I'm working on an Electron app which heavily uses webview to provide a custom interface to a remote site (Salesforce). The webview is loading pages which contain ajax requests. I need to capture the responses to these requests so that I can refactor out the screen scraping the app is currently doing.
I have tried several methods:
WebRequest (Only captures request headers, not response bodies)
Monkey Patching XMLHttpRequest (Failed to work after injecting via preload= and was extremely difficult to debug in a webview)
protocol.interceptHttpProtocol (Did not contain response body from webview)
mainWindow.webContents.debugger.attach (Did not work)
Related
I'm front-end dev and my app run inside android WebView, after I call api method form my react app by axios(or fetch/xhr), WebView developers inject some important headers into my request.
they expect me to reed request headers and show some where inside my react app.
the problem is how can I read request header after api call???
I installed mode-header extension to simulate development environment. in chrome devtool I can see other request headers injected by browser into my api requests but I cant read them!
I'm creating a Progressive web app and need to make requests to an API which is HTTP and doesn't have HTTPS. Can't change the app to HTTP as PWA's require HTTPS, can't change request link to https.
Getting this error:
Mixed Content: The page at 'https://current-site.herokuapp.com/' was
loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint
'http://the-api.com/api/customer?$filter=contains(CustomerName,%20%27test%27)&$select=CustomerName,CustomerId&$top=10'.
This request has been blocked; the content must be served over HTTPS.
Hoping there's a way around this. Currently using nodejs and express to serve. Requests are being made from frontend vuejs with axios.
Thanks for helping.
Shy of using an insecure or old browser, or telling your users to use some command line flags before surfing the web, there is not a direct method for this. This is by design and would be a major security flaw if apps could do this directly.
However, if you're determined to use the insecure API, you can write an HTTPS proxy API on your server, that turns around and does the request to the real API over HTTP.
I'm trying to perform an ajax request to a third party api from my web site using javascript (On the client side) and I receive a No 'Access-Control-Allow-Origin' error. When trying to access this from node.js project everything is working fine.
More over, when opening Chrome with --disable-web-security everything is working fine as well.
Any information about this issue will be appreciated :-)
You cannot access a third-party API without using CORS. CORS adds special headers (e.g. Access-Control-Allow-Origin) to the HTTP response. This makes sure, that the API can control which front-end can make a request to it. This means, however, your API needs to recognize your front-end URL and accept requests from it.
You can (a) use CORS on the API side (changes are necessary on the API) or (b) use your server-side language to make the API request (e.g. PHP makes the request to the API and the front-end receives the response from the PHP back-end). Everything else is prohibited by the browser's security settings.
You can read more about CORS e.g. here.
I'am reading the 'Getting MEAN with mongo, express, angular and node' book made by Simon Holmes. I like it alot but i had a big question which doesn't Seems to be covered in the book, he is talking about rest-api through http request (i went a bit forward in the book and saw there was a login system) and that triggered me a bit isn't it risky to do everything in http. And my other question was when you load your rest api in Heroku (and all your website) are the request in https since they force https (i know it cause i couldnt load Google font due to me making the request in http)
isn't it risky to do everything in http
It's less secure. People can read any request in plain text.
when you load your rest api in Heroku (and all your website) are the
request in https
Whist you can use HTTP, you can make any request over HTTPS with no cost. When you upload your real app you will also want to configure your server to redirect to HTTPS too.
I'm working on a single page app that uses Backbone.js and marionette on the front end, and Django with Tastypie on the back. I just added a ssl certificate to the web server, and redirected all the http traffic to https.
Everything seems to work fine except for the backbone (sync) request that continues to send request over http, causing the browser to block those requests, and I don't know how to tell backbone to use https by default.
The backbone models url/urlroot are relative so they should take the same protocol as the rest of the site right? Thanks,
Backbone.sync is a wrapper around jQuery.ajax(...) in the end. You are correct that Backbone (via jQuery) should use the protocol of the hosting page. And the Same Origin Policy dictates the browser reject any request made to a different host, port, or protocol.
All this suggests the way you're hosting the page is getting jQuery's signals crossed. If you access the page directly via HTTPS instead of relying on the HTTP --> HTTPS redirect, does it work? If so, the problem isn't a Backbone one, but a hosting one.