Security issue #35
Comments
Here is what I do with my private data -- I add a secret part to the URL. For example, my URL would become something like: https://myserver.net/d3b07384d113/data.ged This is not as good as password-protecting a site but good enough for my purposes. See here for a discussion about private URLs vs passwords: https://softwareengineering.stackexchange.com/questions/325806/are-private-unguessable-urls-equivalent-to-password-based-authentication. To support password-protected files, it should be possible to ask for the user-password before loading the URL. I don't know if it is possible to detect that the URL is password-protected. If not, we could add an additional URL param to Topola Viewer, i.e. |...&url=https://myserver.net/data.ged&askForPassword=true|.
I'm already using the "secret url method" that you describe, because that is the only one that works.

The issue is a bit more strange than you think. This url
https://myserver.net/topola/#/view?indi=I0019&url=https://myserver.net/data.ged
is called at a time when the password has already been entered. The local javascript code is read w/o issues, but the data
https://myserver.net/data.ged
cannot be accessed and triggers an error. I just entered "https://myserver.net/data.ged" into the browser firefox and it could download data.ged w/o any further interaction. To me it looks a bit as if someone from the outside tries to access the data (or some strange javascript security behaviour).

The same happens when I use http://local.net/data.ged as target. This can be accessed within my private network w/o any passwords. But it cannot be accessed from the internet due to a firewall. Do you know a reason for this behavior?
On 01.01.2021 19:00, Przemek Więch wrote:
Here is what I do with my private data -- I add a /secret/ part to the URL. For example, my URL would become something like:
https://myserver.net/d3b07384d113/data.ged
This is not as good as password-protecting a site but good enough for my purposes. See here for a discussion about private URLs vs passwords
<https://softwareengineering.stackexchange.com/questions/325806/are-private-unguessable-urls-equivalent-to-password-based-authentication>.
To support password-protected files, it should be possible to ask for the user-password before loading the URL. I don't know if it is possible to detect that the URL is password-protected. If not, we could add an additional URL param to Topola Viewer, i.e.
|...&url=https://myserver.net/data.ged&askForPassword=true|.
Short answer: add |&handleCors=false| to the URL.

Long answer: Typically, servers don't allow requests from web sites in other domains. This is why services like https://cors-anywhere.herokuapp.com/ exist that provide a hack around the browser's cross-origin security feature. Topola Viewer by default uses cors-anywhere to fetch data when given a URL. So instead of requesting |http://local.net/data.ged|, Topola Viewer will actually request |https://cors-anywhere.herokuapp.com/http://local.net/data.ged| which will fail if it is not accessible from the Internet. To suppress this behavior and make Topola Viewer make direct requests to the given URL, add |&handleCors=false| to the Topola Viewer URL.
Many thanks for this answer. I tried it out and this allows me now to read the data from my secure https server. It fixes both problems that I described.
On 03.01.2021 13:47, Przemek Więch wrote:
Short answer: add |&handleCors=false| to the URL.
Long answer:
Typically, servers don't allow requests from web sites in other domains. This is why services like https://cors-anywhere.herokuapp.com/ exist that provide a hack around the browser's cross-origin security feature. Topola Viewer by default uses cors-anywhere to fetch data when given a URL. So instead of requesting |http://local.net/data.ged|, Topola Viewer will actually request |https://cors-anywhere.herokuapp.com/http://local.net/data.ged| which will fail if it is not accessible from the Internet. To suppress this behavior and make Topola Viewer make direct requests to the given URL, add |&handleCors=false| to the Topola Viewer URL.
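The explanation above (a third-party CORS proxy fetching the file on the browser's behalf, versus a direct request when handleCors=false is set) is easy to get wrong in practice, so here is an added example that models it. This is not Topola Viewer's own code: the only name taken from the thread is the cors-anywhere proxy URL; parseViewerParams, planFetch and demo are assumed helpers written for this illustration. The model walks the three URLs from the thread and records, for each, what the browser actually requests and which browser policy then governs the request: a proxied fetch needs the data host to be reachable from the Internet and carries none of the user's cookies or HTTP authentication (and the file contents transit the proxy operator), a direct same-origin fetch reuses credentials already held for that origin and needs no CORS headers, a direct cross-origin fetch needs Access-Control-Allow-Origin from the data server, and a direct http fetch from an https page is flagged as mixed content, which browsers block.

```javascript
// Added example, not Topola Viewer's own code: model how a viewer that takes
// its data location from a "url=" parameter decides what the browser fetches,
// with and without "handleCors=false", and which browser policy (CORS,
// same-origin credentials, mixed content) then applies.
// CORS_PROXY is the proxy named in the thread; all other names are assumed.
const CORS_PROXY = "https://cors-anywhere.herokuapp.com/";

// The viewer keeps its route and parameters after "#/view?", so they live in
// the URL fragment and are never sent to the server hosting the viewer.
function parseViewerParams(viewerUrl) {
  const hash = new URL(viewerUrl).hash; // "#/view?indi=I0019&url=..."
  const q = hash.indexOf("?");
  return new URLSearchParams(q === -1 ? "" : hash.slice(q + 1));
}

// Work out the request the browser will make and the constraints on it.
function planFetch(viewerUrl) {
  const viewer = new URL(viewerUrl);
  const params = parseViewerParams(viewerUrl);
  const dataUrl = params.get("url");
  if (!dataUrl) throw new Error("viewer URL carries no url= parameter");
  const data = new URL(dataUrl);
  const direct = params.get("handleCors") === "false";

  const plan = {
    via: direct ? "direct" : "proxy",
    target: direct ? data.href : CORS_PROXY + data.href,
    sameOrigin: direct && data.origin === viewer.origin,
    // An https page fetching an http URL directly is active mixed content.
    mixedContent: direct && viewer.protocol === "https:" && data.protocol === "http:",
    notes: [],
  };

  if (!direct) {
    // The proxy, not the browser, contacts the data host.
    plan.notes.push("data host must be reachable from the Internet");
    plan.notes.push("proxy sends none of the user's cookies or HTTP auth");
    plan.notes.push("the file contents pass through the proxy operator");
  } else if (plan.sameOrigin) {
    // fetch() defaults to credentials: "same-origin", so a session cookie or
    // HTTP Basic credentials already held for this origin are sent along.
    plan.notes.push("no CORS needed; existing credentials for the origin are sent");
  } else {
    plan.notes.push("data server must answer with Access-Control-Allow-Origin");
  }
  if (plan.mixedContent) plan.notes.push("blocked by the browser as mixed content");
  return plan;
}

// Run the three URLs from the thread through the model (constructed input).
function demo() {
  const base = "https://myserver.net/topola/#/view?indi=I0019&url=";
  return [
    base + "http://myserver.net/data.ged",                       // worked by default
    base + "https://myserver.net/data.ged&handleCors=false",     // password-protected host
    base + "http://local.net/data.ged&handleCors=false",         // LAN-only host
  ].map((u) => ({ url: u, ...planFetch(u) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const p of demo()) console.log(p.via, p.target, "->", p.notes.join("; "));
}
```

The model shows why the default worked only for the public http URL: the proxy could reach it, while the password-protected https URL and the firewalled local.net URL were unreachable or unauthenticated from the proxy's vantage point. With handleCors=false the https case becomes a same-origin request that rides on the credentials the browser already holds, which is what the reply above reports as fixed.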
topola-viewer is forcing me to put my gedcom files on a publicly accessible web space. For example this works for me ("https://myserver.net/" is password protected):
https://myserver.net/topola/#/view?indi=I0019&url=http://myserver.net/data.ged
These ones will fail with "Failed to load file" or "NetworkError when attempting to fetch resource.":
https://myserver.net/topola/#/view?indi=I0019&url=https://myserver.net/data.ged
https://myserver.net/topola/#/view?indi=I0019&url=http://local.net/data.ged
"http://local.net/" is freely accessible to local hosts, but not from the internet due to a firewall.
The motivation for my request is that I'd like to send links to my relatives, but I do not want to make the gedcom data publicly available.