Security issue #35
Comments
|
Here is what I do with my private data -- I add a secret part to the URL. For example, my URL would become something like: https://myserver.net/d3b07384d113/data.ged This is not as good as password-protecting a site but good enough for my purposes. See here for a discussion for a discussion about private URLs vs passwords. To support password-protected files, It should be possible to ask for the user-password before loading the URL. I don't know if it is possible to detect that the URL is password-protected. If not, we could add an additional URL param to Topola Viewer, i.e. |
|
I'm already using the "secret url method" that you decribe, because that
is the only one that works.
The issue is a bit more strange that you think. This url
https://myserver.net/topola/#/view?indi=I0019&url=https://myserver.net/data.ged
is called at a time when password has already been entered. The local
javascript code is read w/o issues, but the data
https://myserver.net/data.ged
<https://myserver.net/topola/#/view?indi=I0019&url=https://myserver.net/data.ged>
cannot be accessed and triggers an error. I just entered
"https://myserver.net/data.ged
<https://myserver.net/topola/#/view?indi=I0019&url=https://myserver.net/data.ged>"
into the browser firefox and it could download data.ged w/o any further
interaction. To me it looks a bit that someone from the outside tries to
access the data (or some strange javascript security behaviour).
The same happens when I use http://local.net/data.ged
<https://myserver.net/topola/#/view?indi=I0019&url=http://local.net/data.ged>
as target. This can be accessed within my privat network w/o any
passwords. But it cannot be accessed from the internet due to a
firewall. Do you know a reason for this behavior?
…On 01.01.2021 19:00, Przemek Więch wrote:
Here is what I do with my private data -- I add a /secret/ part to the
URL. For example, my URL would become something like:
https://myserver.net/d3b07384d113/data.ged
This is not as good as password-protecting a site but good enough for
my purposes. See here for a discussion for a discussion about private
URLs vs passwords
<https://softwareengineering.stackexchange.com/questions/325806/are-private-unguessable-urls-equivalent-to-password-based-authentication>.
To support password-protected files, It should be possible to ask for
the user-password before loading the URL. I don't know if it is
possible to detect that the URL is password-protected. If not, we
could add an additional URL param to Topola Viewer, i.e.
|...&url=https://myserver.net/data.ged&askForPassword=true|.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#35 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ASKHOTIUXABYAJZGR7M6LPTSXYETDANCNFSM4VQJTHFA>.
|
|
Short answer: add Long answer: Typically, servers don't allow requests from web sites in other domains. This is why services like https://cors-anywhere.herokuapp.com/ exist that provide a hack around the browser's cross-origin security feature. Topola Viewer by default uses cors-anywhere to fetch data when given a URL. So instead of requesting |
|
Many thanks for this answer. I tried it out and this allows me now to
read the data from my secure https server. It fixes both problems that I
described.
…On 03.01.2021 13:47, Przemek Więch wrote:
Short answer: add |&handleCors=false| to the URL.
Long answer:
Typically, servers don't allow requests from web sites in other
domains. This is why services like
https://cors-anywhere.herokuapp.com/ exist that provide a hack around
the browser's cross-origin security feature. Topola Viewer by default
uses cors-anywhere to fetch data when given a URL. So instead of
requesting |http://local.net/data.ged|, Topola Viewer will actually
request
|https://cors-anywhere.herokuapp.com/http://local.net/data.ged| which
will fail if it is not accessible from the Internet. To suppress this
behavior and make Topola Viewer make direct requests to the given URL,
add |&handleCors=false| to the Topola Viewer URL.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#35 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ASKHOTNCDFOGRSKS4HNF7DLSYBRPRANCNFSM4VQJTHFA>.
|
topola-viewer is forcing me to put my gedcom files on a public accessible web space. For example this works for me ("https://myserver.net/" is password protected):
https://myserver.net/topola/#/view?indi=I0019&url=http://myserver.net/data.ged
These one will fail with "Failed to load file" or "NetworkError when attempting to fetch resource.":
https://myserver.net/topola/#/view?indi=I0019&url=https://myserver.net/data.ged
https://myserver.net/topola/#/view?indi=I0019&url=http://local.net/data.ged
"http://local.net/" is free accessible to local hosts, but not from the internet due to a firewall.
The motivation for my request is that I'd like to send links to my relatives, but I do not want to make the gedcom data publicly available.
The text was updated successfully, but these errors were encountered: