I am having a problem passing my test user's PKI certificates in the headless mode. I am using Java Selenium WebDriver 4.3.0. When I run my test suite in normal mode, my profile and certificates are picked up perfectly. Profile users are selected by the ChromeOptions class by identifying the --user-data-dir= . I have different profiles for each of my test users. Then the certificate is selected by the policy setting (i.e, AutoSelectCertificateForUrls). That also works perfectly. As I navigate to different URL locations my test certificates are presented and accepted correctly when I run in the normal mode.
When I change the mode to Headless=true (i.e., ChromeOptions.addArguents("--headless"), it all falls apart and no certificate is presented when I open a Chrome browser and hit any webpage.
I found that Firefox was extremely simple to manage profiles and PKI test certificates!!! When a test runs in normal mode and works perfectly, all I have to do is set the FirefoxOptions.addCommandLineOptions("--headless"); and it still works perfectly in the headless mode. Not so with Chrome!!!
Does anyone know the correct solution? I could use the information. I am really stuck here.... Is there a way to still make Chrome present PKI certificates in headless mode or does anyone know that this feature really does not work for Chrome/Chromium? Then I could stop wasting my time!
Thanks in advance for your help!
Well I actually found my own answer.
Unfortunately, it does not work!!!
It is all explained in the following issue.
Issue 1310715: Headless Chrome not using installed client (authentication) certificates from the store.
This issue shows the steps to reproduce.
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
Steps to reproduce the problem:
Have a website behind a webserver that has browser client authentication with an SSL certificate.
Install the certificate in the certificate store of Chrome under $HOME/pki/nssdb folder. My certificate was in pk12 format, so I used pk12util to install it.
The installation must exit with: 'pk12util: PKCS12 IMPORT SUCCESSFUL' message.
Add a policy to your website under /etc/opt/chrome/policies/managed, so that Chrome provides the certificate automatically to the site's webserver.
Open the website.
What is the expected behavior?
When the browser is started in headless or headful mode, the browser should provide the certificate to the webserver and proceed further.
What went wrong?
Only in headful mode does the browser provide the certificate to the webserver. Headless mode does not. There's this error in the logs:
The issue response states the following:
Headless Chrome doesn't currently implement client certs. Switching this to a feature request that the headless folks can triage. Mechanically, client certs are come out of //content via CreateClientCertStore and SelectClientCertificate. Headless doesn't have a way to show UI, so it always continues without a client certificate.
https://bugs.chromium.org/p/chromium/issues/detail?id=1310715&q=component%3AInternals%3EHeadless&can=2
I have Google Chrome Browser running version 89.0 The user agent of my browser displays the following string:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36
What does each field in the above syntax format represents ?
It’s entirely arbitrary what you put in the user agent field so there is no standard as to what format to use.
Saying that, for historical reasons, browsers like to claim to be lots of different browsers. Great post on that here: https://webaim.org/blog/user-agent-string-history/
This was mostly because some sites would use the user agent to guess the capabilities of the browser asking for a page and try to serve different versions depending what that said.
This was fraught with problems (hence why browsers had to pretend to be other to avoid getting a substandard page) and there are now much better ways to feature detect on the client side in CSS and JavaScript.
Additionally there are privacy issues with having such a specific version as with, along with just a few other items to make it more unique, it’s pretty easy to track individual users.
On the server side, User Agent Client Hints will allow a browser to tell the site what it supports, rather than a site guessing based on the user agent. Much more accurate and future proof.
Chrome has even said to it intends to freeze the user agent at some point to stop people depending on it. So I wouldn’t build anything depending on it.
I am not an experienced web developer by any means, so I apologize if this is very basic / newb question. I did try researching this error message, but my skillset lies in different areas, so I was hoping someone could maybe give me a pointer.
We have a SWG (secure web gateway) inline that may or may not be causing this, since access works in IE, but not in Chrome - and the SWG just went inline recently - so am trying to find some root cause for this error.
here is the error message that I pull out of Chrome's Console debugger:
XMLHttpRequest cannot load .... No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://www.youtube.com' is therefore not allowed access. The response had HTTP status code 403.
the "..." shows a URL that referes to a googlevideo.com link, but I am trying to view a video on youtube.com - any video for that matter.
seems that this is an XSS defense mechanism, but I dont see any blocks in the SWG, nor are some of the next-gen features even enabled
Chrome version - Version 51.0.2704.63 m (64-bit)
IE version - 11.0.9600.18314
any help is appreciated.
