Is there any way possible to detect if a user has disabled JavaScript after load of the page so that <noscript> tags are rendered? Server side or client side is fine.
You could try putting an image inside the <noscript> tag, which would point to a php file of yours, which in turn it should return an image. This could allow you to know in the server that the user has Javascript disabled.
How to identify the user: you could rely on the session, or set an ID to the url of the image.
You could use the answer on this question as an example on how to server image files from a php script where you could add your logic to detect if the user has js disabled:
Return a PHP page as an image
Here is an idea I got from a book long time ago
<script>
document.cookie= "js_enabled=true";
</script>
Use the above on some first page that you see. Then check for that cookie on the next request to see if javascript is enabled. Of course this has the same flaw if cookies are disabled.
no... any kind of such detection after the page is loaded would have to be detected with js, and if it's disabled, it can't even do anything if it is.
Why not just render the NOSCRIPT tags all the time? That's the point of that tag, to provide content when JS is disabled. If the user is seeing what's in the NOSCRIPT's then they clearly don't have JavaScript enabled.
You could also have a JavaScript AJAX call fire at page load. If your server recieves a request for the page, but then does not receive the AJAX call by the client within the standard loading time frame, then the server can assume the client doesn't accept JS. Not perfect mind you, but you are dealing with client-side JS here.
I don't think there is really a good way to do server-side JS detection. <noscript> is the semantic way to specify non-javascript content - so I suppose rather then detect if JS is disabled, you should detect if it is enabled. You can hide the detection by default, and put a <style> block inside the <noscript> to unhide.
Related
I have a webpage written in PHP, HTML and, first of all, JavaScript. I want to block (deny access page and show a message) access my webpage for person who doesn't have enabled JavaScript in browser settings or doesn't support it, because then my page isn't correcly displayed and there are a lot of bugs (also security bugs !). I know that there is possible to write <noscript> statement in HTML, but then something other than this text is dispalyed and it also is removable (e.g. by Inspector function is browsers), I said that without JS my page contains bugs. So, my question : is there any way to block access* for users which doesn't support JS to my page using PHP ? Any other suggestions are welcome :)
*Block access means - deny access main page and show a message
This is not possible to do in a truly secure way.
Yes, you could just serve a page that is blank, and then use JS to actually load the content (e.g. via AJAX), but the problem is that JS must load that code from somewhere, and an attacker could do that too. But here's the real problem:
Users have control over their browsers. JS is client side code. An attacker may choose to run, not run, or change and then run your JS. An attacker may even run their own JS to call or replace your functions. Any security that relies on your JS is broken by default.
So while you could (and people do) show a warning message over your page that is then hidden by JS code, or use JS to load your content, it won't ever be secure.
If you really really really need this. I said three really because I think most of the time you can choose alternative to this.
Set a cookie using JavaScript and pass it along with your request to server and validate the cookie on your server with the passed request. If you are able to verify the cookie Your client has JS else not.
Better way would be to redirect js and non js users from single point. say in your index.html file you have have javascript code that will redirect your clients or visitors to different url. That way you know those users have js enabled else they would not be redirected.
You can make a "sub" page that loads its entire content via AJAX. This will not stop people from hitting your URLS directly though. Don't trust the client.
Other answers and comments already include a lot of details on why you really can't technically block access using Javascript, however, a simple workaround to do something only when JS is enabled, is to call a JS function after DOM loads:
<script type="text/javascript">
window.onload = do_something();
</script>
</body>
</html>
do_something() then could include simple things like switching block element visibility, e.g., hide the non-JS message, plus launch AJAX loader or do something else from the stuff that has been already suggested above.
I have a rotator link and I dont want to allow people to open it in iframe.
How to stop php process in iframe?
header("X-FRAME-OPTIONS: DENY");
does not work in firefox and chrome. my link is (EDITED)
Check the Access-control-allow-origin header.
It allows you to control which domain can access or frame your scripts.
You can choose between 3 values :
Only from the same domain
Only from a domain listed on a list you made
From anyone (wildcard)
Since PHP is never in an iframe but executed on the server side there is no way to reliably know if the request originated from an iframe on your site of not.
If your intention (which is not quite clear) is to make sure people don't put an iframe of your site on another site, then you can check for the referrer of the request etc. But most of it can be spoofed.
Update due to comment:
Then there is unfortunately no good standardized way of getting this type of information reliably. If you yourself had an iframe on your site and for some reason didn't want that to be able to call your script you could probably do this by adding some GET parameters via javascript or something. But since you have pretty good control over your own iframes this shouldn't be a problem.
But when it comes to determining of the request from the browser to your server originated in an iframe or not there is no information in the HTTP header to disclose this. The only thing you could possibly be informed about is if that iframe is from a page hosted on another domain.
