SERVER_NAME'] != 'yourwebsite.com'){
header('location: yourwebsite.com');
}
if someone did iframe your site it will redirect to your website
I want to redirect the user to a certain page if he/she has javascript disabled. I tried this code:
<noscript><?php url::redirect('controller/method'); ?></noscript>
// url::redirect is much like the location header
to no avail...
How do I do this?
Since the headers have already been sent, you'll need to use standard HTML markup:
<noscript>
<meta http-equiv="refresh" content="0;url=noscript.html">
</noscript>
Trying this on both Firefox and IE seems to work well... With JavaScript enabled, the <meta> tag is ignored. When it is disabled, the browser redirects to noscript.html.
There is no way to do a redirect based on if javascript is disabled. Why not do the opposite - redirect if javascript is enabled?
<script>
window.location = "...";
</script>
You can't use meta refresh tag then remove it using Javascript because the browser is set to redirect upon reading the meta refresh tag and it's too late for JS to manipulate it.
The only way is to either do what Daniel suggested, or to show up a link when there's no Javascript:
<noscript>
Click here to continue
</noscript>
Or you can try to fail gracefully: Do you plan for javascript being off?
Add this as the first element in your body, style it to suit, and perhaps offer a link inside of it to a noscript page:
<div onload="return false;">
<!-- PAGE CONTENTS -->
</div><noscript>JAVASCRIPT IS REQUIRED TO VIEW THIS PAGE</noscript>
I use a more verbose method of this (that basically makes it appear as a modal dialog and all pretty) on pages where a client does not allow me to use more compatable means. I've tested in IE6+ and all other major browsers with great success.