--disable-web-security now requires the use of the --user-data-dir flag.
Start-up your chrome with below command on windows:
chrome.exe --disable-web-security --user-data-dir
OR
Open Properties window of Google Chrome short cut icon available on desktop.
Go to the Shortcut tab
Specify the following flag at the end of path
"C:...\Application\chrome.exe" --disable-web-security --user-data-dir
Just specifying --disable-web-security --user-data-dir (without a value) worked for me.
If this didn't work for you then try specifying some folder path:
--user-data-dir=$HOME/path/to/some/folder
We are beginning to see requests in our Apache Logs in the form
/abc/(null)
These requests all have MSIE 8.0 and Trident 4.0 in the User-Agent field. The requests began to appear when we hadn't deployed any changed code for several weeks.
What is the source of these requests? Is this a bug in MSIE 8?
What is a systematic way to determine if this is a browser bug, javascript library bug or an issue with our code?
It's likely either a buggy browser, buggy plugin, or a bot. There are a lot of bots out there crawling websites (badly) and pretending to be browsers.
I wouldn't worry about it unless it's actually causing a problem.
Here's a discussion of the (null) requests and how to block them: http://www.webmasterworld.com/apache/3837651.htm
Given that Chrome and Safari use webkit has anyone yet found anything that renders differently on Chrome than Safari? Is there any reason at the moment to test sites on both, or would testing Safari be sufficient for right now?
Part of this is knowing what is dependent on the rendering engine and what isn't. Javascript, for example, is handled differently in both browsers (google has their own custom javascript renderer), so if your page uses javascript substantially I'd test it in both.
This is probably a good place to note that Chrome has been added to BrowserShots so you don't even need to have it installed to test on it and Safari.
Google Chrome also uses an earlier version of Webkit than the current Safari, so pages should be checked in both browsers.
They are very similar, but not identical. For example, I remember reading that Apple put a lot of work in Safari to get Apple-style font rendering there, and I doubt Google duplicated that effort.
They don't ship synchronized releases of WebKit. For example,
Google Chrome
Official Build 2200
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.30 Safari/525.1
versus
Safari
3.1.2
Mozilla/5.0 (Windows; U; Windows NT 6.0; pl-PL) AppleWebKit/525.19 (KHTML, like Gecko) Version/3.1.2 Safari/525.21
WebKit is very modular, so they have different drawing and javascript engines. Plugins are handled in significantly different manners as well.
In practice, I have not seen any site that acts differently, and the two browsers should have identical behavior, as far as any sane webpage is concerned. You could, of course, sniff the user-agent and force different behavior...
So no, there is no reason at the moment to test both. Keep in mind that Google does not have a stable release of Chrome yet.
No, and some specific UI differences include not rendering text-shadow and box-shadow the same between them. Same with border-radius. I'd avoid using these three (advanced) CSS rendering rules if you're working with Chrome.
Chrome and Safari have different font rendering on Windows. Safari includes Apple's font rendering which to a Windows user is a bit fuzzy-looking. On OS X, they both use the platform's native font rendering. So Safari looks like OS X on both systems, whereas Chrome looks like the platform it's running on.
This is in addition to other points mentioned by people who know more than I do. :)
No. This would be a similar question to "Does Chrome Render the same as Konqueror", and altho the Webkit ( HTML Renderer ) versions may be different, the Java script engines are very different between Chrome, Safari and Konqueror. This will affect a lot of Google apps since they are written using javascript heavy stuff (AJAX). This also seems to affect a lot of modern sites, especially ones with complex menu's and editors ( such as this ). In the end it depends how much of the site you are viewing is written with javascript features.
FWIW, Google's Chrome FAQ says they should render very similarly:
http://www.google.com/chrome/intl/en/webmasters-faq.html#useragent
http://www.google.com/chrome/intl/en/webmasters-faq.html#renderie
They still have different JavaScript engines, which might behave differently (propably only in some rare conditions, however).
Chrome is currently using a slightly older version of Webkit than Safari.
Over time it will be updated, of course, but there is the possibility that it will always be a little behind, depending on how Apple release their source.
In addition the Javascript engines are different, which may affect behaviour, although they're both extremely fast.