I'm attempting to port a Chrome extension to Edge. The Chrome extension works fine, and all HTTP requests are working as expected. When these same requests fire in the port, I get this error:
XMLHttpRequest: Network Error 0x2efd, Could not complete the operation due to error 00002efd.
This issue seems to pop up for a lot of Microsoft stuff, including Windows Phone. Maybe there is a similar answer to my issue for this extension, but I'm permitting ALL URLs in my manifest...
This is the request:
$http.get(url)
.then(function () {
})
.catch(function () {
var args = arguments;
});
I've also tried the jQuery way:
$.ajax({
url: url,
success: function () {
},
error: function () {
var args = arguments;
}
});
I can't share the exact URL because it is part of our business architecture, but the Chrome extension consumes it just fine. If I open the URL directly in a browser (Edge or Chrome) it shows the result just fine... I'm at a loss. I know the error means the request can't connect, but why? And how do I fix it?
Seems to be a known bug that hasn't been fully triaged as of 2016-10-07.
In another bug report Microsoft mysteriously says "This is by design as extensions don’t support loopback" and closed it as such. That would certainly be an incompatibility with the Chrome model.
The symptom seems to be that connections to sites that are considered part of the Local Intranet by Windows network stack are denied as part of an aggressive XSS prevention policy.
There is definitely nothing you can do on the extension side until this is resolved by MS. If anything, extension code needs to be privileged enough to do this, even if that breaks their compartmentalization model.
It's possible that you can do some environment changes though. I would experiment with Internet Options for "Local intranet" zone, for example setting Protected Mode on, disabling that for Internet zone, or more likely somehow making sure the site isn't considered intranet. A domain name instead of an IP address may also help "fooling" Edge that it's not intranet.
Related
I am currently in the process of creating a browser extension for a university project. However as I was writing down the extension I hit a really weird problem. To understand fully my situation I will need to describe it in debt from where my issue comes.
The extension that I am currently working on has to have a feature that checks if the browser can connect to the internet or not. That is why I decided to create a very simple AJAX request function and depending on the result returned by this function to determine if the user has internet connection or not.
That is why I created this very simple AJAX function that you can see bellow this line.
$.ajax({
url: "https://enable-cors.org/index.html",
crossDomain: true,
}).done(function() {
console.log("The link is active");
}).fail(function() {
console.log("Please try again later.");
});
<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js"></script>
So far, as long as I understand what it is doing, it is working fine. For example, if you run the function as it is, it will succsesfully connect to the url and process with the ".done(function..." if you change the url to "index273.index" a file which does not exist it will process with the ".fail(function...". I was happy with the result until I decided to test it further more and unpluged my cable out of my computer. Then when I launched the extension it returned the last result from when the browser had connection with the internet. My explanation why the function is doing this is because it is caching the url result and if it cannot connect it gives the last cached value. My next step to try and solve this was to add "cache: false" after the "crossDomain: true" property but after that when I launch the extension it gives the following error:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://enable-cors.org/index?_=1538599523573. (Reason: CORS header 'Access-Control-Allow-Origin' missing).
If someone can help me out sorting this problem I would be extremely grateful. I would want to apologise in advance for my English but this is not my native language.
PS: I am trying to implement this function in the popup menu, not into the "content_scripts" category. I am currently testing this under Firefox v62.0.3 (the latest available version when I write this post).
Best regards,
George
Maybe instead of calling the URL to check if the internet connection is available you could try using Navigator object: https://developer.mozilla.org/en-US/docs/Web/API/Navigator/connection
unless the remote server allowed origin (allowed cors) then you can't access it because it's a security issue.
But there are other things you can do:
You can load image and fire event when an image is loaded
You can access remote JSON via JSONP response
but you can't access other pages because (unless that server allows it) it's a security issue.
I have a web page that serves as a configuration editor, which means that it will be accessed by opening the .html file and not using http.
This page needs to access to another file (the configuration file to be edited), located in the same directory. The file is accessed using a relative path General.json.
var getJSONFileContent = function( url ) {
return $.ajax({
type: "GET",
url: url,
async: false
}).responseText;
};
var currentConfigAsJson = getJSONFileContent( "General.json" );
It works perfectly on Firefox, without changing settings or anything, but it fails on both IE and chrome.
Chrome error:
file:///C:/Users/XXX/Desktop/XXX/General.json.
Cross origin requests are only supported for protocol schemes: http, data, chrome, chrome-extension, https, chrome-extension-resource.m.ajaxTransport.send
# jquery-1.11.3.min.js:5m.extend.ajax
# jquery-1.11.3.min.js:5getJSONFileContent
# General.html:68(anonymous function)
# General.html:75m.Callbacks.j
# jquery-1.11.3.min.js:2m.Callbacks.k.fireWith
# jquery-1.11.3.min.js:2m.extend.ready
# jquery-1.11.3.min.js:2J
# jquery-1.11.3.min.js:2
Internet Explorer error:
SCRIPT5: Access denied.
