Comments (9)
The issue is that the AntiXssEncoder is incompatible with asp:Image when used with base64 image data. It's a general issue.
See https://stackoverflow.com/questions/67839146/data-uri-is-double-encoded-by-antixssencoder
I have added an answer to that SO question explaining one way to fix it.
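The double-encoding behind this failure, as an added example that is not from the issue thread or the GoogleAuthenticator project: url_encode_everything is an assumed approximation of an aggressive URL encoder (not AntiXssEncoder itself), and PNG_BYTES is a constructed placeholder, not a real image. The parser and the is_double_encoded_data_uri check are added here to show how the broken ImageUrl value can be recognised.

```python
import base64
import re
from urllib.parse import quote, unquote, unquote_to_bytes

# Constructed sample image: the 8-byte PNG signature plus placeholder bytes chosen so
# the base64 form contains '+', '/' and '=' (characters an aggressive URL encoder
# rewrites). It is not a real image and not a QR code.
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00\xfb\xef\xbf\x00"
DATA_URI = "data:image/png;base64," + base64.b64encode(PNG_BYTES).decode("ascii")

DATA_URI_RE = re.compile(
    r"^data:(?P<mime>[\w.+-]+/[\w.+-]+)(?P<params>(;[\w-]+=[^;,]*)*)"
    r"(?P<b64>;base64)?,(?P<payload>.*)$",
    re.S,
)

def parse_data_uri(uri):
    """Parse a data: URI into (mime_type, payload_bytes); raise ValueError if malformed."""
    m = DATA_URI_RE.match(uri)
    if not m:
        raise ValueError("not a well-formed data: URI")
    if m.group("b64"):
        return m.group("mime"), base64.b64decode(m.group("payload"), validate=True)
    return m.group("mime"), unquote_to_bytes(m.group("payload"))

def url_encode_everything(value):
    """Assumed approximation of an aggressive URL encoder: percent-encode every
    character outside the unreserved set. Not the real AntiXssEncoder."""
    return quote(value, safe="-._~")

def image_is_renderable(attr_value):
    """True if a browser would obtain PNG bytes from this src/ImageUrl value."""
    try:
        mime, data = parse_data_uri(attr_value)
    except ValueError:
        return False
    return mime == "image/png" and data.startswith(b"\x89PNG\r\n\x1a\n")

def is_double_encoded_data_uri(attr_value):
    """Failure signature from the thread: the value is unusable as written but
    becomes a valid data: URI after one round of percent-decoding."""
    return (not image_is_renderable(attr_value)) and image_is_renderable(unquote(attr_value))

if __name__ == "__main__":
    encoded = url_encode_everything(DATA_URI)
    print(encoded)  # data%3Aimage%2Fpng%3Bbase64%2C... : the 'data:' scheme is gone
    print(image_is_renderable(DATA_URI), image_is_renderable(encoded))  # True False
    print(is_double_encoded_data_uri(encoded))  # True
```

Run over the rendered markup, a check like is_double_encoded_data_uri pins the failure to the one encoded attribute value without removing the site-wide encoderType setting.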
@flytzen Well, my original post was certainly a bit off! But, once I ran into the issue, I backtracked. First, I created a new project in Visual Studio, and just roughed in some simplistic code. Then I downloaded the WebSample code from Github and tried that out.
Once I landed on the web.config AntiXssEncoder setting ... I tried that in my test project, my production project, and the WebSample project. Same results across the board. No QR image. Using DevTools in Chrome or Firefox is where I noticed the "bad http request" and that led me down that CORS path, but that was a mistake.
I am not entirely sure how the AntiXssEncoder setting gets involved with http requests. And does taking the web.config setting out "elevate" any risks? It's been in our web.config for so long, I just don't know what it's doing (or what would happen, in production, if we took it out).
It's now a curiosity though! It would be interesting if you are able to figure out anything related to the data: string generated for the URL code...
And, fwiw, your DLL made implementing TOTP so incredibly easy! So, I'd like to a) thank you for that and b) hope you are able to assist!
Thanks in advance.
FWIW, I pinpointed a web.config difference between the WebSample and my production .net website that was causing the QR code generation to be blocked:
<httpRuntime encoderType="System.Web.Security.AntiXss.AntiXssEncoder" ... />
Taking out the encoderType attribute enabled the image tag to be set by the generated QR code. (Or vice versa, to confirm, adding that to the test Default page in the WebSample site, shows how the image tag is no longer correctly set.)
That's a pretty big step of course. I haven't yet been able to figure out how to step around that in some other way.
I doubt this has anything to do with either CORS or that AntiXss value. I'd recommend wrapping some try/catch code around the calling code to see what error you are getting.
If you are developing on Windows but hosting on Linux then be aware of libgdiplus (see the readme). There are also some settings you can set that require a lot of memory. Again, wrapping your calling code and examining the exception will help you.
@flytzen As mentioned... I can exactly pinpoint it to the AntiXssEncoder setting in web.config. Using the WebSample website, add that line, the QR image will not generate. Take that line out of web.config and it does generate the QR image. No other changes. Pretty simple/straightforward A/B test.
This is repeatable on Windows 10, on my localhost (using both Visual Studio 2017 and 2021) and also on a Windows 2012 R2 server with IIS; no Linux involved.
I noticed in the Github code, the GenerateSetupCode method calls a private UrlEncode() method. Perhaps there is something slipping through there that the AntiXssEncoder does not like.
@mnoreen Sorry, my misunderstanding - did not realise you were using the sample site. I will have a look.
I remember looking this up at one point and it seemed like there was something with data:uris that Chrome didn't like in certain situations with CORS policies, but it sounds like that's not the root issue anyway. I would suspect that a data URI is treated as script in this instance. Definitely worth a look to see if we can work around it.
I wonder if you would end up needing a secondary "endpoint" that actually loads the image... That seems the most likely resolution (having not played with it, of course).
I look forward to seeing how this plays out.
@flytzen Thank you for finding that stackoverflow post. It worked easily enough! And now I don't have to worry about taking that out of the web.config (for now)...
@mnoreen Pleasure. Feel free to upvote my answer on the SO post ;)