How to prevent XSS Attacks when rendering an image from an external website - screen-scraping

My company will allow customers to post suggestions to our website.
This feature is very similar to facebook share link.
Our customers will type a URL, we will scrape the site, retrieve the images, description and save the description and the image url in our database for other customers to review them later.
We don't have the resources to save/manipulate external image, unless it is absolutely necessary for now we will like to save the image url and render it onload.
The feature has been implemented but I have some concerns and would like to get some expert help to make sure I can prevent any issue from happening.
Scenario 1
Customer A posts 5 suggestions from websites which contain large, high-quality images. Can I prevent the site from taking a performance hit the first time I render and retrieve those images from the sites? Do you know if it would be illegal to save a local copy as long as I keep the reference to the original site? Also, I am against hotlinking but not sure if keeping a copy on my hard drive is a good idea.
I noticed facebook doesn't save them, they always render the image, I am sure they do it that way because that's the right way to do it.
Scenario 2
Customer B misuses this feature and actually tries to do an XSS attack. How can I take advantage of Anti-XSS 4.0 to make sure the customer doesn't succeed with an XSS attack? Would encoding the output be enough? Is there any other security risk that I am not aware of?
Thanks for your help!

Google images and similar sites seem to get away with storing images locally. Not going to be practical to request permission from every website.
To prevent XSS attacks make sure the customer gives you a URL rather than some JavaScript. You can see some example XSS image attacks here: http://ha.ckers.org/xss.html
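One way to do what the answer recommends, as an added example that is not code from the question or the answer above: an allow-list check that the stored value is an absolute http(s) URL (so javascript:, data: and similar schemes never reach the page), followed by HTML-attribute encoding when the img tag is rendered. It uses Python's standard library rather than Anti-XSS 4.0, and the function names and sample inputs are my own.

```python
from html import escape
from typing import Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # anything else (javascript:, data:, file:) is refused
MAX_URL_LENGTH = 2048                # hypothetical limit; keeps junk out of the database


def validate_image_url(raw: str) -> Optional[str]:
    """Return the URL if it is an acceptable image location, otherwise None.

    This is an allow-list: only absolute http(s) URLs with a hostname pass,
    so the database only ever holds plain web URLs, never script.
    """
    if not isinstance(raw, str) or len(raw) > MAX_URL_LENGTH:
        return None
    candidate = raw.strip()
    # Browsers ignore tabs/newlines inside a scheme, so "java<newline>script:"
    # would still run; refuse any control character instead of trying to clean it.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in candidate):
        return None
    try:
        parts = urlsplit(candidate)
    except ValueError:  # e.g. malformed IPv6 brackets
        return None
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return None
    return parts.geturl()


def render_img_tag(url: str, alt: str = "") -> str:
    """Build the <img> tag for a URL that already passed validate_image_url.

    escape(..., quote=True) turns & < > " ' into entities, so a stored value
    can never close the src attribute and add attributes or tags of its own.
    """
    return '<img src="%s" alt="%s">' % (escape(url, quote=True), escape(alt, quote=True))


def render_suggestion(raw_url: str, description: str) -> str:
    """Validate, then encode: the two layers the suggestion page needs together."""
    safe_description = escape(description, quote=True)
    url = validate_image_url(raw_url)
    if url is None:
        return "<p>%s</p>" % safe_description  # rejected URL: show text only
    return "%s<p>%s</p>" % (render_img_tag(url, description), safe_description)
```

Even a URL that passes validation is still encoded on output, so a value like `http://host/a.jpg" onerror="...` ends up as a harmless, quoted src attribute.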

Related

Load firestore data before google bots watch the content?

How can I load the firebase data before Google sees the content?
For example, retrieve data and render it with h1, p and other html tags, but my problem is SEO. I've been watching Gatsby JS but I don't need something like that.
On Firebase, the SEO is called App Analytics and it's possible to disable it on your database. However, you can only disable it generally and not load the data before it starts, once it's activated, it's always working, unfortunately.
I would recommend you to raise a Feature Request for this to be implemented here, so Google can check for further development.
Besides that, in case you want more information about how this is possible, you can check the below documentation.
Disable Analytics data collection
In addition, in this question from the Community, How to use Cloud Functions for Firebase to prerender pages for SEO?, there is a case that I believe might help you, since it's about pre-rendering content. This is for another type of use case, but I believe it might help.
Let me know if the information helped you!

is it wise to create separate app for admin pages in react?

For normal functions, I think it is okay to incorporate all pages in to one react app using routes.
But when it comes to the admin page, I think it is wise to create a separate React app which will compile into a different .js bundle and serve this not through React Router but as a totally different HTML page along with the separately created JS bundle.
I think if we bundle admin and normal functions into one file and serve through react router, there is a risk where the client can look into the js file and decipher admin pages. Couldn't this be a security risk?
If I'm overthinking, please let me know. Other feedback is also welcome.
Assuming that whatever backend is serving your React application has properly-implemented authentication, it's not technically a security flaw; a malicious actor can't negatively affect your product purely based on the admin page source being bundled with everything else.
That said, it does make it easier to see how your admin tools work, and gives someone nefarious a good indication of where they need to look for exploits.
Personally I'd never serve up a consumer-facing application and admin-facing application in the same codebase. Even though it's not exploitable directly, it makes it easier to find a potential exploit. Security through obscurity is largely a fallacy, but it never hurts.
You can use lazy loading so that whole pages are not sent in one bundle. But if they are totally different with no functional overlap, it's better to separate them: better separation of responsibilities, cleaner git history, etc. And unless you are exposing valuable data like a hard-coded API key, reading the JS source isn't a problem. The security breach happens on the back-end servers, and the back-end services should be using some sort of authentication to respond; check the OAuth and OpenID workflows. It's a very common pattern and is used by tech giants.

Relaxing GDS content security policy

I am trying to develop a visualization that relies on user-specific external graphics which are necessarily loaded from a remote source, but blocked by GDS's content security policy headers.
I'm looking for a way to stay within the CSP but still get the functionality I need. Are any of these things possible...?
Could I fetch graphical resources via a data source? (In which case I could build a custom data source connector that fetches the images and then feed those as a value into the visualization.)
Is there a valid way to load external resources of any type without violating the CSP?
Google's documentation suggests that they will relax their content security policy "in some cases." Is there an avenue to provide that?
Anyone who's managed to work around this, I'd appreciate some help figuring it out.
1. You can't make requests, but you can potentially render an SVG/canvas image based on the data, so if you had the SVG string of an icon as part of the data source, you could render that.
2 & 3. There is no current way to make external requests without violating the CSP.

AppEngine - while Google is spinning new instances, serve 'We're sorry' notification

Sometimes when starting up a new instance on AppEngine the process may take some time. It obviously depends on your choice of libraries etc. My question is, is it possible to serve some other page while users are waiting? Reddit does a nice job of this. Other sites like Twitter provide a similar notice to users when the load is too much (they are probably also starting more instances in the background).
Does anybody have any experience in doing this on GAE?
Another twisted way that is very simple to implement without code changes: use another AppEngine app that statically serves a tiny HTML page of just an iframe to your real AppEngine app.
This might break the TOS, so check that before doing it. It will cost you more too.
That wrapper app can serve JS that shows the "loading" page, inserts the iframe and later removes the loading content when the hidden iframe finishes loading, then shows the iframe.

What's an easy way to deal with disabled cookies on appengine?

I've bumped into several users that have cookies disabled and therefore the site doesn't work like I'd want. I'm using webapp2 and django 1.2 templates with {% url %} template tags on appengine.
I'd like to find an easy way to address this that doesn't make me end up making LOTS of code changes. Going to all my urls and conditionally adding ?cookie= to all of them is going to be a real pain, so I'm hoping there is a simple solution to this problem.
It causes problems with the CSRF code on forms too, what do you do in that case, just give up CSRF?
I can do some stuff in the urlNode code since I should be able to resolve the logged_in_user object from the context, so that might deal with a good bit of the problem, except any place that adds params after the ? will now have to use &. All in all, NOT a pretty solution.
Anyone know of an easier way to deal with this?
I don't recommend building a site with cookies as an optional requirement; the site design soon gets extremely complicated and you probably open more security holes than you can imagine. If you must support users without cookies, use HTTP basic authentication to authenticate and recognize users.