How to identify javascript cross domain policy error - javascript

I am looking for a method that helps quickly identify if a js form error is related to the cross domain policy mechanism. If possible this method needs to be done from a remote connection, as I do not have access to the production server and everything is working fine in the local sandbox and on the staging server. The issue only comes up on the production server.
This occurs on a Drupal webform that has a file upload field, used for an image upload. IE8 and IE9 fail to upload, the throbber runs indefinitely and a js ajax message is returned and interpreted as a downloadable file. The file contains the ajax response.
I am by no means a js guru and this one has me stumped. How would one identify / troubleshoot this issue?

Related

Difference between Localhost and opening html file

What is the fundamental difference running a file using a server in localhost, and opening a file such as file:///Users/$user_name/$your_directory/index.html, assuming no backend is used, and it is only frontend and contains html/css/js
How does this also affect interactions with other server ie. ajax requests?
I am sorry if this is too broad, but I haven't found a solid answer to these underlying questions.
Fundamentally, assuming at some point you're going to host the result on an actual web server, the former matches the target environment while the latter doesn't. Browsers treat local files and files served from web servers (even localhost web servers) differently, although very similarly. One aspect of this is the encoding: When you retrieve a file from a web server, the process of determining what encoding the data is in is different from opening a local file.
How does this also affect interactions with other server ie. ajax requests?
This is one of the primary ways in which they're handled differently, and it even varies from browser to browser. A page loaded from a file:// URL has origin null from a Same Origin Policy standpoint. Some browsers (like Chrome) disallow Cross-Origin Resource Sharing entirely for origin null, even when the server you're trying to talk to has a wide-open CORS policy (*). Others (like Firefox) allow origin null to match the wildcard.
In general, for best results, ensure that your development environment matches your deployment environment in the important ways. That means doing your development using a web server process rather than local files. Most IDEs will happily provide that process for you; if not, Apache or Nginx aren't hard to install.
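The origin comparison described above, and the opening question of whether an ajax failure involves cross-domain policy at all, as an added example (not code from any of the posts). It classifies a request from the page URL, the request URL and the response headers copied from the browser's network panel; the function names, verdict strings and sample hosts are assumptions made for this example.

```javascript
'use strict';

// Serialised origin as the Same Origin Policy compares it. WHATWG URL gives
// file: URLs an opaque origin, which serialises to the string "null".
function originOf(url) {
  return new URL(url).origin;
}

// Case-insensitive lookup over a plain object of captured response headers.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : String(headers[key]).trim();
}

// pageUrl: the document making the request; requestUrl: the ajax target;
// responseHeaders: headers copied from the browser's network panel.
function diagnose(pageUrl, requestUrl, responseHeaders = {}) {
  if (!/^https?:$/.test(new URL(requestUrl).protocol)) {
    throw new Error('only http(s) request targets are modelled');
  }
  const page = originOf(pageUrl);
  const target = originOf(requestUrl);
  const acao = header(responseHeaders, 'access-control-allow-origin');
  let verdict;
  if (page !== 'null' && page === target) {
    verdict = 'same-origin'; // cross-domain policy is not involved
  } else if (acao === undefined) {
    verdict = 'blocked-no-header'; // the server never opted in to CORS
  } else if (page === 'null') {
    verdict = 'browser-dependent'; // origin null: browsers disagree
  } else if (acao === '*' || acao === page) {
    verdict = 'allowed';
  } else {
    verdict = 'blocked-origin-mismatch';
  }
  return { page, target, verdict };
}

// Constructed sample inputs (hypothetical hosts and paths).
const samples = [
  ['http://localhost:8080/index.html', 'http://localhost:8080/data.json', {}],
  ['file:///Users/me/site/index.html', 'http://localhost:8080/data.json',
    { 'Access-Control-Allow-Origin': '*' }],
  ['https://www.example.test/form', 'https://files.example.test/upload', {}],
];
for (const [p, r, h] of samples) console.log(diagnose(p, r, h));
```

A `same-origin` verdict means the failure has to be looked for elsewhere; scheme, host and port all count, so `http://localhost` and `http://localhost:8080` are different origins.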
The answer is simple.
If you haven't made an active backend yet for "index.html", then it would not have an effect, e.g. "localhost" and "index.html" will be the same this time.
But when you start working with the backend, most of the backend processes need an active server (need localhost).
E.g.:
1.
fetch('local.json')... //fetch json or any file would not work for local files.
2.
You may not interact with mysql/django etc. databases.
This means it causes errors in signup/login, storing any image/video/docs in the database, etc.
So it is better to work in localhost. The easiest way is:
VScode (IDE) >> extensions >> live server (just need to click a button to make
localhost and click again to stop localhost)
https://marketplace.visualstudio.com/items?itemName=ritwickdey.LiveServer
It won't make any difference, I think.
But there is an exception when using Chrome! Sometimes I have seen that if an html file includes some CDN link, then it doesn't load into the html specifically in Chrome, but if you try the same file in Firefox or Internet Explorer, it works.
I have faced this problem and hence I always put it under local IIS default website.

Can a file served by http (localhost or remote) be accessed from a local file opened through file:// protocol? And vice versa? How to implement this?

I've got several html files (TiddlyWiki Classic instances) which are stored on a USB-stick (and for it to remain removable, I open them through the file:// protocol). I use Ajax (via SharedTiddlersPlugin, but that's not that important) to load contents of some of them into others of them and that works nicely.
I've also set up several TWs using localhost (WAMP # Windows 10 and a simple saving server called MicroTiddlyServer, the latest version can be found here). But "including" (via Ajax request) from localhost to file and from file to localhost doesn't work.
So, the question is which ways of including (loading content of an html using JavaScript) are possible:
1. from file to localhost? Meaning that I open a TW at localhost and get contents of a file on my USB-stick (looks like a big security issue, so it's more likely that this is forbidden, at least using Ajax, but may be there's some workaround),
2. from localhost to file? (my guess is it's possible via CORS, but adding Header set Access-Control-Allow-Origin "*" to <Directory ...> of Apache's httpd.conf prevents my server (WAMP pack # Windows 10) from working and putting .htaccess file with the Header set Access-Control-Allow-Origin "*" content into the TW directory causes Internal Server Error \n The server encountered an internal error or misconfiguration and was unable to complete your request.)
3. from remote server to file? (I guess this shouldn't differ much from 2. aside that I usually can't configure the server as I'm not an admin; but as I'd like to use TW as an RSS aggregator, let me include this here, too; this also would help including from and TWs on my smartphone which can be served from there using a PHP server; including to TWs on the smartphone requires localhost->remote server, though, which seems forbidden, too)
I really need some working examples (not necessarily with TW, just with html files) as I'm kinda lost in all those CORS questions and tutorials (the latter being about http, not file protocol). Actually, any working solution (not necessarily via Ajax) will do if:
my USB-stick remains removable at any time except for saving moment
the server-side part can be done at Android as well (PHP is good, Python should do as well, although I haven't tested it yet) and server config is described clearly (well, this happened to be not clear enough in my case)
including remains async
In fact, there's quite a number of ways described for servers, but working with file:// is somewhat different (there's no server to configure!).
The main goal of this question is to understand whether I have to create a server which will serve TWs on USB-stick once it's inserted or I can achieve all 3 goals in a "mostly client-side" way (opening TWs through file protocol). But also I hope that working examples will be helpful for others since this topic seems somewhat poorly documented.
For evident security reason this behaviour is not allowed.
from file to localhost? Meaning that I open a TW at localhost and get contents of a file on my USB-stick (looks like a big security issue, so it's more likely that this is forbidden, at least using Ajax, but may be there's some workaround),
It is not allowed as you cannot use Access-Control-Allow-Origin in an html meta tag.
from localhost to file?
from remote server to file?
Actually, that's the same, there's a web-server, so it's the same mechanism. And as no server will respond with the Access-Control-Allow-Origin header, you cannot access file:// url.
yes accessing file from a server is surely a security issue, but why accessing a server from a file-served html is an issue?
If you could do that, you could send your entire hard drive anywhere on the web just by double clicking on a file.html in your file explorer...
The only way to access your content is to serve it, sorry.

Javascript library (tabSlideOut) hosted on GoogleCode returning 403 error

One of the Javascript files we use in a website is reporting a 403 error when we try to request it from googlecode.com.
http://tab-slide-out.googlecode.com/files/jquery.tabSlideOut.v1.3.js
Failed to load resource: the server responded with a status of 403 (Forbidden)
This has previously been working without any problems for many months.
The problem is inconsistent in that it seems to work in my office but if I log on to an external machine it returns the 403. This may be down to caching so I'm not focusing too much on that.
Does anybody have any ideas how this might have happened? It's quite worrying that code hosted externally can suddenly be inaccessible!
It seems working at my end as well.
You may track the URL requested using firebug.
or
Please provide the URL of webpage in which you are accessing JS file because sometimes cross site scripting is the reason.
Thanks,
Krishan
Alan, I had to find another source for the .js file. I downloaded it from the page below and referenced it from within my site. The file I found is under the Android section of code.google.com, but it appears to be working fine:
http://code.google.com/p/androidoc/downloads/detail?name=jquery.tabSlideOut.v1.3.js&can=2&q=
Vince

Client side includes on local machine

I obviously can't use server side languages, this is just a page on my desktop.
I tried using AJAX with jquery, but I get the following error message
Sorry but there was an error: 0 [Exception... "Access to restricted URI denied" code: "1012" nsresult: "0x805303f4 (NS_ERROR_DOM_BAD_URI)" location: "https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js Line: 4"]
It has to do with the browser not loading scripts because it's hosted locally or something. So is there any way I can include files on a local machine without installing web server software?
This is an XSS error. You can't make http requests to third party sites (urls not on your domain). You would need to use a proxy to make requests to the page (or have the owner allow your site to make XSS requests).
Shameless plug of a library that I wrote to solve a similar problem. We wanted to be able to splice HTML files for backend implementations without the overhead of a local HTTP server implementing server side includes. This library works on HTTP or local filesystem. But, as the repository README notes, you'll have to enable a --allow-file-access-from-files flag to your Chrome runtime. Other browsers work out of box.
https://github.com/LexmarkWeb/csi.js
<div data-include="/path/to/include.html"></div>
The above will take the contents of /path/to/include.html and replace the div with it.

Getting an ActiveX warning when I load a page via HTTP that has an HTTPS remote javascript included

So basically I have a basic page that is loaded via http.
Inside this application I want to include a remotely hosted JS file. Currently when I load the page I always have the ActiveX warning about security. I pretty much tried every possible way to include the JavaScript file (jquery.getScript, creating a node programmatically, escaping characters and all that stuff).
The JS file itself is on a domain that is on HTTPS, but the certificate is not valid (pointing somewhere else apparently). (It's our QA server.) I do not have access to the server and therefore am not able to modify anything server side.
If I click on the warning and select "Display blocked content" the JS file is still not loaded.
The warning bar itself says :
To help protect your security, Internet Explorer has blocked this
website from displaying content with security certificate error. Click
here for options...
Options are :
Display blocked content
What's the risk ?
Information bar help
If I go to the javascript file itself I have this warning :
There is a problem with this website's security certificate.
The security certificate presented by this website was issued for
a different website's address.
Security certificate problems may indicate an attempt to fool you or
intercept any data you send to the server. We recommend that you
close this webpage and do not continue to this website. Click here
to close this webpage. Continue to this website (not recommended).
Is there a way to make a workaround ?
This message: "The security certificate presented by this website was issued for a different website's address" means that the URL/hostname that you're using to access the site isn't the URL/hostname for which the site has a certificate. If you run Fiddler (www.fiddler2.com) with HTTPS-decryption enabled, you'll get a popup alert that explains this mismatch more clearly (specifically, by showing you what Hostname the server is expecting you to be using). You can then correct your markup to refer to the site using the correct hostname, which will correct the certificate error and make the problem go away.
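The hostname check behind that warning, as an added example (not code from the original answer): it uses Node's `tls.checkServerIdentity` to compare the hostname used in the script URL against the names in a certificate, and lists the names the certificate does cover. The certificate fields and the `example.test` hostnames are constructed for illustration, and `namesCovered` and `explainMismatch` are hypothetical helper names.

```javascript
'use strict';
const tls = require('tls');

// Names a certificate is valid for: subjectAltName DNS entries, falling back
// to the subject CN only when no DNS SAN is present.
function namesCovered(cert) {
  const sans = (cert.subjectaltname || '')
    .split(',')
    .map((s) => s.trim())
    .filter((s) => s.startsWith('DNS:'))
    .map((s) => s.slice(4));
  if (sans.length > 0) return sans;
  return cert.subject && cert.subject.CN ? [cert.subject.CN] : [];
}

// Report whether `hostname` (taken from the script URL in the markup) matches
// the certificate and, if not, which hostnames the certificate was issued for.
function explainMismatch(hostname, cert) {
  const err = tls.checkServerIdentity(hostname, cert);
  return {
    hostname,
    matches: err === undefined,
    expected: namesCovered(cert),
    reason: err ? err.message : null,
  };
}

// Constructed certificate fields, shaped like the object returned by
// tls.TLSSocket#getPeerCertificate().
const qaCert = {
  subject: { CN: 'www.example.test' },
  subjectaltname: 'DNS:www.example.test, DNS:static.example.test',
};
console.log(explainMismatch('qa.example.test', qaCert));
console.log(explainMismatch('static.example.test', qaCert));
```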
