Add support for URL fragment parameters

Passing parameters as part of the fragment could be considered benifical from a security or privacy standpoint when compared to query string parameters. The URL fragment parameters are not sent to the server.
author: yatru <44513142+yatru@users.noreply.github.com> 2021-08-31 16:04:56 +0200
committer: Samuel Mannehed <samuel@cendio.se> 2021-09-01 14:49:37 +0200
commit: f796b05e42cfac7044cca9603e59f258605228f3 (patch)
tree: 62447642bfa95629ff9ee1a05c9136afe4dfcbbe
parent: 0a8ced2cfeadd4dc58cb573010f9993834694b38 (diff)
download: novnc-f796b05e42cfac7044cca9603e59f258605228f3.tar.gz
2 files changed, 19 insertions, 3 deletions
diff --git a/app/webutil.js b/app/webutil.js
index a9fee32..ef23fcb 100644
--- a/app/webutil.js
+++ b/app/webutil.js
@@ -20,10 +20,19 @@ export function initLogging(level) {
 }
 
 // Read a query string variable
+// A URL with a query parameter can look like this (But will most probably get logged on the http server):
+// https://www.example.com?myqueryparam=myvalue
+//
+// For privacy (Using a hastag #, the parameters will not be sent to the server)
+// the url can be requested in the following way:
+// https://www.example.com#myqueryparam=myvalue&password=secreatvalue
+//
+// Even Mixing public and non public parameters will work:
+// https://www.example.com?nonsecretparam=example.com#password=secreatvalue
 export function getQueryVar(name, defVal) {
     "use strict";
     const re = new RegExp('.*[?&]' + name + '=([^&#]*)'),
-        match = document.location.href.match(re);
+        match = ''.concat(document.location.href, " ", window.location.hash).match(re);
     if (typeof defVal === 'undefined') { defVal = null; }
 
     if (match) {
diff --git a/vnc_lite.html b/vnc_lite.html
index 36b062b..1f6e030 100644
--- a/vnc_lite.html
+++ b/vnc_lite.html
@@ -109,13 +109,20 @@
         // query string. If the variable isn't defined in the URL
         // it returns the default value instead.
         function readQueryVariable(name, defaultValue) {
-            // A URL with a query parameter can look like this:
+            // A URL with a query parameter can look like this (But will most probably get logged on the http server):
             // https://www.example.com?myqueryparam=myvalue
             //
+            // For privacy (Using a hastag #, the parameters will not be sent to the server)
+            // the url can be requested in the following way:
+            // https://www.example.com#myqueryparam=myvalue&password=secreatvalue
+            //
+            // Even Mixing public and non public parameters will work:
+            // https://www.example.com?nonsecretparam=example.com#password=secreatvalue
+            //
             // Note that we use location.href instead of location.search
             // because Firefox < 53 has a bug w.r.t location.search
             const re = new RegExp('.*[?&]' + name + '=([^&#]*)'),
-                  match = document.location.href.match(re);
+                  match = ''.concat(document.location.href, " ", window.location.hash).match(re);
 
             if (match) {
                 // We have to decode the URL since want the cleartext value
author	yatru <44513142+yatru@users.noreply.github.com>	2021-08-31 16:04:56 +0200
committer	Samuel Mannehed <samuel@cendio.se>	2021-09-01 14:49:37 +0200
commit	f796b05e42cfac7044cca9603e59f258605228f3 (patch)
tree	62447642bfa95629ff9ee1a05c9136afe4dfcbbe
parent	0a8ced2cfeadd4dc58cb573010f9993834694b38 (diff)
download	novnc-f796b05e42cfac7044cca9603e59f258605228f3.tar.gz