How to send https request to address https://www.googleapis.com/plus/v1/people/me from java script and most important how to get data from server?
I need it to identify users e-mail in my packaged chrome app.
Note that this would violate the same origin policy. Additionally, the whole point of HTTPS is so that the whole page (and request cycle) is secure.
The alternatives would be:
Make the request using JSONP, or
Set up a proxy: let your JS call your own server on the same origin,
which will in turn make an HTTPS request, or
Have an iframe which points to an HTTPS page (on your own server). This page should then be able to make Ajax requests to the server over HTTPS. Using the HTML5 postMessage API, you can then post a message back to the parent window.
Related
I've developed a plugin for a web site, for the sake of this post let's call it www.somesite.com
The plugin has authorization page on my website, let's call it www.mysite.com, which returns cookie upon authorization, which I obviously want to use in subsequent requests to www.mysite.com.
The plugin uses dynamic rules to change Access-Control-Allow-Origin on request to www.somesite.com to "*", so cross-origin requests can be sent from the page to www.mysite.com. However cookies of www.mysite.com are not passed automatically with the request when I send requests from plugin's injected code using XMLHttpRequest. As I understand this is intended browser behavior to prevent "stealing" cookies via cross origin requests, and cookies are only passed if the request is originated from the browser itself.
Question is, is there a way around this? Obviously I'm not trying to steal your cookies :) I just need the cookies of www.mysite.com to be sent automatically in XHR requests I send from the webpage on www.somesite.com domain.
I've seen a similar question, but it required to modify response headers of the origin site, which I obviously have no access to, so in my case that solution won't work. I have access to backend of www.mysite.com, front end of www.mysite.com, frontend of www.somesite.com (via script injection via plugin) and NO ACCESS to backend of www.somesite.com.
Thanks!
I have an Angular web application that I'm hosting on an Apache web server that's configured with the mod_auth_mellon module. With mod_auth_mellon, my Apache server acts as a Service Provider with a SAML 2.0 Identity Provider (iDP), for which I have an established Relying Party Trust.
Once authenticated, the web application will fire off an AJAX call in the background every minute. This call goes through a reverse proxy that I've set up on the Apache server.
The typical browser flow: Once the Apache mellon session (MellonSessionLength) expires, any request going through Apache will redirect back to the SAML iDP to re-negotate. Assuming I'm still authenticated with the iDP, mellon will establish a new session and automatically redirect me back to my original destination. Normally, this re-negotiation is an extra request or two that happens seamlessly behind the scenes.
The problem: The mellon session will typically expire when my background AJAX request is firing, which redirects that request back to the iDP. On the AJAX request back to the iDP, the browser is giving a CORS error and the response includes a generic log-in page (rather than my redirect destination). My (Apache) requests should appear to originate from the same domain as the iDP, but not the same subdomain (but, in reality, they are two different servers): (mywebapp.mydomain.com vs. idp.mydomain.com). If I simply copy the request URL into the browser bar manually, the re-negotiation happens without a problem.
Question #1: As far as I can tell, it's the browser that's blocking this request. Is this an Apache configuration issue?
Question #2: If I can fix the CORS issue, will the JavaScript be able to successfully interpret the response from the iDP such that mellon establishes a new session? I've been reading some articles that give me some pause - some people talk about potentially having to embed a hidden iFrame on the page to handle the iDP response prior to redirecting to the destination URL.
I am using jQuery.post() method to send request to another server and get response from that server.
$.post('http://www.example.com:9876/example/myServletURL',{param1:param1}).done(function(data)
{
alert(data);
});
But I am not getting any response from the server. I have checked on server I am getting the request sent by post method.
If change the URL to Servlet which is in same war file(same domain) I am getting the response.
I have searched and found that this might be because of same origin policy.
My question is that how should I allow cross domain request using jQuery.post() method.
EDIT1
Domain is the same one, but the port numbers are different, for two different servers used for deployement.(Apache web server for php and Glassfish for java)
Solution
I have put following code to allow cross domain requests in my servlet.
response.addHeader("Access-Control-Allow-Origin", "*");
You can't change the cross domain request policy in the request, as that would defeat the security purpose of the same origin policy. CORS (Cross Origin Resource Sharing) has to be enabled on the server that sends the response. The response header must contain 'Access-Control-Allow-Origin': '*'. * allows any site to access the server and can be substituted with a single site if you don't want to give access to everyone. If you have control over the server to which you are posting, http://enable-cors.org/index.html is a great resource on how to enable CORS for your request/response.
What I did in a past project was Posted the data to an ASPX page on my own server from jQuery which then Posted the data to the true destination server. This page also Responded back the Response from the destination server.
I called the page PostData.aspx and sent the destination url as an escaped querystring parameter which kept it soft enough to use on other projects.
You can actually allow Cross Domain Requests on your server but be very careful because this is not very security friendly way.
I did this with PHP where you can allow cross domain by sending some headers in the request. You can do the same in PHP.
May be this link can help you => CrossDomain ajax request using CORS
If not let me know in comments.
i have in my localhost:8111 a restlet app running. This app have a ServerResource that respond http requests from a javascript api that i'm doing.
This Javascript api is running in my apache in localhost, and i want to do http request to the localhost:8111, but i can't for the cross domain problem.
The restlet response in json, which solution is the best in this case?
Thanks!
The same as any other case.
CORS if you want control and are willing to sacrifice some cross-browser support.
JSON-P if you can live with GET only requests and no security over which sites can trigger the request
A proxy on the same origin if you don't need the final server to get credentials directly from the client
I'd like a post request to be sent once a certain text input field is changed, using javascript.
So here is my current code:
<input name="message" onchange="$.ajax({type: \"POST\", url: \"http://example.com/example.php\", data: \"message=\" + document.getElementsByName(\"message\")[0].value});" />
Now, it's working on a regular connection, but it's not working on a secured connection (SSL).
I mean, the page is secured, but the request is sent to a non secured page.
Is there a solution?
Set the target attribute of the form to point to a hidden iframe.
You won't be able to read the response, but you can make the request.
If you want to read the response, you will need to proxy the request through your own server.
As David points out, t is not possible to do an asynchronous POST to a service on another domain, due to the (quite sensible) limitation of the same origin policy. JSON-P only works because you're allowed to insert tags into the DOM, and they can point anywhere.
YOu can do cross-domain AJAX w/ GET using JSONP: JSONP CrossDomain
It also covers how to do JSONP w/ jQuery
same origin policy prevents a document or script loaded from one origin from getting or setting properties of a document from another origin. Two pages are considered to have the same origin if the protocol, port, and host are the same for both pages. http://rj3.net/mdc/sop
make sure you specify ssl in the ajax url, when the rest of your page uses ssl too e.g https
You can't send it from a https to a http site. any https asset (html or otherwise) can only be accessed by something on the same domain / ssl certificate. so, you won't be able to do what you are trying to do (https to http). so since your page is served on https the targeted http site can not access it due to the policy