
I have a CMS where I am using Laravel as the web API and AngularJS for the requests. I have an iframe in which I call the services with a direct link and set it using the trusted src function.

The main problem is that I cannot use a normal HTTP POST request and hide the parameters, because an HTTP request will return data, not a file, and the report API returns (in the headers) an HTML file, PDF, etc. So when I get the result in the success callback of my HTTP request, it won't download the PDF file; it will show special characters.

In the iframe I am calling the API like this: `"localhost/api/getreportService/" + $scope.brandid + "&" + $scope.customerid`

But that cannot be secure. Is there any way to hide the request here from users?

Alex K
Elio Chamy
  • Answer is NO, use HTTPS. – Kyslik Nov 29 '16 at 13:51
  • @Kyslik OK, wait, if I used HTTPS requests, what would be the result for my problem? – Elio Chamy Nov 29 '16 at 13:54
  • It pretty much may be one of many solutions, but I would not advise sending data over GET. http://stackoverflow.com/questions/323200/is-an-https-query-string-secure – Kyslik Nov 29 '16 at 13:57
  • Oh, I did not read the question well. The solution is **NEVER TRUST THE CLIENT (user)**: check and triple-check user input, and use HTTPS. Define your word "secure". Secure as in an attacker can read data (by sniffing), or secure as in a user of your application can get data that does not belong to him, or any other "secure" you have in mind. – Kyslik Nov 29 '16 at 14:04
  • @Kyslik Sure, but I am asking: if I used HTTPS requests, can you tell me the advantage in my case? – Elio Chamy Nov 29 '16 at 14:10
  • I don't know your case; hire an expert, I am just a passer-by. I don't even know what you mean by secure. Define secure. – Kyslik Nov 29 '16 at 14:11
  • I don't understand the point: "when I get the result in the success callback of my HTTP request, it won't download the PDF file, it will show special chars". The response header "Content-Disposition" controls how the browser should handle the response. If you want the browser to download the file, set that header value to `Content-Disposition: attachment; filename="fname.pdf"`. – ntahoang Nov 29 '16 at 14:13
  • @Kyslik OK, now I am able to get the file, but the iframe shows "Access forbidden". I stopped the GET request and called my web API with a token, and everything is fine. Then I put the result in the iframe src (`trustAsResourceUrl`), but it shows "Access forbidden". – Elio Chamy Nov 30 '16 at 07:55

1 Answer

OK, I found a solution: I called the API via an HTTP POST request, then used `$sce.trustAsHtml` on the response with `ng-bind-html` in my template, and the result is good now; the report is showing in the div.

Now everything is safe: the user needs a token to access the report, and that's impossible without a login.

Elio Chamy
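An added example (not code from the question or the answer) tying the comments together: moving the ids from the iframe URL into a POST body and requiring a token does not by itself protect the report; the server must check that the requested customer belongs to the authenticated caller, and the `Content-Disposition` header ntahoang mentions is what makes the browser treat the bytes as a PDF. The route, the `Customer` model with its `user_id` column, and `buildPdf()` are assumptions.

```php
<?php
// Added example, not the question's or answer's own code. Laravel 5.x-era syntax.
// Route (assumed to live in routes/api.php):
//   Route::post('/getreportService', 'ReportController@show')->middleware('auth:api');
// POST keeps the brand/customer ids out of the iframe URL, but the lookup in show()
// is what actually stops one user from fetching another customer's report.
namespace App\Http\Controllers;

use App\Customer;              // assumed Eloquent model with a user_id column
use Illuminate\Http\Request;

class ReportController extends Controller
{
    public function show(Request $request)
    {
        // Never trust the client: validate the ids even though they arrive in a POST body.
        $this->validate($request, [
            'brandid'    => 'required|integer',
            'customerid' => 'required|integer',
        ]);

        // Look the customer up scoped to the token's user. A customer id that belongs
        // to someone else does not exist from this caller's point of view, so the
        // response is a plain 404 and does not reveal that the id is valid.
        $customer = Customer::where('id', $request->input('customerid'))
            ->where('user_id', $request->user()->id)
            ->firstOrFail();

        $pdf = $this->buildPdf($customer, (int) $request->input('brandid'));

        // Content-Disposition makes the browser save the bytes as a file instead of
        // rendering them as text (the "special chars" from the question).
        return response($pdf, 200, [
            'Content-Type'        => 'application/pdf',
            'Content-Disposition' => 'attachment; filename="report.pdf"',
            'Cache-Control'       => 'no-store',   // per-user data: keep it out of caches
        ]);
    }

    // Assumed stand-in for the report generation the question's API already does.
    private function buildPdf(Customer $customer, int $brandId): string
    {
        return "%PDF-1.4\n% report for customer {$customer->id}, brand {$brandId}\n";
    }
}
```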