But if you have an iframe on your own site, don't add any extra parameters to the request and access your script in it and then normally from the browser's main window the two requests will look the same on the server.
I'm not completely sure if I understand your question, but here's a list of things:
If you want to stop your page being loaded in an iframe, there's not easy way of doing that, if the browser is ignoring X-Frame-Options: DENY.
If you have a link the user can click that opens in the iframe, not the parent frame, you can use the base html tag, to specify to the browser to open any links you click in the parent frame, with <base target="_parent" />
If you want to redirect automatically, and that causes an issue when loaded in an iframe because you use headers to do it or something, you could probably use the base tag and some javascript to automate clicking on the link as an alternative
Am working on an PHP application that involves multiple plans a user can select. On my Manage Plan page, whenever user selects any plan from a menu a ajax call is sent that calculates plan fee based on database values and displays it to the user. That works fine. My only problem is when Javascript is disabled everything gets messed up. Not only the plan fee doesn't show up (which is obvious) but when user clicks Submit button, the plan gets changed (ideally user should be taken to a checkout page)
Anyways, I tried putting something like this at the top of the page.
<noscript>
Javascript is disabled. Please enable it to continue.
<?php exit(); ?>
</noscript>
So when Javascript is disabled it shows a message and stops right there. But when Javascript is enabled the PHP code in <noscript> tag too gets exceuted and stops the page from running.
I am wondering when Javascript is enabled why everything inside the tag isn't ignored?
PHP is rendered on the server, not on the client. the <noscript> is only regarded or disregarded by the browser. the server has no knowledge what the client will do with this tag.
even HTML comments containing PHP will be executed by the page.
Because the page is generated in the first place on server-side and then sent to the browser in the second place. :) In addition the server doesn't know about the <noscript>-tag.
PHP gets executed server-side, not on the client. Your server doesn't know anything about JavaScript, because JavaScript is executed client-side.
You can't string php and js like that. php runs on your server, js runs on the clients' browsers, therefore exit() is always called.
The noscript tag is only interpreted by the browser rendering engine and javascript, and not by PHP on the server-side - so what is happening here is that the server is processing the PHP file before sending it to the client (the server, at this stage, doesn't care about the meaning of HTML tags) It hits exit(); and halts execution.
What is then generated is sent to the browser and displayed accordingly. This will be a noscript tag, the text "Javascript is disabled. Please enable it to continue." and then it hits the end of what PHP produced.
I'm not sure what might be happening with your original situation though, sounds like there may be some similar confusion with the placement of PHP within noscript tags. Can you post an example of the original script?
The PHP code is (almost) always executed, no matter where it is in the page. Your problem is not that simple, since the <script> tag is client-side code, while PHP is server - side code.
Server - side code is executed in the, well, server. In contrast, the client - side code is executed in the client's machine. So PHP is not really aware of the <script> tag or whether the client can execute scripts at all. It just notices <?php ... ?> sections and works on those, before sending the result to the client.
Your <?php exit(); ?> executes on the server side before the page is served to the user. PHP does not care if it's in a <noscript> tag or not, therefore all further action will stop right before your </noscript> tag.
A possible solution is adding a disabled="disabled" attribute to your submit button, and use Javascript to remove the attribute on page load. That way all users will see the whole form, but non-Javascript users will not be able to actually click the button (remember to still notify them in the <noscript> element.
Because PHP is executed on the server, before the browser even sees the <noscript> tag. Javascript is client side, PHP is server side.
The why has been answered.
But a solution to call a php file, I found this post.
Will depend on the context of your need. worked for me.
<noscript><iframe src="your_php_file.php"></iframe></noscript>
Link: including php in <noscript> tag
I am building an AJAX deep-linked site.
I want PHP to load all the HTML code of the page if the user is trying to access the site with a Javascript non-supported browser or if it is a search crawler. Basically PHP will return the whole page.
On the contrary, when the user is trying to access the site with Javascript supported browser, I want PHP to return only the template code, and let Javascript (AJAX) take care of the rest. Basically PHP will only load design elements and let Javascript populate them with content.
I looked into PHP's get_browser() function, however it seems it is not such a reliable tool. What is the industry's practice see if the browser supports Javascript or it is a search crawler using PHP?
Background:
Why I want the site to have this behavior.
Since I want the home page to load just by loading the address: example.com, which does not send any query to PHP, PHP returns the HTML code of the home page. This however causes issues when the user tries to load the following page: example.com#foo. So, for this example, PHP will return the home page and once the home page is loaded, Javascript (AJAX) will change the content around so that it shows proper content for #foo. This will make the user to see the home page, therefore load time will be slower and user-experience will not be so nice. However if my PHP script can figure out that if the use with Javascript supported browser is trying to load the page, it will only return the template of the web site, which has no content) and the javascript will populate that template with content whatever is supposed to be displayed for #foo. On the other hand, if the Javascript non-separated browser or a crawler will try to access the page example.com#foo, home page will be returned.
