From c581d78453b3825b5f60784fbbe7a3c6adc56983 Mon Sep 17 00:00:00 2001
From: yatru
Date: Tue, 24 Aug 2021 01:53:19 +0200
Subject: [PATCH] Added security and privacy feature, use private parameters after hastag to avoid server logging

Added security and privacy feature, use private parameters after hastag to avoid server logging

Added security and privacy feature, use private parameters after hastag to avoid server logging
---
 app/webutil.js | 11 ++++++++++-
 vnc_lite.html | 12 ++++++++++--
 2 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/app/webutil.js b/app/webutil.js
index a9fee322..ef25bf8c 100644
--- a/app/webutil.js
+++ b/app/webutil.js
@@ -20,10 +20,19 @@ export function initLogging(level) {
 }
 // Read a query string variable
+// A URL with a query parameter can look like this (But will most probably get logged on the http server):
+// https://www.example.com?myqueryparam=myvalue
+//
+// For privacy (Using a hastag #, the parameters will not be sent to the server)
+// the url can be requested in the following way:
+// https://www.example.com#myqueryparam=myvalue&password=secreatvalue
+//
+// Even Mixing public and non public parameters will work:
+// https://www.example.com?nonsecretparam=example.com#password=secreatvalue
 export function getQueryVar(name, defVal) {
     "use strict";
     const re = new RegExp('.*[?&]' + name + '=([^&#]*)'),
-        match = document.location.href.match(re);
+        match = ''.concat(document.location.href," ", window.location.hash).match(re);
     if (typeof defVal === 'undefined') { defVal = null; }
     if (match) {
diff --git a/vnc_lite.html b/vnc_lite.html
index 36b062b0..a9045c13 100644
--- a/vnc_lite.html
+++ b/vnc_lite.html
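Review bot: The new `match` line in getQueryVar still feeds the regex built on the line above, which requires `[?&]` immediately before the name, so a parameter placed directly after the hash (`#password=...`, the exact form the new comment advertises) is never found; only fragment parameters that follow an `&` match. Appending `window.location.hash` is also redundant, because `document.location.href` already contains the fragment. The smaller fix is to keep the original match line and widen the character class: `const re = new RegExp('.*[?&#]' + name + '=([^&#]*)'),` followed by `match = document.location.href.match(re);`. readQueryVariable in the vnc_lite.html hunk has the same two problems, and both functions' bodies continue past their hunks. The comment's "will not be sent to the server" holds for the HTTP request line, but the fragment still lands in browser history and bookmarks and is readable by every script on the page, which the comment should state so operators do not treat it as a secret channel.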
@@ -109,13 +109,21 @@
         // query string. If the variable isn't defined in the URL
         // it returns the default value instead.
         function readQueryVariable(name, defaultValue) {
-            // A URL with a query parameter can look like this:
+            // A URL with a query parameter can look like this (But will most probably get logged on the http server):
             // https://www.example.com?myqueryparam=myvalue
+            //
+            // For privacy (Using a hastag #, the parameters will not be sent to the server)
+            // the url can be requested in the following way:
+            // https://www.example.com#myqueryparam=myvalue&password=secreatvalue
+            //
+            // Even Mixing public and non public parameters will work:
+            // https://www.example.com?nonsecretparam=example.com#password=secreatvalue
+            //
             //
             // Note that we use location.href instead of location.search
             // because Firefox < 53 has a bug w.r.t location.search
             const re = new RegExp('.*[?&]' + name + '=([^&#]*)'),
-                  match = document.location.href.match(re);
+                  match = ''.concat(document.location.href," ", window.location.hash).match(re);
             if (match) {
                 // We have to decode the URL since want the cleartext value