Easy Way To Prevent Browsers From Hacking Into Views (take #2)

After the previous post, Nathan pointed out how simple it is to turn off JavaScript in the browser.

So okay, I should’ve thought of that. But after doing some testing, I found that the technique still prevents views from being accessed because, even if JavaScript is disabled, the user will only see a blank page.

Which got me thinking… it may be better to do it without any JavaScript by putting an HTTP META refresh in the HTML Head Content of the $$ViewTemplateDefault FORM with the formula:

"<meta http-equiv=\"refresh\" content=\"0;URL='/" + @WebDbName + "'\" />"

To recap: If a browser tries to hack your URL by guessing the name of a real view (ex. http://www.acme.com/db.nsf/all), Domino will try to use the default view template to display the view, but the META refresh will redirect the user back to the base URL of the NSF, which forces Domino to use the application’s launch property to take the user where you want them to be.

If the view name they try is not a real view in your database, they’ll get a different error saying that the design element does not exist. So, it might be a good idea to also create a $$ReturnGeneralError FORM from a copy of the $$ViewTemplateDefault.
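To confirm the form is doing its job, the following check (an added example, not code from the original post) parses the HTML returned for a view URL and verifies that the META refresh points at the database root with a zero delay. Because the redirect happens in the browser, it also flags any view rows that were still rendered into the page. The function names, the sample responses and the `?OpenDocument` link heuristic for spotting view rows are assumptions made for this example.

```python
from html.parser import HTMLParser

class _ViewResponseScan(HTMLParser):
    """Collects the META refresh target and any document links in a response."""
    def __init__(self):
        super().__init__()
        self.refresh = None   # (delay_seconds, url) from the first valid META refresh
        self.doc_links = []   # hrefs that look like view rows (heuristic, assumed)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh" and self.refresh is None:
            delay, _, rest = a.get("content", "").partition(";")
            url = rest.strip()
            if url.lower().startswith("url="):
                url = url[4:].strip().strip("'\"")
            try:
                self.refresh = (float(delay.strip()), url)
            except ValueError:
                self.refresh = None   # malformed delay: treat as no refresh
        elif tag == "a" and "opendocument" in a.get("href", "").lower():
            self.doc_links.append(a["href"])

def check_view_response(html, db_path):
    """Return a list of problems; an empty list means the view URL is shielded."""
    scan = _ViewResponseScan()
    scan.feed(html)
    problems = []
    if scan.refresh is None:
        problems.append("no META refresh in response")
    else:
        delay, url = scan.refresh
        if delay != 0:
            problems.append(f"refresh delay is {delay:g}s, expected 0")
        if url.rstrip("/").lower() != db_path.rstrip("/").lower():  # case-insensitive compare (assumed)
            problems.append(f"refresh goes to {url!r}, expected {db_path!r}")
    if scan.doc_links:
        problems.append(f"{len(scan.doc_links)} document link(s) rendered in the page")
    return problems

# Constructed sample responses (not captured from a real server).
SHIELDED = '<html><head><meta http-equiv="refresh" content="0;URL=\'/db.nsf\'" /></head><body></body></html>'
LEAKY = ('<html><head><meta http-equiv="refresh" content="0;URL=\'/db.nsf\'" /></head><body>'
         '<table><tr><td><a href="/db.nsf/all/ABC123?OpenDocument">Row 1</a></td></tr></table></body></html>')
DEFAULT = '<html><head><title>all</title></head><body><a href="/db.nsf/all/ABC123?OpenDocument">Row 1</a></body></html>'

if __name__ == "__main__":
    for name, body in (("shielded", SHIELDED), ("leaky", LEAKY), ("default", DEFAULT)):
        print(name, check_view_response(body, "/db.nsf") or "OK")
```

The `LEAKY` case is the one to watch for: the redirect is present, but the response still carries view rows, so the form must stay free of any view content for the redirect to protect anything.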


Easy Way To Prevent Browsers From Hacking Into Views

The other day I saw a post from Steve Zavocki “Quick Tip: Don’t Forget to Hide Views from Web Browsers”  (http://notesspeak.blogspot.com/2015/09/quick-tip-dont-forget-to-hide-views.html) which reminded me of a technique I’ve used on XPages applications to restrict anyone from guessing a view name to peek at the data.

One line of JavaScript does it!

Simply create a $$ViewTemplateDefault FORM with a Computed Text element with the formula:

"<script>window.location=\"/" + @WebDbName +"\";</script"

Important: WordPress gave me a hard time about displaying script tags. You can copy this code directly, but will need to add a closing angle bracket (>) before the final quotation mark.

Then highlight the Computed Text and mark it as Pass-Thru HTML. Finally, save the form.

Any time a browser tries to open a view by guessing a name (ex. http://www.acme.com/db.nsf/all?OpenView), the browser will be redirected to the database name (in our example: http://www.acme.com/db.nsf), which then uses the Application Property on the Launch tab for “When opened in a browser” to direct it where you want users to go by default. It’s nice because this protects all your views in this database. Plus since the formula uses the @WebDbName function, you can copy this form and use it in any database.

(And if you are using some traditional web views in this same application, you can create a specific $$ViewTemplate for each of them.)


Update 09/21/2015  –  Thanks Nathan, for the reminder about how simple it is to disable JavaScript.  The above technique still prevents views from being accessed because if JS is disabled, the blank form is displayed to the user.

Alternatively, we can do it without JavaScript by using the HTTP META refresh in the HTML Head Content with this formula:

"<meta http-equiv=\"refresh\" content=\"0;URL='/" + @WebDbName + "'\" />"

MWLUG – and now a word from our sponsors…

MWLUG was a great conference.  It is always very inspiring to see all the ways these hard-core individuals are stretching the boundaries of what can be done with Notes and Domino, integrating it with lots of new technologies (or at least technologies that are new to me ‘-).

Unfortunately from what I understand, sponsors were a bit disappointed by the amount of traffic at their booths.  I can understand that if your job is in sales that you want to see direct results from your efforts.

However, I’d like to point out that although MWLUG may not have generated a lot of new leads for the sponsors, sponsorship is really important for keeping the Notes/Domino market alive. LUG attendees are really the most ardent champions of the product, and we are the ones that are doing the most to keep companies from leaving it for other technologies. Unfortunately, since most of us have been to lots of LUGs and IBM Connect/Lotuspheres we are pretty familiar with most of the sponsors and their products.

My point is that from a direct accounting perspective it may not look like LUG sponsorship brings a good return on investment, but from a larger perspective, sponsorship is the most cost-effective thing your companies can be doing to keep the market for your products alive.

When I tell my customers that I’m flying off to attend an event, it gives them the reassuring message that the products are being used by lots of others – which is a good message to counter all the FUD that they’re hearing from the competition.

Thank you for sponsoring LUG events.  We really appreciate it.