fvg asked:

Protect the addressbar in IE

Hello,
Does anyone know a way to protect the address bar in Internet Explorer and Netscape?
What I mean is that the user cannot see the name of the current page (protected page).
The address bar may be invisible or filled with another address.
Thanks
Frank
ASKER CERTIFIED SOLUTION
RajeshTN

This solution is only available to members.

jaysolomon

This will work for someone that knows nothing about source code.

However, if they want to know that addy, they will find it.


So to answer your question

IT IS IMPOSSIBLE

jAy
Hi,

Masking the URL is just about impossible - it's easy to do for novice users, but anyone with a habit for right-clicking may be able to sift through the HTML source to find the address you're hiding.

Here's a work-around...

http://www.your-url.com/default.asp

This page would actually accept input from the query string to determine what page to show. For example:

http://www.your-url.com/default.asp?page=services

In your default.asp code, you'd have something like this:

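<%
    ' Decide which page to display from the "page" query-string value.
    ' Only the values listed in the Case branches are served.
    ' CheckAuthenticated() is described below and must be defined elsewhere.
    Select Case Request.QueryString("page")

      Case "services"
        Call CheckAuthenticated()
        %>
        <!--#include file="secured-dir/services.asp"-->
        <%

      Case "page-x"
        Call CheckAuthenticated()
        %>
        <!--#include file="secured-dir/page-x.asp"-->
        <%

      Case Else
        ' Unknown page ID: reject the request and stop processing.
        Response.Write "Invalid page ID. Try again."
        Response.End

    End Select
%>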


The Sub CheckAuthenticated() could check to see if the request for the page originated from this server itself, i.e. it came from a link on your site.

That way, you could in essence prevent users from linking to pages directly on your site, or from being able to view things they shouldn't be able to get to.

Just an idea!
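
The dispatcher idea from the post above, as an added example that is not part of the thread: page IDs are resolved through a fixed allowlist, and protected pages are gated on a server-side session rather than on what the address bar shows or on a hint the browser sends. The page IDs, the `sid` cookie name, the session store and the sample requests are assumptions constructed for illustration; it is written in JavaScript so it runs stand-alone.

```javascript
// Added example. All names and sample data below are constructed.
// Allowlist of page IDs, mirroring the Select Case branches in the post.
const PAGES = new Map([
  ["services", { protectedPage: true, render: () => "<h1>Services</h1>" }],
  ["page-x", { protectedPage: true, render: () => "<h1>Page X</h1>" }],
  ["home", { protectedPage: false, render: () => "<h1>Home</h1>" }],
]);

// Server-side session store keyed by an opaque ID carried in a cookie.
const SESSIONS = new Map([["s-constructed-1", { user: "frank" }]]);

// Look up the session named by the "sid" cookie, or return null.
function sessionFor(req) {
  const m = /(?:^|;\s*)sid=([^;]+)/.exec(req.headers.cookie || "");
  return m ? SESSIONS.get(m[1]) || null : null;
}

// Decide what to serve. The page ID is only ever used as a Map key, so it
// can never become a file path, and inherited names such as "constructor"
// do not match. The Referer header is ignored: it is supplied by the client.
function dispatch(req) {
  const id = req.query.page;
  const page = typeof id === "string" ? PAGES.get(id) : undefined;
  if (!page) return { status: 404, body: "Invalid page ID. Try again." };
  if (page.protectedPage && !sessionFor(req)) {
    return { status: 403, body: "Login required." };
  }
  return { status: 200, body: page.render() };
}

// Constructed sample requests covering the cases a reviewer would check.
const SAMPLES = [
  { query: { page: "services" }, headers: { cookie: "sid=s-constructed-1" } },
  { query: { page: "services" },
    headers: { referer: "http://www.your-url.com/default.asp" } },
  { query: { page: "services" }, headers: { cookie: "sid=unknown" } },
  { query: { page: "../secured-dir/services.asp" },
    headers: { cookie: "sid=s-constructed-1" } },
  { query: { page: "constructor" }, headers: {} },
  { query: { page: "home" }, headers: {} },
];

function runSamples() {
  return SAMPLES.map((req) => dispatch(req).status);
}

console.log(runSamples());
```

Because the decision is made per request on the server, knowing or guessing a page name gives a visitor nothing without a valid session.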
This question has been posed before in a somewhat different fashion.  You can set the MenuBar visibility in a window.open() call in JavaScript.  However, you cannot access the visibility property of the menubar once a browser window has been opened (i.e., these properties are "protected" in the window object).

There is a good discussion of this on THIS site.  See the following:  https://www.experts-exchange.com/questions/20119973/Remove-toolbars-from-current-window.html

OK, so I think JavaScript is _not_ the way to get this type of functionality.

I think the best bet is to "fill" the location bar with a "dummy" address.  This can be achieved on both Windows and Unix platforms using server side includes.

For example, let's say I have an Apache server (on Linux or Windows).  I would take the following steps:
1)  First create a file called "securefinance.html" in a secure area of my site (possibly a subfolder called "MySecureFolder"), and restrict access to it (the file or folder) by IP.  I configure Apache so that only IP 127.0.0.1 (localhost) can open this file.
2)  Then create a finance.html page with the following line of code:  <!--#include virtual="/MySecureFolder/securefinance.html" -->

That's about it.  Now when a user clicks a link to view "finance.html", the HTML for the page will actually come from "securefinance.html".  Furthermore, if somehow they guessed the real page name and tried to load it into their browser, they would be rejected because of the Apache config.

The syntax for doing this on IIS would be very similar and would work for IIS 4 or higher.  Also, a similar analogy would apply for scripting languages, say, ColdFusion, where my example would be tweaked by changing file extensions to .cfm and using a <cfinclude> instead of a server-side include (include virtual).
You can simply put your page in an iframe, <iframe src="<your page>"></iframe>, then encrypt your page so it's unreadable. This will make it much harder to find out what the URL of the page you are protecting is.

Alternatively, if you have PHP, you can put the file you want to protect outside your root web directory and then use <?php include "../<your file>" ?> to call it. This will stop the user and is practically impossible to get around.
I like the 'running in full screen' approach.  To make it more secure you'd need JavaScript to prevent right clicking.  And to prevent people from turning off js and cruising your site, you'd need to make all your navigation occur through js too.  At which point you have more of an application than a web site.... what is it you're trying to hide so bad?  Maybe you'd be better off with some sort of executable - you could run your whole site in Flash instead of HTML - Flash exposes no useful source code or URLs.

You could also use the ?page=services approach, but encode your argument.  You can find code to base64 or RC4 encrypt arguments and use that so that you see page=#%va#$aq3f - which is unintelligible to most people, but very attractive to hackers who may think you have something to hide.

Ooooh..... I used to work at a company that used Vignette's StoryServer (now just V6).  The URLs are incompre-freaking-hensible.  Wired and CNet use it, the URLs look like http://wired.com/news/business/0,1367,57810,00.html - it is actually that crappy ,1367,57810, part that tells the server side engine what page to display.  You could replicate this in JavaScript - have a basic page that just included a js library and an iframe.  The js library decodes the ,1367,57810 crap and conditionally sets the source of the iframe.  You can even encode your JavaScript so nobody can read the source of it.  Again... people can still right click in the iframe, so you need js to disable the right clicking, but now the js to control page navigation is central to your site, so if they disable JavaScript they can't navigate anymore.  Just make the HTML file names bizarre or useless too - set the iframe's source to the results of a cgi-bin query for instance.  But for god's sake is that going to be a llllooootttt of work.  Unless you're running a porn site, I don't see it as being worthwhile.
fvg (ASKER)

To: RajeshTN
I've tried your concept and it works fine.
I've also looked at the source code of the opened window and I see no page name in it.
Since the code is only used to create a dummy page that will open the real window, I think there is only a little chance to see the page name.
The dummy page is displayed only for a second and is called by the program CoffeeCup Password Wizard.
Nevertheless, I find the remark about making it all in Flash also a very useful hint to think about.
Thanks to all responders
Frank