steve_ssh

HTTP Post: Security with "Insert From URL", and interesting WebViewer alternative

Discussion created by steve_ssh on Apr 13, 2014
Latest reply on Feb 7, 2017 by sfpx

Hello,


I'd like to share a couple of items that have been of interest to me over the past few weeks.

Background:


I was working on a project that involved a standalone (i.e. not connected to FMS) copy of FMGo that needed to perform an HTTP post to send some data to a web service.


My initial thought was to use the Insert From URL script step.

Item #1 To Share:


Upon reading the fine print at http://www.filemaker.com/13help/en/html/scripts_ref1.36.50.html


I discovered that I could not guarantee that using Insert From URL would protect the security of my client's data.


While it is possible to supply an https URL to the IFU script step, the fine print on the help page implies that, although the data may be encrypted, this script step does not validate the server's SSL certificate:


[Image: fm caveat.png]


To test this concern, I set out to see if I could get Insert From URL to perform a HTTPS connection to a URL which a browser such as Safari or Firefox would reject on the grounds of the server's certificate not being recognized.


Conveniently enough, the URLs generated by: http://requestb.in qualify as a test case, in that, when used with the https protocol, my browser gives me a warning about not being able to verify the site identity.


Unfortunately, Insert From URL raises no warning with a request to https://requestb.in, and proceeds to perform the connection and return the server's response without any issue.


My conclusion is that this leaves Insert From URL transactions vulnerable to "Man In The Middle" attacks, and that, for the time being, it would be preferable to perform a secure post request via a plugin such as BaseElements.


Since I nearly overlooked this security aspect of IFU, I figured it wouldn't hurt to mention it to others.

Next Bit Of Background:


Given the above, I decided to revisit the old technique of using a HTML form and some JavaScript in a WebViewer to send the post request.


(As a reminder, the scenario that I was considering was a standalone version of FMGo, without the benefit of being able to use plugins or call a script on FMS.)


Fortunately, though a hack, this technique still seems to work, and moreover, it raises an error if the secure server identity can not be verified.


Having recently read a post concerning not being able to send XML payloads or custom HTTP headers with Insert From URL, my curiosity opened up, and I started investigating the possibility of utilizing XMLHttpRequest to perform the post request (instead of a triggered HTML form), in order to be able to send custom headers and XML payloads.


Some time ago I had discarded this possibility as likely to fail due to restrictions on cross-domain Ajax requests. This time, I decided to dig a little deeper and see what was possible.

Item #2 to Share:


What I found was that, at least in some cases, it is indeed possible to use XMLHttpRequest in a WebViewer to send http/https post requests with optional custom http request headers and/or XML payload. I have not ruled out the possibility that this technique could still fail in some cases as a result of cross-domain restrictions, but I have seen that in some cases the technique does work. Reading up on CORS, my understanding is that a server can be configured in such a way that cross-domain requests will be allowed. My hope is that this would be true for common public SOAP APIs.

Given the above, I have been playing around with writing a custom function that encapsulates all of the JavaScript code for leveraging XMLHttpRequest from within a WebViewer:

The gist of it is as follows:


1) From within a script, one calls the CF with the following:


- The target server URL

- A list of any HTTP request headers and values

- The request payload

- A timeout value in milliseconds

- The name of a FileMaker script (in the local file) that should be invoked when the request completes or errors out


2) The CF returns a string which is set as the URL of a WebViewer which is visible on the layout.


3) When the WebViewer loads the calculated URL, JavaScript is run which sends the request.


4) When the request runs its course (either through error or success), the FileMaker callback script is invoked via the FMP URL protocol.


5) The callback script is invoked with several local script variables set to indicate the status of the request.


6) The response content returned by the server can be retrieved using a companion custom function which extracts the content from the WebViewer object.

At this point, the custom function is at a stage that I would describe as "experimental", i.e. not tested enough, but nonetheless promising.


I'd like to share it with anyone who might be interested.


I will attach a sample file which provides a simple illustration of its use.

Kind regards to all,


-steve

References:


Help Page For Insert From URL:


http://www.filemaker.com/13help/en/html/scripts_ref1.36.50.html

Information on CORS:


http://en.wikipedia.org/wiki/Cross-origin_resource_sharing


http://www.html5rocks.com/en/tutorials/cors/

Message was edited by: steve_ssh


Updated archive to make a small correction to the file. Original version still works, but WebViewerPost_02.zip is preferred.
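Editor's added example (not steve_ssh's custom function and not taken from the attached WebViewerPost_02.zip): a JavaScript sketch of the six-step mechanism described under "Item #2 to Share", written so the page-building part runs under Node. It builds the string a WebViewer would be pointed at (a data: URL carrying an HTML page), embeds an XMLHttpRequest POST with custom headers, body and timeout in that page, and has the page jump to an fmp:// URL when the request finishes so a FileMaker callback script runs with local variables set. Assumptions, all labelled in the code: the fmp URL form fmp://$/File?script=Name&$var=value, with host "$" meaning "the file already open in FileMaker"; that the response body can be read back with GetLayoutObjectAttribute ( webviewer ; "content" ); and the endpoint, file and script names, which are made up.

```javascript
'use strict';

// Escape a value for embedding inside a <script> block. JSON.stringify
// handles quotes and newlines; "<" is also escaped so a payload containing
// "</script>" cannot terminate the generated script element (script injection
// into the WebViewer would otherwise be trivial for a hostile payload).
function jsString(s) {
  return JSON.stringify(String(s)).replace(/</g, '\\u003c');
}

// fmp:// URL that hands control back to FileMaker. Each key in vars becomes a
// $local variable in the callback script. ASSUMED fmp URL syntax:
// fmp://$/File?script=Name&$var=value, where host "$" means "file already open".
function fmpCallbackUrl(fileName, scriptName, vars) {
  const base = 'fmp://$/' + encodeURIComponent(fileName) +
    '?script=' + encodeURIComponent(scriptName);
  const parts = Object.keys(vars || {}).map(
    (k) => '$' + encodeURIComponent(k) + '=' + encodeURIComponent(String(vars[k])));
  return parts.length ? base + '&' + parts.join('&') : base;
}

// HTML page the WebViewer loads. It fires one XHR POST with the given headers
// and body, enforces a timeout, writes the raw response into a <pre> (ASSUMED
// to be read back by FileMaker via GetLayoutObjectAttribute "content"), then
// jumps to the fmp:// callback with $status, $httpStatus and $detail set.
function buildPostPage(opts) {
  const { url, headers = {}, body = '', timeoutMs = 10000, fileName, callbackScript } = opts;
  const headerLines = Object.keys(headers)
    .map((h) => `xhr.setRequestHeader(${jsString(h)}, ${jsString(headers[h])});`)
    .join('\n  ');
  const fmBase = fmpCallbackUrl(fileName, callbackScript, {});
  return `<!DOCTYPE html><html><head><meta charset="utf-8"></head><body>
<pre id="response"></pre>
<script>
(function () {
  var xhr = new XMLHttpRequest();
  function done(status, httpStatus, detail) {
    window.location.href = ${jsString(fmBase)} +
      '&$status=' + encodeURIComponent(status) +
      '&$httpStatus=' + encodeURIComponent(httpStatus) +
      '&$detail=' + encodeURIComponent(detail);
  }
  xhr.open('POST', ${jsString(url)}, true);
  xhr.timeout = ${Number(timeoutMs)};
  ${headerLines}
  xhr.onload = function () {
    document.getElementById('response').textContent = xhr.responseText;
    done('complete', xhr.status, xhr.statusText);
  };
  xhr.onerror = function () { done('error', xhr.status, 'network, TLS or CORS failure'); };
  xhr.ontimeout = function () { done('timeout', 0, 'no response within ' + xhr.timeout + ' ms'); };
  xhr.send(${jsString(body)});
})();
</script></body></html>`;
}

// What the custom function would return: a data: URL to set on the WebViewer.
function webViewerUrl(opts) {
  return 'data:text/html;charset=utf-8,' + encodeURIComponent(buildPostPage(opts));
}

// Constructed sample (endpoint, file and script names are made up). The body
// deliberately contains quotes and "</script>" to show they stay inert.
const SAMPLE_OPTS = {
  url: 'https://api.example.test/soap',
  headers: { 'Content-Type': 'text/xml; charset=utf-8', SOAPAction: '"urn:Echo"' },
  body: '<?xml version="1.0"?><Envelope><Body>"x" & </script></Body></Envelope>',
  timeoutMs: 5000,
  fileName: 'WebViewerPost.fmp12',
  callbackScript: 'HandlePostResult',
};
const samplePage = buildPostPage(SAMPLE_OPTS);
```

Two practical notes on this sketch. A page loaded from a data: URL has an opaque origin, so every XMLHttpRequest it makes is cross-origin: the target server must answer with Access-Control-Allow-Origin, and custom headers such as SOAPAction or a non-form Content-Type trigger a preflight OPTIONS request, which is the CORS dependency the post flags. And because the request parameters are spliced into generated script text, every one of them must pass through jsString (or an equivalent escape) before it is embedded; an XML payload that contains a quote or "</script>" is otherwise executed as code in the WebViewer rather than sent as data.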
