if I get data from an external website in JSONP form, how do I access the http header response? I have heard this may be difficult but my experience is that everything is possible.
Nope.
This is completely impossible.
The whole point of JSONP is to bypass the same-origin policy by passing a result through executable Javascript code.
Other than JS code generated by the remote server, you cannot get any information.
How do I make the tag carry the request header? I use the <a> tag to download. And I need to carry a token in the request header.
When you use a tag to download files or link to any document, in general, it is not possible to manipulate extra headers! Browsers will send the typical headers. To solve this problem, the following are the alternative solutions.
Your token must be a query parameter in the URL so that the back-end server can read it.
Or you can use cookies to save the token and the browser will ensure that cookies are sent with your request automatically. (For security, ensure that your cookie is HttpOnly and rejects CORS requests.)
Alternately, if you are not really after downloading the file or simply trying to show on browser, then you can use XHR or fetch where you are free to manipulate headers.
I have created a vue js app for frontend development.
In our case, we will be getting auth info in authorization header from some other web app.
I don't understand how I can fetch the authorization header from the URL.
I know we can fetch params from the URL.
Can anyone please help me with this: how can I fetch the authorization header from the URL?
Thanks & Regards,
Jyoti
I'm pretty sure it's not possible for client-side JS to access headers in the request that initially loads the page. You can add headers to outbound requests made by client-side JS, but only the server getting the request has access to the headers. If it makes the information in that header available to the client, either as a cookie or in the source of the page, you can work with it, but depending on your application, that might be a security risk (e.g. for replay attacks).
I know there are several questions related to this-- but I couldn't find my answer with them. Plus I wanted a bit more clarification.
I am running a rails app locally which makes a jsonp call to a sinatra application which is being used as an API.
When I put this URL in my browser I end up getting the correct response, yet when I make this call through jQuery using $.getJSON I get a forbidden 403 Error. I understand that the $.getJSON is making a jsonp request based on the url having callback=? parameter.
I'm trying to figure out what is causing the 403 Error. Is there some default configuration on the api application that is refusing the request because the script is being requested from an included script tag?
Right now the api request returns json data. I assume it's my responsibility to look at the callback parameter and construct a response that actually calls the callback...
so if url was http://myapi.com?callback=blah, then I should be returning something like:
blah({foo: 'bar'})
But I don't know exactly what the 403 is all about. If it's the api server that is returning, then what is it trying to protect against?
here is an example of what the jsonp call looks like:
$.getJSON( 'http://myapi.com?callback=?', {biz: 'buzz'})
I see posts about setting headers for cross origin concerns-- but not sure why this is needed for jsonp request.
You need to add jsonp support to your sinatra api application.
Here is one way of adding jsonp support to your sinatra app
Add the rack-contrib gem to your Gemfile
gem 'rack-contrib'
Add following to your config.ru
require 'rack/contrib'
use Rack::JSONP
Restart your sinatra app and start testing jsonp from javascript
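To show what the API has to do for a JSONP request such as http://myapi.com?callback=blah, here is an added example (not code from the question, from Sinatra or from Rack::JSONP) that builds a Rack-style response: it reads the callback name from the query string, refuses anything that is not a plain JavaScript identifier so a crafted callback cannot inject script, and serves the wrapped payload as JavaScript rather than JSON. The function names are my own.

```ruby
require 'json'
require 'uri'

# A callback is accepted only if it looks like a dotted JS identifier
# (e.g. "blah" or "jQuery17101_123"). Anything else is rejected so the
# callback parameter cannot become a reflected script injection.
CALLBACK_RE = /\A[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*\z/

# Pull the callback name out of a raw query string ("callback=blah&biz=buzz").
def callback_from_query(query_string)
  URI.decode_www_form(query_string.to_s).to_h['callback']
end

# Returns a Rack-style [status, headers, body] triple.
# Without a callback the payload is returned as plain JSON; with a valid
# callback it is wrapped as callback(payload) and typed as JavaScript.
def jsonp_response(payload, callback)
  json = JSON.generate(payload)
  if callback.nil? || callback.empty?
    return [200, { 'Content-Type' => 'application/json' }, [json]]
  end
  unless callback.match?(CALLBACK_RE)
    return [400, { 'Content-Type' => 'text/plain' }, ['invalid callback']]
  end
  # U+2028/U+2029 are legal inside JSON strings but end a JS line; escape them.
  js = json.gsub("\u2028", '\u2028').gsub("\u2029", '\u2029')
  # The leading comment is a known mitigation against the response being
  # read as a Flash file; nosniff keeps browsers from re-typing it.
  body = "/**/#{callback}(#{js});"
  headers = {
    'Content-Type' => 'application/javascript; charset=utf-8',
    'X-Content-Type-Options' => 'nosniff'
  }
  [200, headers, [body]]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request matching the question: ?callback=blah with {foo: 'bar'}.
  cb = callback_from_query('callback=blah&biz=buzz')
  status, headers, body = jsonp_response({ 'foo' => 'bar' }, cb)
  puts "#{status} #{headers['Content-Type']}\n#{body.first}"
end
```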
I'm very new to CSRF protection so please excuse if I make poor assumptions or if I'm missing something, but I'd like to make sure I'm doing all I can to prevent CSRF. From my research so far, I've found the following:
CSRF can be thwarted (and is probably best thwarted) by placing a nonce parameter within the request body of all HTML POSTs, only using POSTs to modify data, and on the server side verify the token is valid before processing the request.
A malicious website can send requests to my site (thwarted by the nonce), but they can't read responses because of same-origin policies in place on browsers. Assuming that someone is using a secure browser, a malicious site cannot GET a page from my site using AJAX, read the nonce, and use it for themselves.
Script tags are not bound by same-origin policies in most (possibly any) browsers and can therefore allow for content to be read from other sites.
When I got to point 3 I decided to try to get at HTML content in Chrome using JSONP; I opened up my console (with a page not from localhost) and ran the following code:
$.ajax({
url: "http://localhost:8080/my-app/",
dataType: "jsonp",
jsonp: "alert"
}).done(function(data) {
alert(data);
});
What I received in the console window was this:
Resource interpreted as Script but transferred with MIME type
text/html
As far as I can tell the browser is essentially telling me that it received the content, proceeded to parse the response, but stopped because the type was not application/json. So finally, my question is, can this be compromised? Even though the browser failed to parse the response as JSON, it does have the response. Is there a way that this response could be parsed as HTML, grab my CSRF nonce, and compromise the protections I'm trying to enforce? It would seem to me (and I hope this to be true) that browsers will not allow this, just like they don't allow cross domain requests in the first place for basically all other communication, and that's what we as developers are relying upon (in addition to same-origin policies) to protect our sites. Is my thinking correct?
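Point 1 above (a per-session nonce carried in the POST body and checked on the server before any state change) can be implemented as follows. This is an added example, not code from the question or from any framework; the function names and the plain hash standing in for the session are my own assumptions.

```ruby
require 'securerandom'

# One token per session, created on first use. The form embeds it as a
# hidden field so a cross-site form post cannot know it.
def issue_csrf_token(session)
  session['csrf_token'] ||= SecureRandom.hex(32)
end

# Hidden input to place inside every state-changing HTML form.
def csrf_hidden_field(session)
  %(<input type="hidden" name="csrf_token" value="#{issue_csrf_token(session)}">)
end

# Constant-time comparison: a plain == returns early on the first mismatch
# and can leak how many leading bytes of the token were right.
def secure_equal?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

# True when the request may proceed. Safe methods pass because they must
# not modify state; everything else needs the body token to match the
# session token. The token is read from the body, never the query string,
# which would leak it through Referer headers and server logs.
def csrf_ok?(session, method, params)
  return true if SAFE_METHODS.include?(method.to_s.upcase)
  expected = session['csrf_token']
  submitted = params['csrf_token']
  return false if expected.nil? || submitted.nil?
  secure_equal?(expected, submitted)
end

if __FILE__ == $PROGRAM_NAME
  session = {}                     # constructed stand-in for a server session
  puts csrf_hidden_field(session)
  puts csrf_ok?(session, 'POST', { 'csrf_token' => session['csrf_token'] })
  puts csrf_ok?(session, 'POST', { 'csrf_token' => 'forged' })
end
```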
When I load an Url using the load method, like this:
load(QUrl("http://www.foo.com"));
Cookies work correctly with no problems. However, when I load the content using the setHtml method, like this:
setHtml(htmlCode, QUrl("http://www.foo.com"));
The website indicates that cookies aren’t enabled in my browser. I wonder if this is a known issue, and whether there’s a way to have cookies working for the setHtml method.
Thanks in advance.
Cookies are part of the HTTP protocol, not of HTML. You need an embedded HTTP server. Take a look at this project