I am writing a test JSP-Servlet page that calls an HTTP API. But when I run the call in Chrome browser it is converting the call to HTTPS and the call fails. The API is not mine and the developer of the API insists that the call has to be on HTTP.
So is there a way to allow this API call using HTTP and prevent Chrome from converting it to an HTTPS call?
Note: I checked the Web and all are saying to change the browser settings. But we will not be able to tell each and every user of our site to do so!
Add this Script on top of your JSP File!
<script>
if (location.protocol == "https:") {
location.protocol = "http:";
</script>
Note:
First, location.protocol checks Url
and the second location.protocol will change it to http.
This will redirect your Client. If he visits your website as https: it will redirect him as http:
I have implemented an OAuth2 client, in which the first step is to send a user to the relevant 3rd party (facebook for this example), I set them a state cookie, and when they return from facebook I validate that state cookie.
In Chrome, everything is great. When I send the user to the redirect URL, I can see (using inspect element) that they have the state cookie I set.
However, when I try on (desktop) safari on latest MacOS, I don't see that cookie.
I set the cookie in the response for my redirect request:
res.cookie('state', state.toString(), {
maxAge: 3600000,
secure: true,
httpOnly: true,
});
res.redirect(someRedirectUri);
How can I get those cookies to be saved on Safari as well? Am I just setting the cookies wrong?
I think you've found known WebKit issue.
So safari is ignoring the Set-Cookie header when encountering the 302 HTTP status
Late response but I hope this helps anyone else coming across this issue.
I ran into this issue earlier today. It was happening on iOS Safari and Chrome (Chrome on iOS uses WebKit). The workaround I implemented was changing the initial response to a 200 and return a web page which would do a JavaScript redirect in a few seconds.
Here's the HTML I used:
<html lang="en">
<head>
<title>Redirecting...</title>
</head>
<body>
<h1>Redirecting...</h1>
<div>You will be redirected in a moment. If you are not redirected, click the following link: <a id="link" href="https://example.com">Go Now</a></div>
<script type="text/javascript">
var host = "https://"+window.location.host;
document.getElementById("link").setAttribute("href", host);
setTimeout(function(){
window.location.href = host;
}, 3000);
</script>
</body>
</html>
This way the Cookies will be set with the response, and the redirect will happen a moment later.
In my case, I was completing an OAuth workflow. You should be able to customize/render the page in a number of ways to meet other requirements.
I came across this question and the answers when investigating a problem I have with cookies and an OAuth2 client (actually oidc). My problem turned out to be different, so it is not a good answer to the original question, but hopefully it will prevent others reading this from going on a wild goose chase.
I have a backend that sets a session cookie (__ac_session) with information that is used during the authentication with the oidc server. Problems:
At first it looked like this cookie was not saved in the browser, because it was sent in a redirect response. I tried doing the redirect in javascript, from the answer by Padge, but that did not help. Problem was that the cookie was only set on a path (/acl_users/oidc) and both Safari and Chrome did not show this cookie when looking at the homepage. Firefox does show it, but I had unrelated problems with that browser.
So the browser did get the cookie and sent it along with further requests on that path. But the cookie never reached the backend. The problem here was that I had the Varnish caching server in front of the backend, and this removed most cookies, including this one, to improve anonymous caching.
I don't know if you get this with standard Varnish, but with my configuration I did. Relevant part of the final varnish.vcl after I fixed it:
/* cookies for pass */
set req.http.UrlNoQs = regsub(req.url, "\?.*$", "");
if (req.http.Cookie && req.http.Cookie ~ "auth_token|__ac(|_(name|password|persistent|session))=") {
if (req.http.UrlNoQs ~ "\.(js|css|kss)$") {
unset req.http.cookie;
return(pipe);
}
return(pass);
}
My backend is Plone with an oidc plugin. Here is a link to my full issue report, created when I did not yet know the cause.
I'd like to use window.location.href in the tool codesandbox.io. This is because I want to do a test with a hard page load occurring. I'm running into an issue however.
location.href = "http://www.google.com"
I get this error:
Mixed Content: The page at 'https://codesandbox.io/s/lingering-bird-nyvfi' was loaded over HTTPS, but requested an insecure resource 'http://www.google.com/'. This request has been blocked; the content must be served over HTTPS.
Example: https://codesandbox.io/s/locationhref-usage-nyvfi (see src/index.ts and open Dev Console)
How do I accomplish this the ability to simulate a page load, in the fake virtual browser?
I think it may be possible once the security criteria are met; which is limiting.
Use HTTPS (Avoid mixed content)
Use same origin
Thus this works:
window.location.href = "https://www.codesandbox.io/docs";
I've have weird issue, on dev theme (preview mode) $.get request works fine -> https://woolet-co.myshopify.com/blogs/news
but on active theme on main domain https://woolet.co/blogs/news there is an error, I can't figure it out why its happening.
If you try this code in console on both URLs you will see the response code error on main domain:
$.get('/admin/blogs/19692355/articles/229491718.json', function(data) {
console.log(data);
});
I guess that it's connected with domains, on https://woolet-co.myshopify.com/blogs/news $.get request works fine and on https://woolet.co/blogs/news it shows error in console.
I've tried to execute $.get request through Shopify Private App with login and password included but without any result.
This isn't working for you because your XMLHttpRequest is for a different domain than the one the page is on.
For this to properly work, you need to enable CORS. I would also suggest putting in the absolute URL of where this JSON file is located.
