author | yatru <44513142+yatru@users.noreply.github.com> | 2021-08-31 16:04:56 +0200 |
---|---|---|
committer | Samuel Mannehed <samuel@cendio.se> | 2021-09-01 14:49:37 +0200 |
commit | f796b05e42cfac7044cca9603e59f258605228f3 (patch) | |
tree | 62447642bfa95629ff9ee1a05c9136afe4dfcbbe | |
parent | 0a8ced2cfeadd4dc58cb573010f9993834694b38 (diff) | |
download | novnc-f796b05e42cfac7044cca9603e59f258605228f3.tar.gz |
Add support for URL fragment parameters
Passing parameters as part of the fragment could be considered
beneficial from a security or privacy standpoint when compared to query
string parameters. The URL fragment parameters are not sent to the
server.
-rw-r--r-- | app/webutil.js | 11 | ||||
-rw-r--r-- | vnc_lite.html | 11 |
2 files changed, 19 insertions, 3 deletions
diff --git a/app/webutil.js b/app/webutil.js
index a9fee32..ef23fcb 100644
--- a/app/webutil.js
+++ b/app/webutil.js
@@ -20,10 +20,19 @@ export function initLogging(level) {
 }
 // Read a query string variable
+// A URL with a query parameter can look like this (But will most probably get logged on the http server):
+// https://www.example.com?myqueryparam=myvalue
+//
+// For privacy (Using a hastag #, the parameters will not be sent to the server)
+// the url can be requested in the following way:
+// https://www.example.com#myqueryparam=myvalue&password=secreatvalue
+//
+// Even Mixing public and non public parameters will work:
+// https://www.example.com?nonsecretparam=example.com#password=secreatvalue
 export function getQueryVar(name, defVal) {
 "use strict";
 const re = new RegExp('.*[?&]' + name + '=([^&#]*)'),
- match = document.location.href.match(re);
+ match = ''.concat(document.location.href, " ", window.location.hash).match(re);
 if (typeof defVal === 'undefined') { defVal = null; }
 if (match) {
diff --git a/vnc_lite.html b/vnc_lite.html
index 36b062b..1f6e030 100644
--- a/vnc_lite.html
+++ b/vnc_lite.html
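Review bot: The first parameter after `#` is not found by the new lookup in `getQueryVar`, because the unchanged `const re` line still requires `?` or `&` directly before the name; with the comment's own example `...#password=secreatvalue` the match fails and the default is returned, and only a fragment parameter that follows an `&` is picked up. `location.href` already contains the fragment, so appending `window.location.hash` gives the pattern no new text to match. Widening the class instead, `const re = new RegExp('.*[?&#]' + name + '=([^&#]*)'),` with `match = document.location.href.match(re);` left as it was, would cover both the query and the fragment form. The same pattern and the same concat appear in `readQueryVariable` in vnc_lite.html. The body of `getQueryVar` continues past the end of the hunk.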
@@ -109,13 +109,20 @@
 // query string. If the variable isn't defined in the URL
 // it returns the default value instead.
 function readQueryVariable(name, defaultValue) {
- // A URL with a query parameter can look like this:
+ // A URL with a query parameter can look like this (But will most probably get logged on the http server):
 // https://www.example.com?myqueryparam=myvalue
 //
+ // For privacy (Using a hastag #, the parameters will not be sent to the server)
+ // the url can be requested in the following way:
+ // https://www.example.com#myqueryparam=myvalue&password=secreatvalue
+ //
+ // Even Mixing public and non public parameters will work:
+ // https://www.example.com?nonsecretparam=example.com#password=secreatvalue
+ //
 // Note that we use location.href instead of location.search
 // because Firefox < 53 has a bug w.r.t location.search
 const re = new RegExp('.*[?&]' + name + '=([^&#]*)'),
- match = document.location.href.match(re);
+ match = ''.concat(document.location.href, " ", window.location.hash).match(re);
 if (match) {
 // We have to decode the URL since want the cleartext value |
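Review bot: The new comment in `readQueryVariable` presents the fragment form as the private option without saying what it leaves exposed. A fragment is kept out of the HTTP request, but a password placed there still sits in the address bar, the browser history and any bookmark or shared link, and every script running on the page can read it. I would add a line after the mixed-parameter example such as `// Note: the fragment still ends up in browser history and is readable by scripts on the page`, and correct the spellings `hastag` and `secreatvalue` in the same comment. The function body ends outside the hunk.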