sound – no audio input from internal microphone in web browser

The internal microphone of my laptop does not work correctly in web browsers, Skype and some other apps, but it works well in other apps like Audacity.
By “not working correctly” I mean there is sound, but it is too quiet and of very low quality.

However, when I plug headphones into the audio jack, it works properly.

What is the difference between the audio input of web browsers and Audacity? Do they use different libs? And can I fix it?

ubuntu – cookie is lost on refresh using nginx as proxy_reverse. I like the cookie and would like to keep it set in the browser

I’m new to Nginx and Ubuntu – I have been with Windows Server for over a decade and this is my first try at using Ubuntu and Nginx, so feel free to correct any wrong assumption I write here 🙂

My setup: I have an Express.js app (Node app) running as an upstream server. I have a front app – built in Svelte – that accesses the Express.js/Node app through an Nginx reverse proxy. Both ends are using Let's Encrypt, and CORS is set as you will see shortly.

When I run the front and back apps on localhost, I’m able to log in, set two cookies in the browser, and all endpoints perform as expected.

When I deployed the apps I ran into a weird issue. The cookies are lost once I refresh the login page. I added a few flags to my server block, but no go.

I’m sure there is a way – I usually find a way – but this issue is really beyond my limited knowledge of Nginx and reverse-proxy setup. I’m sure it is easy for some of you, but not for me. I hope one of you with enough knowledge can point me in the right direction or explain how to fix it.

Here is the issue:
My front end is available at travelmoodonline.com. Click on login. Username: mongo@mongo.com and password is 123.
Inspect the Network tab in dev tools. Headers and response are all set correctly. Check the Cookies tab under Network once you log in and you will see two cookies, one accesstoken and one refreshtoken.

Refresh the page. Poof. Tokens are gone. I no longer know anything about the user. Stateless.

On localhost, I refresh and the cookies are still there once I set them. With Nginx as a proxy, I’m not sure what happens.

So my question is: how do I fix it so cookies are set and sent with every request? Why do the cookies disappear? Are they still there in memory somewhere? Is the path wrong? Or are the cookies deleted once I leave the page, so that if I redirect the user after login to another page, the cookies are not showing in dev tools?

My code:
Node/Express.js server route code to log in a user:

app.post('/login', (req, res) => {
   // get form data and create cookies
   // accessToken, refreshtoken and doc come from the login logic not shown in the post
   res.cookie("accesstoken", accessToken, { sameSite: 'none', secure: true });
   res.cookie("refreshtoken", refreshtoken, { sameSite: 'none', secure: true }).json({
     "loginStatus": true, "loginMessage": "vavoom : " + doc._id });
});

Frontend – Svelte – fetch route with a form to collect username and password and submit it to the server:

    function loginform(event) {
      username = event.target.username.value;
      passwordvalue = event.target.password.value;

      console.log("event username: ", username);
      console.log("event password : ", passwordvalue);

      async function asyncit() {
        let response = await fetch('https://www.foodmoodonline.com/login', {
          method: 'POST',
          origin: 'https://www.travelmoodonline.com', // ignored: Origin is set by the browser, not a fetch option
          credentials: 'include',                       // needed for cookies on a cross-site request
          headers: {
            'Accept': 'application/json',
            'Content-type': 'application/json'
          },
          body: JSON.stringify({
            // username and password
            username, password: passwordvalue
          })
        }); // fetch
        return response.json();
      }

      asyncit();
    }

Now my Nginx server blocks:

# Default server configuration
#
server {
    
    listen 80 default_server;
    listen [::]:80 default_server;

    root /var/www/defaultdir;
    index index.html index.htm index.nginx-debian.html;

    server_name _; 
    location / {
        try_files $uri $uri/ /index.html;
    }

}



#  port 80 with www

server {
    listen 80;
    listen [::]:80;


    server_name www.travelmoodonline.com;

    root /var/www/travelmoodonline.com;

    index index.html;

    location / {
        try_files $uri $uri/ /index.html;
    }

    return 308 https://www.travelmoodonline.com$request_uri; 

}

#  port 80 without www
server {
    listen 80;
    listen [::]:80;

    server_name travelmoodonline.com;

    root /var/www/travelmoodonline.com;
 
    index index.html;

    location / {
        try_files $uri $uri/ /index.html;
    }

    return 308 https://www.travelmoodonline.com$request_uri;
}



# HTTPS server (with www) port 443 with www

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    server_name www.travelmoodonline.com;    
    root /var/www/travelmoodonline.com;
    index index.html;    
    
    
    
    ssl_certificate /etc/letsencrypt/live/travelmoodonline.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/travelmoodonline.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    location / {
        try_files $uri $uri/ /index.html;       
    }
    

}


# HTTPS server (without www) 
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    server_name travelmoodonline.com;
    root /var/www/travelmoodonline.com;
    index index.html;
   

    location / {
        try_files $uri $uri/ /index.html;       
    }
    
    ssl_certificate /etc/letsencrypt/live/travelmoodonline.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/travelmoodonline.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    
}






server {

    server_name foodmoodonline.com www.foodmoodonline.com;

#   localhost settings
    location / {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;

    
    #    proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
    #   proxy_pass_header  localhost;

    #    proxy_pass_header Set-Cookie;
    #    proxy_cookie_domain localhost $host;
    #   proxy_cookie_path /; 

    }

    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/foodmoodonline.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/foodmoodonline.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = www.foodmoodonline.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = foodmoodonline.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    listen [::]:80;
    server_name foodmoodonline.com www.foodmoodonline.com;
    return 404; # managed by Certbot

}

I tried 301, 302, 307 and 308 after reading that some of them cover GET and not POST, but that didn’t change the behavior I described above. Why doesn’t the cookie get set/stay in the browser once it shows in the dev tools? Should I use rewrite instead of redirect? I’m lost.

I'm not sure whether it is Nginx reverse-proxy settings I’m not aware of, or server block settings, or the SSL redirect causing the browser to lose the cookies, but once you set the cookie, the browser is supposed to send it with each request. What is going on here?

Thank you for reading.
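The question above sets cookies from one host (www.foodmoodonline.com) in response to a fetch made by a page on another host (www.travelmoodonline.com). The following is an added example, not code from the question or from Nginx or Express: a small model of how a browser stores a Set-Cookie header and then decides whether to attach the cookie to a later request. It reproduces the rules that matter here: a cookie is keyed by the host that set it (or its Domain attribute), SameSite=None is only accepted together with Secure, and a cookie is sent only to requests whose host, path and scheme match. The hostnames come from the question; the Set-Cookie strings, the approximation of eTLD+1 as "last two labels", and the simplification that every cross-site request is a fetch (so the Lax exception for top-level navigations is not modelled) are assumptions made for the example.

```javascript
// Added example (not code from the question): model of browser cookie storage
// and the "should this cookie be attached?" decision. Hostnames are from the
// question; Set-Cookie strings are constructed. Run with: node cookie_scope.js

// Assumption: the last two labels approximate the registrable domain (eTLD+1);
// real browsers consult the Public Suffix List.
function registrableDomain(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq <= 0) throw new Error("Set-Cookie needs a name=value pair");
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(), attrs };
}

// Storage rules: keyed by the responding host (or Domain attribute, which must
// cover that host), SameSite=None requires Secure, Path defaults to "/".
function storeCookie(setterHost, header) {
  const c = parseSetCookie(header);
  const sameSite = String(c.attrs.samesite || "lax").toLowerCase();
  if (sameSite === "none" && !c.attrs.secure) {
    return { stored: false, reason: "SameSite=None without Secure is rejected" };
  }
  const host = setterHost.toLowerCase();
  let domain = host;
  let hostOnly = true;
  if (c.attrs.domain) {
    domain = String(c.attrs.domain).replace(/^\./, "").toLowerCase();
    if (host !== domain && !host.endsWith("." + domain)) {
      return { stored: false, reason: `Domain=${domain} does not cover ${host}` };
    }
    hostOnly = false;
  }
  return {
    stored: true,
    cookie: {
      name: c.name, value: c.value, domain, hostOnly,
      path: c.attrs.path ? String(c.attrs.path) : "/",
      secure: Boolean(c.attrs.secure), httpOnly: Boolean(c.attrs.httponly), sameSite,
    },
  };
}

// Would the browser attach `cookie` to a request for requestUrl issued by a
// page served from pageHost? Assumption: all cross-site requests are fetches.
function wouldBeSent(cookie, requestUrl, pageHost) {
  const url = new URL(requestUrl);
  const host = url.hostname.toLowerCase();
  const domainMatch = cookie.hostOnly
    ? host === cookie.domain
    : host === cookie.domain || host.endsWith("." + cookie.domain);
  if (!domainMatch) return { sent: false, reason: `${host} is not ${cookie.domain}` };
  const prefix = cookie.path.endsWith("/") ? cookie.path : cookie.path + "/";
  if (url.pathname !== cookie.path && !url.pathname.startsWith(prefix)) {
    return { sent: false, reason: `path ${url.pathname} is outside ${cookie.path}` };
  }
  if (cookie.secure && url.protocol !== "https:") {
    return { sent: false, reason: "Secure cookie, non-https request" };
  }
  const crossSite = registrableDomain(host) !== registrableDomain(pageHost);
  if (crossSite && cookie.sameSite !== "none") {
    return { sent: false, reason: `cross-site request, SameSite=${cookie.sameSite}` };
  }
  return { sent: true, reason: "ok" };
}

// The flow from the question: a page on www.travelmoodonline.com logs in
// against www.foodmoodonline.com, then the user refreshes the page.
function demo() {
  const api = "www.foodmoodonline.com";
  const page = "www.travelmoodonline.com";
  const login = storeCookie(api, "accesstoken=abc123; Path=/; Secure; SameSite=None");
  return {
    loginCookieStored: login.stored,
    storedUnder: login.cookie.domain,
    sentToApiFetch: wouldBeSent(login.cookie, "https://www.foodmoodonline.com/me", page).sent,
    sentOnPageRefresh: wouldBeSent(login.cookie, "https://www.travelmoodonline.com/", page).sent,
    withoutSecure: storeCookie(api, "accesstoken=abc123; Path=/; SameSite=None").stored,
    laxCrossSite: wouldBeSent(storeCookie(api, "t=1; Path=/; Secure").cookie,
                              "https://www.foodmoodonline.com/me", page).sent,
  };
}

console.log(demo());
```

The output shows the cookie stored under www.foodmoodonline.com, attached to a later cross-site fetch to that host (because it carries SameSite=None and Secure), not attached to the document request for www.travelmoodonline.com, rejected outright when Secure is missing, and withheld from the cross-site fetch when SameSite is left at its default. A defender reviewing such a setup would also add HttpOnly to token cookies so page scripts cannot read them.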

internal storage – My phone is not saving things (screenshots, download from browser, etc)

So one day my phone shut down, and when it restarted I started to get some issues. Screenshots were not working, saying that there was no space left. Gallery had no images/videos at all. File manager was not opening properly. I started to dig and was able to get a stack trace:

## Issue explanation (write below this line)


## Exception
* _User Action:_ UI Error
* _Request:_ Application crash
* _Version:_ 3.5.9
* _OS:_ Linux Android 10 - 29
* _Device:_ OnePlus5
* _Model:_ ONEPLUS A5000
* _Product:_ OnePlus5

Crash log


java.lang.RuntimeException: An error occurred while executing doInBackground()
    at android.os.AsyncTask$4.done(AsyncTask.java:399)
    at java.util.concurrent.FutureTask.finishCompletion(FutureTask.java:383)
    at java.util.concurrent.FutureTask.setException(FutureTask.java:252)
    at java.util.concurrent.FutureTask.run(FutureTask.java:271)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
    at java.lang.Thread.run(Thread.java:919)
Caused by: android.database.sqlite.SQLiteException: unable to open database file (code 14 SQLITE_CANTOPEN)
    at android.database.DatabaseUtils.readExceptionFromParcel(DatabaseUtils.java:184)
    at android.database.DatabaseUtils.readExceptionFromParcel(DatabaseUtils.java:140)
    at android.content.ContentProviderProxy.query(ContentProviderNative.java:437)
    at android.content.ContentResolver.query(ContentResolver.java:962)
    at android.content.ContentResolver.query(ContentResolver.java:890)
    at android.content.ContentResolver.query(ContentResolver.java:846)
    at com.amaze.filemanager.asynchronous.asynctasks.LoadFilesListTask.listMediaCommon(LoadFilesListTask.java:336)
    at com.amaze.filemanager.asynchronous.asynctasks.LoadFilesListTask.listVideos(LoadFilesListTask.java:324)
    at com.amaze.filemanager.asynchronous.asynctasks.LoadFilesListTask.doInBackground(LoadFilesListTask.java:165)
    at com.amaze.filemanager.asynchronous.asynctasks.LoadFilesListTask.doInBackground(LoadFilesListTask.java:68)
    at android.os.AsyncTask$3.call(AsyncTask.java:378)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    ... 3 more

Could it be corruption of the file DB? I have one app called “Files” which I can check, and I see all files there. I can take pictures/videos, record voice, etc., so that doesn’t seem to be the problem.

I think the issue is related to the indexing of those things. I’ve tried re-scanning with several apps, but none worked (media re-scan, rescan SD, etc.).

I don’t want to factory reset at the moment, so I’m looking for an alternative solution (maybe a path to where the DB is, so I can delete files, or an app that can help me re-index things (if that is the case), or system access to assess the issue).

web browser – How do applications which are integrated using a JavaScript client-side SDK secure their data or disallow spam?

Take the example of Google Maps. Google Maps provides a JavaScript client SDK, which means any web app running JavaScript can access the Google Maps SDK. You need to use an API_KEY so that Google can rate-limit your requests and apply a quota to the requests coming from your API key. If you exceed the quota you would be charged more.

The API_KEY has to be specified in the client-side JavaScript, so it would be visible to anyone who uses your application, and then anyone can abuse your quota. To get around this, Google suggests adding referrer-based security while setting up your SDK in the Google app console. You can specify a list of origins that Google will accept requests from, based on the Referer header. So if someone gets your API key and tries to use it from another web application running on another domain, either Google will not respond to those requests, or the request won’t be added to your quota. This acts as a basic level of security, BUT the Referer header can be easily spoofed.

Now Google Maps does not have any user-specific data, so maybe API_KEY abuse is not that big an issue.

Consider an application like Sentry, which allows a JavaScript client to send events to a Sentry server. Sentry can also impose similar restrictions based on the Referer or Origin header, and only allow events to your Sentry server from certain domains. But wouldn’t it be easy for someone to directly send events to your Sentry and spam your Sentry server?
Sentry suggests not sending any PII in the events anyway, so in case it were possible to get data somehow, at least the guidelines are clear.

But what about products like Intercom, where the primary functionality is collecting user data in some form or another? If someone knows the unique ID of another user in Intercom, they can basically see all the data from the other user: their chats, their messages, etc. Intercom is a completely front-end setup, where the requests to the Intercom script and the Intercom server happen through the front end, so if the front end can get a user’s data through Intercom, then any other user can get another user’s data by initiating Intercom with the other user’s ID in their browser or directly using curl. There is no auth as such; there is an app key which is also completely front-end.

I am just trying to understand how such applications secure themselves.

Some points about Intercom:

  • it opens in an iframe, on the intercom.com domain
  • possibly the API has CORS restrictions, so only requests from the intercom.com domain are allowed, but these restrictions do not apply to curl
  • it exposes some JavaScript methods to initialize with an app secret, and you can pass a unique ID for the user. The app key is front-end only, so it can easily be seen in any integration, and the user ID can be leaked in other ways. Once leaked, I can just use this user ID and the secret key from anywhere to get messages for the user.

XSS attack being blocked by the browser

I’m trying to validate / test an XSS attack; however, when I navigate to the page, the browser (tried on Chrome and Edge) tells me:

A parser-blocking, cross site (i.e. different eTLD+1) script,
is invoked via document.write. The network
request for this script MAY be blocked by the browser in this or a
future page load due to poor network connectivity. If blocked in this
page load, it will be confirmed in a subsequent console message. See
https://www.chromestatus.com/feature/5718547946799104 for more
details.

I visited the referenced page, but it’s not very clear on exactly what is happening. Is there a way to turn this off so that I can validate the XSS attack?

translation – Change ONLY Site Language based on Browser Language and NOT the Posts/Pages

I have a WordPress site with a custom theme translated into 3 languages using load_theme_textdomain.
I can change the site language by going to Settings > Site Language, and the theme strings change accordingly.

Now I want the site language to automatically adapt to a visitor's browser language, but I am NOT interested in translating the site’s content (posts, pages) into other languages, ONLY the site language (textdomain).

I've been looking for hours for some way, plugin or not, but it seems to be a rare case.

Does anyone know how to go about this?