same data sent to multiple servers - javascript

I hope this question is adapted.
Suppose I have a current session, that I take some form's input and that, through the same JavaScript call, I send the data to 2 separate servers available through REST APIs. Does it induce any problem? I was told this could induce a browser security alert. Is that right?

As long as both the servers you're sending your requests to are able to serve them, there should be no issues. A browser would give you an error only if the servers are not able to serve your request due to a multitude of reasons including Bad Requests, CORS disabled or not configured for the domain making the request to the server, etc.

Related

Send request from browser from HTTPS to HTTP, mixed content

I'm trying to make a fetch to my API hosted locally from my GitHub page, but I can't due to the mixed content error. Is there a way to get around it? I'm not sending sensitive information or whatever and I don't need a response.
You need to either use HTTPS or HTTP across the board. You can't use half one and half the other.
> I'm not sending sensitive information or whatever
HTTPS is not just about the encryption of the information, but also to ensure that you're connected to an authorized server. There are many ways connections get hijacked... including broken public WiFi access points with captive portals. In any case, the browser vendors don't give us much of a choice these days.

Xampp accepts Ajax requests

I am trying to implement an API on my system, but every time of the problem, I do locally ... via server on hosting, handle calmly.
I have a question that is as follows, does XAMPP accept Ajax? I searched the internet and found nothing about it.
Ajax is just a term for making an HTTP request from client-side JavaScript without leaving the current webpage.
As far as the HTTP server is concerned, there is no real difference between an HTTP request initiated using Ajax and one initiated using any other method.
The only proviso is that browsers implement a Same Origin Policy which can lead to the browser forbidding JavaScript from reading the response (or, in the case of preflighted requests, making the request in the first place) unless the server adds headers granting explicit permission.
Apache HTTPD (the HTTP server distributed with XAMPP) is quite capable of being configured to add these headers, but it is more common to add them using a server-side programming language (such as PHP).
It should work, I've done it anyway. You may have to check the error log to find out why it's failing. First off, what does your browser log for code or connection issues? This will detail if it's a CORS issue (F12 in Chrome for me). If the issue isn't there then you may have to check the XAMPP log: \xampp\apache\logs\error.log for that application.
Also can be done this way:
https://stackoverflow.com/a/38347316/10980320
Yes, XAMPP accepts AJAX requests! All requests, no matter whether they're through AJAX or just directly visiting the page through a browser, request and receive the data in a specific way. As far as I know, there isn't really a way to not support one type of request or another, although they can probably be blocked.
Feel free to correct me.

Read/export HTTP requests from a Javascript-activated browser?

I want to test my website for certain vulnerabilities.
I'd like to read the HTTP requests sent to the browser over a session and send them to another program in real time.
This way I can modify them and/or send my own malicious requests to the server.
Is there a way to do this?
I assume I could set up an SSL MITM locally, filter and sniff traffic with TCPDUMP, then feed the requests to my program as parameters, and then use cURL to reply, but this sounds like too much work.
Is there an easier way?

can I make the browser ignore the (CORS) rules?

I want a simple JavaScript script that exists on my localhost to make a connection to another domain (e.g. anotherdomain.com) with Ajax and get the response, but all my browsers give me the error (connection blocked, Reason: CORS header 'Access-Control-Allow-Origin' missing)
but when I check the network traffic with a network monitor program like Fiddler, I see that the response already came from the server at (anotherdomain.com) to my local machine, it is just my browser that is blocking me from getting it !!
1- can I order my browser to ignore the CORS rules using JavaScript code?
2- what are my options to overcome this problem? Is building a custom client desktop application with C# to send and receive requests freely the best way to do it?
3- is the CORS policy designed to protect the web clients or the web servers?
Thank you, and please consider that I'm a complete newbie in web
> but when I check the network traffic with a network monitor program like Fiddler, I see that the response already came from the server at (anotherdomain.com) to my local machine, it is just my browser that is blocking me from getting it !!

Well for sure, the connection was established to check the presence of the header you mentioned, but data was unlikely to be transferred.
Regarding your questions,
There are 2 options actually. One is to set the Access-Control-Allow-Origin header with proper origin according to yours. The second is to make a JSONP call, though the response of server must support such a solution.
The best option is to have a server with the above header specified. Your server would handle all the network stuff on its side and your script would just get/send some responses/requests.
I would say it is designed more to protect the server. Imagine the following situation. Your script on your site makes a lot of POST requests to another site. Actions like submitting forms etc. could happen and would be allowed. That's harmful, right? You can read about that in this stack question.
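
The `Access-Control-Allow-Origin` check discussed in this answer and in the XAMPP answer above, as an added example that is not part of any original post: a server-side origin allowlist next to a simplified model of the browser's decision. The origins, method list and request shape are assumptions chosen for illustration.

```javascript
// Added example. Origins, methods and the request shape are assumptions for illustration.
const ALLOWED_ORIGINS = new Set(["http://localhost:8080", "https://app.example.test"]);
const ALLOWED_METHODS = ["GET", "POST", "PUT"];
const SAFELISTED_METHODS = ["GET", "HEAD", "POST"]; // never need Access-Control-Allow-Methods

// Server side: CORS headers to attach to a response. Header names are lower-cased,
// as Node's http module delivers them. Unknown origins get no CORS headers at all.
function corsHeaders(req) {
  const origin = req.headers["origin"];
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  // Echo the one matching origin, never "*", and tell caches the response varies by Origin.
  const out = { "access-control-allow-origin": origin, "vary": "Origin" };
  if (req.method === "OPTIONS" && req.headers["access-control-request-method"]) {
    out["access-control-allow-methods"] = ALLOWED_METHODS.join(", "); // preflight answer
    out["access-control-allow-headers"] = "content-type";
  }
  return out;
}

// Browser side (simplified model): may a script running on `origin` read the response?
function browserAllowsRead(origin, resHeaders, withCredentials = false) {
  const allow = resHeaders["access-control-allow-origin"];
  if (allow === undefined) return false;       // header missing: the error in the question
  if (allow === "*") return !withCredentials;  // wildcard is rejected for credentialed requests
  if (allow !== origin) return false;
  return !withCredentials || resHeaders["access-control-allow-credentials"] === "true";
}

// Browser side (simplified): does the preflight response permit the real request's method?
function preflightPermits(origin, method, resHeaders) {
  if (!browserAllowsRead(origin, resHeaders)) return false;
  const listed = (resHeaders["access-control-allow-methods"] || "").split(",").map(s => s.trim());
  return SAFELISTED_METHODS.includes(method) || listed.includes(method);
}

// Constructed sample requests: an allowed local page, an unlisted origin, a DELETE preflight.
const samples = [
  { method: "GET", headers: { origin: "http://localhost:8080" } },
  { method: "GET", headers: { origin: "https://other.example.test" } },
  { method: "OPTIONS", headers: { origin: "http://localhost:8080", "access-control-request-method": "DELETE" } },
];
for (const req of samples) {
  const res = corsHeaders(req);
  const method = req.headers["access-control-request-method"];
  const verdict = method ? preflightPermits(req.headers.origin, method, res)
                         : browserAllowsRead(req.headers.origin, res);
  console.log(req.method, req.headers.origin, "->", verdict ? "allowed" : "blocked");
}
```

Echoing a single allowlisted origin together with `Vary: Origin` keeps shared caches from serving one origin's permission to another.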

Can we get user name and email and/or any other user-defining data from a user's OpenID via pure JS calls? (no server side at all)

Is it possible to obtain data from a user's OpenID (for example, such as the Google one https://www.google.com/accounts/o8/id) via pure JS calls (not using server side at all)?
If you'd be able to send XHR requests to other domains, it would be theoretically possible.
However, since browsers generally enforce same-origin policy, it's not. Also, if you do manage to send a request to another domain, you'd need to be able to parse both the returned content, and response headers (especially the Location and X-XRDS-Location).
However, it's pretty much pointless to try to implement OpenID in javascript, unless you are sure that your users don't have access to a debugger. If they do, they can modify the value of any variable, including the one where you store the user's identity, effectively making the system insecure.
