Wednesday, 22 December 2010

Cross Domain communication using HTML5 postMessage

One of the cool new features in HTML 5 is Cross Document Messaging. What makes this feature really nice is that all the next-generation browsers support it: Internet Explorer 8, Firefox 3, Opera 9 etc. Facebook is already using this feature, for example, in order to support web-based instant messaging.

window.postMessage() is available on all windows (including the current window, popups, iframes, and frames) and lets you send textual messages from your current window to any other, regardless of any cross-domain policies that might exist.

Calling window.postMessage("string") generates a message DOM event in the receiving document. The event object carries the message in its event.data property, which the receiving document can use however it sees fit.

The demo shows how easy it is for two iframes of different origins to talk to each other.


// Sender iframe: report the mouse position on every move
window.document.onmousemove = function(e) {
    var x = (window.Event) ? e.pageX : window.event.clientX;
    var y = (window.Event) ? e.pageY : window.event.clientY;

    // this sends the data to the second iframe of the current page;
    // '*' places no restriction on the origin of the receiving frame
    window.parent.frames[1].postMessage('x = ' + x + ' y = ' + y, '*');
};

// Receiver iframe: display whatever arrives (e.origin is read but not checked)
var onmessage = function(e) {
    var data = e.data;
    var origin = e.origin;
    document.getElementById('display').innerHTML = data;
};

if (typeof window.addEventListener != 'undefined') {
    window.addEventListener('message', onmessage, false);
} else if (typeof window.attachEvent != 'undefined') {
    window.attachEvent('onmessage', onmessage);
}


Security Issues

<div id="test">Send me a message!</div>
<script>
// the message event is dispatched to the window, and the sender is in e.origin
window.addEventListener("message", function(e){
    document.getElementById("test").textContent =
        e.origin + " said: " + e.data;
}, false);
</script>

1. If you're expecting a message from a specific domain, set of domains, or even a specific URL, remember to verify where each message came from as it arrives (event.origin in current browsers; the .domain and .uri properties come from an earlier draft of the specification), otherwise another page will be able to spoof this event for malicious purposes.

2. Just because a string comes in as a message doesn't mean that it's completely safe. Note that in the example above I inject the string using .textContent; this is intentional. If I were to inject it using .innerHTML, and the message contained a script tag, it would execute immediately upon injection. This is a critical point: you need to purify all your incoming messages before they are used and injected into the DOM.
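
An added example (not code from the original post): the mouse-position demo with both points above applied on the receiving side, plus a sender that names its target origin instead of '*'. The origins https://sender.example and https://receiver.example and all function names are assumptions, and the sample events are constructed.

```javascript
// Added example, not from the original post. Origins and names are assumptions.
var SENDER_ORIGIN = 'https://sender.example';     // hypothetical: iframe that reports the mouse
var RECEIVER_ORIGIN = 'https://receiver.example'; // hypothetical: iframe that displays it

// Sender: name the receiver's origin instead of '*', so the browser drops the
// message if the target frame has been navigated to any other site.
function sendPosition(targetWindow, x, y) {
  targetWindow.postMessage('x = ' + x + ' y = ' + y, RECEIVER_ORIGIN);
}

// Exact comparison of scheme://host[:port]. A substring or prefix test would
// also accept https://sender.example.attacker.test.
function isTrustedOrigin(origin) {
  return origin === SENDER_ORIGIN;
}

// The demo only ever sends 'x = <integer> y = <integer>'; anything else is rejected.
function parsePosition(data) {
  if (typeof data !== 'string') return null;
  var m = /^x = (\d{1,6}) y = (\d{1,6})$/.exec(data);
  return m ? { x: Number(m[1]), y: Number(m[2]) } : null;
}

// Returns the text to display, or null when the message must be ignored.
function handleMessage(e) {
  if (!isTrustedOrigin(e.origin)) return null;
  var pos = parsePosition(e.data);
  return pos ? 'x = ' + pos.x + ' y = ' + pos.y : null;
}

// Browser wiring (skipped outside a browser); textContent never parses markup.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  window.addEventListener('message', function (e) {
    var text = handleMessage(e);
    if (text !== null) document.getElementById('display').textContent = text;
  }, false);
}

// Constructed sample events: trusted, look-alike origin, trusted origin with markup.
var SAMPLE_EVENTS = [
  { origin: SENDER_ORIGIN, data: 'x = 120 y = 45' },
  { origin: 'https://sender.example.attacker.test', data: 'x = 1 y = 2' },
  { origin: SENDER_ORIGIN, data: '<img src=x onerror=alert(1)>' }
];
function runSamples() {
  return SAMPLE_EVENTS.map(handleMessage);
}
console.log(runSamples());
```

Only the first sample is displayed; the other two are dropped before anything reaches the DOM.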



Wednesday, 8 December 2010

Configure the HTTP Expires Response Header (IIS 7)

1. Open IIS Manager and navigate to the level you want to manage.

2. In Features View, double-click HTTP Response Headers.

3. On the HTTP Response Headers page, in the Actions pane, click Set Common Headers.

4. In the Set Common HTTP Response Headers dialog box, select the Expire Web content check box and select one of the following options:
* Select Immediately if you want content to expire immediately after it is sent in a response.

* Select After if you want the content to expire periodically. Then, in the corresponding boxes, type an integer and select a time interval at which content expires. For example, type 1 and select Days if you want the content to expire daily.

* Select On (in Coordinated Universal Time (UTC)) if you want the content to expire on a specific day and at a specific time. Then, in the corresponding boxes, select a date and time at which the content expires.

5. Click OK.


Thursday, 2 December 2010

How to find public key token for a .NET Framework DLL or assembly

For example, if you are looking for the public key token of System.Web.dll of .NET Framework 4, go to the Config folder of the Framework (normally it is C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config), open machine.config in a text editor and look for something similar to

sectionGroup name="system.web"

If you find this line then look for "PublicKeyToken" property at the end of the same line.

Reading Querystring value using JavaScript

The following function can be used to read the value of a given key from the querystring.

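/* function to read value of the given key, x, from querystring;
   the value is returned exactly as it appears in the URL (still URL-encoded) */
function GetQStringVal(x) {

    var a = location.search.substring(1);
    var b = a.split("&");

    for (var i = 0; i < b.length; i++) {

        var c = b[i].split("=");
        if (c[0].toLowerCase() == x.toLowerCase())
        {
            // a key without "=" has no value: return "" instead of undefined
            return c.length > 1 ? c[1] : "";
        }
    }
    return "";
}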

Using jQuery to modify QueryString

I recently worked on a requirement where I had to modify the querystring of all the links in a page before the actual request is made from the browser, i.e. when a link is clicked. There may be better ways to do this but this is how I implemented it using jQuery.


$(document).ready(function() {
    $('a').click(function(event) {

        var $a = $(event.target);

        if ($a.is('a')) { // if the event is triggered by an <a> tag

            var href = $a.attr("href");
            if (!href) { return; } // anchor without an href: nothing to rewrite
            var lower = href.toLowerCase();

            // append refid querystring to href if it is not an external url,
            // it refers to an ASPX page and it does not already contain
            // refid in querystring
            var appendrefid =
                lower.indexOf("http://") == -1 &&
                lower.indexOf("https://") == -1 &&
                lower.indexOf(".aspx") != -1 &&
                lower.indexOf("refid=") == -1;

            if (appendrefid) {
                event.preventDefault();
                // use "&" when the link already carries a querystring
                var sep = href.indexOf("?") == -1 ? "?" : "&";
                location.href = href + sep + "refid=" + GetQStringVal("refid");
            }
        }
    });
});

/* function to read value of the given key, x, from querystring */
function GetQStringVal(x) {

    var a = location.search.substring(1);
    var b = a.split("&");

    for (var i = 0; i < b.length; i++) {
        var c = b[i].split("=");
        // a key without "=" has no value: return "" instead of undefined
        if (c[0].toLowerCase() == x.toLowerCase()) { return c.length > 1 ? c[1] : ""; }
    }

    return "";
}


Here the main page, where the content is coming from the database, is always requested with refid in the querystring and the above script reads the refid from the original request and appends it to the newly requested page when the link is clicked.

Using the ScriptManager of Master page in content page

This can be done using the ScriptManager.GetCurrent() method.

Use this static method to determine whether a ScriptManager control is on a page, or to access the properties and methods of a ScriptManager control when you do not know its ID.


ScriptManager scriptManager;

if (ScriptManager.GetCurrent(Page) == null)
{
    scriptManager = new ScriptManager();
    scriptManager.ID = "ScriptManager1";
}
else
{
    scriptManager = ScriptManager.GetCurrent(Page);
}