web technology supported on IE but not in Chrome - href

Not allowed to load local resource: file://inbom1-fil001/dept_data/MumbaiWebpage/ETS. Is it possible to run this without changing any compatibility setting in the browser?

Related

Flutter Web on Firebase hosting refused to make API Calls

I have a Flutter Web application that I have deployed on Firebase Hosting.
I have a Django backend that I have deployed on an EC2 instance and is running on http.
I have CORS enabled in the backend, tried accessing endpoints via browsers and it works just fine.
But, when I try to make the same call using FlutterWeb, it fails.
And error type of blocked:mixed content appears. (See image below)
I want to call those HTTP endpoints and I don't want an SSL certificate mess because this is just a college project. How do I fix this?
I am using Dio on Flutter Web to make requests. What would be causing this problem?
EDIT:
I am using Firebase's Spark plan, obviously since it's a college project. Do I need to upgrade to the Blaze plan to enable egress traffic? If so, how do I make sure that I won't be heavily charged? Any suggestions?
UPDATE: I tried the Blaze plan and got the same issue.
The console says
Mixed Content: The page at
'https://xxx.web.app/' was loaded over HTTPS, but
requested an insecure XMLHttpRequest endpoint
'http://xxxx.compute-1.amazonaws.com:8000/menu'. This
request has been blocked; the content must be served over HTTPS.
Any way to bypass this?

Websockets not working with Powerpoint Add-in

I'm using a Microsoft add-in for Powerpoint called 'Web Viewer' (it's just an iframe, you insert a URL, it displays it in the slide).
I inserted a webpage that uses Socket.IO, and I'm seeing it is not able to connect to the server (even the long polling it's falling back on is not working).
Clearly this is not an issue with the add-in: Any ideas what is going on here?
I tested on Mac 10.13.4 (latest) / Powerpoint (16.12, Office 365 Home) (latest).
The same webpage works in an iframe in the latest Chrome, Firefox, Safari, IE11, so I'm thinking something wonky is going on with the embedded (Webkit) browser that Powerpoint is using on Mac.
The general request flow is:
Browser -> AWS ALB (with stickiness enabled) -> Nginx -> Node
UPDATE
Looked into this further, and having tested other pages that use Socket.IO, I think the only difference in their setups and here is the ALB.
Even with stickiness enabled, the load balancer is clearly seen (in the logs) passing traffic between all EC2s. This leads me to believe the cookie they use is either not being set or not being passed with the requests.
First of all, based on this github issue it should be possible to open a websocket.
There might be a problem with using the unsecure ws://. I know that officejs rejects all requests to http:// and forces you to use https:// with a secure certificate. So they might do the same with WebSockets and force you to use wss:// with a valid certificate.
You can test this more easily in PowerPoint Online with Chrome. The add-in is the same but you get much better error logging in the DevTools console (hit F12). If it's a security issue there should be an error message indicating it.
I had the same issue and S.Freederle is correct. Now I'm able to use socket.io via ngrok to create a secure tunnel (HTTPS) to connect to my server and emit the data to my client side in the Office add-in.

Deprecated getCurrentPosition() and watchPosition() are deprecated on HTTP calls. How can I fix it without switching to https?

I'm using google maps on my webpage and on localhost everything works fine. But when I uploaded my webpage to amazon aws, I'm getting the error:
getCurrentPosition() and watchPosition() are deprecated on insecure
origins, and support will be removed in the future. You should
consider switching your application to a secure origin, such as HTTPS.
See https://goo.gl/rStTGz for more details.
I've read that the solution for it is to use https instead of http, but my question is - how can I achieve a working version while using amazon aws? Can I just turn on there the https?
Just switch your site to https:
AWS provide free certificates https://aws.amazon.com/certificate-manager/

Whitelist http: content for Django application running SSL?

In my Django web application I have added SSL security. Now in the Django application I have integrated an external API which is running over http://.
This is the error I get after calling the external API.
[blocked] The page at 'https://mywebsite.com' was loaded over HTTPS, but ran insecure content from 'http://api.external.com/moto.json?': this content should also be loaded over HTTPS.
Can anyone help me out here on how I should whitelist the required external domains? I am running the application on an Apache server, so will this have to be done in the Apache settings or in Django?
Unfortunately this is something that is being done at the browser and is not something you can control from your application or your web server.
Here is the help article from Chrome that explains this behavior:
Websites that ask for sensitive information, such as usernames and
passwords, often use secure connections to transmit content to and
from the computer you're using. If you're visiting a site via a secure
connection, Google Chrome will verify that the content on the webpage
has been transmitted safely. If it detects certain types of content on
the page coming from insecure channels, it can automatically prevent
the content from loading and you'll see a shield icon appearing in the
address bar. By blocking the content and
possible security gaps, Chrome protects your information on the page
from falling into the wrong hands.
The only way to stop this from happening is to access the API over HTTPS.
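The console errors quoted in the Flutter and Django questions, and the ws:// remark in the PowerPoint answer, all come from the same browser check. The sketch below is an added example, not code from any of the posts: a simplified model of that check for blockable requests (XMLHttpRequest, fetch, WebSocket). The function names are hypothetical, and the sample URLs are taken from the posts or constructed.

```javascript
// Simplified model of the browser's mixed-content decision for blockable
// requests (XMLHttpRequest, fetch, WebSocket). Added example; it does not
// cover images/media or page-level policies.
const SECURE_SCHEMES = new Set(["https:", "wss:"]);

// Loopback targets are treated as trustworthy even over plain HTTP, which is
// why a call can work against a local backend and fail once deployed.
function isLoopback(hostname) {
  return hostname === "localhost" || hostname.endsWith(".localhost") ||
         /^127(\.\d{1,3}){3}$/.test(hostname) || hostname === "[::1]";
}

function isPotentiallyTrustworthy(url) {
  return SECURE_SCHEMES.has(url.protocol) || isLoopback(url.hostname);
}

// Returns { blocked, reason } for a request made by the page at pageUrl.
function checkRequest(pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl, page); // resolve relative URLs against the page
  if (page.protocol !== "https:") {
    return { blocked: false,
             reason: "page was not loaded over HTTPS; this model applies no check" };
  }
  if (isPotentiallyTrustworthy(req)) {
    return { blocked: false, reason: "request target is secure or loopback" };
  }
  const fix = req.protocol.startsWith("ws") ? "wss" : "https";
  return { blocked: true,
           reason: `${req.protocol}//${req.host} is insecure; serve it over ${fix}` };
}

// Sample requests: the first two are from the posts, the rest are constructed.
const samples = [
  ["https://xxx.web.app/", "http://xxxx.compute-1.amazonaws.com:8000/menu"],
  ["https://mywebsite.com", "http://api.external.com/moto.json?"],
  ["https://addin.example.test/", "ws://addin.example.test/socket.io/"],
  ["https://xxx.web.app/", "http://localhost:8000/menu"],
  ["https://xxx.web.app/", "/menu"],
];
for (const [page, target] of samples) {
  const { blocked, reason } = checkRequest(page, target);
  console.log(`${blocked ? "BLOCKED" : "allowed"}  ${page} -> ${target}  (${reason})`);
}
```

No server-side header such as CORS changes the first three results; only serving the target over https:// or wss:// does.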

Windows Integrated Authentication fails ONLY if web svcs client is on same machine as IIS server

I have a web service running under IIS7 on a server with a host header set so that it receives requests made to http://myserver1.mydomain.com.
I've set Windows Integrated Authentication to Enabled and everything else (basic, anonymous, etc) to Disabled.
I'm testing the web service using a PowerShell script, and it works fine when I run it from my workstation against http://myserver1.mydomain.com
However, when I run the same exact script on the IIS server itself, I get a 401-Unauthorized message.
In addition, I've tried installing the web service on a second server, myserver2.mydomain.com. Again I can call my test script fine from BOTH my workstation and from myserver1.
So it seems the only issue is when the client is on the same box as the web server itself - somehow the windows credentials are not being passed or recognized.
I tried playing with IE settings on myserver1 (checked and unchecked 'Enable Windows Integrated Authentication', and added the URL to Local Sites). That did not seem to have an effect.
When I look at the IIS logs, I see the 401 unauthorized line but very little other information.
I see basically the same behavior when testing with IE (v9) - works from my workstation but not when IE is running on the IIS server.
I found the answer after several hours:
By default, there is something called a LoopbackCheck which will reject Windows authentication if the host header used for the site does not match the local host's name. This behavior will only be seen when the client is on the local host. The check is there to defeat possible reflection attacks.
More details here:
http://support.microsoft.com/kb/896861
The kb item discusses ways to disable the Loopback check, but I ended up just switching from using host headers to ports to distinguish the different sites on the IIS server.
Thanks to those who gave assistance.
Try checking the actual credential that is being passed when you are running on the server itself. Often times you will be running on some system account that doesn't have access to the resource in question.
For example, on your box your credentials are running as...
MYDOMAIN\MYNAME
and the server will be something like...
SYSTEM\SYSTEM_ACCOUNT
and so this will fail because 'SYSTEM\SYSTEM_ACCOUNT' doesn't have credentials.
If this is the case, you can fix the problem in one of two ways:
1. Give 'SYSTEM\SYSTEM_ACCOUNT' access to the resource in question. Most people would avoid this strategy due to security concerns (which is why the account has no access in the first place).
2. Impersonate, or change the credentials of the client manually to something that does have access to the resource, 'MYDOMAIN\MYNAME' for example. This is what most people would probably go with, including myself.