I having problems to access the "Set-Cookie" header where AWSELB id is stored in order to set it for the subsequent requests.
I thought it was a problem with CORS configuration so i tried:
cors.headers = [
'Access-Control-Allow-Origin' : '*',
'Access-Control-Allow-Headers': 'origin, authorization, accept, content-type, x-requested-with, X-Auth-Token, Set-Cookie, set-cookie',
'Access-Control-Expose-Headers': 'Set-Cookie, set-cookie'
]
cors.allow.origin.regex = '.*'
cors.expose.headers = 'Set-Cookie, set-cookie'
In the server side.
I can see all those CORS headers in the response, still when i try to getAllResponseHeaders from client side i cannot see "Set-Cookie" neither i can get specific header by name.
I am missing something?
I've check this in both Chrome and Firefox
EDIT1: This is my JS side
$.ajax({
url: url,
type: "POST",
cache: false,
crossDomain: true,
data: JSON.stringify(dataMock),
dataType: "text",
contentType: "text",
success: function(response, textStatus, jqXHR) {
if (jqXHR.getResponseHeader('Set-Cookie')) {
document.cookie = jqXHR.getResponseHeader('Set-Cookie');
}
}
});
};
Cookies are explicitly excluded from getResponseHeader and getAllResponseHeaders:
client . getAllResponseHeaders()
Returns all headers from the response, with the exception of those whose field name is Set-Cookie or Set-Cookie2.
client . getAllResponseHeaders()
Returns all headers from the response, with the exception of those whose field name is Set-Cookie or Set-Cookie2.
If you want to access them directly from JS then you must change the server so that it duplicates the information in them elsewhere in the response.
Related
I'm trying to use API to get information about a specific user based on user ID. I need to use basic auth and pass some headers with my call.
I'm getting this:
Cross-Origin Read Blocking (CORB) blocked cross-origin response "rest/user/getProfile?callback=jQuery224033348109431646855_1548684613983&userId=24068..." with MIME type text/plain.
My code:
$.ajax
({
type: 'GET',
crossDomain: true,
async: false,
url: 'example_URL_/api/user/getProfile',
headers: {
"Accept": "application/json",
"Content-Type": "application/json",
},
beforeSend: function (xhr) { xhr.setRequestHeader("Authorization", "Basic ZHVubmVzYXBpskjoi43u5409543o9tI654kjhugjy"); },
dataType: 'jsonp',
data: { "Id": "1234" },
success: function (data) {
console.log(data);
},
error: function (xhr, status, error) {
console.log(xhr);
console.log(status);
console.log(error);
}
});
is there anything I'm missing?
You said:
dataType: 'jsonp',
… so jQuery makes a JSONP request (i.e. inserts a <script> element).
The browser makes a request to the URL and the server said:
Content-Type: text/plain
Since a plain text document is not a JavaScript program, the browser refused to execute it and threw a CORB error instead.
A JSONP response must be application/javascript, not text/plain.
You need to either:
Not make a request for JSONP
Change the server to respond with JSONP
Aside: Since you are using JSONP, the type, crossDomain, async, headers, and xhr.setRequestHeader properties have no effect.
Since you said you needed to set basic auth, that rules out option two. You can't use JSONP for this.
In your API configure CORS to accept all domains, or enter the domain that you're using to send the request from.
If your API is created by PHP here is an example:
<?php
header("Access-Control-Allow-Origin: *");
Or if you are using a third party API, try to see the documentation. I'm sure there will be a part talking about CORS.
I'm trying to create an issue but it returns the "XSRF check failed" error.
I'm using the following code:
$.ajax({
async: true,
crossDomain: true,
url: 'https://testejiraloupen.atlassian.net/rest/api/2/issue',
method: 'POST',
headers: {
'Authorization': 'Basic ' + btoa('email:pass'),
'Content-Type': 'application/json',
/*'X-Atlassian-Token': 'nocache',*/
'Access-Control-Allow-Origin': '*',
'Access-Control-Alow-Methods': 'POST, GET, PUT, OPTIONS, DELETE',
'Access-Control-Max-Age': '3600',
'Access-Control-Allow-Headers': 'x-requested-with, content-type'
},
processData: false,
data: JSON.stringify(issue),
success: function(data) {
console.log('Issue created. Id >>> ' + data.id);
}, error: function(err) {
console.log(err);
}
});
Can anyone help me in this case?
It seems to be a known problem by Atlassian, caused by the User Agent sent by your request.
it's in their knowledge base : "REST API calls with a browser User-Agent header may fail CSRF checks", cf https://confluence.atlassian.com/jirakb/rest-api-calls-with-a-browser-user-agent-header-may-fail-csrf-checks-802591455.html
Another discussion thread here : https://community.atlassian.com/t5/Jira-questions/Jira-7-rest-api-XSRF-check-failed-for-post-issue-with/qaq-p/488706
concludes : "Overwrite the User-Agent String with some dummy value, and it will work"
I have used following header for my rest api calls and it worked.
