Hi jschell, thanks. But how to include it in Blazor? I found nothing either.
Again the point is that you are looking for a complete solution for something that contains multiple pieces.
You must look for each piece then put them together.
I'm at the end of the project finally, and I'm putting the wraps on it.
I started programming headers in PHP for caching, and then it expanded into security as well. I built a system of ECMAScript modules, and my entry-point module is being blocked by my CORS header. I can't figure this out and could use some guidance on the subject.
Here is what I have.
/assets/scripts/core
/assets/scripts/core/coreExternal.module.js
coreExternal.module.js content:
window.coreExternal = {
setCommissionStartDate,
setCommissionStopDate,
// and so forth
};
On the web page, I use a script tag to load coreExternal:
<script type="module" src="/pcad/assets/scripts/core/coreExternal.module.js"></script>
This call to the module makes the window.coreExternal functions look like dangerous inline script.
This is my PHP header for CORS:
$nonce = base64_encode(random_bytes(16));
header("Content-Security-Policy: default-src 'self' *.fontawesome.com; script-src 'self' 'unsafe-inline' /pcad/assets/scripts/core/ https://kit.fontawesome.com/ 'nonce-".$nonce."' 'sha256-...'; style-src 'self'; img-src 'self' data:;");
From reading the Content Security Policy documentation, I added 'unsafe-inline', which should sledgehammer my modules through, but they are still blocked.
Error Message:
Content-Security-Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).
Source: coreExternal.setCommissionStartDate(this… assignCommission.phtml
My Questions
I don't do CORS stuff every day, just once every few years, and this is the first time I've done it in code rather than configuring it on the web server. Perhaps I have the concept right but failed in execution; well, I'm sure that's it.
- Do I need the access-control headers?
- Did I paint myself into a corner using modules the way I did?
- Is one policy canceling another policy?
I still have issues with these error messages as well
Quote: Content-Security-Policy: The page’s settings blocked the loading of a resource at inline (“style-src”).
Source: --bs-breadcrumb-divider: '>'; viewVendors.phtml
The manual style I added to the table element
Quote: Content-Security-Policy: The page’s settings blocked the loading of a resource at inline (“style-src”).
Source: width: 100%; border: none; viewVendors.phtml
These are my headers in PHP. At this point, YES, I am throwing darts at the wall on this, plus SMH and
header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0");
header("Pragma: no-cache");
header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload");
header("X-Content-Type-Options: nosniff");
header("X-Frame-Options: DENY");
header("X-XSS-Protection: 1; mode=block");
header('Referrer-Policy: same-origin');
header("Access-Control-Allow-Origin: self");
header("Access-Control-Allow-Methods: GET, POST, OPTIONS");
header("Access-Control-Allow-Headers: Content-Type");
header("Access-Control-Expose-Headers: *");
header("Content-Security-Policy: default-src 'self' *.fontawesome.com; script-src 'self' 'unsafe-inline' /pcad/assets/scripts/core/ https://kit.fontawesome.com/ 'nonce-".$nonce."' 'sha256-...'; style-src 'self'; img-src 'self' data:;");
If it ain't broke don't fix it
Discover my world at jkirkerx.com
I replaced the script tags on the web pages with this ...
<?php $nonce = base64_encode(random_bytes(16)); ?>
<script type="module" src="/pcad/assets/scripts/core/core.module.js" nonce="<?php echo $nonce; ?>"></script>
So I don't have CORS errors, I have Content-Security-Policy errors.
This error is from the input element's onchange event, where I wasn't able to add an event listener because of the data I needed to populate the function call. I'll have to rethink this.
Content-Security-Policy: The page’s settings observed the loading of a resource at inline (“script-src”). A CSP report is being sent.
Source: coreExternal.setCommissionFinishedDate(t… 72 assignCommission.phtml
OK, so this is not easy, and will require me to do way more research on the subject, and rethink some of the code in this project.
