Friday, March 25, 2016

CORS, Content-Security-Policy and JSONP

CORS (Cross-Origin Resource Sharing) is supported by most browsers to handle cross-origin requests. Basically, when HTML content is loaded from bar.com and it sends an XMLHttpRequest to foo.com, then when foo.com returns the response to the browser, the response needs to carry the header
Access-Control-Allow-Origin: *
or
Access-Control-Allow-Origin: http://bar.com
otherwise the browser will not expose the response to the web content. So in this case the browser enforces the check based on the server's response header.

Note that CORS does not care how a script is loaded into the original HTML page (bar.com); the browser only makes its decision after the response of the cross-domain request comes back. It would be better if the browser could proactively refuse to run malicious JS code that does not come from a trusted source. That is what Content-Security-Policy does.

Content-Security-Policy works as follows: when the original HTML page is returned from bar.com, the server can specify the trusted sources for any JavaScript and CSS, so that even if malicious JS code gets loaded into the page, it will not be executed. For example, if the policy indicates
script-src 'self'
then only scripts from the page's own origin can be executed. Note that this also disables JSONP when it is used for cross-domain requests, because the JSONP script is loaded from a different domain and will not be trusted unless Content-Security-Policy allows it.

By the way, for a CORS request the browser does not send credentials (cookies and HTTP authentication) with the request by default. In order to send them with a cross-origin request, the client must set XMLHttpRequest.withCredentials to true. In addition, the server must include the Access-Control-Allow-Credentials header; this header tells the browser that the server allows the credentials to be used for a cross-origin request. If the browser sends the credentials with the request, but the server response does not include a valid Access-Control-Allow-Credentials header, then the browser will not expose the response to the application, and the AJAX request will fail.
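To make the browser-side decision above concrete, here is an added example (not code from the post) that models the check for both the anonymous and the credentialed case: given the page origin, the withCredentials flag and the response headers, it returns whether the response is exposed to the script. It goes one step beyond the post in assuming the rule that a credentialed request is rejected when the allowed origin is the wildcard "*" and that Access-Control-Allow-Credentials must be exactly "true".

```javascript
// Added example (not from the post): a model of the browser-side CORS decision.
// Given the page's origin, whether the request carried credentials, and the
// response headers, return true if the browser exposes the response to the
// script and false if it withholds it. Assumption beyond the post: for a
// credentialed request the wildcard "*" is rejected and
// Access-Control-Allow-Credentials must be exactly "true".
function corsAllowsResponse(pageOrigin, withCredentials, responseHeaders) {
  // Header names are case-insensitive; normalise them once.
  const headers = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    headers[name.toLowerCase()] = String(value).trim();
  }
  const allowOrigin = headers["access-control-allow-origin"];
  const allowCredentials = headers["access-control-allow-credentials"];

  // No Access-Control-Allow-Origin at all: the response is never exposed.
  if (allowOrigin === undefined) return false;

  if (withCredentials) {
    if (allowOrigin === "*") return false;           // wildcard not allowed
    if (allowCredentials !== "true") return false;   // missing/invalid ACAC
    return allowOrigin === pageOrigin;               // exact origin match
  }

  // Anonymous request: the wildcard or an exact origin match is enough.
  return allowOrigin === "*" || allowOrigin === pageOrigin;
}

// Constructed sample responses for a page on http://bar.com calling foo.com.
const samples = [
  ["wildcard, no credentials", false,
    { "Access-Control-Allow-Origin": "*" }],
  ["exact origin, no credentials", false,
    { "Access-Control-Allow-Origin": "http://bar.com" }],
  ["header missing", false, {}],
  ["wildcard with credentials", true,
    { "Access-Control-Allow-Origin": "*",
      "Access-Control-Allow-Credentials": "true" }],
  ["credentials sent, no Allow-Credentials header", true,
    { "Access-Control-Allow-Origin": "http://bar.com" }],
  ["exact origin with credentials", true,
    { "Access-Control-Allow-Origin": "http://bar.com",
      "Access-Control-Allow-Credentials": "true" }],
];

for (const [label, creds, hdrs] of samples) {
  const ok = corsAllowsResponse("http://bar.com", creds, hdrs);
  console.log(`${label}: ${ok ? "exposed" : "blocked"}`);
}
```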

Saturday, March 19, 2016

Steps to upload html&js files to an MS Azure web app

Visual Studio can easily upload an ASP.NET app to Azure with its default settings. But for simple testing of an Azure web app with plain html&js files, FTP is the easier way, using the following steps.

1. Create an Azure web app in the Azure portal
2. (optional) update the deployment credentials from the web app's settings -> Deployment credentials page
3. click the top toolbar button "Get Publish Profile"
4. open the downloaded file in XML Notepad or any other XML editor
5. find the FTP profile and get the values of the "publishUrl", "userName" and "userPWD" fields
6. download FileZilla or any other FTP tool
7. set host, username and password to the values taken from the publish profile
8. select the local folder to map to the remote www folder
9. connect to the FTP URL, then download or upload the html&js files to the Azure web app

Friday, March 18, 2016

Use Vysor to share Android device to desktop

1. go to http://www.vysor.io/, download Vysor and install Vysor (Beta) into Chrome
2. connect the Android device to the Mac with a USB cable; it is not necessary to put the device and the Mac on the same Wi-Fi network
3. launch the Vysor app from Chrome and select the Android device whose display you want to share.

Thursday, March 3, 2016

Recent Windows security update breaks IIS anonymous authentication

After a recent Windows update (2016/02), a few ASP.NET apps on IIS get an "Access is denied" error.
The detailed error information is shown as

Description: An error occurred while accessing the resources required to serve this request. You might not have permission to view the requested resources. 

Error message 401.3: You do not have permission to view this directory or page using the credentials you supplied (access denied due to Access Control Lists). Ask the Web server's administrator to give you access to 'C:\SharedFolder\I826633@git\tools\Cache\Cache\'.
Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.6.114.0

In order to fix the issue, open the IIS administration console and select the virtual directory of the ASP.NET app, right-click the Anonymous Authentication item and select Edit. Then change the anonymous user identity from the specific user "IUSR" to "Application pool identity".