X-Atlassian-Token: no-check
Here is another wiki regarding From token handling:https://confluence.atlassian.com/display/JIRA043/Form+Token+Handling?_ga=2.108983109.653657921.1530909405-1000252910.1505150128
It helped for me:
Resolution: Since REST API doesn't require a User-Agent header, removing the header works.
from this knowledge base page
Using MVC Asp.Net
Below code works with actual user name and password. But I do not want to use it. :
WebClient client1 = new WebClient();
client1.Credentials = new NetworkCredential("actualUserName", "actualPassword");
string code1 = client1.DownloadString(#"http://Domainname/GetValue");
Tried the javascript approach :
$.ajax({
type: 'POST',
url: Url,
processData: false,
contentType: 'application/json; charset=utf-8',
dataType: 'jsonp',
crossDomain: true,
jsonpCallback: 'CallBackMethod',
success: function (json) {
console.log(json);
},
error: function (xhr, textStatus, errorThrown) {
console.log(errorThrown);
}
});
But getting the below error :
Multiple Access-Control-Allow-Origin headers are not allowed for CORS response.
XMLHttpRequest: Network Error 0x80070005, Access is denied.
Tried to add the header in Global.asax in Application_BeginRequest and similar entries in webconfig :
HttpContext.Current.Response.AddHeader("Access-Control-Allow-Origin", "*");
if (HttpContext.Current.Request.HttpMethod == "OPTIONS")
{
HttpContext.Current.Response.AddHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
HttpContext.Current.Response.AddHeader("Access-Control-Allow-Headers", "Content-Type, Accept");
HttpContext.Current.Response.AddHeader("Access-Control-Max-Age", "1728000");
HttpContext.Current.Response.End();
}
All the above were tried and it does not work from Win7 machine. But works from Win10 machine!! Also tried to deploy in server and checked, but same errors pops up.
The key to your problem is right in the error message:
Multiple Access-Control-Allow-Origin headers are not allowed
The server is responding with duplicate headers. That's causing some browsers to fail. You mentioned you implemented CORS in two places. That's a good place to start. Remove one implementation and see what happens.
There are frameworks that implement CORS as well. The bottom line is that you only need one, and one that works best. Whatever implementation you keep, it needs to handle standard requests and preflight requests (OPTIONS) as well.
Below fixed the issue :
IIS -> Authentication -> Windows Authentication -> Providers -> Remove Negotiate
I'm having troubles with an AJAX request. I was getting the below error:
Error: Access is denied
I tried this jQuery AJAX request:
$.support.cors = true;
$.ajax({
url: 'http://testwebsite.com/test',
type: "GET",
dataType: 'json',
contentType: 'application/json',
crossDomain: true,
headers: {
'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
'Access-Control-Allow-Origin': 'http://testwebsite/test',
'Access-Control-Allow-Headers': '*',
'Access-Control-Allow-Credentials': 'true'
},
xhrFields: {
withCredentials: true
},
success: function(data) {
alert("Data from Server" + JSON.stringify(data));
},
error: function(jqXHR, textStatus, errorThrown) {
alert("You can not send Cross Domain AJAX requests: " + errorThrown);
}
});
Can anyone kindly let me know what I am missing. Thanks in advance.
As rory-mccrossan mentioned in a comment, CORS protection is designed so that a website cannot directly access the content of another website (in a browser) unless the website being accessed agrees to it.
It would completely ruin the point of CORS if a site just has to send some headers in order to circumvent the defence
Instead, you will need to use a CORS proxy. It's a server that when given a request like yourCORSproxy.example.com/http://testwebsite/test would load the page and return it, but with CORS allowed (like a normal proxy but with CORS enabled).
One of these CORS proxies is https://crossorigin.me, but at the time of writing this it is down. It might be more stable if you simply create your own proxy.
tl;dr: testsite.test should be sending the headers on its response. You should not be sending the headers on your request.
The problem only occurs on Safari for Mac.
I'm loading clean json data files, with the following:
$.ajax({
url : url,
type : 'POST',
dataType : 'json',
contentType : 'application/json; charset=utf-8',
crossdomain: true,
context : contextObj.context,
success : function(data) {
// Irrelevant
callBackHandler.call(contextObj.context, event);
},
error: function (xhr, ajaxOptions, thrownError) {
console.log(xhr.status);
console.log(thrownError);
}
});
My CORS enabled server has the following:
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Methods "GET, POST, OPTIONS"
Header set Access-Control-Allow-Headers "Content-Type, If-Modified-Since, If-None-Match, *"
Header set Access-Control-Max-Age "3600"
I captured the request headers and the only difference I see is in the following. To be clear, the following is included in the failed request, while the next refresh does NOT include the following. Hence the addition of items to the Access-Control-Allow-Headers:
If-Modified-Since: Fri, 08 Mar 2013 15:57:07 GMT
If-None-Match: "6801d-c550-4d76be008fac0"
Is this a server configuration problem, jQuery usage, or something else? It's odd to me that Safari consistently changes the headers on every other refresh.