If it ain't broke don't fix it
Discover my world at jkirkerx.com
This is what is being output by the web server, IIS, on some server version.
{
"name": "content-security-policy",
"value": "default-src 'self'; script-src 'self' swanpools-pcad-dev.occloud9.com; style-src 'self' 'unsafe-inline'"
},
Not even close to the header I wrote in PHP. I looked at IIS and didn't see any prepared headers. I'll dig down into php.ini and expand my search, and run the header in report-only mode until I fix it. Chrome is telling me I'm in report-only mode, but Firefox isn't.
If it ain't broke don't fix it
Discover my world at jkirkerx.com
I ended up with this, a compromise between using a hammer to nail it through with no more console errors and fixing several security issues for the better. By hammering it, I can get the app running for the owner to evaluate and test, and then consider more security fixes and upgrades.
Font-Awesome, or the FortAwesome free version
I removed all the Font-Awesome errors by removing the all.min.js JavaScript file from the header elements. Turns out I don't need that JavaScript; what it does is this: instead of using the fonts from node_modules, it fetches the latest version of the fonts and other stuff to replace what node_modules has, and does things like monitor the use of the product, and causes licensing issues where it's no longer the free version. Well, the files it fetched were the free version files at least, so I got something right that I tossed in the trash.
Diagnostics
I used Mozilla Firefox at first, but it gave me generic information back that never changed. I assume the headers I was inspecting were for public consumption. I ended up having to use Chrome in developer mode to see the real headers being returned in the response when the web page loads.
ECMAScript Modules
I used this to solve that issue in CSP: the use of a nonce, declaring a master module that references child modules on a web page.
<?php $nonce = base64_encode(random_bytes(16)); ?>
<script type="module" src="/assets/scripts/core/core.module.js" nonce="<?php echo $nonce; ?>"></script>
Inline scripts
I used this in the CSP rule below to solve script within an element calling onclick or onchange:
script-src-elem 'self' 'unsafe-inline' 'unsafe-hashes';
onclick="core.setProjectType('<?php echo $apiUri; ?>', 'landscape')"
SVGs like spinners and things you embed on the web page:
img-src 'self' data: w3.org/svg/2000;
Warning
This is not my best work, and it's not completed yet, but it gets the project back up and running so I can finish it and be done with it. This work does leave me with a little more work to beef up the security some more, but on my terms and not the web server's or browser's terms.
If you're clueless about this subject, then you can use this as a reference to model something for yourself. Remember, I'm not an expert on this subject, but I do understand the point, and I spent many hours doing research and reading, plus testing. It doesn't matter that this is PHP, because the principles are the same with most web technologies.
My Work
Cache Rules
header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0");
header("Pragma: no-cache");
X- Stuff Rules
header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload");
header("X-Content-Type-Options: nosniff");
header("X-Frame-Options: DENY");
header("X-XSS-Protection: 1; mode=block");
header('Referrer-Policy: same-origin');
CORS Rules
header("Access-Control-Allow-Origin: https:
header("Access-Control-Allow-Methods: GET, POST, OPTIONS");
header("Access-Control-Allow-Headers: Content-Type");
header("Access-Control-Max-Age: 86400");
header("Access-Control-Expose-Headers: *");
CSP Rules
$nonce = base64_encode(random_bytes(16));
header("Content-Security-Policy: default-src 'self'; script-src 'self'; script-src-elem 'self' 'unsafe-inline' 'unsafe-hashes'; script-src-attr 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: w3.org/svg/2000; object-src data: 'unsafe-eval';");
If it ain't broke don't fix it
Discover my world at jkirkerx.com
I'm following this tutorial on JS: Arrow Functions JavaScript Tutorial - What NOT to do!!!, and in the part where he explains why not to use setTimeout inside arrow functions, the justification is that they look for scope on the window and not in the enclosing scope of the arrowFunc method. But the tests I made had the opposite result: the named function had window, the arrow function had the correct one. So:
const dude = {
name: 'dude',
namedFunc() {
console.log('name 1: ', this.name);
setTimeout(function() {
console.log('this 1:', this);
console.log('name 2:', this.name);
}, 200);
},
arrowFunc() {
console.log('name 3:', this.name);
setTimeout(() => {
console.log('this 2:', this);
console.log('name 4:', this.name);
}, 300);
}
};
console.log('namedFunc:', dude.namedFunc());
console.log('arrowFunc:', dude.arrowFunc());
Expected:
this 1: {name: 'dude', namedFunc: ƒ, arrowFunc: ƒ}
name 2: dude
this 2: Window {window: Window, self: Window, document: document, name: '', location: Location, …}
name 4:
Actual result:
this 1: Window {window: Window, self: Window, document: document, name: '', location: Location, …}
name 2:
this 2: {name: 'dude', namedFunc: ƒ, arrowFunc: ƒ}
name 4: dude
modified 16-Jan-24 16:10pm.
