PHP Prevent Direct Access - php

Is there any possible way to make direct browser access to http://www.example.com/test.php unavailable when viewing the URL directly, but still allow the jQuery $.get('http://www.example.com/test.php') function to read the file? I know this might not be possible because I believe going to my browser and typing http://www.example.com/test.php is basically the same thing on the client side as using the $.get() function, but I didn't know if there were any workarounds for this.

Kinda, have PHP check for the X-Requested-With header. If it is not present, redirect somewhere else.
It doesn't stop someone from sending their own request with said header, though.

You are right, using a browser or $.get are basically the same. The only difference is that an AJAX call sets the X-Requested-With header to XMLHttpRequest. This can be added with browser extensions, though, so it is not fool-proof.

How to tell if a PHP script is being called by AJAX or from the browser?
The accepted answer to this question says:
Modern browsers add the following request header when a request is made using the XMLHttpRequest object:
X-Requested-With: XMLHttpRequest
In PHP, check the existence of this header using:
$_SERVER['HTTP_X_REQUESTED_WITH']
But that does not appear to work in PHP v7.1.11, Chrome Version 63.0.3239.132 (Official Build) (64-bit).
Is there another way to distinguish?
[Update] I would prefer not to have to add an extra GET or POST parameter.
Another way is to send a GET parameter to tell the page if it is an Ajax request, such as yourpage?ajax.
However, there is no sure-fire way of knowing that a request was made via Ajax. You can never trust data coming from the client. You could use a couple of different methods but they can be easily overcome by spoofing.
See here.
if (empty($_SERVER['HTTP_X_REQUESTED_WITH'])) { /* not an Ajax request */ }
is working for me
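A PHP gate that puts the X-Requested-With hint next to a check that actually holds: a random per-session token, in the spirit of the "only serve when the session id matches" idea. This is an added example, not code from any of the answers; the X-Api-Token header, the api_token session key, the ?page switch and the /jquery.js path are assumptions.

```php
<?php
// Added example (not from any answer above). One file plays both roles:
// GET /test.php?page renders the embedding page, a plain GET /test.php is
// the Ajax data endpoint. Header and session key names are assumptions.
session_start();

// Hint only: jQuery sets this header, but curl -H or an extension can too.
function is_ajax_request(array $server): bool {
    return strcasecmp($server['HTTP_X_REQUESTED_WITH'] ?? '', 'XMLHttpRequest') === 0;
}

// The real gate: a token minted for this session that the page embeds and the
// $.ajax call echoes back. A URL typed into the address bar cannot supply it.
function has_valid_token(array $server, array $session): bool {
    $expected = $session['api_token'] ?? '';
    $given    = $server['HTTP_X_API_TOKEN'] ?? '';
    return $expected !== '' && hash_equals($expected, $given);
}

if (isset($_GET['page'])) {
    // Embedding page: mint the token once per session and hand it to the script.
    if (empty($_SESSION['api_token'])) {
        $_SESSION['api_token'] = bin2hex(random_bytes(32));
    }
    $token = htmlspecialchars($_SESSION['api_token'], ENT_QUOTES, 'UTF-8');
    header('Content-Type: text/html; charset=utf-8');
    echo <<<HTML
<script src="/jquery.js"></script>
<script>
  $.ajax({ url: '/test.php', headers: { 'X-Api-Token': '$token' } })
   .done(function (data) { console.log(data); });
</script>
HTML;
    exit;
}

// Data endpoint: reject anything that is not an Ajax call carrying the token.
if (!is_ajax_request($_SERVER) || !has_valid_token($_SERVER, $_SESSION)) {
    http_response_code(403);
    header('Content-Type: text/plain');
    exit('Forbidden');
}
header('Content-Type: application/json');
echo json_encode(['ok' => true, 'data' => 'served only via the page']);
```

The token proves only that the request came from a page this server rendered for this session; a user who already has that page open can still read the data, which is the most the server side can enforce.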

What is the difference between PHP header and Javascript window.location?

So yeah this came to mind randomly when I was teaching someone how to redirect their page. I wasn't really sure what the main difference was... Is there a reason you would use one over the other? I guess if you are not coding in PHP, you would have to use the Javascript window.location to redirect but would you ever use window.location over PHP header if you were developing in PHP? I feel they have very similar functions but perhaps I am missing something.
The browser will process the header redirect right away, whereas the Javascript redirect will not be executed until the page has loaded (or at least enough of it to run the Javascript). Also, it will be the Javascript engine executing the redirect instead of the browser itself.
Doing it via the header will perform better. (slightly anyway...)
PHP's server-side header() can send other headers, not only Location. JavaScript's client-side window.location can be used to read, inspect, and alter (parts of) the current URL, including the hash. Really, they do quite different things, and about their only overlap is that both can redirect.

Javascript Cross Domain Authentication

I have a JavaScript file which can be called externally using <script type="text/javascript" src="http://mydomain.com/myscript.js"></script>. The script is created dynamically using PHP, but I need to know where the script is being called from (which domain). The only way I can think of is using $_SERVER["HTTP_REFERER"], but not all browsers support this and it is insecure as it can be changed.
Does anyone know a better way I could do it?
First of all, anything the browser provides cannot be trusted; this includes the HTTP Referer header.
However, I don't agree with this being insecure; what exactly are you doing with this information? All the server can do is trust what the browser supplies it, so if you are attempting to restrict this JavaScript you are going to have to authenticate the user first (so you can plant a cookie).
So what exactly are your intentions?
Here is my idea.
Use a PHP file to render the JS file contents, and have it serve the JavaScript only when the session id matches. Hide your real JS file too.

document.referrer - limitations?

I am unable to get a lot of referral URLs using document.referrer. I'm not sure what is going on. I would appreciate it if anyone had any info on its limitations (like which browser does not support what) etc.
Is there something else I could use (in a different language perhaps) that covers more browsers etc.?
I wouldn't put any faith in document.referrer in your JavaScript code. The value is sent in the client-side request headers (Referer) and as such it can be spoofed and manipulated.
For more info see my answer to this question about the server side HTTP_REFERER server variable:
How reliable is HTTP_REFERER
Which browser are you looking in? If the referring website is sending the traffic via window.open('some link') instead of a regular <a> tag, then IE will not see a referrer. It thinks it's a new request at that point, similar to you simply going to a URL directly (in which case there is no referrer). Firefox and Chrome do not have the same issue.
This is NOT just a JavaScript limitation; HTTP_REFERER will NOT work either in this specific scenario.
Just to make sure you're on the same page, you do know that if someone types a URL directly in their web browser, the document.referrer property is empty, right? That being said, you might be interested in a JavaScript method to get all HTTP headers. If you prefer PHP (since you're using that tag), the standard $_SERVER variable will provide what information is available. Note that the information is only as reliable as the reporting web browser and server, as noted by Kev.
The document.referrer will be an empty string if:
You access the site directly, by entering the URL;
You access the site by clicking on a bookmark;
The source link contains rel="noreferrer";
The source is a local file;
Check out https://developer.mozilla.org/en-US/docs/Web/API/Document/referrer

emulating LiveHTTPheader in server side script or javascript?

I ran into this problem when scraping sites with heavy usage of JavaScript to obfuscate their data.
For example,
<a href="javascript:void(0)" onClick="grabData(23)">VIEW DETAILS</a>
This href attribute reveals no information about the actual URL. You'd have to manually look at and examine the grabData() JavaScript function to get a clue.
OR
The old-school way is manually opening up the Live HTTP Headers add-on for Firefox and monitoring the POST parameters, which reveals the actual URL being POSTed to.
So I'm wondering, is there a way to capture the POST parameters in a server-side script or JavaScript, as Live HTTP Headers does, for the outgoing and incoming POST parameters? This would make even the most JavaScript-obfuscated web pages easily scrapable.
Thanks.
I'm not sure I understand the question but...
In PHP, incoming POST parameters are stored in the $_POST array, you can display them with print_r($_POST);.
