Forum Newbie
Group: Forum Members
Last Login: 1/11/2008 8:18:20 PM
Posts: 4,
Visits: 16
Hey,
I need to use absolute URLs for the dataURL parameter.
Here is my situation:
I have multiple web server machines that service XML requests. A client does not know which server he is talking to when he makes a web service call. He just sends the request to http://www.mycompany.com/webService and our load balancer sends the request to one of the servers.
The XML response is then sent back to the client. Part of the XML response has the object tag for the flash chart with the dataURL parameter in it. This has to be an absolute URL, since the XML data file is only sitting on one of the multiple servers we have. A subsequent call to a relative URL to get the data file may not get routed to the same server through the load balancer.
If you can think of a way to resolve this, please advise, otherwise I am forced to remain on the older version until there is an option to use absolute URLs.
I don't want to use the dataXML option because of the limitations described in the documentation.
Requiring sessions with our clients is not a solution. The web services must remain stateless.
Please add an option to allow for absolute URLs. By the way, what is the security risk?
Thanks,
Brian Barnett
FusionCharts Team
Group: Administrators
Last Login: 10/3/2008 2:42:18 AM
Posts: 2,117,
Visits: 498
Hi Brian,
We had to take this decision to disallow absolute URLs in FusionCharts, owing to an XSS attack vulnerability. In this, a malicious user could host a phishing website and then call FusionCharts SWFs from a valid website (over HTTP). Thereafter, as the dataURL of the same, he could pass some script or absolute URLs to other "evil" scripts which could get him access to cookies of the valid domain.
A way to overcome absolute URL problem would be to host a relative proxy file like Relayer.aspx, which in turn could fetch the data from remote page and pass it to the chart.
Thanks, Pallav Nadhani FusionCharts Team
Forum Newbie
Group: Forum Members
Last Login: 1/11/2008 8:18:20 PM
Posts: 4,
Visits: 16
So each of our web servers would have a Relayer.aspx, or Relayer.jsp in our case. Can you provide some pseudo code for what this file would do?
Also, what would the dataURL look like in the object tag? It would point to Relayer.jsp??
Like this?
... value="&dataURL=/Relayer.jsp"
Forum Newbie
Group: Forum Members
Last Login: 3/22/2008 9:37:53 PM
Posts: 2,
Visits: 5
I am also having this same problem and the new XSS protection is breaking our live production site.
Is there any way to disable this "feature" until we are able to create a workaround?
Forum Newbie
Group: Forum Members
Last Login: 5/7/2008 1:18:33 PM
Posts: 8,
Visits: 13
I'm in the same situation and would love to see an example of what the relay page does. Thanks.
Supreme Being
Group: Moderators
Last Login: Today @ 2:58:00 AM
Posts: 811,
Visits: 1,289
Hi,
Could you try this relay PHP code?

    <?php
    // Load the chart XML from its absolute URL on the other domain
    $xmlDoc = new DOMDocument();
    $xmlDoc->load("http://www.fusioncharts.com/Gallery/Data/Col3D1.xml");
    // Return it to the chart as XML from this page, which the chart calls by relative URL
    header('Content-type: text/xml');
    echo $xmlDoc->saveXML();
    ?>

The code loads an XML from another domain with absolute path and prints the XML. Hence, it works as a relayer.
Regards,
Sudipto Choudhury FusionCharts Team
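
An added example, not part of the thread and not FusionCharts code: the hard-coded relay above extended to the multi-server case from the first post. The relative dataURL names a backend id and a file, and the relay builds the absolute URL itself, so it never fetches a URL supplied by the client. The file name Relayer.php, the `node` and `file` parameters and the backend host names are assumptions.

```php
<?php
// Relayer.php: added example, not FusionCharts code.
// Called with a relative URL such as /Relayer.php?node=web1&file=Col3D1.xml
// The "node" and "file" parameter names are assumptions for this sketch.

// Constructed allowlist: short id -> base URL of the web server holding the data file.
const BACKENDS = [
    'web1' => 'http://web1.internal.example/chartdata/',
    'web2' => 'http://web2.internal.example/chartdata/',
];

// Returns the absolute upstream URL, or null when either value is rejected.
// The client only ever picks an id and a file name, never a URL.
function resolve_upstream($node, $file)
{
    if (!is_string($node) || !is_string($file)) {
        return null;                          // e.g. node[]=x
    }
    if (!array_key_exists($node, BACKENDS)) {
        return null;                          // unknown server id
    }
    // One path segment only: no "/", "..", query string or scheme can get through.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.xml\z/', $file)) {
        return null;
    }
    return BACKENDS[$node] . $file;
}

function relay(array $query)
{
    $url = resolve_upstream($query['node'] ?? null, $query['file'] ?? null);
    if ($url === null) {
        http_response_code(400);
        return;
    }
    $xmlDoc = new DOMDocument();
    if (!@$xmlDoc->load($url)) {              // upstream down or not well-formed XML
        http_response_code(502);
        return;
    }
    header('Content-Type: text/xml');
    echo $xmlDoc->saveXML();
}

if (PHP_SAPI !== 'cli') {                     // run only when served over HTTP
    relay($_GET);
}
```

The server that writes the object tag puts its own id in `node`, so whichever machine the load balancer picks for the follow-up request can reach the one that holds the file.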
Supreme Being
Group: Moderators
Last Login: Today @ 2:58:00 AM
Posts: 811,
Visits: 1,289
Hi,
You can use this code to relay XML using ASP.NET:

C#.NET CODE ASP.NET 2.0

    <%@ Page Language="C#" %>
    <script runat="server">
    protected void Page_Load(object sender, EventArgs e)
    {
        // Fetch the XML from its absolute URL and write it out as this page's response
        System.Xml.XmlDocument xmlDoc = new System.Xml.XmlDocument();
        xmlDoc.Load("http://www.fusioncharts.com/Gallery/Data/Col3D1.xml");
        Response.ContentType = "text/xml";
        Response.Write(xmlDoc.OuterXml);
    }
    </script>

VB.NET CODE ASP.NET 2.0

    <%@ Page Language="VB" %>
    <script runat="server">
    Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
        ' Fetch the XML from its absolute URL and write it out as this page's response
        Dim xmlDoc As New System.Xml.XmlDocument
        xmlDoc.Load("http://www.fusioncharts.com/Gallery/Data/Col3D1.xml")
        Response.ContentType = "text/xml"
        Response.Write(xmlDoc.OuterXml)
    End Sub
    </script>
Regards,
Sudipto Choudhury FusionCharts Team