PRIV P31h URL Masking

by
Nikolay Dimitrov
My articles
Follow on:

Page no: P31h

Table of contents

1 Business Requirements
2 Design
3 Our first decision
4 See also
5 References
6 Decision

Business Requirements

We would like use a sub-domain or similar for displaying the URL of our different central banks. The content should be content from snbchf.com
Switzerland has 23 cantons, for each of them there might be 4 languages for displaying an URL, this gives a total of 92 URLs.

Examples inside the domain “centralbanks.ch”:
schwyzcentralbank.centralbanks.ch
genevacentralbank.centralbanks.ch (English)
genfzentralbank.centralbanks.ch (German)

Requirements
1) Show URL for different Swiss central banks.

2) schwyzcentralbank.centralbanks.ch and the others shows content of snbchf.com and keep their base URL

3) Make certain content specific/independent from snbchf.com, central bank-specific

Methods:

iFrame, Apache rewrite, web page retrieval

Design

from Willmaster

see also Wikipedia

URL Masking

There are numerous ways to mask a URL — meaning the URL in the browser’s address bar is not the actual URL to the content.

(See Block Content Theft via URL Masking for ways to block unauthorized publishing of your content.)

Causing the browser’s address bar to show a URL different than the actual URL of the web page being viewed is one definition of URL masking. A second definition is to cause a link URL to show in the browser’s status bar different than the URL of the web page being linked to.

This article addresses the first definition of URL masking.

If you’re looking for functionality like the second definition, here are links to two software titles (comparison chart):

Go Short URL

Short URL V2

Three URL masking techniques are fairly easy to implement:

With an iframe tag —An iframe large enough to use up the entire browser window contains the content at a different URL.

With an Apache rewrite directive —The URL affected by the Apache rewrite is in the browser’s address bar while the content in the browser window is from a different URL.

With web page retrieval software —A web page is retrieved from a different URL and inserted at the web page of the current URL.

Three URL masking techniques are fairly easy to implement.

Note: Another way to frame pages is with the frameset tag. The frameset tag is deprecated, not supported in HTML5, so I won’t describe how to do URL masking with it. The iframe tag, however, I think will be around for a long time; there would be a hue and cry if the standards group tried to deprecate that one.

We blablabla

Will continues

URL Masking with an Iframe Tag

When a web page with an iframe is loaded into the browser and then content loaded into the iframe, the browser’s address bar doesn’t change even though the content in the iframe is from a different URL. The frame’s web page originally loaded into the browser and the web page retrieved from elsewhere may be on different domains.

The iframe dimensions can be large enough to use up the entire browser window. If the dimensions of the web page being flowed into the iframe are known, the iframe tag can be adjusted to accomodate the page. Otherwise:

If the content displayed in the iframe is smaller than the iframe dimensions, the iframe will have a blank area.

If the content displayed in the iframe is larger than the iframe dimensions, the iframe will either have scrollbars or part of the page will be hidden.

Here is an example iframe tag.
<iframe 
  src="http://example.com/page.html" 
  frameborder="0" 
  width="800" 
  height="2500" 
  scrolling="no">
</iframe>
Change the src attribute’s URL to the URL of the web page for inserting into the iframe tag. See the W3 Schools’ “HTML iframe tag” page for information about how to change the iframe dimensions, how to allow or prevent scroll bars, and how to change other attributes.

When the URL of web page in the iframe is at the same domain as the URL in the browser’s address bar, JavaScript can be used to automatically adjust the iframe tag size according to the size of the web page within it. You know it’s the same domain when the iframe tag’s src attribute’s URL is a relative URL.

A relative URL is an absolute URL minus the http and domain name parts. Examples:

Absolute URL Relative URL

http://www.example.com/index.php /index.php

http://www.example.com/ /

To set up the automatic iframe dimension adjustment, do these two steps:
Put this JavaScript somewhere on the page with the iframe tag.
<script type="text/javascript">
function AdjustIframeSize(dimension)
{
   document.getElementById("my-iframe-tag").style.width = parseInt(dimension[0]) + "px";
   document.getElementById("my-iframe-tag").style.height = parseInt(dimension[1]) + "px";
}
</script>
Put this JavaScript at the very bottom of the page that will be published within the iframe tag, below the closing </html> tag.
<script type="text/javascript">
var size = new Array();
size[0] = Math.max( (document.width?document.width:0), (document.body.scrollWidth?document.body.scrollWidth:0), (document.documentElement.scrollWidth?document.documentElement.scrollWidth:0), (document.body.offsetWidth?document.body.offsetWidth:0), (document.documentElement.offsetWidth?document.documentElement.offsetWidth:0), (document.body.clientWidth?document.body.clientWidth:0), (document.documentElement.clientWidth?document.documentElement.clientWidth:0) );
size[1] = Math.max( (document.height?document.height:0), (document.body.scrollHeight?document.body.scrollHeight:0), (document.documentElement.scrollHeight?document.documentElement.scrollHeight:0), (document.body.offsetHeight?document.body.offsetHeight:0), (document.documentElement.offsetHeight?document.documentElement.offsetHeight:0), (document.body.clientHeight?document.body.clientHeight:0), (document.documentElement.clientHeight?document.documentElement.clientHeight:0) );
parent.AdjustIframeSize(size);
</script>
When the JavaScript is in place, the web page loading into the iframe calls the parent page with its dimensions. The parent page (the page containing the iframe tag) then adjusts the iframe tag size to accomodate the web page loaded into it.