Member 16183444 wrote: not to use setTimeout inside arrow function You say don't use setTimeout inside an arrow function, but your code example is using an arrow function inside setTimeout as a callback. That's the exact opposite. Do you have a timestamp in that video where he speaks of this?
Anyway, to your point, a lot of people get confused about this and lexical scope. I have no idea why there's so much disinformation in JavaScript's ecosystem. But alas, there is. When in doubt, trust what MDN says or, as in this case, your own testing.
From MDN: "Arrow functions don't have their own bindings to this." Which means arrow functions don't bind their own scope; they inherit it from the parent one. A regular function will always define its own this value. The value of this is determined by how a function is called. To put it simply, the this in the setTimeout function for the regular anonymous function is using the this of setTimeout's scope, because setTimeout is what calls the function.
Don't know what the dude said in the video because I didn't watch the whole 30 minutes. But that's the reason for the behavior you're seeing.
Jeremy Falcon
Is there a server-side web framework like WordPress but built on Microsoft technologies?
The difficult we do right away...
...the impossible takes slightly longer.
Googling suggests alternatives but I didn't look to see how they were built.
wordpress alternative windows
You're right! I should have Googled it first.
But thanks for the recommendation.
The difficult we do right away...
...the impossible takes slightly longer.
If you're looking for a server-side web framework similar to WordPress but built on Microsoft technologies, consider using ASP.NET with Umbraco or DotNetNuke (DNN). These frameworks offer robust content management features and are built on the .NET platform.
For expert guidance on setting up and optimizing these frameworks, you can reach out to Trisync Solutions. They specialize in web development using Microsoft technologies and can help you achieve your goals efficiently.
"The difficult we do right away... the impossible takes slightly longer."
Can someone help me understand whether PHP is compiled or interpreted?
I googled it and was left very confused.
It sounds like PHP is compiled to some type of bytecode. But, I have never seen another file created (an executable).
I can't imagine PHP would re-compile each script.php every time it is used, but I don't see any .exe files getting created.
Anyone know how PHP really works? It seems like almost no one knows.
Thanks.
There is not a clear, absolute distinction. Old-style interpreters would interpret the statements of a loop from source code on every iteration of the loop, and similarly with other constructs.
To speed up execution, interpreters began (at least 25 years ago, maybe earlier) to leave the analysis of a statement in a memory cache. So for a loop, the analysis was done the first time through. Following iterations skipped the analysis step and instead picked up the analysis from the cache.
As this became more common, the analysis results became more formalized into some variant of P-code, suitable for direct interpretation. When done as a separate step for an entire program or program module (e.g. the classic Pascal compiler from ETH Zürich), it is always called a compiler. So when the PHP runtime system does the same thing for a loop, you might say that it is a compiler, compiling that loop.
Another change over time: the first interpreters to save analysis results for later use did it line by line, or statement by statement. More recent interpreters compile larger units, e.g. a complete method, in order to apply optimizations such as moving invariants out of loops, calculating common expressions once only, etc.
