I mean, there are some developer/other tools that let change variables in Javascript enviroment and so on. Consider I have an AJAX request. So could user, for instance, manipulate variables I send with AJAX request so that they see something they are not used to see? Or, for instance, manipulate value of <select> so that it is other, not like in options given. I hope you understand what I mean.
But how to implement AJAX in this case? Can client create his own request? So just send error back if request was not like it should be?
I send with AJAX request so that they see something they are not used to see?
YES!
You can't rely on client side scripting for security!
Check out:
Fiddler
Firebug
After your edit:
Can client create his own request?
Yes.
So just send error back if request was not like it should be?
Yes.
It's not "your" Javascript code. It's a bunch of characters you send to the client in the hopes that it will do something useful with it.
Javascript doesn't "work" by default. Everything that happens happens because the client did it. So yes, the client affects everything about the workings of your Javascript code.
Related
Ok here's my problem. I'm working on this little site called 10winstreak and I'm trying to detect if a stream is live or not with javascript because our server that we run the site off of cant handle processing every single request with PHP. The basis of detecting if a stream is live or not is you go to their XML file and in one of their tags (if it's live) it will say something along the lines of true and often time the XML file on their site will be empty if a particular stream isn't live. for example if you have a twitch.tv stream for gamespot you go to http://api.justin.tv/api/stream/list.xml?channel=gamespot and if it's got stuff in it then it's live if not then it's not.
so basically my code looks like this:
function check (URL, term){
$.get(URL , function(data){
console.log(data);
//data is whatever the server returns from the request, do whatever is needed with it to show who is live.
var number = data.search(term);
if (number > -1)
{
document.write("Live");
}
else
{
document.write("Offline");
}
});
}
and URL is a url that gets passed in and term is the term to search for in the xml file (usually "true" or "True"). but before anything happens I end up with "XMLHttpRequest cannot load http://api.own3d.tv/liveCheck.php?live_id=6815. Origin (my server's URL) is not allowed by Access-Control-Allow-Origin."
I've looked into it all over the net and i dont seem to be able to find anything that I can use. there's alot of theory stuff but not enough actual code and i dont understand the theory stuff to be able to start typing code out. from what i've seen you have 2 ways to go, use JSONP or add a line somewhere in your sever to allow for cross-domain accessing. neither of which i understand fully nor know how or what to do. It would be alot of help for someone to show me what needs to be done to get rid of this error. of course if you can explain it to a non-coder like me it would be even more awesome but at my current point, as long as the code works for all I care it might as well be magic lol.
You can solve it :)
Take a look at xReader
<script src="http://kincrew.github.com/xReader/xReader.full.js"></script>
<script type="text/javascript">
xReader("http://api.own3d.tv/liveCheck.php?live_id=6815", function(data) {
alert(data.content);
})
</script>
I think you need cacheburst option. but you can be banned from YQL.
I think its because the path is not relative. You may be calling this from a different domain/sub-domain. You can potentially allow other origins to access, which may open up a security hole or you can create a proxy locally.
In PHP creating a proxy is easy: http://blog.proxybonanza.com/programming/php-curl-with-proxy/
Now, instead of directing your request straight to that URL send the request from jQuery to your own local url and have it access it on the server side.
Another option would be to use YQL: http://www.parrisstudios.com/?p=333 (I wrote an article about this a while ago)... In that way you can turn the response into JSON, which can be accessed cross-domain (as can javascript).
You could ask for the API responses to all be returned using a JSONP server and in JSON.
You aren't going to be able to do this via client-side javascript unless they've enabled some way to retrieve their data cross-domain (CORS, JSONP, some flash widgety thing getting read permissions from crossdomain.xml file(s) located on their server...)
Short answer: unless 10winstreak offers a JSONP service, you'll have to do things on the server-side.
Slightly longer answer:
For security reasons browsers won't let you make AJAX requests from www.example.com to www.example2.com (or any other domain except www.example.com). There isn't much you can do about this except use JSONP (and you can only do that if the remote webservice offers it).
Therefore, what you end up needing to do is ask your server "hey what's on that other server?" and (since it's not limited the way a browser is) it can go get the XML from that other server. There are various ways of doing this, either with code or Apache config; not sure what's right for you, but hopefully now you understand the general principle.
P.S. See this question: Wouldn't have been simpler to just discard cookies for cross-domain XHR? if you are curious why browsers do this.
* EDIT *
I just checked out JustinTV's site, and it appears that they already have a PHP library for you to use:
https://github.com/jtvapi/jtv_php_api
This is very likely your best bet (if you want to keep using PHP that is; if not they have libraries for other languages: http://www.justin.tv/p/api).
Is it possible HTTP Accept headers using only javascript? I know using PHP I would do something like this $_SERVER['HTTP_ACCEPT'], but as far as I can tell javascript doesn't have this.
Perhaps I could do something with an XmlHttpRequest?
Any help would be awesome!
Thanks,
Mike
RE: "The headers sent to the server."
You could echo them back out in the server's response, and get them that way.
IE.) On a web-page you could make a hidden form field with the value, or pop the value into the javascript that gets emited from the page.
