I have reverse engineered a social login framework to use frames instead of popup windows. It is working but appears that the authentication content will not display.
I wondered if maybe this was deliberate from the social network provider as I cannot find a mistake in my code.
EDIT.,,
I have been told that this deliberate to prevent a cyber attack. Pop Up window are monstrously ugly though and terrible on mobile devices. Is there a replacement that can work. Since iFrames cannot is there another way of keeping it seemingly inline to the page.
If you want to make it seamless, then you'll need to look at an alternative approach altogether. Most of these social networks (twitter, facebook etc) have api's that allow you to connect and login "in code" rather than just OAuth from your page.
That's the only way you can reliably avoid the dreaded popup.
Related
I'm working in a platform that creating websites some thing like wix.
So each one of our users can own it's own internal webpage.
I need to allow them to add scripts to there internal webpages; Google analytics tracking code, facebook pixel code, or any custom widgets.
So I may accept these scripts via textarea and save it in the db, then add it in the user webpage header
But, what about security, some thing like XSS attack
Is there any ideas to accept custom scripts and prevent users from attacking the platform?
Note: I don't know much about how XSS and what it may do, I just need to secure the whole platform from attacks that may comes from the users (the internal webpages owners)
I am not sure this is correct SO to post on, but if not admin please feel free to move it to relevant SO or suggest me to move it.
I am using a contractor to help me create a website for some project. He has coded the entire custom website in PHP.
One feature that I requested was that links posted on the website should have the preview feature that we see in Facebook (FB) like in attached picture.
But he keeps saying that I can only use embedded code to create such preview feature. When I show him the FB preview he says FB is probably using technology of its own. Currently if I post the link from youtube to my test website it shows up as text like: https://www.youtube.com/watch?v=jtkUtNzaFPI&t=1909s
My question is:
What exactly is FB using? Is this easy to implement for any PHP developer or is it really time consuming implementation.
"he says FB is probably using technology of its own"
His answer to your question is utter nonsense, and indicates only that he doesn't want to do what you're asking. You hopefully aren't paying him very much.
What Facebook is doing is kind of sneaky, but structurally simple. The order of operations is:
User enters text on Facebook page.
AJAX request is sent to Facebook server with text.
Facebook server parses and sees that there's a link in there.
Facebook server makes a server-side HTTP request to link destination to find out more.
Facebook server parses response for anything it can add to the input template that the user is seeing.
Facebook responds back to user (maybe web sockets? maybe a response to that earlier AJAX request?)
Client-side code on the Facebook page updates what the user is seeing.
Steps 2-6 intuitively sound like they may take a lot of network time, but these tend to be very quick services (Facebook itself, YouTube, etc.) so that's usually not a problem.
The main concern here are Step 3 and Step 5. That's where Facebook is using some custom logic that it likely spent considerable effort defining. There may be libraries which help with that, likely made in response to the demand for this exact feature. I don't have any to recommend, sorry.
The technical implementation is the easy part. Determining from the user's text what data to fetch could be difficult. Determining what data to put in the page could be difficult. That depends on the scope of what you want to implement.
For example, it may be difficult to detect if the user has entered a variety of things you can respond to, but it may be easy (with a regular expression perhaps) to detect if the user has entered what might be a YouTube URL. So if you reduce the problem space to just YouTube previews, then you may be onto something. If you can successfully parse that YouTube link, you're in business. Now you can hit a YouTube API and get information to send back to the page.
Continue with that pattern for other small problem spaces (previewing a link to an image, previewing a link for another popular site, etc.), and you can over time add that same feature.
I am new in web developing and I am developing a website now. I want to use login systems with social networks like facebook and twitter. They are both working with HTTPS and I am wondering if it is okey to use these login systems on my HTTP website? Or it will be better not to use them? Any opinions from you will guide me to decide.
Update:Time is not the problem. I am asking that because of security.For example; are they using cookies to keep users logged in? According to my researh using cookies is dangerous with HTTP. Or am I totally wrong about the way I thinking?
It is not as easy as you might think to integrate Social Logins into your site. They use standards like OAuth. The best point to start to get hands on with one of the social login APIs like the facebook login.
So if i look at how you asked your question, i would say for you it would be better not to use them. You can try, but it will take quite some time to get them to work.
I have found that certain android applications show my site, I think they use with webview,
How do I block all applications that can show my site ?
How do I block all applications that can show my site ?
You have no means of conclusively determining what software is sending the HTTP request, and Web browsers are "applications". So, either take down your site, which will "block all applications that can show [your] site", or do not worry about what "applications" the user has chosen to view your site.
I don't think there is a 100% secure way of doing this. What you can do is to attach a header property to your app browser with a server-validated key. Without this key, in combination with a mobile browser detection library you'll know if the app is authorized or not.
But if a developer acquire this key there is no prevention for him to implement it. Also detecting a mobile browser is not an exact science.
I've read quite a bit of documentation, and it's all based around on setting up full blown Facebook integration on your site to the point where you're completely relying on Facebook.
All I want to know is 2 things:
1) How do I allow my users to find out which of their Facebook friends have already joined my site
2) And what's the easiest way to let them invite Facebook friends to the site?
The site that does it perfectly and exactly how I want to duplicate is Gowalla at http://gowalla.com/friends/find
Note: I've never used Facebook Connect, however I have an API key somewhere.
You need to become best buddies with the Facebook Developer Documentation, especially the web guide.
Where you can start is the Login With Faces plugin, although the Facepile could apply as well. But understand this: If you're not using Facebook to authenticate your users (i.e., using Facebook Connect*), these plugins will be worthless to you.
In terms of inviting people, there's not going to be a great way to do that. You can implement request forms through the XFBML ServerFbml tag, but that's really for inviting people to other Facebook entities, not your own site. There's the share button but that's not really the same thing as an invite.
**Note: It's actually no longer called Facebook Connect - they are slowly moving away from that moniker. They are moving to the terminology "single sign-on". However, the "Facebook Connect" name still pops up in many places.*