If the generated code follows a well-defined grammar, the runtime compiler may save it to a file or cache. Compare it to dotNet: the IL code(*) of an assembly is compiled to binary machine code by the "jitter" (Just-In-Time compiler) the first time it is run. The jitter also saves the binary code in a (persistent) disk cache that is usually not seen by either programmer or user; it is in a file space managed by the jitter alone. Next time the same assembly is run, the jitter first looks in its cache: if an already compiled version is found there, it is loaded, and the JIT compiling is bypassed.
A similar (persistent) caching (of P-code) might be employed by an interpreter. It should not affect the source language: the same source may be interpreted on one machine, compiled to P-code on the fly on every execution on another machine, while a third machine may have an interpreter looking in its cache for an already compiled variant.
This may be applied to a lot of different languages: you could make an interpreter translate to P-code on the fly, for subsequent immediate interpretation by an interpreter. Usually you think of Java as a compiled language, but if you integrate the JVM with the compiler, they might appear externally just as 'interpreted' as, say, PHP.
(*) dotNet IL code and P-code are at a comparable abstraction level. The difference is that P-code is designed to be directly interpreted by a virtual machine; it is complete and ready for running, like binary machine code (although not the machine code of the real machine you are running on). IL code has a lot more 'loose ends' that must be tied up; there are more final decisions to be taken, but then there is more freedom when generating final binary machine code for that specific real machine. You cannot move this binary code to another machine; it may have a CPU missing a few instruction set options (the jitter makes binary code that makes use of anything that is available), or maybe a completely different binary instruction set. P-code (usually) can be moved to other machines of arbitrary architecture and instruction set.
Note that P-code (or bytecode) is not a single firmly defined format. There are different P-codes; Java bytecode is not identical to the classical Pascal P4-code (although it is said to be heavily inspired by P4).
Religious freedom is the freedom to say that two plus two make five.
Sorry, why are you telling me this?
Because a public post is intended for the entire reading audience, not just for you alone.
I wrote my post to expand on your WDYJFGI style reply; that is why it came as a follow up to yours.
I had a coworker who was a real nuisance in informal conversations: All the time he interrupted "You have told that earlier!", and I had to reply: "Yes, to you, but this was John asking, and he hasn't heard it yet!" This guy never learned; it happened again and again.
For some reason, your reply/question made me think of this fellow.
Religious freedom is the freedom to say that two plus two make five.
Well maybe so, but it would have been better posted in reply to the question, as the OP is the one asking for the information. I suspect that very few people will actually read your response as it does not appear to be an answer to the question.
PHP is a scripting language, which basically means there is an "exe" somewhere reading the PHP script every time there is a request.
For PHP that will be the Zend Engine.
I'm working on a web development project and I'm struggling with optimizing performance for my website. Are there any best practices or specific techniques that developers recommend to improve website speed and performance, especially when dealing with large amounts of data or complex interactions?
That is such a broad question, I can only assume this is a setup for a "search engine optimisation" spammer to respond with an advert for their services.
If that wasn't your intention, then you need to provide a lot more information about your specific problem, what you have tried, and where you are stuck.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
The question is indeed broad, but one could start off with a Lighthouse audit if completely new to this. It provides a nice set of rules for web projects.
However, having gained some experience, I would advise applying more systems thinking, i.e. identifying the exact bottleneck (e.g. a slow backend or an excessive JavaScript bundle size) via developer tools and fixing it.
When dealing with large amounts of data, try to use caching instead of going to the database for every request.
How to upload a PDF in a MERN project?
Doing lots of web work in my current job...
We've got a legacy solution (though still in use) which has ASP.NET/.NET 4.8 web projects in it.
Unfortunately, looking at it today (with VS 17.8.2, if it's of any relevance, i.e. the latest one with the .NET 8 bits)... I can't get any breakpoint to work!
I wonder if anyone else here experiences the same misfortune, or has any idea?