I have an iframe with src set to (let's say) domainA.com, and the parent URL is domainB.com. From this iframe I make an ajax call to domainA.com/ajax.asp. This works in Chrome and Firefox, but not in Safari and IE. Below are the complete request headers for Chrome and Safari.
REQUEST HEADER (Chrome)
POST /Ajax.asp HTTP/1.1
Host: domainA.com
Connection: keep-alive
Content-Length: 29
Accept: */*
Origin: http://test.takeoutmenuz.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.152 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://domainA.com/menu.asp?userid=1025
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,id;q=0.6
Cookie: userid=1025; ASPSESSIONIDAQCQASBD=IDGHMLJDBHOKJFBIKMCNDHDA; ZZZZZ=here
REQUEST HEADER (Safari)
POST /Ajax.asp HTTP/1.1
Host: domainA.com
Connection: keep-alive
Content-Length: 29
Accept: */*
Origin: http://test.takeoutmenuz.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.152 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://domainA.com/menu.asp?userid=1025
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,id;q=0.6
As you can see, there is no Cookie header in Safari. Based on the explanation from this page, the problem is the cookie handling (if I'm not mistaken). How can I make it work without cookies? Should I do something with the response headers in Ajax.asp, or do something in the ajax script (I already added the withCredential field to it)?
Related
I have tried several times and looked for the best result in some similar questions, but I have not found any reasonable result. I get a response with Postman and JS AJAX but not with axios. My request headers are as below:
:authority: www.sample.com
:method: POST
path: /api/v1/contact
:scheme: https
accept: application/json, text/plain
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9,fa;q=0.8
content-length: 549
content-type: application/x-www-form-urlencoded
origin: http://localhost:3000
referer: http://localhost:3000/contact-us
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
Any idea? Thanks a lot.
This is kind of strange. I make a rest post call to couchdb 2.0 to update the user database and I get back a 401 status message "error=bad_request" and "reason=Referer header must match host."
However, if I change the "post" to "put", then it is happy and returns a status of 201 as expected. I could continue to use puts, but that isn't the standard.
Suggestions?
POST http://localhost:5984/_users/org.couchdb.user:test1 HTTP/1.1
Host: localhost:5984
Connection: keep-alive
Content-Length: 364
Pragma: no-cache
Cache-Control: no-cache
Origin: http://localhost:9000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
content-type: application/json
Accept: */*
DNT: 1
Referer: http://localhost:9000/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8
Cookie: io=YBMMIY0pejGjeHV9AACO; AuthSession=foo
{
"_id":"org.couchdb.user:test1",
"_rev":"1-8e2136e07f62238327f87d1ae54a29df",
"type":"user",
"roles":["user"],
"name":"test1",
"email":"test1#foo.bar",
"fullName":"Test1 esq",
"phone":"555-555-5555",
"id":"org.couchdb.user:test1",
"password_scheme":"pbkdf2",
"iterations":10,
"derived_key":"0e076f6f85f1389fd90ff181d433e1438e8e30a4",
"salt":"37f590de042f07956f6cc11b8a9eb012"
}
Response
HTTP/1.1 400 Bad Request
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://localhost:9000
Access-Control-Expose-Headers: content-type, cache-control, accept-ranges, etag, server, x-couch-request-id, x-couch-update-newrev, x-couchdb-body-time
Cache-Control: must-revalidate
Connection: close
Content-Length: 67
Content-Type: application/json
Date: Thu, 29 Dec 2016 23:15:25 GMT
Server: CouchDB/2.0.0 (Erlang OTP/17)
X-Couch-Request-ID: b45ec52b5c
X-CouchDB-Body-Time: 0
{"error":"bad_request","reason":"Referer header must match host."}
**This works**
PUT http://localhost:5984/_users/org.couchdb.user:test1 HTTP/1.1
Host: localhost:5984
Connection: keep-alive
Content-Length: 364
Pragma: no-cache
Cache-Control: no-cache
Origin: http://localhost:9000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
content-type: application/json
Accept: */*
DNT: 1
Referer: http://localhost:9000/
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8
Cookie: io=62j8pWngSUNyLwKjAACX; AuthSession=xyyz
{
"_id":"org.couchdb.user:test1",
"_rev":"1-8e2136e07f62238327f87d1ae54a29df",
"type":"user",
"roles":["user"],
"name":"test1",
"email":"test1#foo.bar",
"fullName":"Test1 esq",
"phone":"555-555-5555",
"id":"org.couchdb.user:test1",
"password_scheme":"pbkdf2",
"iterations":10,
"derived_key":"0e076f6f85f1389fd90ff181d433e1438e8e30a4",
"salt":"37f590de042f07956f6cc11b8a9eb012"
}
So, you are having trouble with the referrer not matching the expected host because of the different port numbers. According to this: https://github.com/couchbase/couchdb/blob/2.5.1.1/src/couchdb/couch_httpd.erl#L344
you can send an X-Forwarded-Host header with your value, localhost:9000.
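A simplified model of the check this answer points to, as an added example (not CouchDB's code, which is Erlang). It assumes the server compares the host:port in Referer with X-Forwarded-Host when that header is present, otherwise with Host; the function names are hypothetical and the header values are taken from the failing POST above.

```javascript
// Added example: simplified model of a "Referer must match host" check.
// Assumption: the effective host is X-Forwarded-Host if sent, else Host.
function effectiveHost(headers) {
  return (headers['x-forwarded-host'] || headers['host'] || '').toLowerCase();
}

// headers: object keyed by lower-cased header name.
function validateReferer(headers) {
  const referer = headers['referer'];
  if (!referer) return { ok: false, reason: 'Referer header required.' };
  let refererHost;
  try {
    // URL.host is "hostname:port" (the port is omitted when it is the default).
    refererHost = new URL(referer).host.toLowerCase();
  } catch (e) {
    return { ok: false, reason: 'Referer header must match host.' };
  }
  return refererHost === effectiveHost(headers)
    ? { ok: true, reason: null }
    : { ok: false, reason: 'Referer header must match host.' };
}

// Constructed from the failing POST on this page: the page is served from
// port 9000, the database listens on port 5984.
const failingPost = { host: 'localhost:5984', referer: 'http://localhost:9000/' };
// The same request with the header the answer suggests.
const withForwardedHost = Object.assign({}, failingPost, {
  'x-forwarded-host': 'localhost:9000',
});

console.log(validateReferer(failingPost));
console.log(validateReferer(withForwardedHost));
```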
I have written a servlet Filter in which I am trying to get the value of a custom header, samlRequest. From the REST client/Postman Chrome plugin I am getting the value of samlRequest, but using an ajax call, where I have provided the samlRequest key and its value, in Java I am getting only the key samlRequest in "Access-Control-Request-Headers". How do I get the value of samlRequest?
$.ajax({
url: "http://indlin500.corp.test.com:31000/test/Portal/index.html",
type: "GET",
headers: { 'samlRequest': 'eJzVWVlz4roSfs6/oJhHJvECBkMRTsk2+2ow68stY8u2wBuWjQ2//srsyUlmJufOramTSjm41f '},
beforeSend: function(xhr){xhr.setRequestHeader('samlRequest', 'eJzVWVlz4roSfs6/oJhHJvECBkMRTsk2+2ow68stY8u2wBuWjQ2//srsyUlmJufOramTSjm41f ');},
success: function() { alert('Success!' + authHeader); }
});
FirewalledRequest[
weblogic.servlet.internal.ServletRequestImpl#4f839843[
OPTIONS /testsOSS/Portal/index.html HTTP/1.1
Connection: keep-alive
Access-Control-Request-Method: GET
Origin: http://10.19.121.17:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Access-Control-Request-Headers: authorization, samlrequest, x-partnerkey
Accept: */*
DNT: 1
Referer: http://10.19.121.17:7001/authentication-uxf-login-0.0.1-SNAPSHOT/customLoginPage.html
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
]]
Using the Chrome REST client plugin, I am getting samlRequest in the header with the value I have provided.
FirewalledRequest[
weblogic.servlet.internal.ServletRequestImpl#24d746a[
GET /testOSS/Portal/index.html HTTP/1.1
Connection: keep-alive
Cache-Control: no-cache
samlRequest: eJzVWVlz4roSfs6/oJhHJvECBkMRTsk2+2ow68stY8u2wBuWjQ2//srsyUlmJufOramTSjm41f
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Postman-Token: ce7765d0-94b5-a1e1-d6ba-2abada3dfdd6
Accept: */*
DNT: 1
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
]]
When you make a cross-origin request from a browser, the browser makes a preflight request before the actual request. It is an OPTIONS request, unlike the intended GET request.
Try adding a CORS filter before the actual filter which will reply OK for any OPTIONS request. Sample code can be found here:
https://amodernstory.com/2014/12/27/using-cors-headers-with-java-example/
By the way, you don't need to set the header in the request twice. You can remove the beforeSend block from the ajax request.
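The preflight exchange this answer describes, as an added example (not code from the original posts or the linked article): a CORS decision function modelled in plain JavaScript that answers the OPTIONS request itself and lets the real request through to the next filter. The function name and the origin, method and header allow-lists are assumptions for illustration; the sample header values come from the OPTIONS request logged in the question.

```javascript
// Added example: how a CORS filter can treat the preflight (OPTIONS) versus
// the actual request. The allow-lists below are assumptions.
const ALLOWED_ORIGINS = new Set(['http://10.19.121.17:7001']);
const ALLOWED_METHODS = new Set(['GET', 'POST']);
const ALLOWED_HEADERS = new Set(['authorization', 'samlrequest', 'x-partnerkey']);

// headers: object keyed by lower-cased header name.
function corsDecision(method, headers) {
  const origin = headers['origin'];
  if (!origin) return { kind: 'same-origin', status: null, headers: {} };
  if (!ALLOWED_ORIGINS.has(origin)) {
    // No CORS headers: the browser withholds the response from the script.
    return { kind: 'rejected', status: 403, headers: {} };
  }
  const base = { 'Access-Control-Allow-Origin': origin, 'Vary': 'Origin' };
  const wantedMethod = headers['access-control-request-method'];
  if (method !== 'OPTIONS' || !wantedMethod) {
    // Actual request: custom header values (e.g. samlRequest) arrive here.
    return { kind: 'actual', status: null, headers: base };
  }
  // Preflight: carries only the NAMES of the custom headers, never values.
  const wantedHeaders = (headers['access-control-request-headers'] || '')
    .split(',').map(h => h.trim().toLowerCase()).filter(Boolean);
  const ok = ALLOWED_METHODS.has(wantedMethod) &&
             wantedHeaders.every(h => ALLOWED_HEADERS.has(h));
  if (!ok) return { kind: 'rejected', status: 403, headers: {} };
  return {
    kind: 'preflight',
    status: 204, // reply here; do not pass the request on to the next filter
    headers: Object.assign({}, base, {
      'Access-Control-Allow-Methods': wantedMethod,
      'Access-Control-Allow-Headers': wantedHeaders.join(', '),
      'Access-Control-Max-Age': '300',
    }),
  };
}

// Constructed sample: the OPTIONS request from the log in the question.
const preflight = corsDecision('OPTIONS', {
  'origin': 'http://10.19.121.17:7001',
  'access-control-request-method': 'GET',
  'access-control-request-headers': 'authorization, samlrequest, x-partnerkey',
});
console.log(preflight.status, preflight.headers['Access-Control-Allow-Headers']);
```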
I've caught this packet sent from my browser to X site when I log in:
POST http:/page_to_login HTTP/1.1
Host: host_name
Connection: keep-alive
Content-Length: 63
Accept: application/json, text/javascript, */*; q=0.01
Origin: http:/host_name.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36
Content-Type: application/json; charset=UTF-8
Referer: http://name_host.com
Accept-Encoding: gzip, deflate
Accept-Language: en,it-IT;q=0.8,it;q=0.6,en-US;q=0.4
Cookie: __gads=ID=ba4aa3e1f26167ce:T=1420379969:S=ALNI_Max051cucDaIPAjfr_u43Jz3tF-eQ; mlUserID=qoqCnShSTTHg; ebNewBandWidth_.name_host.com=2137%3A1424452854024; ff11_lastvisit=1424960092; ff11_lastactivity=0; __adnt_intro=1; __utma=85431950.643346397.1420379964.1425039982.1425049087.44; __utmb=85431950.10.10.1425049087; __utmc=85431950; __utmz=85431950.1425032713.42.10.utmcsr=dotnethell.it|utmccn=(referral)|utmcmd=referral|utmcct=/forum/messages.aspx; sly_cook_fc=17313 18 0_; comp_drogat-premier-leagueLeghe2015Quad=0=87834; _ga=GA1.2.643346397.1420379964; _gat=1; rta_nxtml=
And this is how the password and username are sent to the server:
{"u":"my_username","p":"my_password","aliaslega":"","check":"u1-L12"}
How can I encapsulate this information and create js/php functions to automatically log in to X site?
I am trying to add a completely custom HTTP header, in this case, as an example, Header=dog with value=cat. When I run this, instead of getting a new header, it appends dog to the values in access-control-request-headers. How do I get a new custom header?
Code:
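// URI is assumed to be defined elsewhere; it is not shown in the question.
const HR = new XMLHttpRequest();
HR.onload = function (e) {
  // response handling left empty in the original
};
HR.open("GET", URI);
// Custom request header under test
HR.setRequestHeader('dog', 'cat');
HR.send();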
Request headers as viewed through Chrome developer tools:
access-control-request-headers: origin, dog
access-control-request-method: GET
origin: http://localhost:8888
accept-encoding: gzip,deflate,sdch
accept-language: en-US,en;q=0.8
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36
:path: /
accept: */*
:version: HTTP/1.1
cache-control: max-age=0
referer: http://localhost:8888/x.html
:scheme: https
:method: OPTIONS
Response Headers
access-control-allow-headers:origin, dog
access-control-allow-methods:OPTIONS
access-control-allow-origin:*
access-control-max-age:300
cache-control:private, no-cache, no-store, must-revalidate
content-length:0