Reputation: 21621
The application I'm working on relies on many popups. Those popups themselves rely on query strings. If someone just types the URL into the browser address bar, the page will throw an error because the query string values are dynamically constructed.
function myFunction(id)
{
    window.open("mypopup.aspx?id=" + id);
}
Is there a way to prevent the page from displaying if the requester of the page is not JavaScript? If someone types something like:
https://mycompanyname.com/path/mypopup.aspx
It shouldn't let the user do so. Or, at least, check whether the requester is not JavaScript so I can display a message or redirect the user to a different page. Otherwise, without all those pieces of data needed to construct a request, the page will throw an exception.
Thanks for helping.
Upvotes: 3
Views: 156
Reputation: 14677
Popups are browser windows too, so it will be tricky to check whether the window requesting the page is a normal window or a popup.
You should restrict users from seeing what URL the popup is being opened on; you can hide the address bar so the user cannot copy or know what's in the URL.
window.open('/pageaddress.html','winname','directories=no,titlebar=no,toolbar=no,location=no,status=no,menubar=no,scrollbars=no,resizable=no,width=400,height=350');
Set up token-based validation. Make a request to the server (an Ajax request) to get a random token (with a one-time validation mechanism, and expire it). You can send the token in the query string and validate on the server that it's the same issued token. Identify whether the requested page has a valid token (popup); otherwise deny the request or show an error message. Think of how captcha works; you just need to do it programmatically.
Though it's also not the best solution, as token information can be sniffed through network traffic tracker tools like Fiddler, it will work to prevent manual requests.
Upvotes: 1
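An added example, not part of the answer above or of the original thread: a minimal sketch of the one-time, expiring token flow that answer describes, written as server-side JavaScript for Node. The function names, the in-memory store, the one-minute lifetime and the binding of each token to a session and `id` are assumptions for illustration; an ASP.NET page would apply the same checks before reading the query string.

```javascript
// Added example: one-time popup token, issued via Ajax and checked by the popup page.
const { randomBytes } = require('crypto');

const TOKEN_TTL_MS = 60 * 1000;   // assumed lifetime: one minute
const issuedTokens = new Map();   // token -> { sessionId, id, expiresAt }

// Called by the Ajax endpoint just before the client runs window.open().
function issuePopupToken(sessionId, id, now = Date.now()) {
  const token = randomBytes(32).toString('hex');   // 256 bits, unguessable
  issuedTokens.set(token, { sessionId, id: String(id), expiresAt: now + TOKEN_TTL_MS });
  return token;
}

// Called by the popup page before it touches any other query-string value.
function validatePopupRequest(sessionId, query, now = Date.now()) {
  const { id, token } = query || {};
  if (typeof id !== 'string' || id === '') return { ok: false, reason: 'missing-id' };
  if (typeof token !== 'string' || !/^[0-9a-f]{64}$/.test(token)) {
    return { ok: false, reason: 'missing-token' };
  }
  const entry = issuedTokens.get(token);
  if (!entry) return { ok: false, reason: 'unknown-token' };
  issuedTokens.delete(token);     // one-time: consumed even if a later check fails
  if (now > entry.expiresAt) return { ok: false, reason: 'expired' };
  if (entry.sessionId !== sessionId || entry.id !== id) {
    return { ok: false, reason: 'mismatch' };
  }
  return { ok: true };
}

// Drop tokens that were issued but never used, so the store cannot grow unbounded.
function purgeExpired(now = Date.now()) {
  let removed = 0;
  for (const [token, entry] of issuedTokens) {
    if (now > entry.expiresAt) { issuedTokens.delete(token); removed++; }
  }
  return removed;
}
```

The client would open the popup as `mypopup.aspx?id=...&token=...`; a URL typed by hand fails with `missing-id` or `missing-token` and can be redirected instead of throwing.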
Reputation: 3636
Validate the query string directly in myPopup.aspx; if something is missing, just redirect or display a message.
Use the Request.QueryString collection to validate in myPopup.aspx.
There is no easy way to validate if the request came from javascript as far as I know. You could try creating a token to validate that the sender is the one you expect, but if you only need to validate the parameters, no need to worry about who is sending the request.
Upvotes: 1
Reputation: 62260
The page cannot differentiate how it was requested if both requests come from the same browser.
However, you can include a value in the query string to differentiate them.
For example,
window.open("mypopup.aspx?request=javascript&id=" + id);
If a user intentionally types in https://mycompanyname.com/path/mypopup.aspx?request=javascript, so be it. I won't worry about it.
Upvotes: 1