16 Replies. Latest reply on Jun 24, 2015 5:32 PM by steve_ssh

    Please restore embed ability for WebDirect

    ibrahim_bittar

      This is a message for Vin Addala and the FileMaker Server team:

       

      Please remove the "security feature" that prevents the embedding of WebDirect solutions in other websites.

       

      One of the advantages of embedding a WebDirect solution is that you can focus only on functionality and don't have to spend time/resources mimicking the website that contains the solution. You could build from simple contact forms to requests for quotes, simple applications, the sky is the limit.

       

      This year I'll speak at Devcon about WebDirect, and as a result of the research I did, I could see the potential WebDirect has by dividing a big solution into smaller, embedded chunks. The user experience could be greatly improved and the development cycle would be drastically reduced.

       

      I'm more than willing to collaborate with FMI to make this work in a secure and reliable way.

       

      Best regards

       

      Ibrahim.

        • 1. Re: Please restore embed ability for WebDirect
          ariley

          That’s something I never thought of. Thank you!

           

          I’ve been using WordPress forms and bringing the data in via ESS, which works fine, but this is so much simpler…if it works.

          • 2. Re: Please restore embed ability for WebDirect
            steve_ssh

            Hello Ibrahim,

             

            I am wondering if you could say a little bit more about what this embedding would look and behave like.

             

            Would this be something as simple as embedding WebDirect within an iframe of another site?

             

            Is there some other concept that you have in mind?

             

            I'd love to know a few more details about what you have in mind.

             

            Very best regards,

             

            -steve

            • 3. Re: Please restore embed ability for WebDirect
              beverly

              Ibrahim, are you referring to "Same-origin policy - Wikipedia, the free encyclopedia" (see also references to "Cross-Site Request Forgery (CSRF)")?

               

              I'm wondering if that's the issue. Is the WD in the same domain, same server, and if that makes a difference.

              And I'm wondering if it's a WD issue at all or the website trying to embed the WD.

               

              There are HUGE security issues with trying to make a 'dashboard' of content from multiple domains. The APIs that may be available (such as Facebook tie-ins) have extreme measures taken to allow (FB) content to be shown on your website, for example.

               

              When doing IWP (now WD), I attempt to make the interface match as closely as possible to any "home" website and avoid trying to embed (IWP/WD) within it. Or I use CWP (and/or ESS) to push the content from FMP to the site. No cross-site problems!

               

              beverly

              • 4. Re: Please restore embed ability for WebDirect
                ibrahim_bittar

                Hi Bev

                 

                I'm not sure as there are some web concepts I don't fully know/understand.

                 

                What I did was to create a website in the FileMaker Server website root. The website works but when I try to use an iFrame or <embed> to show a WebDirect solution inside the website, it shows the frame but completely blank.

                 

                I searched the forum for similar cases and found a thread with a similar situation, saying that after FMS13.v5 that ability was removed due to security reasons, though it should work if the parent website is in the FileMaker Server http root folder.

                 

                > When doing IWP (now WD), I attempt to make the interface match as closely as possible to any "home" website and avoid trying to embed (IWP/WD) within it. Or I use CWP (and/or ESS) to push the content from FMP to the site. No cross-site problems!

                 

                Certainly it can be done, but in my opinion it is an unnecessary overhead if the website is in the same web server and therefore in the same domain. Again, I'm not a security expert but it seems logical to me.

                • 5. Re: Please restore embed ability for WebDirect
                  CarstenLevin

                  I am not sure, but the problem can be a part of the 13.0v9 update with the change regarding SSL.

                  While we may see dialogs/warnings etc. when embedding from different sources, in my opinion FileMaker should make it possible to display WebDirect in an iFrame and let the rest be up to us.

                  Something I misunderstand here?

                  Best regards

                  Carsten

                  • 6. Re: Please restore embed ability for WebDirect
                    imarc

                    Is it possible this security feature applies to any content hosted by FMS' web server? I was seeing a bug related to using an iframe of a page on an FMS 14 server recently (the enclosing page was in the same directory, so no cross-site issues), but it was CWP, not WebDirect. Worked fine in FMS 12 with (non-FMS installed) Apache.

                    • 7. Re: Please restore embed ability for WebDirect
                      ibrahim_bittar

                      Shouldn't it be the opposite?

                       

                      I mean, I bought a certificate for my FileMaker Server and it's working fine. If I host a website in the same server, which is protected by the same certificate, shouldn't we have any security issue related to cross-site?

                      • 8. Re: Please restore embed ability for WebDirect
                        ibrahim_bittar

                        Hi Bev, please I need your guidance here:

                         

                        This is the website for our FileMaker Server:

                         

                        https://remote.eikonsys.com/index.html

                         

                        It has a security certificate which I installed using FileMaker Server Console:

                         

                        BasicTutorial 2015-06-15 at 4.30.59 PM.png

                         

                        The website shows normally but the iFrame containing the WebDirect Solution shows blank:

                         

                        BasicTutorial 2015-06-15 at 4.32.54 PM.png

                         

                        The WebDirect solution is a tiny, simple, FileMaker File with one global field and one table. You can access it through:

                         

                        https://remote.eikonsys.com/fmi/webd#webdirecttest

                         

                        The iFrame code I used was:

                         

                        <iframe src="https://remote.eikonsys.com/fmi/webd#webdirecttest">

                         

                        As far as I understand, I'm not violating the same origin policy. Possibly I'm missing something very basic, but I feel like I'm flying blind here.

                         

                        What do you think?

                        • 9. Re: Please restore embed ability for WebDirect
                          beverly

                          OK Ibrahim! Here is more information on the XSS (cross-site scripting). Generally it occurs when JavaScript is used (and WD uses JS!). But these links will show you other potential vulnerable spots:

                           

                          http://www.acunetix.com/websitesecurity/cross-site-scripting/

                          https://support.microsoft.com/en-us/kb/252985

                          http://www.google.com/about/appsecurity/learning/xss/

                           

                          and more when you search for 'cross-site scripting'.

                           

                          It's quite possible that WD has scripting going on that then triggers the "error flags" in the Web Server, the web application, and/or the web browser.

                           

                          It would certainly be a question for the engineers while you're at DevCon. If it's IN WD, then there's little that you can do. If it's in the Website, then perhaps (but I doubt it).

                           

                          This is a security hole that has been around 10+ years. Some of the links may have "fixes", but I'd opine that's possible only when you have control of all the content (none generated as WD is).

                           

                          And it's certainly a good conversation to get started with whomever may be working on a "next" version (or fixes for the current version). If there are ways to allow iframe to show WD in an existing web site, I agree, it would be indeed beneficial!!

                           

                          beverly

                          Web Maven since Netscape 1.1

                          • 10. Re: Please restore embed ability for WebDirect
                            ibrahim_bittar

                            Thank you Bev, so I'm not crazy, right?

                             

                            I mean, what I did was supposed to work but it's not working for some unknown (to us) reason.

                            • 11. Re: Please restore embed ability for WebDirect
                              beverly

                              I'd never call you crazy, you're one of the good guys! LOL

                               

                              Perhaps the links will help. There is much underlying in the Web Server, Web server apps and web browser that may be a factor as much as the WD. At least you'll get an education on what may be happening. I probably learned way back when the first error message appeared and I googled it.

                               

                              In an effort to 'protect' us things change. This may be something that 'worked' once and does not for a variety of reasons.

                               

                              beverly

                               

                              On Jun 15, 2015, at 6:41 PM, ibrahim_bittar <noreply@filemaker.com> wrote

                               

                               


                              Thank you Bev, so I'm not crazy, right?

                               

                              I mean, what I did was supposed to work but it's not working for some unknown (to us) reason.


                               

                              • 12. Re: Please restore embed ability for WebDirect
                                beverly

                                One more thing...

                                Browsers (Safari and Firefox) have developer tools (and debuggers). Perhaps a check of the element(s) will reveal something. I see a link to CSS (remotely) within the document in the iFrame. That alone could be a problem and is being pushed thru WD.

                                 

                                beverly

                                • 13. Re: Please restore embed ability for WebDirect
                                  steve_ssh

                                  Hello Ibrahim,

                                   

                                  I hope this message finds you well.

                                   

                                  As always, beverly's advice is great. Using the developer tools in Chrome, I took a look at your site, and I think I see one problem which would prevent your WebDirect content from loading.

                                   

                                  What I see is that the iframe src attribute appears to have some extra (unwanted) quote characters which are preventing the iframe content from being displayed.  The extra quote characters are causing the browser to try to load a URL that doesn't exist.  If you take a close look, I think you'll see what I mean.  The key is to use something to watch the browser's error console so that you can see the related error message.

                                   

                                  I'll attach a couple of screen shots which I hope will help.

                                   

                                  Addendum:

                                   

                                  I just looked at the actual source of the page, and, to be more precise:

                                   

                                  It appears as though the quotes used to specify the src attribute of the iframe are some flavor of "smart-quotes".  Rather than being interpreted as the delimiters of the attribute value, they are being interpreted as part of the actual value.  Switching to regular "stupid-quotes" should remedy this.

                                   

                                  Very kind regards,

                                   

                                  -steve

                                   

                                  console.png

                                   

                                  document.png
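
The diagnosis in reply 13, as an added example that is not part of the thread: a Node.js scan for `src`/`href` values delimited by curly quotes, showing the URL the browser ends up requesting. The function names are hypothetical, the sample HTML is constructed, and the page URL is the one given in reply 8.

```javascript
// Added example, not code from the thread.
const SMART_QUOTES = "\u201C\u201D\u2018\u2019"; // curly double and single quotes

// Constructed sample page: the first iframe uses curly quotes, the second straight ones.
const SAMPLE_PAGE_URL = "https://remote.eikonsys.com/index.html";
const SAMPLE_HTML = [
  "<iframe src=\u201Chttps://remote.eikonsys.com/fmi/webd#webdirecttest\u201D></iframe>",
  '<iframe src="https://remote.eikonsys.com/fmi/webd#webdirecttest"></iframe>',
].join("\n");

// Simplified attribute scan (a regex, not a full HTML parser): a value is either
// delimited by straight quotes or, per HTML rules, runs unquoted up to whitespace or ">".
function findSmartQuotedUrls(html, pageUrl) {
  const attr = /\b(src|href)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi;
  const findings = [];
  for (const m of html.matchAll(attr)) {
    const raw = m[2];
    if (raw[0] === '"' || raw[0] === "'") continue; // properly delimited value
    const first = raw[0];
    const last = raw[raw.length - 1];
    if (!SMART_QUOTES.includes(first) && !SMART_QUOTES.includes(last)) continue;
    // The curly quotes are part of the value, so the browser sees no scheme and
    // resolves the whole string as a path relative to the embedding page.
    const requested = new URL(raw, pageUrl);
    const fixed = stripSmartQuotes(raw);
    findings.push({ attribute: m[1], raw, requested: requested.href, fixed });
  }
  return findings;
}

// Remove leading and trailing curly quotes to recover the intended URL.
function stripSmartQuotes(value) {
  let start = 0;
  let end = value.length;
  while (start < end && SMART_QUOTES.includes(value[start])) start++;
  while (end > start && SMART_QUOTES.includes(value[end - 1])) end--;
  return value.slice(start, end);
}

for (const f of findSmartQuotedUrls(SAMPLE_HTML, SAMPLE_PAGE_URL)) {
  console.log(`${f.attribute}: requested ${f.requested}\n  intended  ${f.fixed}`);
}
```

The requested URL stays on the embedding host with a percent-encoded curly quote at the start of the path, which is the nonexistent resource the error console reports.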

                                  • 14. Re: Please restore embed ability for WebDirect
                                    ibrahim_bittar

                                    Thank you very much!

                                     

                                    I'll take a look at this later today. If this solves the problem I promise to deliver a great WebDirect session at Devcon. Otherwise I'll deliver a great one too.

                                     

                                    Thanks a lot.
