Organizations registering on my application can provide their external website's URL for their profile page. The resulting HTML when displaying the link to their site is example.com (confirmed by inspecting the page in Chrome). When hovering over the link or actually clicking it, the URL is apparently interpreted as relative and https://localhost:8443/MyWebApp/profile/ is prepended to it.
Do I have to check and possibly modify links that users input or is there likely something in my configuration that is causing this behavior?
EDIT: Is there a simple method of countering this, such as a JSP tag or using a URL rewriter? (Tuckey)
This is the expected behaviour. Since the provided URL does not begin with a protocol (http, https, ftp, whatever) it is considered relative, and since it does not start with a /, it is considered relative to the current URL.
Related
I have a URL shortener app (similar to tinyurl.com, bit.ly etc) which redirects to file:// URLs as well.
Internally, this is a Servlet based web-app, and all I do is, retrieve the targetURL and do a response.sendRedirect(targetURL) from the server side.
This works fine for file:// URLs too. However, recently, this has stopped working on Chrome. When I try to redirect to file://foo.txt (via a response.sendRedirect("file://foo.txt")), things simply fail (the Chrome debugger says "Cancelled").
Things work fine in FF and IE, however. Any clues?
I'd say this is a bad idea, and I'm glad at least Chrome denies this (although I would suspect that other browsers would as well). It would be a pretty big security hole if you could instruct someone else's browser to open an arbitrary file.
Second, why would you want to do this? It would require that the user actually have this same file, at the same location on their computer. Seems like a pretty narrow use case. I tested your use case with bit.ly, and if you try to add a file:/// URL there, it's regarded as an invalid URL and cannot be shortened.
Edit: There's a very good answer covering the same topic here. It references this useful resource about security restrictions with redirection.
You also specify that this is for an internal app. If you're attempting to do some sort of document sharing, I'd say you should look into dedicated systems for this. Another option is to extend your service with a "dropbox light", where your users can upload the file in question to a storage service, and you can generate a shortened URL based on serving the file from your storage via regular http/https.
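Both the profile-link question at the top of this page and the shortener question above come down to deciding which URLs the server will store, render as an href, or pass to sendRedirect. The following is an added example, not code from any of the posts: a hypothetical ExternalLink.normalize helper that makes scheme-less input such as example.com absolute and accepts only http and https, so file:// targets are refused. It assumes scheme-less input is meant as a web host name; the sample inputs are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Optional;

// Added example: hypothetical class and method names, not code from the posts.
public final class ExternalLink {

    /** Returns an absolute http(s) URL for user input, or empty if it must be refused. */
    static Optional<String> normalize(String input) {
        if (input == null || input.trim().isEmpty()) {
            return Optional.empty();
        }
        String s = input.trim();
        // "example.com" carries no scheme, so a browser resolves it against the
        // current page. Assumption: scheme-less input is meant as a web host name.
        if (s.startsWith("//")) {
            s = "https:" + s;
        } else if (!s.matches("^[A-Za-z][A-Za-z0-9+.-]*://.*")) {
            s = "https://" + s;
        }
        try {
            URI u = new URI(s);
            String scheme = u.getScheme().toLowerCase(Locale.ROOT);
            boolean web = scheme.equals("http") || scheme.equals("https");
            // Refuse file:, javascript:, data: and similar schemes, anything without
            // a real host, and user:password@ prefixes that disguise the destination.
            if (!web || u.getHost() == null || u.getUserInfo() != null) {
                return Optional.empty();
            }
            return Optional.of(u.toASCIIString());
        } catch (URISyntaxException e) {
            return Optional.empty();
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        String[] samples = { "example.com", "http://example.com/about", "//example.com",
                "file:///foo.txt", "javascript:alert(1)", "https://user@example.com/" };
        for (String in : samples) {
            System.out.println(in + " -> " + normalize(in).orElse("(rejected)"));
        }
    }
}
```

Store the normalized value rather than the raw input, and HTML-escape it when writing it into the href attribute (in a JSP, for example with JSTL's c:out).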
I'm just doing a java tomcat project, that does some query in a database then return the file path of some web pages.
Now I have mapped my only class in web.xml and the webapp does return a list of urls which correspond to some html pages in my local disk. I set up a side frame in the webapp, my idea is that I output the results in the output page like "file:///file_path_of_html_page" and when this link is clicked, the side frame will show the html page.
But actually I got the right links but when I click on them, nothing happens, Chrome tells me "Not allowed to load local resource". Even if I set the target="_blank", the link doesn't work. But the "file:///filepath" are all ok when I type them in the address bar. I've moved all the html pages in the Eclipse project folder but that didn't help.
Any suggestions to do this simple task?
The average browser disallows due to security reasons opening file:// resources when the parent resource is by itself served over http://. If you make them fullworthy http:// links, then it will work properly.
Even if the browser allowed it, this approach would not work when you publish the webapp on a different server. A file:// resource refers to the local disk file system, which is the one the client (the user with the web browser) is using. This is normally in a physically different machine. The client should have a copy of exactly those resources on its own local disk file system beforehand in order to get the file:// links to work.
Just put the HTML pages in the public web root of your web project (there where you normally put your JSP files and so on) and use (relative) http:// links to refer to the HTML pages. For example, the following link in a http://localhost:8080/contextname/some.jsp
link to some html file
would open the http://localhost:8080/contextname/some.html file.
I'm trying to redirect my response but I got stuck at the link path.
The following command takes me to the tomcat's localhost and searches for the page there but it can't find anything, as expected.
response.sendRedirect("/myPage.html");
In order to manage this problem I have to put my root folder name (the one from webapps) in the link path, but I don't think that's a really good idea.
response.sendRedirect("/mySite/myPage.html");
Why is this happening? Is there any other way to solve this problem, besides getRequestURL() or something like that?
A relative redirect URL is relative to the current request URL (the one as you see in the browser address bar). The leading / will take you to the domain root. The behaviour is perfectly predictable and normal. If the myPage.html is in the same folder as the current request URL, then you can just remove the leading /:
response.sendRedirect("myPage.html");
Or if that is never reliably predictable because the current request URL can come from anywhere in your webapp, then just dynamically include the context path:
response.sendRedirect(request.getContextPath() + "/myPage.html");
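The three forms discussed above, resolved against a constructed request URL. This is an added example, not code from the answer: it mimics the resolution with java.net.URI rather than a running container, and the class and method names, the request URL and the context path are assumptions.

```java
import java.net.URI;
import java.util.Objects;

// Added example: hypothetical helper names; request URL and context path are constructed.
public final class RedirectTargets {

    /** Resolves a redirect location the way a relative URL is resolved against the request URL. */
    static URI resolve(String requestUrl, String location) {
        return URI.create(requestUrl).resolve(location).normalize();
    }

    /** True if the resolved target is on the same origin and under the webapp's context path. */
    static boolean staysInWebapp(String requestUrl, String contextPath, String location) {
        URI req = URI.create(requestUrl);
        URI target = resolve(requestUrl, location);
        boolean sameOrigin = Objects.equals(req.getScheme(), target.getScheme())
                && Objects.equals(req.getHost(), target.getHost())
                && req.getPort() == target.getPort();
        String path = target.getPath();
        return sameOrigin && path != null && path.startsWith(contextPath + "/");
    }

    public static void main(String[] args) {
        String requestUrl = "http://localhost:8080/mySite/admin/list";
        String contextPath = "/mySite"; // what request.getContextPath() returns for this webapp
        String[] locations = {
            "/myPage.html",               // leading slash: resolved from the domain root
            "myPage.html",                // no leading slash: relative to the request URL's folder
            contextPath + "/myPage.html"  // context path prepended: independent of the request URL
        };
        for (String location : locations) {
            System.out.println(location + " -> " + resolve(requestUrl, location)
                    + " (inside webapp: " + staysInWebapp(requestUrl, contextPath, location) + ")");
        }
    }
}
```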
I have a webpage which refers other pages.
I want to be able to set the HTTP_REFERER on the URLs that are clicked.
What options do I have?
None really. The browser sets this automatically.
The only thing you can do is redirect to a script (under your control) like
http://example.com/redirect.php?url=........
That file (in this case, PHP) would then do a header redirect to the target, and show up in the receiving site's HTTP_REFERER header.
Also, linking to a https:// page from a http:// one or vice versa will drop the referrer. See the Wikipedia article on referrer hiding.
Other than that, there is nothing you can do to alter it. There is definitely no way to set it to an arbitrary value from within a web site.
I have a site, say http://info.sys.com
I want the info in the URL to be replaced with knowledge.sys.com when I select the knowledge tab on my website.
info.sys.com should be replaced with knowledge.sys.com when I select the knowledge tab.
I use jdk 1.5 update 9 and tomcat 6.0.16
Looking forward to your reply.
If you change the URL (location.href = 'http://knowledge.sys.com';), the page will be reloaded -- well, actually, the page at that address will be loaded (whether that's the same page or not will depend on your server).
There are games you can play with anchors, though (the "hash" part of the location). Check out Really Simple History for more on that.
Changing the URL field programmatically on the client-side will trigger the browser to refresh the page with the updated URL.
This is considered a security feature which guarantees that the URL field is always showing the address of the rendered resource.
You can use a URL Rewriting Engine on your server if you cannot host your knowledge base at knowledge.sys.com. This could be configured to handle requests to knowledge.sys.com without having to change your application file structure.