I am using SWFaddress (http://www.asual.com/swfaddress/) library for the deep-linking.
Edit
Thank you guys. I did not think of using <noscript></noscript> before.
Here is what I decided to do. PHP by default will load pages such as example.com or example.com#foo (which is essentially the same as example.com from PHP's point of view since fragments by definition are not sent to the server) blank (just visual template) with <noscript> tag inside for the content of the home page. This way users with javascript will not see the home page and AJAX will populate the content of the page according to the #foo fragment. On the other hand, search crawlers and users without javascript will see a home page.
Thank you again. I think this is pretty simple and elegant solution. If you have any further suggestions, please post a comment or another answer.
You can't do this using PHP. What you can do though is use a noscript tag to redirect to another php page if they don't have javascript:
<noscript>
<meta http-equiv="refresh" content="0; URL=nojavascript.php">
</noscript>
It's not possible to accomplish this in the way you're trying to do it.
It's rare that someone has JS turned off and doesn't know it.
PHP doesn't get passed anything after #, only javascript can do anything with that. So even if PHP could determine if the browser has javascript turned on then it still couldn't read # anyways.
You could include a link inside some <NOSCRIPT> tags that point the user to something like example.com#foo?javascript=disabled.
Unfortunately, browsers do not report whether JS is enabled or not, so there's no way to know from a simple HTTP GET whether or not you should send JS reliant pages.
You should just build an AJAX query that sets a session variable for javascript enabled.
Run this AJAX query before any other information on the site is loaded and then do a simple redirect to the actual site.
You could do something like this pseudo code:
Index.php:
ajax(check_js.php);
redirect(main_page.php);
check_js.php
$_SESSION['js_enable'] = true;
main_page.php
if($_SESSION['js_enable'] == true) {
//execute page
} else {
header("Location: no_js_error.php");
}
Instead of the server trying to sniff our the user's settings, how about using unobtrusive javascript in the first place? This way, the page will degrade gracefully (to the desired state) if JS is not available.
Can I Stop or interrupt PHP script for particular time?
I would like to implement logic like below:
on mydomain.com/index.php there will be flash appear showing some intro of a product for suppose 20 sec. Once it complete, on same index.php page the home page of site will appear.
I am not aware about flash (action script).
Is it possible in PHP or Javascript ?
Usually "splash pages", as the're called, are made up of a seperate page.
In flash you can use the following code (Actionscript 3). Put it int the last frame, or use an event listener to redirecrect when the file is finished. The actual redirect looks like this:
getURL("http://www.woursecondpagehere.com", "_self")
Where you place it is up to you.
EDIT: I think that this is a reliable solution because this guarantees (if implemented correctly) that the page won't move until Flash is done. CSS and Javascript will work fine too.
There isn't a need to interrupt PHP in the scenario given. Though I think what you want is to load the rest of the HTML after a certain event occurs.
If thats the case then you can use AJAX to load the additional HTML from the server. Or you can use CSS to hide that content and show it after a certain point.
The META Refresh tag is probably not what you want since it will redirect the user after 20 seconds, regardless of how long it took to load your Flash file, then play it. Since the speed of the user's connection cannot be reliably predicted, you will probably end up with a poor user experience.
What you want to do is definitely possible but it will involve some interaction between the Flash object and the rest of your page. If you could do as Moshe suggested and simply have the Flash object redirect the user's browser to your actual home page with content on it, that would be easier.
If you insist on keeping everything on the same page, one way to do it is to call a Javascript function from the Flash object once it's finished playing. The function you call should be written to hide the Flash object and/or it's container and display the container () with all of your content that you're ready to show.
See this Codefidelity blog post for a quick tutorial on how to call JS functions from Flash.
Also, to clarify, you won't be interrupting or changing when your PHP script runs. That runs on the server before the page is created and sent back to the user's browser. All you need to do is structure the HTML/CSS of your page to have two DIVs: one with the Flash object in it and the other with all your normal page content. However, set the CSS to only show the DIV with the Flash object, then finally use Javascript to hide that DIV and show the one with the content in it.
Try this,
write the your flash (splash screen) <embede> code in index.html and simply use javascript redirect function with javascript timer functions to redirect to index.php where you actual content is there.
something like...
window.location = "http://your.domain.name/index.php"
or
location.href = "http://your.domain.name/index.php"
use setTimeout() to call redirect after specified time.