Making crossdomain ajax requests with addons for Firefox - javascript

I'm a bit confused about how you can or cannot make crossdomain ajax requests in addons for Firefox. Addons such as LastPass and Xmarks suggest you can do it, however when I try to google how you do it, everyone seems to say you cannot, unless the user has set a preference in the settings of Firefox. If crossdomain isn't possible, then how do Xmarks, LastPass and other addons handle the communication with their respective servers?

You most definitely can make cross-domain XMLHttpRequests in Firefox add-ons.
There's a reference to it here: https://developer.mozilla.org/en/Extension_Frequently_Asked_Questions#I_cannot_initiate_an_XMLHttpRequest_from_my_extension

Related

How to log XHR request in Network Tab in Chrome even when dev tools is not opened?

Chrome Console always keeps logs, no matter if the dev tools are opened or not. I want same for network tab.
Is it possible to log XHR requests in Chrome even when developer tools are not opened? If not, is it possible in other browsers?
You could use a proxy outside of the browser such as Fiddler for this. It's great, and the author of the tool even responds to questions about it on Stack Overflow!
https://www.telerik.com/fiddler
(I don't work for Fiddler, but it was there for us in the days before browsers had dev tools)
It sounds like you want some logging. Chrome has a bunch of internal things it stores, you can check out chrome://chrome-urls/
Specifically chrome://net-export/
Also chrome://net-internals/#events may be of interest. These things work across tabs, so imo it's nicer than having 20 chrome consoles open =p
https://dev.chromium.org/for-testers/providing-network-details
Unfortunately, it is not possible to log XHR requests in the Network Tab in Chrome when developer tools are not opened. And I do not know which other browser supports it.
Alternative solution
But you could try the following extensions for Chrome:
ApiRequest.io Ajax Capture Debugging Tool. Capture API Requests and Responses in browser and share via a link. Makes collaborative debugging and issue solving easier.
Tamper Chrome (extension). Allows the user to modify requests as they happen.
Live HTTP Headers. Monitor all HTTP/HTTPS traffic from your browser. Live HTTP Headers logs all HTTP traffic between your Chrome browser and the Internet.
And about "ApiRequest.io Ajax Capture Debugging Tool" you could read this developer's article:
How we captured AJAX requests from a website tab with a Chrome Extension
Some of these extensions you could find for other browsers too.

Chrome Extension to solve Mixed Content?

I would extremely appreciate some help with the following issue:
I have a payment web app hosted in IIS and configured for SSL. I need to integrate a POS terminal (or pin-pad) with a static IP that's not SSL compatible. I can talk to it running the site without SSL (HTTP to HTTP), but not HTTPS to HTTP - obviously getting "Mixed Content ..." error as Chrome doesn't allow that. I don't need to care about other browsers, but I can't run my site HTTP and as mentioned terminal doesn't support HTTPS.
Now, before you mark it as duplicate - I've read:
sending request from https to http from chrome extension,
Chrome extension - Disable Blocking of Mixed Content
Since v38, Chrome extension cannot load from HTTP URLs anymore, workaround?.
And it looks like Chrome extension might provide a solution. I don't have any experience with Chrome extensions though, but comfortable with JavaScript. I would prefer to avoid chasing something that would result in a dead-end. So, my question is - am I on the right path? If so, how do I go about implementing this? How do I go about delegating the ajax post call to the extension?
Any thoughts, ideas, tips, suggestions would be highly appreciated!
If you are going to use a chrome-extension, do you want everyone who visits your payment site to install the extension first? If the answer is yes, then sure, a chrome-extension can help with that. Take a look at the following guides:
Cross-Origin XMLHttpRequest, it tells you that the background page can send a request to an http site, even if the current page is https
chrome.webRequest.onBeforeRequest, it tells you that you could redirect an http(s) request.

How to do a Cross-Domain AJAX request in IE8 with Chrome Frame

I've got an application that needs to support IE8 (with Google Chrome Frame), that will make cross-domain requests. I understand regular IE8 makes use of XDomainRequest for these calls, but when using Chrome Frame and looking through the console, I don't see XDomainRequest listed in the window object.
Since I'm using Chrome Frame, I understand I'm using the Chrome JavaScript engine... but does this mean I should be able to use XMLHTTPRequest for CORS? When I try that, I get a cross-domain error in the console.
Can someone clarify how this should be working? I'm confused.
IE 8 doesn't support CORS, but you can look into JSONP if you're only doing GET requests. There are, however, a few security concerns with JSONP.
Another approach is doing a reverse proxy which means you create a page/service on your own domain that in turn makes the request to the other domain. This gets around the cross domain issue since the browser requests a resource on your domain.

Can Internet Explorer send cookies from Flash?

I have a webpage that embeds a flash widget that sends AJAX POSTs. I use PHP to interpret these on the server.
The problem is that Internet Explorer doesn't send the "Cookie" HTTP header from the requests generated in the Flash, so I'm unable to pick up my PHP session on the server.
Chrome and FF do send the Cookie header from inside the flash.
I've tried the P3P headers and browser security settings changes.
Does anyone know if this is possible within IE? I can't change the flash, so would have to be a browser setting, or ideally, some HTTP change...
If it's a problem with IE you can probably fix it for yourself by installing the newest version of IE and Flash on your computer. Other people are probably going to have trouble with it however. I really don't know what you are talking about with "Cookie" header but I don't see why that would stop you from handling a request if it is getting sent. If you wanted to post the code that is handling the request that would probably be helpful.
In reality, you probably shouldn't be using a Flash solution to handle your ajax requests.

Cross domain cookie using CORS in Safari

I followed the example: http://arunranga.com/examples/access-control/credentialedRequest.html
from this page: http://arunranga.com/examples/access-control/
The example works in Firefox, but not Safari. Has anyone tried implementing CORS cross-domain cookie handling and been successful in Safari?
Thanks.
Safari also blocks cookies from sites that haven't been visited directly. You can see this in the security settings. Its default setting is Accept cookies: "Only from sites I visit".
This will help get you started.
Setting cross-domain cookies in Safari
I have jsonp working in safari using methods in the above link. So assumed that the cookie would work in the CORS context, but at this stage it doesn't seem to be working. Also, changing the security setting seems to have no effect.
Safari might demand a stricter set of headers to be returned?
This sounds like a Safari bug. I just verified that cross-domain cookies aren't being set in Safari. Cross-domain cookies are working in Chrome, so this may be fixed in WebKit and the latest hasn't made it to Safari yet. I haven't seen a Safari or WebKit bug report about this.
I encountered this with API/UI apps on different subdomains of Heroku, like my-api.herokuapp.com and my-ui.herokuapp.com, session cookie was set for my-api.herokuapp.com. Even visiting my-api.herokuapp.com didn't seem to help Safari in this case with its default 'Only from sites I visit' policy #23inhouse mentioned: http://content.screencast.com/users/artemv/folders/Jing/media/4dfc08d7-0e9c-483f-a272-bbe91549ea95/00000759.png.
However, Safari worked just fine when we assigned a custom domain to these apps and it became my-api.mydomain.com and my-ui.mydomain.com - so it looks like Safari has particularly low trust to popular hosters' subdomains. No direct visit to my-api.mydomain.com was needed in this case.
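
The answers above concern Safari's cookie policy; separately, every browser rejects a credentialed CORS response unless its headers meet the rules checked below. This is an added example, not part of the original posts: the header names are the standard CORS ones, while `checkCredentialedCors`, the origins and the sample responses are constructed for illustration.

```javascript
// Checks response headers against the rules browsers apply to credentialed
// CORS requests (XMLHttpRequest with withCredentials = true).
function checkCredentialedCors(requestOrigin, responseHeaders) {
  // Header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  const problems = [];
  const allowOrigin = h['access-control-allow-origin'];
  if (allowOrigin === undefined) {
    problems.push('missing Access-Control-Allow-Origin');
  } else if (allowOrigin === '*') {
    // "*" is only honoured for requests sent without credentials.
    problems.push('wildcard origin is rejected when credentials are sent');
  } else if (allowOrigin !== requestOrigin) {
    problems.push('Access-Control-Allow-Origin does not match the request Origin');
  }
  // The value must be the exact, case-sensitive string "true".
  if (h['access-control-allow-credentials'] !== 'true') {
    problems.push('Access-Control-Allow-Credentials must be "true"');
  }
  // Advisory: a server that echoes Origin per request should also send
  // Vary: Origin so a cache does not hand one origin's response to another.
  const vary = (h['vary'] || '').toLowerCase().split(',').map((s) => s.trim());
  const specific = allowOrigin !== undefined && allowOrigin !== '*';
  if (specific && !vary.includes('origin') && !vary.includes('*')) {
    problems.push('Vary: Origin missing (needed if the server echoes Origin)');
  }
  return problems;
}

// Constructed sample data.
const sampleOrigin = 'https://my-ui.example.com';
const goodResponse = {
  'Access-Control-Allow-Origin': 'https://my-ui.example.com',
  'Access-Control-Allow-Credentials': 'true',
  'Vary': 'Accept-Encoding, Origin',
};
const badResponse = {
  'Access-Control-Allow-Origin': '*',
  'Access-Control-Allow-Credentials': 'TRUE',
};

console.log(checkCredentialedCors(sampleOrigin, goodResponse)); // no problems
console.log(checkCredentialedCors(sampleOrigin, badResponse));  // two problems
```

A response that passes these checks can still fail to set a cookie when the browser's own third-party cookie policy blocks it, which is the situation the Safari answers describe.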
