Indeed API Access Control Allow Origin - javascript

I want to use the API from indeed.com (https://ads.indeed.com/).
The problem is that they set their response to "Same Origin", meaning I can't use it on my platform. Since there is not much to find on Google, the question is: has anyone figured out how to work with this API?
Example request:
http://api.indeed.com/ads/apisearch?publisher=xxxxx&q=java&l=austin%2C+tx&sort=&radius=&st=&jt=&start=&limit=&fromage=&filter=&latlong=1&co=us&chnl=&v=2&format=json&callback=results&v=2
Example response headers:
HTTP/1.1 200 OK
Date: Thu, 04 Aug 2016 12:59:01 GMT
Server: Apache
Set-Cookie: CTK=1apaq5d2k5mlkchh; Expires=Tue, 09-Aug-2033 07:47:32 GMT; Path=/
Set-Cookie: ctkgen=1; Expires=Thu, 04-Aug-2016 13:02:01 GMT; Path=/
Set-Cookie: JSESSIONID=47FBC363B7DE7AA7FB455319986F2DC3.jasxA_iad-job4; Path=/; HttpOnly
X-Frame-Options: SAMEORIGIN
Pragma: no-cache
Cache-control: no-store, no-cache, must-revalidate, private
Expires: Thu, 04 Aug 2016 12:58:01 GMT
X-Content-Type-Options: nosniff
Vary: User-Agent,Accept-Encoding
Content-Encoding: gzip
Keep-Alive: timeout=30, max=29977
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/javascript;charset=UTF-8
Set-Cookie: BIGipServerjob_iad=!WcxX2VJ58OOojFQRNhs+rOzpOInz86YFI2BZzMsbv9orNwX4rj5v6T936m7gDvyWulSDIiDuepFONA==; path=/

I basically fixed it by using a server-side language (in this case Java) to make the request to the API. This solved the problem.
It is probably by design, so that the publisher ID is not visible to the client.

Related

Unable to display embedded Shopify app due to X-Frame-Options: SAMEORIGIN

I'm migrating a Shopify app from EASDK to App Bridge. I have replaced the old API calls with the new ones, but the app is not loaded in the Shopify admin panel. I get an error in the JS console:
Refused to display in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN
The wget command shows this:
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Status: 200 OK
Cache-Control: max-age=0, private, must-revalidate
Vary: Accept
Referrer-Policy: strict-origin-when-cross-origin
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 1; mode=block
X-Request-Id: 91a511cf-d434-43af-96b8-318356bbbb9a
Link: </assets/application-63f0e6a6cb6a5ecd85ba82b031064ed920a1015deae96cc86bf3de0f7f1c5eaf.css>; rel=preload; as=style; nopush,</assets/application-3111a09ab2c1b26ba99f1c96028fdc2f1677b792d7407284f5182655a8a722d7.js>; rel=preload; as=script; nopush
X-Download-Options: noopen
ETag: W/"e8fc9609e43ff20b0c13c3000ecf4f26"
X-Frame-Options: SAMEORIGIN
X-Runtime: 0.004762
X-Content-Type-Options: nosniff
Date: Tue, 29 Mar 2022 09:59:33 GMT
Set-Cookie: _product_image_slider_session=rpnUJ5yt9PH0EEIHRo4p0RWSKraymAdpsqLh%2BPHGuNx6VU25KhA%2BBxvY4nJDHgSkxQBbacT7SyG%2BGna9bpYxCS7sWGUliu3mlPKM7Df13xbfA%2F8B%2BZ%2FKhC0E00ulV990mmeCkaV0GrrsokmodJZRg76R1ArJTNUoi4PQ54YnQCtiScogv8F38KLC2dJI%2B8eaI6j%2F0U2X6IN87nzm3RhP6dcQsNb1%2BjqvhnxScQuGW37nr84dMzpM4lJscWYElvC6cKqo3Wa897bLnkjFy46m%2BQvBo5KRXyIzqXM%2FJxyqy%2FeDUAv5qg%3D%3D--1h%2B8JkCqosbY%2FtH%2B--5mkT1eQTPoFBpn8nXLkFUQ%3D%3D; path=/; HttpOnly; SameSite=Lax
X-Powered-By: Phusion Passenger(R) 6.0.12
Server: nginx/1.18.0 + Phusion Passenger(R) 6.0.12
Strict-Transport-Security: max-age=31536000
X-Frame-Options: https://grid-kit.myshopify.com
I had a look through the nginx config and I cannot find this 'X-Frame-Options: SAMEORIGIN' header anywhere. I even added a new X-Frame-Options header (see the screenshot) with the correct website, but this doesn't help. I just get the message: Multiple 'X-Frame-Options' headers with conflicting values ('SAMEORIGIN, https://grid-kit.myshopify.com') encountered when loading 'https://app.gridkit.net/?
Where to find the solution?

HttpOnly Secure Cookies not being sent

Yes, another question about httpOnly Cookies.
Like a lot of other people, I'm stuck at the same place.
I get the cookie from the server but it is never sent with other requests.
I have mysite.example.com in angularjs trying to connect to api.example.com.
Here is the response headers:
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://mysite.example.com
Connection: keep-alive
Content-Length: 2855
Content-Type: application/json
Date: Wed, 09 Jun 2021 00:52:54 GMT
Server: Apache/2.4.46 (Amazon) OpenSSL/1.0.2k-fips
Set-Cookie: WEB-TOKEN=158b691a-65fb-49c2-9d88-63bd1935531f;Version=1;Comment=;Max-Age=3600;Secure;HttpOnly;Expires=Wed, 09 Jun 2021 00:52:54 GMT
vary: Origin
Then, in AngularJS, I send a request like this (from mysite.example.com):
$http.get('https://api.example.com/userdetails', { withCredentials: true, headers: { } });
Is there anything not sent or just wrong?
Thank you!
The Path. Yes. I was missing the Path to %x2F. :)
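Why the cookie was never sent: the Set-Cookie above has no Path attribute, so under RFC 6265 the browser assigns a default path derived from the URL of the response that set it, and a token issued by a login endpoint under some other path never path-matches /userdetails. Two more details of that header are worth checking in the same pass: its Expires is equal to the response Date, so only Max-Age (which takes precedence) keeps it alive, and Secure means it is never attached over plain http. The following is an added example, not code from the question or its answer, that implements the RFC 6265 default-path, path-match, domain-match, Secure and expiry rules and replays the header as posted; the hostnames and the /userdetails path are the question's, the /auth/login endpoint is an assumption:

```javascript
// Default-path algorithm, RFC 6265 section 5.1.4: the request path up to but not
// including its right-most "/", or "/" if nothing is left.
function defaultPath(requestPath) {
  if (!requestPath.startsWith('/')) return '/';
  const i = requestPath.lastIndexOf('/');
  return i === 0 ? '/' : requestPath.slice(0, i);
}

// Path-match, RFC 6265 section 5.1.4.
function pathMatches(cookiePath, requestPath) {
  if (cookiePath === requestPath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Parse one Set-Cookie value in the context of the URL that delivered it.
function parseSetCookie(header, responseUrl, now = Date.now()) {
  const url = new URL(responseUrl);
  const [nameValue, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = nameValue.indexOf('=');
  const cookie = {
    name: nameValue.slice(0, eq), value: nameValue.slice(eq + 1),
    domain: url.hostname.toLowerCase(), hostOnly: true,    // no Domain attribute: host-only cookie
    path: defaultPath(url.pathname), secure: false, httpOnly: false, expires: Infinity,
  };
  let maxAge = null, expires = null;
  for (const attr of attrs) {
    const [k, ...rest] = attr.split('=');
    const v = rest.join('=');
    switch (k.toLowerCase()) {
      case 'path': if (v.startsWith('/')) cookie.path = v; break;
      case 'domain': cookie.domain = v.replace(/^\./, '').toLowerCase(); cookie.hostOnly = false; break;
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'max-age': if (/^-?\d+$/.test(v)) maxAge = Number(v); break;
      case 'expires': { const t = Date.parse(v); if (!Number.isNaN(t)) expires = t; break; }
      default: break;   // Version= and Comment= are ignored, as browsers do
    }
  }
  // Max-Age wins over Expires when both are present (RFC 6265 section 5.3).
  if (maxAge !== null) cookie.expires = maxAge <= 0 ? 0 : now + maxAge * 1000;
  else if (expires !== null) cookie.expires = expires;
  return cookie;
}

// Would the browser attach this cookie to a credentialed request for requestUrl?
function cookieApplies(cookie, requestUrl, now = Date.now()) {
  const url = new URL(requestUrl);
  const host = url.hostname.toLowerCase();
  const domainOk = cookie.hostOnly
    ? host === cookie.domain
    : host === cookie.domain || host.endsWith('.' + cookie.domain);
  return domainOk && pathMatches(cookie.path, url.pathname)
    && (!cookie.secure || url.protocol === 'https:') && cookie.expires > now;
}

// The Set-Cookie header exactly as posted in the question.
const AS_POSTED = 'WEB-TOKEN=158b691a-65fb-49c2-9d88-63bd1935531f;Version=1;Comment=;Max-Age=3600;Secure;HttpOnly;Expires=Wed, 09 Jun 2021 00:52:54 GMT';
const LOGIN_URL = 'https://api.example.com/auth/login';      // assumed endpoint that issued it
const USER_DETAILS = 'https://api.example.com/userdetails';  // the request that never carried it

function demo() {
  const t0 = Date.parse('Wed, 09 Jun 2021 00:52:54 GMT');   // the response Date header
  const missingPath = parseSetCookie(AS_POSTED, LOGIN_URL, t0);
  const withPath = parseSetCookie(AS_POSTED + ';Path=/', LOGIN_URL, t0);
  return {
    defaultedTo: missingPath.path,                                              // "/auth"
    sentWithoutPath: cookieApplies(missingPath, USER_DETAILS, t0 + 1000),       // false
    sentWithPath: cookieApplies(withPath, USER_DETAILS, t0 + 1000),             // true
    sentOverHttp: cookieApplies(withPath, 'http://api.example.com/userdetails', t0 + 1000), // false
    aliveDespiteExpires: cookieApplies(withPath, USER_DETAILS, t0 + 60 * 1000), // true, Max-Age wins
  };
}
```

Note that `withCredentials: true` on the AngularJS side and `Access-Control-Allow-Credentials: true` with an explicit origin on the API side (both already present in the question) are necessary but not sufficient: the cookie still has to pass every rule above.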

Receiving different response headers when accessing site through browser vs node http module

I'm writing a function in my Node server that detects whether a particular URL can be rendered inside an iframe by checking the x-frame-options field in the header.
While this works correctly, for some sites I am receiving a header without this field when accessed through the http module. However, the header for these sites correctly includes this option when opened in the browser.
For example: when accessing artstation.com:
In Node.js the Response headers are:
{
  "date": "Fri, 17 Jan 2020 03:37:06 GMT",
  "connection": "close",
  "cache-control": "private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0",
  "expires": "Thu, 01 Jan 1970 00:00:01 GMT",
  "location": "https://www.artstation.com/",
  "x-content-type-options": "nosniff",
  "server": "cloudflare",
  "cf-ray": "556549e5fbeaefd8-EWR"
}
In Chrome browser the response headers are:
cache-control: max-age=0, private, must-revalidate
cf-cache-status: DYNAMIC
cf-ray: 5565511b5d3fe6d0-EWR
content-encoding: gzip
content-type: text/html; charset=utf-8
date: Fri, 17 Jan 2020 03:42:01 GMT
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
server: cloudflare
set-cookie: _ArtStation_session=TEFNMnlrR0UrK1A0UTgzM2FqOGJhMXZkU2dhYitxVW83ajJhMXo0SzJ4T0tENGhwYVppVTZpL0lOSHZ1M0pmRERRaUZ5Z0FTMWRuWTRsTm95VHQwUlhlcEdXN1JCSGtsL0pPdHNtSFF4R3ZScjhUOHFDOWkrSEg3RjNoemZ5aFVWMGJweXFwQU56Q3dOV25icXNNNGtjK3RwbDB4Tml0cjZWSHRWZ1dMK0FSajl2OHZoazFrckVaSTcyRkxFRHAzbHQrbTlpUnZudmRoVXNKYkF5TmlyUT09LS1rVkhhWG5OZ3ZOK0hUckdhY0pRbDJ3PT0%3D--083e61c9e5af420688bc4d309212aafb2de70ebb; domain=.artstation.com; path=/; expires=Fri, 17 Jan 2020 05:12:01 -0000; secure; HttpOnly
status: 200
status: 200 OK
strict-transport-security: max-age=0
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-powered-by: Phusion Passenger Enterprise
x-request-id: 1e36371b-eb7c-419e-97ae-6c9ac901c240
x-runtime: 0.040934
x-xss-protection: 1; mode=block
As you can see, the x-frame-options: SAMEORIGIN header is present in the response headers in Chrome but not in Node.
Why are the response headers different?
Also, please note that this behaviour does not apply to all sites. When accessing google.com, the headers match in the browser and node.
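The Node capture above contains a Location header pointing at https://www.artstation.com/: the http module returned the redirect itself, while Chrome followed it and showed the headers of the final document, which is where the X-Frame-Options lives. A framing check therefore has to follow redirects before it looks at headers, and it has to apply the browser's rules once it has them: a Content-Security-Policy frame-ancestors directive overrides X-Frame-Options, several X-Frame-Options values are honoured only when they agree (otherwise framing is refused, which is the "conflicting values" error in the Shopify question above), and only DENY and SAMEORIGIN are valid values, so a lone URL such as https://grid-kit.myshopify.com is ignored. The following is an added example covering both the Shopify question and this one; it is not code from either question, the fetcher is a constructed stand-in for the network, and the 301 status for artstation.com is an assumption (the capture shows only the Location):

```javascript
const REDIRECT = new Set([301, 302, 303, 307, 308]);

// Follow redirects so the headers examined belong to the final document,
// which is what the browser ends up displaying.
async function resolveFinal(url, fetchFn, maxRedirects = 5) {
  let current = url;
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const res = await fetchFn(current);
    const loc = res.headers.location;
    if (!REDIRECT.has(res.status) || !loc) return { url: current, headers: res.headers };
    current = new URL(loc, current).toString();
  }
  throw new Error('too many redirects');
}

// Node lower-cases header names and either joins repeats with ", " or hands
// back an array; accept both.
function values(headers, name) {
  const raw = headers[name];
  return raw === undefined ? [] : Array.isArray(raw) ? raw : [raw];
}

function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Does one frame-ancestors source expression match the framing page's origin?
// Handles 'none', 'self', *, a scheme, and [scheme://][*.]host (no port forms).
function sourceMatches(src, documentUrl, framerUrl) {
  const f = new URL(framerUrl);
  if (src === "'none'") return false;
  if (src === "'self'") return sameOrigin(documentUrl, framerUrl);
  if (src === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return f.protocol === src.toLowerCase();
  const m = /^(?:(https?):\/\/)?(\*\.)?([^/:*]+)$/i.exec(src);
  if (!m) return false;
  const [, scheme, wild, host] = m;
  if (scheme && f.protocol !== `${scheme.toLowerCase()}:`) return false;
  const h = f.hostname.toLowerCase(), want = host.toLowerCase();
  return wild ? h.endsWith(`.${want}`) : h === want;
}

// Returns { allowed, reason } for framing documentUrl from a page at framerUrl.
function canBeFramed(headers, documentUrl, framerUrl) {
  // A CSP header may carry several comma-separated policies; every policy that
  // has a frame-ancestors directive must allow the framer, and if any does, XFO is ignored.
  const policies = values(headers, 'content-security-policy').flatMap((v) => v.split(','));
  const frameAncestors = policies
    .map((p) => p.split(';').map((d) => d.trim().split(/\s+/)).find((d) => d[0].toLowerCase() === 'frame-ancestors'))
    .filter(Boolean);
  if (frameAncestors.length) {
    const ok = frameAncestors.every((d) => d.slice(1).some((s) => sourceMatches(s, documentUrl, framerUrl)));
    return { allowed: ok, reason: ok ? 'allowed by frame-ancestors' : 'blocked by frame-ancestors' };
  }
  const xfo = [...new Set(values(headers, 'x-frame-options').flatMap((v) => v.split(',')).map((v) => v.trim().toUpperCase()))];
  if (xfo.length === 0) return { allowed: true, reason: 'no framing restriction' };
  if (xfo.length > 1) return { allowed: false, reason: `conflicting X-Frame-Options values (${xfo.join(', ')})` };
  if (xfo[0] === 'DENY') return { allowed: false, reason: 'X-Frame-Options: DENY' };
  if (xfo[0] === 'SAMEORIGIN') {
    const ok = sameOrigin(documentUrl, framerUrl);
    return { allowed: ok, reason: ok ? 'same origin' : 'X-Frame-Options: SAMEORIGIN' };
  }
  return { allowed: true, reason: `invalid X-Frame-Options value ignored (${xfo[0]})` };
}

// Constructed responses modelled on the two captures in the questions above.
const CANNED = {
  'http://artstation.com/': { status: 301, headers: { location: 'https://www.artstation.com/', server: 'cloudflare' } },
  'https://www.artstation.com/': { status: 200, headers: { 'x-frame-options': 'SAMEORIGIN', server: 'cloudflare' } },
};
const fakeFetch = async (url) => CANNED[url] || { status: 404, headers: {} };

async function demo() {
  const art = await resolveFinal('http://artstation.com/', fakeFetch);
  const shopifyAsCaptured = { 'x-frame-options': ['SAMEORIGIN', 'https://grid-kit.myshopify.com'] };
  const shopifyFixed = { 'content-security-policy': 'frame-ancestors https://grid-kit.myshopify.com' };
  return {
    artstationFinalUrl: art.url,
    artstationFromElsewhere: canBeFramed(art.headers, art.url, 'https://embed.example'),
    shopifyAsCaptured: canBeFramed(shopifyAsCaptured, 'https://app.gridkit.net/', 'https://grid-kit.myshopify.com'),
    shopifyFixed: canBeFramed(shopifyFixed, 'https://app.gridkit.net/', 'https://grid-kit.myshopify.com'),
    shopifyFixedFromElsewhere: canBeFramed(shopifyFixed, 'https://app.gridkit.net/', 'https://evil.example'),
  };
}
```

For the Shopify case the fix is to stop emitting X-Frame-Options altogether (the SAMEORIGIN one comes from a layer the question's author could not find, so the addition only created the conflict) and to express the allowed embedder as a frame-ancestors source instead, which is the mechanism that supports a specific origin.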

Fetch chunked content with Google Apps Script UrlFetchApp

Trying to get chunked content with Google Apps Script UrlFetchApp:
UrlFetchApp.fetch(url, {muteHttpExceptions:true});
Unfortunately, it does not handle it well and stops after the first chunk or somewhere in between.
Here are the HTTP response headers:
HTTP/1.1 200 OK
access-control-allow-credentials: true
access-control-allow-origin: *
access-control-expose-headers:
cache-control: max-age=0, private, must-revalidate
content-type: application/json; charset=utf-8
date: Fri, 26 Oct 2018 11:15:24 GMT
x-request-id: 2lgi8mvh6onm5jrvf8000tl1
transfer-encoding: chunked
Connection: keep-alive
Does UrlFetchApp even support chunked responses? If not, is there any alternative?
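Whatever the client, a body delivered with transfer-encoding: chunked is only trustworthy once the zero-length last chunk has been seen; a consumer that hands a partial body to JSON.parse either fails or, for list-shaped payloads, silently works on fewer records than the server sent. The following is an added example, not code from the question or from Apps Script, of a chunked decoder in the RFC 7230 section 4.1 form that reports completeness, run over constructed sample streams (a complete two-chunk JSON document and the same stream cut off inside the second chunk):

```javascript
// Decode a chunked transfer-coded body. Returns the decoded bytes, whether the
// terminating zero-length chunk and trailer section were seen, and otherwise
// why decoding stopped.
function decodeChunked(buf) {
  const parts = [];
  let pos = 0;
  const stop = (complete, reason, trailers = '') =>
    ({ body: Buffer.concat(parts), complete, reason, trailers });
  for (;;) {
    const lineEnd = buf.indexOf('\r\n', pos);
    if (lineEnd === -1) return stop(false, 'truncated before a chunk-size line');
    // chunk-size is hex; anything after ";" is a chunk extension and is ignored
    const sizeHex = buf.subarray(pos, lineEnd).toString('latin1').split(';')[0].trim();
    if (!/^[0-9a-fA-F]{1,8}$/.test(sizeHex)) return stop(false, `invalid chunk size "${sizeHex}"`);
    const size = parseInt(sizeHex, 16);
    pos = lineEnd + 2;
    if (size === 0) {
      // last-chunk: optional trailer fields, then an empty line
      const end = buf.indexOf('\r\n\r\n', pos - 2);
      if (end === -1) return stop(false, 'truncated in trailer section');
      return stop(true, 'ok', buf.subarray(pos, end).toString('latin1'));
    }
    if (buf.length < pos + size + 2) return stop(false, `truncated inside a ${size}-byte chunk`);
    if (buf.subarray(pos + size, pos + size + 2).toString('latin1') !== '\r\n') {
      return stop(false, 'missing CRLF after chunk data');
    }
    parts.push(buf.subarray(pos, pos + size));
    pos += size + 2;
  }
}

// Parse a chunked JSON response only when the stream was complete.
function parseChunkedJson(buf) {
  const decoded = decodeChunked(buf);
  if (!decoded.complete) {
    return { ok: false, reason: decoded.reason, partial: decoded.body.toString('utf8') };
  }
  return { ok: true, value: JSON.parse(decoded.body.toString('utf8')) };
}

// Constructed sample streams (not captured from any server).
const COMPLETE = Buffer.from('7\r\n{"a":1,\r\n6\r\n"b":2}\r\n0\r\n\r\n', 'latin1');
const TRUNCATED = Buffer.from('7\r\n{"a":1,\r\n6\r\n"b', 'latin1');
```

`parseChunkedJson(COMPLETE)` yields the object; `parseChunkedJson(TRUNCATED)` refuses with "truncated inside a 6-byte chunk" and exposes only what was actually received, which is the check to add in front of any JSON handling of a body that may have been cut short.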

Access-Control-Allow-Origin: * is set but I still get Origin not allowed

I'm working on a web client that reads a JSON file from a remote server using jQuery, and I'm having trouble getting it to work.
Code:
jQuery.getJSON('http://[remote-ip]/openbeacon/test.json', updateJsonCallback);
Error:
XMLHttpRequest cannot load http://[remote-ip]/openbeacon/test.json.
Origin http://[remote-ip] is not allowed by Access-Control-Allow-Origin.
I've read up on the whole Access-Control-Allow-Origin thing and thought I had found the solution: add 'Header set Access-Control-Allow-Origin "*"' to the Apache config file (httpd.conf) and restart the service. Unfortunately this didn't work.
I checked the header: the option does show up now, but Chrome still won't let me have access. I even compared the header to that of a JSON file that does work remotely:
http://api.openbeacon.net/get/brucon.json < WORKS
HTTP/1.1 200 OK
Date: Tue, 20 Nov 2012 15:01:43 GMT
Server: Apache
Last-Modified: Tue, 20 Nov 2012 15:01:43 GMT
ETag: W/"d073949-154d-4ceee830cdae1"
Accept-Ranges: bytes
Content-Length: 5453
Access-Control-Allow-Origin: *
Connection: close
Content-Type: application/json; charset=utf-8
http://[remote-ip]/openbeacon/test.json < DOES NOT WORK
HTTP/1.1 200 OK
Date: Tue, 20 Nov 2012 15:01:41 GMT
Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l PHP/5.3.1 mod_perl/2.0.4 Perl/v5.10.1
Last-Modified: Tue, 20 Nov 2012 15:01:41 GMT
ETag: W/"2b8ab16-1e7-4ceee82edbf40"
Accept-Ranges: bytes
Content-Length: 487
Acces-Control-Allow-Origin: *
Connection: close
Content-Type: application/json
Help?
Okay, this was pretty stupid. As #Rocket already pointed out, I mistyped Access. Sigh.
Acces-Control-Allow-Origin: *
Should be
Access-Control-Allow-Origin: *
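A browser ignores a header name it does not recognise without any warning, so a misspelled security header fails exactly like an absent one; the only place it can be caught is in the configuration or in a check on the live response. The following is an added example, not code from the question, that flags header names within two edits of a well-known security header; the two header blocks are the ones from the question, abridged to the lines that matter:

```javascript
const KNOWN_HEADERS = [
  'Access-Control-Allow-Origin', 'Access-Control-Allow-Credentials',
  'Access-Control-Allow-Methods', 'Access-Control-Allow-Headers',
  'Content-Security-Policy', 'Strict-Transport-Security',
  'X-Content-Type-Options', 'X-Frame-Options', 'Referrer-Policy',
];

// Levenshtein distance between two header names, case-insensitive.
function editDistance(a, b) {
  a = a.toLowerCase(); b = b.toLowerCase();
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
    }
    prev = cur;
  }
  return prev[b.length];
}

// Split a raw response header block (status line first) into [name, value] pairs.
function parseHeaderBlock(text) {
  return text.split(/\r?\n/).slice(1).filter((l) => l.includes(':'))
    .map((l) => { const i = l.indexOf(':'); return [l.slice(0, i).trim(), l.slice(i + 1).trim()]; });
}

// Names that are close to, but not exactly, a known security header.
function lintHeaders(text) {
  const nearMisses = [];
  for (const [name] of parseHeaderBlock(text)) {
    for (const known of KNOWN_HEADERS) {
      const d = editDistance(name, known);
      if (d > 0 && d <= 2) nearMisses.push({ found: name, expected: known });
    }
  }
  return nearMisses;
}

// The two responses from the question, abridged.
const WORKING = `HTTP/1.1 200 OK
Date: Tue, 20 Nov 2012 15:01:43 GMT
Server: Apache
Content-Length: 5453
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=utf-8`;

const BROKEN = `HTTP/1.1 200 OK
Date: Tue, 20 Nov 2012 15:01:41 GMT
Server: Apache/2.2.14 (Unix)
Content-Length: 487
Acces-Control-Allow-Origin: *
Content-Type: application/json`;
```

`lintHeaders(BROKEN)` reports the one near miss, `Acces-Control-Allow-Origin` for `Access-Control-Allow-Origin`, and `lintHeaders(WORKING)` reports nothing. Running this against `curl -sI` output in a deployment check catches the typo before a browser silently discards the header.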