Browser security won’t allow this to work when the page with the iframe tag is on a different domain than the content within the iframe tag.

Absolute URL	Relative URL
http://www.example.com/index.php	/index.php
http://www.example.com/	/

We blablabla

URL Masking with Apache Rewrite

Rewriting URLs in a certain way with the .htaccess file can display web pages from a URL different than the URL in the browser’s address bar. However, both the URL in the address bar and the web page being viewed must be located on the same domain as the .htaccess file.

Test with an .htaccess file in an otherwise unused subdirectory before going live. An incorrect .htaccess file can cause the server to respond with an error message when browsers request a web page. Test in a separate subdirectory to keep any errors in that subdirectory. See the URL Rewriting Guide for more information about rewriting with the .htaccess file.

The .htaccess file requires the relative URL of the page it’s supposed to match and the URL of the page to display instead.

This .htaccess file will display /otherpage.html whenever the browser asks for /pagename.php
RewriteEngine on
RewriteCond %{REQUEST_URI} /pagename.php$
RewriteRule .* /otherpage.html [L]
When the relative URL /pagename.php is matched, then the content found at /otherpage.html is published.

Replace /pagename.php with the relative URL that the .htaccess directive is supposed to match. And replace /otherpage.html with the URL of the page to publish instead.

Note: If /otherpage.html is replaced with an http://… URL, then the URL in the browser’s address bar will change accordingly. To keep the URL in the browser’s address bar from changing, specify a relative URL.

URL Masking with Page Retrieval Software

Software can retrieve a web page and display it in a browser.

Here’s example PHP code to accomplish that.
<?php echo file_get_contents("http://example.com/"); ?>
Replace http://example.com/ in the above code with the page you want to pull in, then save it as a .php file. Upload the file to your server and enter the file’s URL into your browser.

A caveat: When the web page being pulled in contains relative links, the links may break. Similarly, external files to pull into the page that have relative URLs — such as JavaScript, images, and style sheets — may be unsuccessful.

To circumvent that, the web page being pulled in can be coded with absolute URLs for links and external file locations.

There are ways to programmatically change the page being pulled in to resolve relative URLs of links and external files. Modifying pages being pulled in is outside the scope of this article.

URL Masking

Those are the easiest ways to display the content of one web page with the URL of another in the browser’s address bar.

Coming in the near future is an article about how to protect your web pages from unauthorized URL masking.

Will Bontrager

we blablabla

Our first decision

we blablabla

We must consider the following risk with Website spoofing

Website spoofing

From Wikipedia, the free encyclopedia

Website spoofing is the act of creating a website, as a hoax, with the intention of misleading readers that the website has been created by a different person or organization. Normally, the spoof website will adopt the design of the target website and sometimes has a similar URL.¹ A more sophisticated attack results in an attacker creating a “shadow copy” of the World Wide Web by having all of the victim’s traffic go through the attacker’s machine, causing the attacker to obtain the victim’s sensitive information.²

Another technique is to use a ‘cloaked’ URL.³ By using domain forwarding, or inserting control characters, the URL can appear to be genuine while concealing the address of the actual website.

The objective may be fraudulent, often associated with phishing or e-mail spoofing, or to criticize or make fun of the person or body whose website the spoofed site purports to represent. Because the purpose is often malicious, “spoof” (an expression whose base meaning is innocent parody) is a poor term for this activity so that more accountable organisations such as government departments and banks tend to avoid it, preferring more explicit descriptors such as “fraudulent” or “phishing”.⁴

As an example of the use of this technique to parody an organisation, in November 2006 two spoof websites, www.msfirefox.com and www.msfirefox.net, were produced claiming that Microsoft had bought Firefox and released Microsoft Firefox 2007.⁵

See also

Email spoofing

Hoax

Computer Virus

Spoofing attack

Referer spoofing

References

“Spoof website will stay online”, BBC News, 29 July 2004

http://www.cs.princeton.edu/sip/pub/spoofing.pdf

Anti-Phishing Technology”, Aaron Emigh, Radix Labs, 19 January 2005

See e.g. 1 or 2

“Fake Sites Insist Microsoft Bought Firefox”, Gregg Keizer, InformationWeek, 9 November 2006

Decision

we decide blablabla

Tags: Apache Rewrite, Page Retrieval Software, URL Masking, Website spoofing

See more for P3x Plugins for URL

PRIV P31h URL Masking

Business Requirements

Design

URL Masking

URL Masking with an Iframe Tag

URL Masking with Apache Rewrite

URL Masking with Page Retrieval Software

URL Masking

Our first decision

Website spoofing

See also

References

Decision

Pages

Copyright