
Mel Smith

3/18/2015 11:44:00 PM

Hi:

On my download site I have approx 25 download links similar to the
following but simplified below:

<a id="i116" href="http://www.example.com/files/x116...
onclick="chkdld(this);">Download this file</a>

Note that I have a 'clickable' link and also an onclick attribute/property !

I have determined that on IE8 (at least) that the onclick operation
occurs first and then the 'download' operation follows after the chkdld()
function returns either a true or false.

Question:

Is this sequence (i.e., 'onclick' followed by 'download operation')
generally true across most all current common browsers. ??


Reason:

I hope to use the 'onclick' sequence to start up an Ajax operation to
determine the IP address info of the user, and then send a text response to
modify the 'files' sub-directory to point to the *actual* download
sub-dir -- which I modify frequently. Recently, on request I've eliminated
use of passwords and, instead, am keeping a database of 'abusers' of my
free service who typically start up dozens of simultaneous downloads to try
to overwhelm my server. Because my actual download sub-dir changes
frequently, I thought I could use Ajax to send the *actual* 'files' sub-dir
as a response at the last moment, then perhaps I could (somehow) revert it
later after the download is started -- but I don't know how to do this yet
(i.e., the 'reverting').

Thanks !

-Mel Smith


10 Answers

Thomas 'PointedEars' Lahn

3/19/2015 2:48:00 AM

0

Mel Smith wrote:

> On my download site I have approx 25 download links similar to the
> following but simplified below:
>
> <a id="i116" href="http://www.example.com/files/x116...
> onclick="chkdld(this);">Download this file</a>
>
> Note that I have a 'clickable' link and also an onclick attribute/property
> !

_attribute_. And why the emphasis? Do you want a pat on the back for not
doing mindbogglingly stupid things?

> I have determined that on IE8 (at least) that the onclick operation
> occurs first and then the 'download' operation follows after the chkdld()
> function returns either a true or false.

You want to test with modern browsers first. And nothing is returned here.

> Question:
>
> Is this sequence (i.e., 'onclick' followed by 'download operation')
> generally true across most all current common browsers. ??

Yes, to all script-supporting browsers worth their salt. The download is
only a consequence of the default action for links when the browser has
determined that it cannot reasonably navigate to and display the resource,
or if response header or the user said that they always want to download
such resources. You can cancel the default action of the “click” event by
returning “false” to the event handler; in this case, as is recommended, by
returning the return value of a function or method:

<a href="…" onclick="return chkdld(this)">…</a>

> Reason:
>
> I hope to use the 'onclick' sequence to start up an Ajax operation to
> determine the IP address info of the user, and then send a text response
> to modify the 'files' sub-directory to point to the *actual* download
> sub-dir -- which I modify frequently.

You do not want to do that. Doing so could be considered forgery; it will
not help, and may hinder, your good standing with search engines. For
forgery aside, the search engine will probably not be able to detect whether
this part of your site was updated. As a rule of thumb, search engines
"like" sites whose content (not: URIs) is frequently updated.

> Recently, on request I've eliminated use of passwords and, instead, am
> keeping a database of 'abusers' of my free service who typically start up
> dozens of simultaneous downloads to try to overwhelm my server. Because
> my actual download sub-dir changes frequently,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Bad idea. <http://www.w3.org/QA/Tips/uri-...

> I thought I could use Ajax to send the *actual* 'files' sub-dir as a
> response at the last moment, then perhaps I could (somehow) revert it
> later after the download is started -- but I don't know how to do this yet
> (i.e., the 'reverting').

It is pointless to try and hide content from abusers this way. It is like
trying to scare burglars away by locking the door of your house and hanging
up outside a sign with a large red down arrow that says “The key for this
door is right below your feet, under the mat.”

Get a bigger house (better hosting space) or a watchdog instead (detect
abusers by their connection data and request headers, and tell them 403).

--
PointedEars
FAQ: <http://PointedEars.... | SVN: <http://PointedEars.de...
Twitter: @PointedEars2 | ES Matrix: <http://PointedEars.de/es-...
Please do not cc me. / Bitte keine Kopien per E-Mail.

Mel Smith

3/19/2015 3:54:00 PM

0

Thomas Lahn said:

> _attribute_. And why the emphasis? Do you want a pat on the back for not
> doing mindbogglingly stupid things?

I normally like 'pats-on-the-back' if the patter is not holding a knife
in that hand :)

>
>> I have determined that on IE8 (at least) that the onclick operation
>> occurs first and then the 'download' operation follows after the chkdld()
>> function returns either a true or false.
>
> You want to test with modern browsers first. And nothing is returned
> here.
>
>> Question:
>>
>> Is this sequence (i.e., 'onclick' followed by 'download operation')
>> generally true across most all current common browsers. ??
>
> Yes, to all script-supporting browsers worth their salt. The download is
> only a consequence of the default action for links when the browser has
> determined that it cannot reasonably navigate to and display the resource,
> or if response header or the user said that they always want to download
> such resources. You can cancel the default action of the "click" event by
> returning "false" to the event handler; in this case, as is recommended,
> by
> returning the return value of a function or method:
>
> <a href="." onclick="return chkdld(this)">.</a>
>

Understood. I'll try this today

I would expect the abusers (who I believe play 'nice' from their home
machines, but use proxies when they put on their 'black hats') may have JS
disabled on their proxies, so I have to check for this too before anything
else.

>> Reason:
>>
>> I hope to use the 'onclick' sequence to start up an Ajax operation to
>> determine the IP address info of the user, and then send a text response
>> to modify the 'files' sub-directory to point to the *actual* download
>> sub-dir -- which I modify frequently.
>
> You do not want to do that. Doing so could be considered forgery; it will
> not help, and may hinder, your good standing with search engines. For
> forgery aside, the search engine will probably not be able to detect
> whether
> this part of your site was updated. As a rule of thumb, search engines
> "like" sites whose content (not: URIs) is frequently updated.
>

My site is frequently updated -- usually weekly. My users are
usually/mostly/only C programmers who visit to pick up the latest 'builds'.
I don't wish to encourage casual browsers from visiting and don't care
about search engines for my site, and wish to actively discourage 'abusers'.

>> Recently, on request I've eliminated use of passwords and, instead, am
>> keeping a database of 'abusers' of my free service who typically start
>> up
>> dozens of simultaneous downloads to try to overwhelm my server. Because
>> my actual download sub-dir changes frequently,
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Bad idea. <http://www.w3.org/QA/Tips/uri-...
>
>> I thought I could use Ajax to send the *actual* 'files' sub-dir as a
>> response at the last moment, then perhaps I could (somehow) revert it
>> later after the download is started -- but I don't know how to do this
>> yet
>> (i.e., the 'reverting').

My intent is to force users to actually 'click' on the download anchor
rather than using automated 'Gets' via Curl or other methods of automating
downloads. My downloads range in size from 14Meg thru 29Meg, and some
'abusers' start up 25-50 downloads simultaneously, then '206' then and let
some continue. But if I force the downloader to actually 'click' on the
file, this may discourage them from 'practicing on me and my small home
office site. Maybe !

>
> It is pointless to try and hide content from abusers this way. It is like
> trying to scare burglars away by locking the door of your house and
> hanging
> up outside a sign with a large red down arrow that says "The key for this
> door is right below your feet, under the mat."
>
> Get a bigger house (better hosting space) or a watchdog instead (detect
> abusers by their connection data and request headers, and tell them 403).

Thanks for the response and for the advice

-Mel Smith


Christoph M. Becker

3/19/2015 5:30:00 PM

0

Mel Smith wrote:

> My intent is to force users to actually 'click' on the download anchor
> rather than using automated 'Gets' via Curl or other methods of automating
> downloads. My downloads range in size from 14Meg thru 29Meg, and some
> 'abusers' start up 25-50 downloads simultaneously, then '206' then and let
> some continue. But if I force the downloader to actually 'click' on the
> file, this may discourage them from 'practicing on me and my small home
> office site. Maybe !

Well, it pretty much appears that those "abusers" are actually download
managers. If the web server is able to deliver partial content, I
wouldn't worry about those, because they won't increase the overall
bandwidth considerably.

--
Christoph M. Becker

Mel Smith

3/19/2015 7:29:00 PM

0

Christoph said:
> Well, it pretty much appears that those "abusers" are actually download
> managers. If the web server is able to deliver partial content, I
> wouldn't worry about those, because they won't increase the overall
> bandwidth considerably.


But it still bugs me !

-Mel


Christoph M. Becker

3/19/2015 8:29:00 PM

0

Mel Smith wrote:

> Christoph said:
>> Well, it pretty much appears that those "abusers" are actually download
>> managers. If the web server is able to deliver partial content, I
>> wouldn't worry about those, because they won't increase the overall
>> bandwidth considerably.
>
> But it still bugs me !

If you really want to prohibit the usage of download managers, you
should do this server side. So don't give a direct download link to the
file resource, but instead to a script that will pass the file contents
through. Signal the client that range requests are not supported by
sending Accept-Ranges: none, and respond with an appropriate 4xx status
code, if a Range header field is contained in the request.

However, this would be OT for this newsgroup, if you won't use a server
side ECMAScript implementation to do it.

--
Christoph M. Becker
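
The server-side approach described in the post above, combined with the "watchdog" from Thomas Lahn's earlier reply, as an added Node.js example that is not part of the thread: the link points at a script that streams the file, advertises `Accept-Ranges: none`, refuses requests carrying `Range`, and answers 403 once an address exceeds a parallel-download cap. The directory, the `id` parameter, the cap of 2 and the choice of 416 as the 4xx status are assumptions.

```javascript
// Added example, not code from the thread. Directory, limits and the 4xx choice are assumptions.
const http = require('node:http');
const fs = require('node:fs');
const path = require('node:path');

const FILES_DIR = '/srv/downloads'; // hypothetical store, kept outside the web root
const MAX_PER_IP = 2;               // assumed cap on simultaneous downloads per address
const RANGE_STATUS = 416;           // assumption: the post only says "an appropriate 4xx"
const active = new Map();           // client address -> downloads in progress

// Policy check made before any file byte is read; returns the HTTP status to send.
function decide(headers, ip, inFlight = active) {
  if (headers.range !== undefined) return RANGE_STATUS;  // refuse partial-content requests
  if ((inFlight.get(ip) || 0) >= MAX_PER_IP) return 403; // too many parallel downloads
  return 200;
}

// Accept only a bare file name so the id can never point outside FILES_DIR.
function resolveFile(id) {
  return /^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$/.test(id || '') ? path.join(FILES_DIR, id) : null;
}

function handle(req, res) {
  const ip = req.socket.remoteAddress;
  const id = new URLSearchParams(req.url.split('?')[1] || '').get('id');
  const file = resolveFile(id);
  const status = file ? decide(req.headers, ip) : 404;
  if (status !== 200) {
    res.writeHead(status, { 'Accept-Ranges': 'none' });
    return res.end();
  }
  const stream = fs.createReadStream(file);
  active.set(ip, (active.get(ip) || 0) + 1);
  res.once('close', () => {            // runs on completion and on client abort
    stream.destroy();
    const left = active.get(ip) - 1;
    if (left > 0) active.set(ip, left); else active.delete(ip);
  });
  stream.once('open', () => res.writeHead(200, {
    'Accept-Ranges': 'none',
    'Content-Type': 'application/octet-stream',
    'Content-Disposition': 'attachment',
  }));
  stream.once('error', () => { if (!res.headersSent) res.writeHead(404); res.end(); });
  stream.pipe(res);
}

const server = http.createServer(handle); // server.listen(8080) starts serving
```

Behind a reverse proxy, `req.socket.remoteAddress` is the proxy's address, so the per-address count has to be keyed on the client address the proxy forwards instead.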

Mel Smith

3/19/2015 11:34:00 PM

0

Christoph said:

>> But it still bugs me !
>
> If you really want to prohibit the usage of download managers, you
> should do this server side. So don't give a direct download link to the
> file resource, but instead to a script that will pass the file contents
> through. Signal the client that range requests are not supported by
> sending Accept-Ranges: none, and respond with an appropriate 4xx status
> code, if a Range header field is contained in the request.
>
> However, this would be OT for this newsgroup, if you won't use a server
> side ECMAScript implementation to do it.

Thanks -- I'll consider it.

But, I'm still in the punishment phase -- i.e., I'm angry and don't want
to play 'nice' anymore.

I placed a new 'build' on my site this morning, and let my group know of
its existence on our ng.

Just a few minutes ago, I had the first 'sniff' by an abuser where he
was (apparently) setting up for an attack tonite maybe, and where I
substituted an 'O' in place of a '0' in the 'files' sub-dir, and of course,
he got my '404' response. He's probably a bit confused now -- I hope. But,
he'll see I tried to 'spoof' him, and he'll take action again tonite. If he
had 'clicked' on the download, it would have worked correctly

But soon (in a week or so), I'll be ready. Then *all* downloads will
require a 'click' to get them going not just 'Gets' by CURL .

-Mel



Christoph M. Becker

3/20/2015 12:29:00 AM

0

Mel Smith wrote:

> Christoph said:
>
>> If you really want to prohibit the usage of download managers, you
>> should do this server side. So don't give a direct download link to the
>> file resource, but instead to a script that will pass the file contents
>> through. Signal the client that range requests are not supported by
>> sending Accept-Ranges: none, and respond with an appropriate 4xx status
>> code, if a Range header field is contained in the request.
>>
>> However, this would be OT for this newsgroup, if you won't use a server
>> side ECMAScript implementation to do it.
>
> Thanks -- I'll consider it.
>
> But, I'm still in the punishment phase -- i.e., I'm angry and don't want
> to play 'nice' anymore.
>
> I placed a new 'build' on my site this morning, and let my group know of
> its existence on our ng.
>
> Just a few minutes ago, I had the first 'sniff' by an abuser where he
> was (apparently) setting up for an attack tonite maybe, and where I
> substituted an 'O' in place of a '0' in the 'files' sub-dir, and of course,
> he got my '404' response. He's probably a bit confused now -- I hope. But,
> he'll see I tried to 'spoof' him, and he'll take action again tonite. If he
> had 'clicked' on the download, it would have worked correctly
>
> But soon (in a week or so), I'll be ready. Then *all* downloads will
> require a 'click' to get them going not just 'Gets' by CURL .

Have you considered users who have JavaScript disabled, or for whom
JavaScript is not available at all? Have you considered that this first
"abuser" might have been one of these?

--
Christoph M. Becker

Mel Smith

3/20/2015 4:42:00 AM

0

Christoph said
> Have you considered users who have JavaScript disabled, or for whom
> JavaScript is not available at all? Have you considered that this first
> "abuser" might have been one of these?

Yes -- I've gone all over that -- there's a more complex 'back story' here.

-Mel


Thomas 'PointedEars' Lahn

3/20/2015 11:30:00 AM

0

Mel Smith wrote:

> But, I'm still in the punishment phase -- i.e., I'm angry and don't
> want to play 'nice' anymore.

You must learn to control your emotions or they will be your undoing.

--
PointedEars
FAQ: <http://PointedEars.... | SVN: <http://PointedEars.de...
Twitter: @PointedEars2 | ES Matrix: <http://PointedEars.de/es-...
Please do not cc me. / Bitte keine Kopien per E-Mail.

Evertjan.

3/20/2015 12:52:00 PM

0

Thomas 'PointedEars' Lahn <PointedEars@web.de> wrote on 20 mrt 2015 in
comp.lang.javascript:

> Mel Smith wrote:
>
>> But, I'm still in the punishment phase -- i.e., I'm angry and don't
>> want to play 'nice' anymore.
>
> You must learn to control your emotions or they will be your undoing.

Unduly pressing the undo-button will not undull emotionlessity.

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)