Custom url 'this page include script from unauthenticated source' error - python

I am using Windows 7 and Python 2.7.
I am using a custom URL for launching an app.
First I am opening a web page of Box asking for user credentials for authentication. In the URL, I set redirect_uri = customuri://box_auth.
So Box sends the success code to this redirect URI, which launches the app customuri.exe.
But I am getting a shield icon (Insecure content) appearing in the address bar of my Chrome page.
Hovering over the shield gives "This page includes script from unauthenticated sources."
On Inspect Element it shows:
https://app.box.com/api/oauth2/authorize?response_type=code&client_id=opun9…yt6q707s=authenticated&redirect_uri=curlargu://box_auth' was loaded over HTTPS,
but ran insecure content from 'customuri://box_auth?state=authenticated&code=TZzZhJwlw4AbWcn5FgxvpBz5H':
this content should also be loaded over HTTPS.
As a custom URL app, it should be launched with customuri://box_auth in the Chrome browser over HTTPS.
So, how do I handle this issue? The issue is with Chrome only; Firefox and IE are working fine.
customuri:// will launch an application as a custom URL. I wrote this application in Python and then converted it into an exe file. I mapped customuri to the location of this exe file in the registry.

The issue is non-secure scripts being run inside secure pages and is documented by Google here:
https://support.google.com/chrome/answer/1342714?hl=en
As a user, you have the choice to click the shield icon in the browser bar and run the non-secure scripts or not. As a developer, you need to ensure your scripts inside secured pages are also from a secured source.

This occurs when your page embeds HTTP (unsecured) content/scripts into an HTTPS (secured) environment. It might be that the SSL certificate is configured on the load balancer rather than the application server; therefore the traffic is encrypted up to the load balancer and then in the clear between the load balancer and the application server. That is called SSL offloading. So I think you will need to enable mixed content in IE or load unsecure scripts in Chrome.
For more details check this.

This is what I did: go into Chrome settings, go to advanced settings and hit reset, close Chrome, restart the PC and it's gone.
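Independently of the Chrome warning, the customuri.exe side of the flow above has to parse the callback Box sends and decide whether to trust the code in it. The following is an added example, not the asker's code: a Python 3 handler that accepts customuri://box_auth?state=...&code=... only when the state equals the random value generated before the browser was launched, so the fixed state=authenticated seen in the question would be rejected. The scheme and host come from the question; everything else is assumed.

```python
import secrets
import sys
from urllib.parse import parse_qs, urlsplit

# Scheme and host registered for the handler in the Windows registry (from the question).
SCHEME = "customuri"
HOST = "box_auth"


def new_state():
    """Random, single-use state to put in the authorize URL before opening the browser.

    The handler later compares the callback's state against this value, so a callback
    that this client did not start (or a replayed one) carries nothing that matches.
    """
    return secrets.token_urlsafe(24)


def parse_callback(uri, expected_state):
    """Return the authorization code from the callback URI, or raise ValueError."""
    parts = urlsplit(uri)
    if parts.scheme != SCHEME or parts.netloc != HOST:
        raise ValueError("unexpected callback target: %r" % uri)
    params = parse_qs(parts.query, keep_blank_values=True)
    if "error" in params:                      # Box reports denial via ?error=...
        raise ValueError("authorization failed: %s" % params["error"][0])
    state = params.get("state", [None])[0]
    # Constant-time compare; a fixed string such as "authenticated" gives this check no value.
    if state is None or not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback was not started by this client")
    codes = params.get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise ValueError("callback carried no single authorization code")
    return codes[0]


def accept_callback(uri, expected_state):
    """Convenience wrapper: the code on success, None on any validation failure."""
    try:
        return parse_callback(uri, expected_state)
    except ValueError:
        return None


if __name__ == "__main__":
    # Windows passes the full customuri:// URI as the first argument to the registered exe.
    # The expected state would be read from wherever the launcher stored it (assumed: argv[2]).
    code = accept_callback(sys.argv[1], sys.argv[2])
    print("authorization code accepted" if code else "callback rejected")
```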

Related

Telegram web app won't open on mobile devices

I'm writing a Telegram bot in Python that sends back from a /start command a button that, when pressed, should open a web app. Nothing so complicated so far. The problem that I'm having is that the web app (a simple HTML file) opens fine on the desktop version of Telegram (Telegram Web) but it won't open on a mobile device. I tried more than one device. I must add that a demo Telegram web app (Durger King) runs fine on every mobile device and on the desktop version.
The web app is just an HTML file hosted on an HTTPS server. In my case, this server runs on the same computer together with the Telegram bot. That shouldn't be a problem but I mention it just in case.
If I send the URL as a message to some user in Telegram, the page can be opened by Telegram in its embedded browser (or any other for that matter) perfectly well.
I tested different Python bot libraries and different HTTPS servers. The only thing that can be a problem is the SSL certificate. I generate certificates using Letsencrypt - Certbot. I have used it for a long time with no troubles at all. The certificates are perfectly legal.
What can be the problem? I'm open to suggestions. Thanks!!
As mentioned here, connect your device to a PC/laptop and debug it from chrome://inspect/#devices. Then navigate to the Console tab and see if any error has occurred.

How to modify the redirect url in Microsoft login in Flask with nginx, ubuntu

My Flask web application requires a Microsoft login feature.
The Microsoft login requires a redirect URL that redirects the user back to Flask after successfully logging in to Microsoft.
My HTTPS structure is: nginx listening on 443, proxying all requests to http://127.0.0.1:5000, where my Flask app is running.
(The most popular method I found for running Flask in production mode using HTTPS.)
Now comes the problem: the redirect URL sent to Microsoft login is http://127.0.0.1:5000
But all other redirects, e.g.: (ignore my function names, you know what I mean)
resp = resp.set(url_for('index'),200)
return resp
or
return redirect('/whatever_page')
are all redirected as https://example.com/{whatever_page}, which is completely fine.
But when it comes to the redirect URL used in Microsoft login, it fails.
The Microsoft login code I am using is basically the Flask demo I downloaded from Microsoft; all I did was move the entire thing into another function of my Flask app and call it when I need it. I went through the code step by step and did everything I could to make things right, yet nothing worked.
I have tried changing the IP in proxy_pass to the public IP and some other IPs; they didn't work, but I can see the IP used in the redirect URL changes with the proxy_pass IP.
I have tried many configurations that might make things right, for example:
proxy_redirect http://127.0.0.1:5000/getAToken http://example.com/getAToken;
or
proxy_redirect http://127.0.0.1:5000/ https://example.com/;
or
proxy_redirect http://127.0.0.1:5000/ http://example.com/;
or
proxy_redirect http://127.0.0.1:5000/getAToken https://example.com/getAToken;
None of the proxy_redirect configurations affect the redirect URL used in Microsoft login, but all other redirects work.
I even tried to change the redirect URL manually by modifying the login URL Microsoft generated; it didn't work since the redirect_url is used to encrypt the token or whatever it is.
My current hacky options are:
Running back to the development server using HTTPS, but I need to restart the service every 1h or so to avoid the "not responding" problem in the development server. Costs are: loss of cache and potential crashes when more users come. (This is what I am currently using to keep the website up.)
Use a Windows server. Development mode on a Windows server doesn't stop responding; it may at some point but I honestly don't know. I do have one running for months that has never stopped responding. The problem here is I don't know when it will stop responding.
Buy another server and use it as a login server; it can be restarted every hour since cache or whatever doesn't matter there.
But I really want to solve this problem without using any of the options above, and modifying the redirect URL before the Microsoft login URL is generated is the best option I can think of; I just don't know how to.
If there are other options other than these, please let me know; I will really appreciate it.
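The redirect URL comes out as http://127.0.0.1:5000 because Flask builds absolute URLs (url_for with _external=True, which the Microsoft demo uses) from the scheme and Host header of the connection it actually sees, the plain-HTTP hop from nginx, unless it is told to trust the proxy's X-Forwarded-* headers; proxy_redirect only rewrites Location headers of responses, not a URL embedded in a login link. The following is an added example, not the asker's code and not Flask or Werkzeug itself: a standard-library re-implementation of the trust rule that werkzeug's ProxyFix applies, runnable without Flask installed, with the real ProxyFix call and nginx directives in the comments. The host names, path and trusted proxy address are assumptions.

```python
from ipaddress import ip_address, ip_network
from urllib.parse import urlunsplit

# nginx runs on the same host as Flask (from the question), so only loopback is trusted.
TRUSTED_PROXIES = [ip_network("127.0.0.1/32")]

# Real fix in the Flask app (Werkzeug >= 0.15); shown here as a comment, not executed:
#   from werkzeug.middleware.proxy_fix import ProxyFix
#   app.wsgi_app = ProxyFix(app.wsgi_app, x_for=1, x_proto=1, x_host=1)
# and in the nginx location block that does proxy_pass http://127.0.0.1:5000;
#   proxy_set_header X-Forwarded-Proto $scheme;
#   proxy_set_header X-Forwarded-Host  $host;
#   proxy_set_header X-Forwarded-For   $remote_addr;


def external_url(environ, path, trusted=TRUSTED_PROXIES):
    """Absolute URL for `path`, honouring forwarded headers only from a trusted proxy.

    Mirrors what ProxyFix does for url_for(..., _external=True): without it Flask uses
    wsgi.url_scheme and HTTP_HOST of the inner hop; with it, the proxy's headers. Headers
    from any other peer are ignored so a client cannot choose its own scheme or host.
    """
    scheme = environ["wsgi.url_scheme"]
    host = environ["HTTP_HOST"]
    if any(ip_address(environ["REMOTE_ADDR"]) in net for net in trusted):
        # Take the first value in case an upstream proxy already appended its own.
        scheme = environ.get("HTTP_X_FORWARDED_PROTO", scheme).split(",")[0].strip()
        host = environ.get("HTTP_X_FORWARDED_HOST", host).split(",")[0].strip()
    if scheme not in ("http", "https"):
        raise ValueError("unexpected scheme %r" % scheme)
    return urlunsplit((scheme, host, path, "", ""))


# Constructed WSGI environs (not real captures), each as Flask would see it behind nginx.
DIRECT_ENV = {"wsgi.url_scheme": "http", "HTTP_HOST": "127.0.0.1:5000",
              "REMOTE_ADDR": "127.0.0.1"}                      # nginx without forwarded headers
PROXIED_ENV = dict(DIRECT_ENV, HTTP_X_FORWARDED_PROTO="https",
                   HTTP_X_FORWARDED_HOST="example.com")         # nginx with proxy_set_header
SPOOFED_ENV = dict(PROXIED_ENV, REMOTE_ADDR="203.0.113.9")      # not the proxy: headers ignored

if __name__ == "__main__":
    for name, env in [("direct", DIRECT_ENV), ("proxied", PROXIED_ENV), ("spoofed", SPOOFED_ENV)]:
        print(name, external_url(env, "/getAToken"))
```

The value that ends up in the redirect_uri parameter also has to match one of the redirect URIs registered for the app in Azure AD character for character, so the registered entry must be the https://example.com/... form.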

How to get authenticated in Microsoft teams tab in python

The login page is displayed in the Teams tab in the browser. Now the issue is that on the login prompt it tries to open an iframe, which is not allowed inside another iframe in the Teams tab. It works fine on a normal browser page but has an issue only in the Teams tab in the browser.
The error which we are getting is like: Refused to display 'https://login.microsoftonline.com/' in a frame because it set 'X-Frame-Options' to 'deny'.
Details of Code:
Language: Python
Architecture: Flask Apis for rendering pages
Issue: iframe not working in the Teams browser tab.
Authentication: MSGraph.Authorization
Could you please help with this?
I presume you're using MSAL 2.0 (recommended). If so, there are two auth flows - redirect and popup. In Teams, it's a little different because Teams itself is actually launching the popup for the auth flow. As a result, even though it involves a popup, this popup will launch to your own auth page, and you end up doing redirect flow from inside there.
Here's a sample I put together for Tab SSO that should help (it's not python, but hopefully the node/Dotnet examples will be good enough guidance): https://github.com/pnp/teams-dev-samples/tree/master/samples/tab-sso

How to track login and scan REST-interface

I want to write a Python script for a website that requires a login to enable some features, and I want to find out what I need to put in the headers of my script's requests (e.g. authentication token and other parameters) so they are executed the same way as requests from the browser.
Does wireshark help with this if the website uses HTTPS?
Or is my only option executing a browser script with Selenium after a manual login?
For anyone else with the same issue: you don't need to capture your traffic from outside the browser. Just...
use Google Chrome
open developer tools
click on the Network tab
clear the data
and do a request in the tab where the dev tools are open
You should see the initial request at the top followed by subsequent ones (advertising, external image server etc.). You can right-click the initial request, save it as a .har file and use something like https://toolbox.googleapps.com/apps/har_analyzer/ to extract the headers of both the request and the response.
Now you know what parameters (key and value) you need in your header and can even use submitted values like tokens and cookies in your Python script.
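A HAR file is plain JSON, so the header extraction the answer delegates to the online analyzer can be done locally; the added example below (not the answerer's code) pulls the request and response headers of the first entry, lists the ones that carry credentials, and produces a redacted copy, because a HAR saved after login contains the live session cookie and tokens and should never be uploaded or shared unredacted. The embedded HAR excerpt is constructed for the example; the set of credential-bearing header names is an assumption you may need to extend for a given site.

```python
import json

# Constructed HAR 1.2 excerpt (not a real capture), shaped like the first entry Chrome writes.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [{
    "request": {"method": "GET", "url": "https://example.invalid/api/me",
                "headers": [{"name": "Authorization", "value": "Bearer tok_constructed_123"},
                            {"name": "Cookie", "value": "session=abc123"},
                            {"name": "Accept", "value": "application/json"}],
                "cookies": [{"name": "session", "value": "abc123"}]},
    "response": {"status": 200,
                 "headers": [{"name": "Set-Cookie", "value": "session=def456; HttpOnly"},
                             {"name": "Content-Type", "value": "application/json"}],
                 "cookies": [{"name": "session", "value": "def456"}]}}]}})

# Header names (lower-cased) whose values are credentials; extend per site.
SENSITIVE = {"authorization", "cookie", "set-cookie", "x-csrf-token", "x-api-key"}


def first_entry_headers(har_text):
    """({request header: value}, {response header: value}) for the first HAR entry.

    Header names keep the case the browser recorded; a repeated header (several
    Set-Cookie lines) keeps the last value, which is enough to learn the names needed.
    """
    log = json.loads(har_text)["log"]
    if not log.get("entries"):
        raise ValueError("HAR file has no entries")
    entry = log["entries"][0]
    req = {h["name"]: h["value"] for h in entry["request"].get("headers", [])}
    resp = {h["name"]: h["value"] for h in entry["response"].get("headers", [])}
    return req, resp


def sensitive_headers(headers):
    """Sorted names of the headers in `headers` that carry credentials."""
    return sorted(name for name in headers if name.lower() in SENSITIVE)


def redact(har_text):
    """Copy of the HAR with credential header values and all cookie values replaced."""
    doc = json.loads(har_text)
    for entry in doc["log"]["entries"]:
        for side in ("request", "response"):
            for header in entry[side].get("headers", []):
                if header["name"].lower() in SENSITIVE:
                    header["value"] = "[REDACTED]"
            for cookie in entry[side].get("cookies", []):
                cookie["value"] = "[REDACTED]"
    return json.dumps(doc)
```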

Launching a client-side compiler from a browser via anything

I'm currently working on a web-based educational tool where students can look at examples of code in a browser and edit the code in the browser. I have been trying to implement a system whereby they can interface with a client-side compiler and run/debug the code within the browser. The more research I do, the more I see that browsers are designed against letting this happen because of the security issues this creates. I was wondering if there is any way to run a compiler locally, i.e. via an extension or Ajax or some other method.
The aim is to accommodate as many languages as possible, although we are starting off with Python.
I'm aware that I could run the script server-side and display the output; however, this is limited in application (to my knowledge), specifically regarding GUIs.
I needed to do something like this (though not a compiler) for a project of mine. It had to download and process a resource given its URL into a format that could be read on a kindle. It's not exactly similar to yours since I had a browser plugin (rather than a web page) which triggered the operation and even that was not allowed to "leave" the browser.
In the end, I was forced to write a little app that ran on the client side which the plugin submitted the URL to and then processed.
The setup is something like this
browser plugin (via ajax) <------> web app on client ----> compiler/etc.
The browser sends the code snippet (a snippet in your case, a URL in mine) to a web app that runs on the local machine listening on some port (say 9999). It can access local resources and so can actually run the code and then return something to the browser, which can then render it.
In my case, the browser sends a JSON string to the web app which just contains a URL. The web app fetches the resource, processes it and converts it into a .mobi file which the kindle can read and then drops it into a directory. The result of the conversion (success/failure) and the location of the converted file is sent back to the browser which informs you that it's done.
I don't think you can write a plugin that directly accesses the compiler. It'll have to communicate with a local app. The setup is complicated for non-technical users (look at the README on my project) but it works.
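The local web app in this setup is reachable by every page the user's browser loads, not only by the plugin, so the one thing it must do before running or fetching anything is check who is talking to it. The added example below (not the answerer's project code) is a minimal Python 3 listener on port 9999 that binds to loopback, accepts the JSON {"url": ...} message described above only from an allow-listed browser Origin, and rejects everything else; the extension id, the allowed URL schemes and the stubbed processing step are assumptions.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

PORT = 9999                      # the port used as an example in the answer
BIND = "127.0.0.1"               # loopback only: never expose the local service on the LAN

# Only the plugin's own origin may drive the local app; any other page that POSTs to
# http://127.0.0.1:9999 (a visited site, an iframe) is refused. Placeholder id, not a real one.
ALLOWED_ORIGINS = {"chrome-extension://EXTENSION_ID_PLACEHOLDER"}


def process(origin, body):
    """Validate one browser request; return (HTTP status, JSON-serialisable reply)."""
    if origin not in ALLOWED_ORIGINS:
        return 403, {"error": "origin not allowed"}
    try:
        url = json.loads(body)["url"]
    except (ValueError, KeyError, TypeError):
        return 400, {"error": "expected a JSON object with a 'url' field"}
    if not isinstance(url, str) or not url.startswith(("http://", "https://")):
        return 400, {"error": "only http(s) URLs are accepted"}
    # The answer's app would fetch and convert the resource here; that step is assumed
    # and stubbed so the example stays about the request validation.
    return 200, {"ok": True, "url": url}


class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length).decode("utf-8", "replace")
        origin = self.headers.get("Origin", "")
        status, reply = process(origin, body)
        data = json.dumps(reply).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        if status == 200:
            # CORS reply only for the accepted origin, never "*".
            self.send_header("Access-Control-Allow-Origin", origin)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    HTTPServer((BIND, PORT), Handler).serve_forever()
```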