From a web service, you could include the value of the incoming header in part of the outgoing XML or JSON.
If you're using XmlHttpRequest, you could send a header back to the client with this value.
Possibilities are endless.
I'm dubious of why this would ever be useful though. The client should know what it's expecting before it requests it.
Are you looking for headers sent from the server or to?
If you're using Firefox and want to look at or alter headers going from the browser to the server, you might look at the sources for the Modify Headers plugin. It's not pure javascript, but it may help shake something loose.
I need to submit a form using JavaScript. The problem is my JavaScript POST request gets an “OK — 200” response. In order to make it 302 I think I need to use response.sendredirect in my JavaScript JSP function. Can any body tell me how to use it? With example code.
You won’t use response.sendredirect in your JavaScript, there’s no such thing. If you’re submitting a form using JavaScript, then JavaScript is your HTTP client. It sends the POST request, with the form data, to whichever server you’re submitting to.
The server then sends the HTTP response back to your JavaScript. It’s currently sending 200, but you’re looking for it to return a 302 redirect instead. You’d use response.sendredirect on the server to do that — it’s not part of your JavaScript. There’s also no way to specify what sort of response you want in HTTP. It’s entirely up to the server.
So, judging by your tags, you’ll want to use response.sendredirect in your JSP code on the server. I’m afraid I’m not familiar with JSP, so I can’t really help there. It might help other answerers if you post some of your server-side code though — at the moment we’ve got no idea what’s going on there.
Is it possible to communicate and update data in a page without reloading, but without using the XMLHttpRequest object, AND sharing the same connection or socket every time (so, without closing the connection for every request)?
Make your server send back a "page" which is the usual HTML followed by a series of <script> tags that are output slowly over time. The whole thing works over the single socket that delivered the HTML page.
You can't communicate back from the client to the server that way - you'd need to make a new request to the server each time you did that, but with HTTP 1.1 that will reuse the same socket each time anyway.
No.
You can change the content on the page with just Javascript, however if you want content from the server, you're going to have to use an XMLHttpRequest object.
Edit: Looking at the link above about "long polling"
My answer changes depending upon what you mean. Do you mean you don't want to use an XMLHttpRequest object at any level? Or do you mean that you don't want to have to use the raw XMLHttpRequest object.
Because in the end jQuery is going to use an XMLHttpRequest object. However if you just don't want to have to deal with the raw object, then you can use something like jQuery.
Looking at the answer above:
Okay, I understand what you were talking about...however the page you are linking is talking about something completely different.
Here's the problem:
1.) We have page here... www.blah.com/mypage.html
2.) That page requests a js file www.foo.com like this...
<script type="text/javascript" src="http://www.foo.com/jsfile.js" />
3.) "jsfile.js" uses Prototype to make an Ajax request back to www.foo.com.
4.) The ajax request calls www.foo.com/blah.html. The callback function gets the html response and throws it into a div.
This doesn't seem to work though, I guess it is XSS. Is that correct?
If so, how can I solve this problem? Is there any other way to get my html from www.foo.com to www.blah.com on the client without using an iframe?
It is XSS and it is forbidden. You should really not do things that way.
If you really need to, make your AJAX code call the local code (PHP, ASP, whatever) on blah.com and make it behave like client and fetch whatever you need from foo.com and return that back to the client. If you use PHP, you can do this with fopen('www.foo.com/blah.html', 'r') and then reading the contents as if it was a regular file.
Of course, allow_remote_url_fopen (or whatever it is called exactly) needs to be enabled in your php.ini.
There is a w3c proposal for allowing sites to specify other sites which are allowed to make cross site queries to them. (Wikipedia might want to allow all request for articles, say, but google mail wouldn't want to allow requests - since this might allow any website open when you are logged into google mail to read your mail).
This might be available at some point in the future.
As mentioned above JSONP is a way around this. However, the site that you are requesting the data from needs to support JSONP in order for you to use on the client. (JSONP essentially injects a script tag into the page, and provides a callback function that should be called with the results)
If the site you are making a request to does not support JSONP you will have to proxy the request on your server. As mentioned above you can do this on your own server or what I have done in the past is use a http://www.jsonpit.com, which will proxy the request for you.
One option is to implement a proxy page which takes the needed url as a parameter. e.g. http://blah.com/proxy?uri=http://foo.com/actualRequest
JSONP was partially designed to get around the problem you are having
http://ajaxian.com/archives/jsonp-json-with-padding
JQuery has it in their $.getJSON method
http://docs.jquery.com/Ajax/jQuery.getJSON
The method shown above could become a large security hole.
Suggest you verify the site name against a white list and build the actual URI being proxied on the server side.
For cross domain hits this is a good working example and now is considered as some what "standard" http://www.xml.com/pub/a/2005/12/21/json-dynamic-script-tag.html.
there are other ways as well, for eg injecting iframes with document.domain altered
http://fettig.net/weblog/2005/11/28/how-to-make-xmlhttprequest-connections-to-another-server-in-your-domain/
I still agre that the easy way is calling a proxy in same domain but then it's not truly client side WS call.