Let's say, I'm a logged-in user in google.
Now I'd like to send one ajax request there WITHOUT sending any cookies.
(But naturally, I want to keep those cookies for the future).
How is that possible?
i'm interested in solution for ajaxing INSIDE chrome extension
important edit: I'm talking about intercepting requests sent FROM the extension itself! There the beforeHeadersSend don't work...
Related
This answer here says I can't pass headers while using window.open. Although I couldn't find any documentation stating this.
Is it really not possible to do so. Are there any possible hacks ?
My client requests are sent to a server which I can't control. The request sent by browser for opening pdf (window.open) is received at that server without auth headers. Hence, user is prompted for username and password.
Is there a way I can resolve my issue and be able to open pdf from my Angular application. I would also like to know how window.open works internally as I could not find it online ?
Thanks in advance
I was able to solve the problem by getting the file twice, once from the server and once from cache. This required a Cache-Control header on the response. I'm working with Angular, AdalJS, and Web Api but this might apply more broadly.
I use a $http call with auth header added by AdalJS to securely retrieve the file. This response is cached by the browser. When complete, I use window.open to open the cached file.
Pop-up blocking can be a problem. If you can't disable blocking, consider displaying a second button to click when the download is complete, calling window.open from that.
I am wondering how I can see exactly what webrequests I am receiving from Facebook?
Lets say that we are on Facebook event and I want to invite all my 1000 friends.
I start clicking all my friends one by one and at some point Facebook sets a limit of 498 and then I continue to do all the clicks until I reach 498 and then it says you cant invite anyone else.
Facebook to do this at some point sends back an ajax.php page as a packet and sets this limit. This ajax php page i'm trying to find somehow.
I've tried some ajax jQuery capture Chrome extensions but I dont quite understand them much.
Do you have any idea of how I can track any ajax php request from Facebook to my browser to set this limit?
I am using Chrome Extension Live HTTP Headers
and this shows me anything that Facebook webrequest is "POST" in my browser.
But i dont think its actually all of them.
Because its only loading the photos of the chat
and some thread updates.
Here is a video of what limitation is showing in my frame of friends invite in facebook.
Youtube Video Here.
Press F12 and find the network requests section of your browser's dev tools.
http://www.devtoolsecrets.com/secret/general-finding-the-development-tools.html
I think you are misunderstanding the process. Web servers don't send requests to web browsers. They only respond to requests sent from the web browser.
When you click to invite friends you are sending an ajax request to Facebooks server. That ajax request passes the information about the event, you and your friend to a method on the server. Part of that method is to check and see if the limit on invitations has been exceeded. If not it sends your invitation and sends a response to your ajax request showing this person was invited. However if the limit has been reached the invitation is not sent and the response comes back from your ajax request stating that the limit has been exceeded.
If you know what your doing, you use Chrome or Firefox developers tools to debug javascript and follow the ajax request to the server and the response from the server. But this is difficult with the minified javascript. There are tools to deminify the javascript making it easier.
However, if you're looking for a way around the invitation limit. It's not going to happen. This all occurs on the Facebook servers to which you do not have access.
Try to use Fiddler (http://www.telerik.com/fiddler). With Fiddler you can see all requests (also HTTPS requests with an intermediate certificate), modify those or simply replay requests. It's worth a try and a must have for each web developer
I can't believe that I'm asking this right now, but I have no idea how solve the following problem:
I have a web app that logs every visited page in a browser for better browser history search. The extension is a chrome extension that needs to make a POST request to my API. Obviously, I need to avoid CSRF issues, i.e. other sites using the user's session to post arbitrary data to his browser history. However, since the extension runs in a different origin as a content-script, I cannot retrieve CSRF tokens, hence I cannot make authenticated POST requests.
EDIT:
So I now know that I can use chrome.storage (and equivalents in other browsers) to store a token that only my content_script can read. However, I still haven't solved the issue of how getting that token into chrome.storage in the first place
I seem to miss something really obvious ...
I suspect a content script isn't necessary, and you should just be using the chrome.webNavigation API from your event page to get the user's browsing activity.
You'll still need the user to log into your service somewhere in the browser. If you take your service's origin as a host permission, your extension will be able to make XHRs as the user, which may be enough to solve your XSRF problem, at least as long as nobody else can intercept the user's login cookies.
FYI, I realized that chrome.storage provides a means to sync/pass confidential data like your token that is only accessible to your scripts.
Hence, the solution is to visit a webpage of yours, and have a content script extract the token and store it in chrome.storage.
I have an asp.net website with client javascript making lots of ajax calls back to the server. Is there any way I can prevent a google chrome extension from calling my ajax endpoints or to detect when they are being made by the chrome extension code and not my own javascript code. So far I have tested using the referer, httponly cookies, but there is no difference between the 2 calls. Any ideas would be appreciated.
No, there is not.
Chrome extensions have elevated permissions. They 'out-permit' your website JavaScript code and may manipulate and call it.
Even if you add something like an anti CSRF token, an extension could still read it and bypass that protection. They can run JavaScript code on your site and make modifications to your own code on the site on the fly without notifying your or your users.
The only thing you can do is not trust the client with anything critical, treat all requests you receive as hostile and require clients to authenticate before making requests to your server.
(I'm assuming you mean a chrome extension running on your site)
Just wondering if it's possible to use an XMLHTTPReq to login to a website, and store the cookie. Specifically I'm after the PHPSessionID from the website I am logging into.
I then want to pass this cookie into another request to submit a form.
Any ideas of how to do this?
Cheers,
Nick
You will be able to get your own site's cookies from document.cookie. In the AJAX callback, use a library to parse the value and read the cookie you're looking for.
Of course, if the server sets the cookie HttpOnly (which it should be doing), it won't be available in document.cookie.
At this pont, you need to reevaluate what you're doing:
If the form points to your website, your server script would have access to the cookie anyway.
If you're sending the user's session ID to another domain, why? This is a huge red flag that screams security problem.
If you're logging in to another site, then no – the same-origin policy prevents you from accessing another site's cookies.
Edit: Since this is for your own use, you can do this in a way you're not limited by the browser's origin restrictions. Some thoughts:
You could make a Chrome extension. Extensions aren't subject to origin restrictions, and the development model and API is pretty much the same as what you'd do on a regular web page.
You could use Node, which has no restrictions. You'd be able to invoke your script from the command line, but the API is going to be slightly different that what you'd use in a web page.
Use your language and framework of choice to POST to the login page, get the Set-Cookie header in the response, and use it to send a Cookie header in another POST to the form target.
You can only send cross-origin requests using XHR if both the browser and server support CORS. Additionally, the third party site needs to allow your site to send such requests and to receive its responses. If it doesn’t, you aren’t allowed to send the request or receive its response respectively.