Fichier : jsoneditor.min.js, line : 7, column : 8725
I read that this is forbidden on Chrome (and probably IE and others) for security reasons, and that I have to start chrome with special arguments to bypass this.
But why is it working on Firefox? Is there a way to make it work on Chrome without passing special arguments when running chrome ?
Are there Chrome specific features that would allow me to read/write files without having to change settings or pass arguments ? An-end user wouldn't want to bother with that.
To solve the origin issue, set up a web server and host your page via localhost.
If you are releasing an HTML based app, you would probably include a web server in your app.
Another approach is to give a try on NW (formerly NodeWebkit) which includes a Chromium with very high authorities that allows you to do the job.
It's rather opinion based to assume the reason why this works and that doesn't. But Chrome and IE are products belong to some company, while Firefox is supported by Mozilla foundation. So it makes sense that commercial companies acting much more sensible on security issues for their interests. Meanwhile, Mozilla foundation would like to be more experimental on techniques, regarding Brendan Eich (the creator of JavaScript) is a big one in Mozilla.
I have a very simple ajax request (see below). The server is using CORS and works fine in IE 10+, Chrome, Firefox and Opera. On Microsoft Edge however, it fails with
XMLHttpRequest: Network Error 0x80070005, Access is denied.
I have researched the posts here, here, here and here, but cannot find an answer that works. Those people have had issues with IE, but adding the contentType (not required for this get) and crossDomain has it working fine.
CanIUse seems to state that CORS is usable in Edge. The request also fails on IE9 down, but CanIUse states only partial support for CORS, so that's understandable.
Any ideas how I can fix this please?
Code:
$.ajax({
crossDomain: true,
url: "http://localhost:2023/api/DoAction/test",
success: function (a) {
var res = JSON.parse(a);
alert(res.content);
},
error: function (a, e, r) {
alert(a.responseText);
}
});
Update
To add further information in case it provides any clues - the ajax request is coming from Azure and posting to a localhost website created using OWIN self hosting. This is unusual, but required for the software (which can only be used locally) to get data from a cloud service. As stated, it works fine for all other browsers, Edge is the only problem.
This problem should no longer exist for developers using Microsoft Edge. If you experience issues with localhost testing, navigate to about:flags, and make sure Allow localhost loopback is checked.
Microsoft Edge does not currently support (out of the box) localhost testing. You can however enable it by following the guidance provided here: http://dev.modern.ie/platform/faq/how-can-i-debug-localhost/.
We're working on resolving this in a future release.
For Build 10158 the command has changed slightly, with the rebranding of Spartan fully into Microsoft Edge, so to enable it in Microsoft Edge run the following command from an administrator command prompt:
CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.MicrosoftEdge_8wekyb3d8bbwe
Just before your ajax call use this : $.support.cors = true;
I am maintaining a website that uses Javascript. The script uses jQuery and loads some content from the server at which the site is normally hosted.
Just for convenience while maintaining the site, I run a local copy of the site on my iMac. This works perfectly fine when I use Safari. But Firefox, Opera and Chrome refuse to work. I guess it is because of cross-domain-policy. (I couldn't test this with IE, because IE has to run in a virtual machine on my iMac, so for this reason it is not possible to access any local files)
Is there a setting within Firefox and the other browsers where I can tell the browser that it is ok to ajax-load files that are located on a remote server from a local html-page with a local javascript?
In a nutshell: This my html-page:
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>some title</title>
<link rel="stylesheet" type="text/css" href="../css/stylesheet.css">
<script src="../js/jquery-2.1.3.min.js"></script>
<script src="../js/myScript.js"></script>
</head>
<body>
<!-- some content with a div-container to receive the ajax-content -->
</body>
</html>
This is myScript.js:
var errorMsg = function (msg) {
//insert the message into the html-page
};
var JSONerror = function (jqXHR, textStatus, errorThrown ) {
var msg = 'JSON-answer: '+jqXHR.responseText;
msg += '<br>'+'JSON-Errorstatus: '+textStatus;
if ($.type(errorThrown) === 'string') {
msg += '<br>'+'Error: '+errorThrown;
}
errorMsg(msg);
};
var JSONreceive = function (JSONobj, StatusString, jqXHR) {
//insert the data in JSONobj into the html-page
}
var StartAJAX = function () {
$.ajax({
url: 'http://my.domain.tld/cgi-bin/myPerlScript.pl',
data: "lastID=" + lastID
+ '&qkz=' + Math.random(),
dataType: "json",
success: JSONreceive,
error: JSONerror
});
};
There is also an event-listener, that listens for page-scroll and resize and checks some other constraints (like: is there already an ajax-call in progress?). This listener calls StartAJAX.