It would work on your preview mode. Because there both shop url and admin url are on same domain
https://woolet-co.myshopify.com/blogs/news
But when you try to browse using your real domain "https://woolet.co/". The domain from where you are making the get request and the domain from where the file is coming becomes different. ( https://woolet-co.myshopify.com/admin/blogs/19692355/articles/229491718.json )
As far i know you can not enable cors on shopify
and
It wont work because "https://woolet-co.myshopify.com/admin/blogs/19692355/articles/229491718.json" requires you to be logged it to the store as admin.
Try some other way.
I want to share some dynamic content on google+. For this I checked it https://developers.google.com/+/web/share/interactive#rendering_the_button_with_javascript
<head>
<script type="text/javascript">
(function() {
var po = document.createElement('script'); po.type = 'text/javascript'; po.async = true;
po.src = 'https://apis.google.com/js/client:plusone.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(po, s);
})();
</script>
</head>
<body>
<button
class="g-interactivepost"
data-contenturl="http://www.pubandbar-network.co.uk/"
data-clientid="102180630313.apps.googleusercontent.com"
data-cookiepolicy="single_host_origin"> Share
</button>
</body>
But when executing I am getting this error
Error: origin_mismatch
Request Details
scope=https://www.googleapis.com/auth/plus.login
response_type=code token id_token gsession
access_type=online
redirect_uri=postmessage
cookie_policy=single_host_origin
proxy=oauth2relay554026710
origin=http://www.pubandbar-network.co.uk
state=1995523240|0.4607792083184853
display=page
client_id=102180630313.apps.googleusercontent.com
authuser=0
Please suggest how to fix this
Origin mismatch is normally caused by the Javascript origins not being set correctly in the API project console. You need to make sure that the Javascript origins match the domain from which your requests are coming and to which you are returning the user after sign in.
More details can be found in the developer documentation in the "Create a client ID and client secret" section.
Note: A common mistake here is to add javascript origins for http:// but not https:// (or vice versa). If you want to allow users to access your site from both then you need to list both in the javascript console.
Note (Thanks Bethel Goka): You must include the port number of your server in the javascript origins if a port number appears in the url when users access your site.
It worked for me by removing "www." from google console. I simply used http://example.com and it worked ...
For VS users:
Open Properties of your project and get Project URL:
This is your Javascript Origins
Change also the Redirect URIs. It should be your origins + "/oauth2callback"
For me:
(The error has the answer for you)
need to set javascript origin in google console api As
origin=**http://www.pubandbar-network.co.uk**
scope=https://www.googleapis.com/auth/plus.login
response_type=code token id_token gsession
access_type=online
redirect_uri=postmessage
cookie_policy=single_host_origin
proxy=oauth2relay554026710
*origin=http://www.pubandbar-network.co.uk*
state=1995523240|0.4607792083184853
display=page
client_id=102180630313.apps.googleusercontent.com
authuser=0
My default javascript origins is https://www ,
my website does not support https:// ,
I included http://www. http:// https://www. and https:// ,
it works.
If your client id, client secret, and your javascript origins url is correct you might want to check whether the port you're using is exactly the same with the url you put in for javascript origins. I mistyped mine by one digit: e, g localhost:888 instead of localhost:8888 and got that error because my javascript origins was localhost:8888 not 888
Just a little addition to Lee's answer: listing both the www.whatever.ext and whatever.ext forms of your URL in JavaScript origins may get rid of the error. That's what did the trick for my app.
I did a stupid thing which took a few minutes to resolve, so I thought I would post a warning in case somebody else falls in this trap.
In the console, when origins are displayed, 'Redirect URIs' come above 'Javascript origins'. When you open the edit pane, it's the other way around, so if you are not paying attention, you could paste your origins in the Redirect URIs field and ....
1: Open the Credentials page for your project.
2:Double-click on your OAuth 2.0 Web client in the client ID list.
3: Make sure that in the web client ID form, change the Authorized JavaScript origins field to http://localhost:8080 when you are running the server locally.
When running remotely add the corresponding appspot server url.
The most common oversight resulting in this error is forgetting to add both HTTP and HTTPS origins on the consent settings in the App Credentials dashboard.
To fix, go to https://console.cloud.google.com/apis/credentials?project=YOUR-APP-ID
Select the OAuth 2.0 client IDs if you had already created one.If not, you will have to create a new client ID for your origin.
Under Authorised JavaScript origins, add both https and http origins for you app if had not added both.
Log out from all google services from your browser.
I same had the problem for google + api sign in.I was getting Error:origin_mismatch and same details were there as they are in the question .. my javascript credentials had http://localhost:4567
but when I run the python file it opened the link as 0.0.0.0:4567 thats basically a localhost but when i changed the url in browser to http://localhost:4567 now the error was removed .. and my application was able to get the OAuth box .. and all went fine!!! this thing removed my error... Please let me know whether I was correct because I just started learning how to use apis
Please check the origin url set in google console for you WEB application/Android
and check the http or https because your site does not work on https (in general site).
You must read the developer guide here
https://developers.google.com/analytics/devguides/reporting/embed/v1/devguide
Good luck !
I had this error trying to use the "Google Play Games Services Management Demo" and it was because of missing "www" in the URL
I fixed it by change JavaScript origins and redirect URIs in google console from http://0.0.0.0:4567 to http://localhost:4567, remember adding /oauth2callback after redirect URIs and change url on browser to http://localhost:4567