This answer here says I can't pass headers while using window.open. Although I couldn't find any documentation stating this.
Is it really not possible to do so. Are there any possible hacks ?
My client requests are sent to a server which I can't control. The request sent by browser for opening pdf (window.open) is received at that server without auth headers. Hence, user is prompted for username and password.
Is there a way I can resolve my issue and be able to open pdf from my Angular application. I would also like to know how window.open works internally as I could not find it online ?
Thanks in advance
I was able to solve the problem by getting the file twice, once from the server and once from cache. This required a Cache-Control header on the response. I'm working with Angular, AdalJS, and Web Api but this might apply more broadly.
I use a $http call with auth header added by AdalJS to securely retrieve the file. This response is cached by the browser. When complete, I use window.open to open the cached file.
Pop-up blocking can be a problem. If you can't disable blocking, consider displaying a second button to click when the download is complete, calling window.open from that.
Related
I'm in the midst of integrating an app with Ionic (v5) /Capacitor (v2.4.2). On iOS, my URL is capacitor://localhost. When I'm trying to load up iframes from a third-party source, I notice that the request is always failing because the Referer field isn't getting sent from the WKWebView, as compared to what I would expect when I do the same, but load up the files from my desktop browser.
Reading the link on the Referer field, I see that the browser doesn't send in the Referer field in the browser if the protocol is not http or https.
Looking at Google/SO answers, I can't find any previous answers that might address my use case, but I'm trying to be able to load up the iframes for my credit card form on my Ionic integration.
Are there any ways to make this work, and is my understanding of the bottleneck correct, where it's the fact that the custom URI schema present on my Ionic iOS app is causing the Referer from not being sent in the GET request?
I notice that it is being sent in the POST requests, so I am really curious here.. The Origin was being sent in the POST requests, apologies.
Would appreciate any advice on this.
I am using laravel and Vue js.
In Vue js, I am requesting API using axios.
when I inspect and get request header and parameters in a browser and it is possible to request in Postman.
Everyone can request any APIs after login because it is possible to get header and parameters.
It is not possible to hide this. However if you use HTTPS, the connection to your website is secure and no one in the middle can see it. The token is only visible to the user that it belongs to, so it poses no security risk as the user should have access to it.
Being able to inspect the requests sent is a feature of the browser and it is in no way related to your site.
Let's say, I'm a logged-in user in google.
Now I'd like to send one ajax request there WITHOUT sending any cookies.
(But naturally, I want to keep those cookies for the future).
How is that possible?
i'm interested in solution for ajaxing INSIDE chrome extension
important edit: I'm talking about intercepting requests sent FROM the extension itself! There the beforeHeadersSend don't work...
I can't believe that I'm asking this right now, but I have no idea how solve the following problem:
I have a web app that logs every visited page in a browser for better browser history search. The extension is a chrome extension that needs to make a POST request to my API. Obviously, I need to avoid CSRF issues, i.e. other sites using the user's session to post arbitrary data to his browser history. However, since the extension runs in a different origin as a content-script, I cannot retrieve CSRF tokens, hence I cannot make authenticated POST requests.
EDIT:
So I now know that I can use chrome.storage (and equivalents in other browsers) to store a token that only my content_script can read. However, I still haven't solved the issue of how getting that token into chrome.storage in the first place
I seem to miss something really obvious ...
I suspect a content script isn't necessary, and you should just be using the chrome.webNavigation API from your event page to get the user's browsing activity.
You'll still need the user to log into your service somewhere in the browser. If you take your service's origin as a host permission, your extension will be able to make XHRs as the user, which may be enough to solve your XSRF problem, at least as long as nobody else can intercept the user's login cookies.
FYI, I realized that chrome.storage provides a means to sync/pass confidential data like your token that is only accessible to your scripts.
Hence, the solution is to visit a webpage of yours, and have a content script extract the token and store it in chrome.storage.
I recently found an exploit in my router to basically give me root access. The catch? There is a nonce hidden form value that is randomly generated and must be sent in for it to work that makes it difficult to do "easily"
So basically I'm wanting to do something like this in javascript:
get http://192.168.1.254/blah
use a regex or similar to extract the nonce value
put the nonce value into a hidden field in the current page
submit the form by POST to http://192.168.1.254/blah complete with the nonce value and other form values I want to send in.
Is this at all possible using only HTML and Javascript? I'm open to things like "must save HTML file locally and then open", which I'm thinking is one way around the cross domain policy.
But anyway, is this at all possible? I'm hoping for this to be able to run from at least Firefox and Chrome. The audience for this is those with some technical know how.
EDIT: I've rewritten this since my original answer was not correct.
Since you can make an AJAX call to a local file, here is what you do.
"The AJAX page" is the page making the request.
"The requested page" is self explanatory.
You have your AJAX page on your computer. The AJAX pages calls the requested page from your computer, in the same folder as itself.
You instruct the user to fetch the requested page from their router and put it in the same folder as the AJAX page.
The cross-domain policy now no longer applies, since both files are in the same folder.
Your page can have a POST form where the action (target page) is cross-domain and there should be no restrictions.
If you can run PHP code on your page, try using cURL. This can make cross-domain requests.
This cannot be done from a regular HTML page. The Same-Origin policy will prevent you from connecting to the router. (Saving the page locally won't help; browsers started heavily restricting what a local page can do several years ago.)
If you're really bent on making this happen from a browser, you could write an extension. Origin restrictions do not apply to browser extensions.