When it calls StartAJAX on a local copy of my page (file:///User/...) within Safari, I get the Ajax-content perfectly fine inserted into my html-document. within the other browsers i get the error-message inserted into the html-page. It is:
JSON-Answer: undefined
JSON-Errorstatus: error
Error:
Why does it work in Safari but not in Firefox, Chrome and Opera?
How can I make those browsers work?
(I need to test it with all browsers, because all browsers render the same html-domument differently, but I don't want to upload all files to the server after every change just to test it.)
EDIT:
After reading some answers, I want to make something clear, that I obviously did not make clear enough:
I am searching for settings in Webbrowsers
I will NOT change the settings of my remote webserver (Apache)
I will NOT manipulate any files on my remote machine (.htaccess)
I will NOT set up a webserver on my local iMac
I will NOT change the code of the AJAX-calls in my Javascript-files
I will NOT change the code of the Perl-Scripts on my remote Server
I can tell you why:
I am just doing a short maintainance, and i am too lazy to upload every manipulated file to the remote machine after I edited it. The settings of the webserver are fine for actual operation. I don't want to change them (and maybe forget the changes before finishing my work). Same for the scripts: Those parts that some of you want to change work fine as they are now. There is no reason to touch the Ajax-Calls, because there is nothing wrong with them in the productive environment.
All I want is that those stupid browsers Firefox, Opera and Chrome behave like Safari and process the Ajax-calls correctly.
BTW:
Please can anyone explain what is so risky to call data via Ajax from an other domain in Firefox, Opera or Chrome while it seems to be harmless doing the same thing in Safari?
CHROME
There is a plugin for chrome that will force it to ignore the security policy. You can also do this with flags. Note, please do not browse the "real web" with this enabled as it is a security risk for your computer.
FIREFOX
This thread indicates that there is presently no way to do this in firefox.
OPERA
Again, there does not appear to be a built in way to ignore CORS policies.
The alternative would be to have the server (http://my.domain.tld) in your case return the proper headers - specifically Access-Control-Allow-Origin:
To avoid this issues, you should develop your page (in your local computer it's ok) using a webserver (like apache, nginx, ...), so, your url ajax calls starts with the protocol http or https, not "file". "File" is the path of your file but using SO path system, not a web server system.
In the other hand, browsers has "Same Origin Policy". This is a security feature but what are the "problems" in web development using ajax calls? Well, your ajax calls always be done to the same server, for example, if you have your web on domain "http://my-domain.com" then your ajax calls must be to the same domain "http://my-domain.com".
To "bypass" SOP in ajax calls, you have three solutions:
Create a proxy on your "my-domain.com" that use curl (in php for example) to retrieve the data and return it to your ajax call
Use JSON-P
Allow your domain in your webserver (.htaccess for example) setting a proper configuration to CORS: http://enable-cors.org/
BTW
I am going to answer: "Please can anyone explain what is so risky to call data via Ajax from an other domain".
(Copy & paste from mozilla MDN https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy)
The same-origin policy restricts how a document or script loaded from
one origin can interact with a resource from another origin.
Same-origin Policy is used as a means to prevent some of the
Cross-site Request Forgery attacks.
Due to the same origin policy you aren't normally able to request resources from a different domain. Try adding crossDomain: true to your AJAX request since you are trying to make a request to a different domain.
$.ajax({
url: 'http://my.domain.tld/cgi-bin/myPerlScript.pl',
crossDomain: true,
data: "lastID=" + lastID
+ '&qkz=' + Math.random(),
dataType: "json",
success: JSONreceive,
error: JSONerror
});
Assuming the web site is domain A, and the perl script is on Domain B, you have two options:
1) Enable CORS on the web server at Domain B. http://enable-cors.org/
2) Create a script (php, perl, ashx, etc) on Domain A that calls the script on Domain B. The script on Domain A will act as a proxy and will be allowed by all web browsers.
I have been trying for a while to access a restless interface within a firefox addon. After reading in a bunch of places I came accross getJASONP jquery function that gets around the cross-origin resource sharing problem but it feels like a hack. Isn't there a more elegant way of getting get and post data with jquery through a firefox plug in. I would be really surprised if a hack was the only way.
thanks.
$(document).ready(function () {
//var url = "http://132.205.237.32:8182/services";
var url ="http://127.0.0.1/learning.php";
$.getJSON(url+'?callback=?', {type:"json"}, function (results) {
alert(results.service1);
});
});
You just access them - e.g. using XMLHttpRequest. Firefox extensions aren't bound by same-origin policy and are allowed to request any address from the web.
A side-note: Please never use JSONP in a Firefox extension, it's a security vulnerability. By using JSONP you are running some code from the web with the privileges of your extension.