Download processing script: is it possible?

  • Thread starter S P Arif Sahari Wibowo

S P Arif Sahari Wibowo

Hi!

I am thinking of having a client-side script do processing on file
downloading; basically the script will process a downloaded file from the
server before it is received by the user. For example, the webpage will have
a link to download file A, but the one stored on the server is not exactly
file A, but some transformation of it. If the user clicks the link, it
activates the script, which will actually load the file from the server,
detransform it into file A, and return file A to the user (with the
correct content-type, obviously). The transformation can be an encryption,
or the file broken into multiple segments.

Is this possible to do using client-side javascript?

The idea seems to be similar to some image rollover scripts, which load the
image from the server and then display it dynamically. Except that it seems
that Image objects don't have any properties that actually represent the
image data itself.

If it is possible, any hint where to begin?

Thanks!
 

S P Arif Sahari Wibowo

> The server. This is easily done in any number of server side languages.

I know it is easy, even trivial, in a server-side script. If it is that easy,
that's how I will do it. Unfortunately, the particular server has several
limitations that force me to seriously consider a client-side solution.

So the question still stands: is it possible to do it as a client side
script? Can a client side javascript actually access a file from a server?
Can a client side javascript hand generated binary content to the user?

> As an aside, even if you *could* do this in a client
> side script, it would be inherently insecure,

Obviously understandable, in that case the protection should not come from
the algorithm itself, but from a decryption key-phrase. The algorithm
would be useless without the correct key.

> If they are feeling lazy they may just watch their 'sniffer', which
> monitors and reports all traffic between client and server.

Well, this will break a server-side encryption as well, right?

> BTW. I guess you made your site when looking at
> something that supports .PNG transparency?

As PNG is an open standard, I consider a browser that doesn't support it as
obsolete. I did try it in IE, and I saw that the information still came
up, so it is still acceptable. Not so bad for an obsolete browser.

The bigger problem is the embedded document for the counter. I actually want
to use the object tag, but IE doesn't support it. So I was forced to use
iframe (so don't say I cannot make compromise), it still looks horrible in
IE, but at least it shows up. The current server actually allows me to use
SSI, so I'll put it in as soon as I have time.

> And that address you use, starting with 'www', is quite counterintuitive.
> I had to look closely, before I realized it was followed by '@' rather
> than '.'

Is it? Hmmm... I'll think about it, thanks. I have to avoid the comment
"webmaster" due to the amount of spam sent to that address (even though I
never use nor publicize that address).

> Your counter is broken as well.
> Opera reports 'could not retrieve data from server..'
> (words to that effect)

This is specific to Opera, right? Interesting. Does Opera support iframe?

Thanks!
 

Thomas 'PointedEars' Lahn

S said:
> So the question still stands: is it possible to do it as a client side
> script?

Yes, but not reliably.

> Can a client side javascript actually access a file from a server?

Of itself: Not directly. It can request a resource from a server via HTTP.
The difference is that the resource may not reflect the contents of a file
on the server's filesystem but something generated, possibly including
data from a file, usually a database, and the request may result in
certain server-side actions if it triggers a server-side application.

Using an appropriate host object: Yes.

> Can a client side javascript hand generated binary content to the user?

Unless there is an appropriate host object, it cannot. Such an object
would be probably provided by ActiveX and/or Java which would decrease
the reliability of the script (and AFAIK restrict usage to IE 4+ on 32
bit Windows). I have seen a Java downloader object accessed with ActiveX
in IE 5.5+ on Windows 98/2000.

> Obviously understandable, in that case the protection should not come from
> the algorithm itself, but from a decryption key-phrase. The algorithm
> would be useless without the correct key.

I am not sure if you have understood that any algorithm used in client-side
scripts must be served along with the data it is operating on.

> Well, this will break a server-side encryption as well, right?

Not quite as fast. HTTPS uses SSL/TLS which uses strong encryption
algorithms that can be considered quite secure these days, taking the
quite high effort/revenue ratio for cracking them into account.

> As PNG is an open standard, I consider a browser that doesn't support it as
> obsolete. I did try it in IE, and I saw that the information still came
> up, so it is still acceptable. Not so bad for an obsolete browser.
>
> The bigger problem is the embedded document for the counter. I actually want
> to use the object tag,

You mean the "object" (X)HTML _element_.

> but IE doesn't support it.

IE does support it, but not in a standards compliant way.

> [...]
> > And that address you use, starting with 'www', is quite counterintuitive.
> > I had to look closely, before I realized it was followed by '@' rather
> > than '.'
>
> Is it? Hmmm... I'll think about it, thanks. I have to avoid the comment
> "webmaster" due to the amount of spam sent to that address (even though I
> never use nor publicize that address).

You should use a formmailer (server-side SMTP script). It not only prevents
you from getting spam from usual spambots, it also is reliable while the
"mailto:" URI is not.

> This is specific to Opera, right? Interesting. Does Opera support iframe?

<http://www.opera.com/docs/specs/opera6/>
<http://www.opera.com/docs/specs/>


HTH

PointedEars, with appropriate random sig
 

S P Arif Sahari Wibowo

> Yes, but not reliably.

Can it be done using javascript (without depending on other client-side
scripting)?

> Of itself: Not directly. It can request a resource from a server via
> HTTP.

That's Ok. I didn't expect more. How to do that?

> Unless there is an appropriate host object, it cannot.

Is there any host object for binary files available from the browser
itself? If I have to use Java to create the host object, it is probably
better to just use Java for the whole thing, right?

> I am not sure if you have understood that any algorithm used in
> client-side scripts must be served along with the data it is operating
> on.

Well, yes, I understand completely. What I mean is although the script is
open, it cannot be used to decrypt the data without the correct key (provided
by the user).

> Not quite as fast. HTTPS uses SSL/TLS which uses strong encryption
> algorithms that can be considered quite secure these days, taking the
> quite high effort/revenue ratio for cracking them into account.

If the server has SSL... as I said, this server has many limitations.

Ok, other than obsolete browsers, some broken ones, too. :)

> You mean the "object" (X)HTML _element_.

Yes.

> IE does support it, but not in a standards compliant way.

So IE doesn't support the standards compliant ones. :)

> You should use a formmailer (server-side SMTP script). It not only
> prevents you from getting spam from usual spambots, it also is reliable
> while the "mailto:" URI is not.

Yes I should, when I get around to it. For now, I just use the image.

Well, it does support it. Don't understand the problem, then. Will get back
to it later when I have Opera to work with.

Thanks!
 

Thomas 'PointedEars' Lahn

S said:
> Can it be done using javascript (without depending on other client-side
> scripting)?

Depends. What do you mean with "other client-side scripting"?

> That's Ok. I didn't expect more. How to do that?

Read on the `location' property and XMLHttpRequest (Google is your friend.
[psf 6.1]) Note, though, that the latter interface requires one of the
more recent user agents; in IE, it also requires ActiveX support to be
present and enabled (which AFAIK is only possible in 32 bit Windows).

> Is there any host object for binary files available from the browser
> itself?

That depends on the browser, its version, security settings and the
operating system and platform it is running on.

> If I have to use Java to create the host object, it is probably
> better to just use Java for the whole thing, right?

Well, yo/nes ;-) Client-side Java is running in a sandbox even more
restricted than client-side J(ava)Script. If you assume that the
Java sandbox is not too much restricted due to low security settings,
it can be done.

> Well, yes, I understand completely. What I mean is although the script is
> open, it cannot be used to decrypt the data without the correct key (provided
> by the user).

Ahhh, but somehow you must determine if the key was correct.


PointedEars
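
Added example, not part of the original thread: the last exchange asks how a client-side script can tell whether the user's key was correct. With the Web Crypto API in current browsers (which postdates this thread), authenticated encryption answers that, because AES-GCM decryption fails on a wrong key or a modified file. The container layout, function names and the URL in the comments are assumptions of this example.

```javascript
const wc = globalThis.crypto ?? require("node:crypto").webcrypto; // Node < 19 fallback

// Container layout assumed by this example (constructed, not from the thread):
// 16-byte PBKDF2 salt | 12-byte AES-GCM nonce | ciphertext + 16-byte tag
const SALT_LEN = 16, IV_LEN = 12, TAG_LEN = 16, ITERATIONS = 600000;

async function deriveKey(passphrase, salt) {
  const material = await wc.subtle.importKey(
    "raw", new TextEncoder().encode(passphrase), "PBKDF2", false, ["deriveKey"]);
  return wc.subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations: ITERATIONS },
    material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Run once, offline, to produce the file that is uploaded to the server.
async function sealFile(plainBytes, passphrase) {
  const salt = wc.getRandomValues(new Uint8Array(SALT_LEN));
  const iv = wc.getRandomValues(new Uint8Array(IV_LEN));
  const key = await deriveKey(passphrase, salt);
  const ct = new Uint8Array(
    await wc.subtle.encrypt({ name: "AES-GCM", iv }, key, plainBytes));
  const out = new Uint8Array(SALT_LEN + IV_LEN + ct.length);
  out.set(salt, 0);
  out.set(iv, SALT_LEN);
  out.set(ct, SALT_LEN + IV_LEN);
  return out;
}

// Run in the page on the fetched bytes. Returns the plaintext, or null when
// the passphrase is wrong or the container was altered: the GCM tag check
// fails in both cases, so no separate "is the key right?" value is stored.
async function openFile(container, passphrase) {
  if (container.length < SALT_LEN + IV_LEN + TAG_LEN) return null;
  const salt = container.slice(0, SALT_LEN);
  const iv = container.slice(SALT_LEN, SALT_LEN + IV_LEN);
  const key = await deriveKey(passphrase, salt);
  try {
    const pt = await wc.subtle.decrypt(
      { name: "AES-GCM", iv }, key, container.slice(SALT_LEN + IV_LEN));
    return new Uint8Array(pt);
  } catch {
    return null;
  }
}

// Browser usage (URL and the <a download> element `link` are hypothetical):
//   const buf = new Uint8Array(await (await fetch("/a.enc")).arrayBuffer());
//   const plain = await openFile(buf, passphrase);
//   if (plain) link.href = URL.createObjectURL(new Blob([plain]));
```

Served over plain HTTP, the decrypting script itself can be altered in transit, so the passphrase is only as safe as the delivery of the page that asks for it.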
 
