I am doing a jquery.ajax() call on one of our pages to fetch a small text file. I see some of the requests (not all) fail with resp.statusText: "No Transport" and resp.status : 0
What does the error mean (No Transport with a resp code of 0). Strangely it works on some browsers, and doesn't work on some. I couldn't find a patter by looking at the user agents of browsers, where it failed.
Any help would be highly appreciated. I am a beginner to javascript and jquery library, let me know if I omitted crucial information.
My use case:
abc.mydomain.com contains jquery.ajax(url:xyz.mydomain.com) call
Most likely it prevents you from firing a request because it things you are trying to access another domain. xyz.mydomain.com !== mydomain.com.
Why that is not allowed?
Read
Use a Web Proxy for Cross-Domain XMLHttpRequest Calls
Why the cross-domain Ajax is a security concern?
An example to why this is a security issue, assume you installed a bad plugin to your browser. If that plugin got the permission, it can read all loaded files to your browser and be able to edit/change/inject content and codes. Then it might send all collected data to designer own server.
... The most common business needs that are easily accomplished with browser plug-ins are: modify default search, add side frames, inject new content into existing webpage ...more
A good practice is to fetch the data thru ajax via JSON, if you are trying to access another site beside the one the script is calling from, then use JSON-P.
Read
JSON-P
JSON-P call to subdomain
Chrome ajax call to subdomain
A common architecture is to call the current domain that the script is loaded from, then use server script to fetch data from the other domain where the other domain will response to the request and return the data.
A code snippets of your function will help us understand your issue more.
Related
I am trying to implement a simple request to Wikipedia's API using AJAX (XMLHttpRequest). If I type the url in the address bar of Firefox, I get a neat XML, no sweat there. Yet, calling the exact same url with:
// this is my XMLHttpRequest object
httpObjectMain.open("GET", "http://en.wikipedia.org/w/api.php?action=query&format=xml&prop=langlinks&lllimit=500&titles=kaas", true);
httpObjectMain.send(null);
returns an empty response. According to FireBug, I get a 200 OK response, but the content is just empty.
I suspect I might be missing something on the header of the GET http request.
Help! (and thanks!)
The Wikipedia API does support JSONP.
Your query string'll become something like this:
http://en.wikipedia.org/w/api.php?action=query&format=json&callback=test&prop=langlinks&lllimit=500&titles=kaas
But you'll have to build the jsonp handler (or you can use your favorite library to do it), switch to json output format from the xml you choose and create the callback function to parse the result and do the stuff you need on the page.
The browser will not allow you to send an XHR to another domain other than the one the page is on. This is for security purposes.
One way around this that I have seen is to setup a proxy on the domain the page is hosted on that will pass requests through to the actual api server. See http://ajaxpatterns.org/Cross-Domain_Proxy
After reading the famous (and only) article about trying to explain why asmxs should NOTallow Get requests
so we shouldn't use : [ScriptMethod(UseHttpGet = true)] , I still I have a question :
Why ?
Web service , as its name is a service , he doesn't suppose to care if it's GET or POST :
Even if a person do a CSRF : like embedding in his malicious site :
<script type="text/javascript" src="http://contoso.com/StockService/Stock.asmx/GetQuotes?symbol=msft" />
so what ?
Via asmx POV - it is just a normal request.
Can someone please spot for me the problem with example ?
edit
there are many problems solved with new browsers.
this link shows some other methods which should be tested in new browsers.
JSON hijacking is briefly explained in this article.
Let's suppose that you have a web service that returns a list of credit card numbers to the currently authenticated user:
[{"id":"1001","ccnum":"4111111111111111","balance":"2345.15"},
{"id":"1002","ccnum":"5555555555554444","balance":"10345.00"},
{"id":"1003","ccnum":"5105105105105100","balance":"6250.50"}]
Here's how the attack could be performed:
Get an authenticated user to visit a malicious page.
The malicious page will try and access sensitive data from the application that the user is logged into. This can be done by embedding a script tag in an HTML page since the same-origin policy does not apply to script tags. <script src="http://<json site>/json_server.php"></script>. The browser will make a GET request to json_server.php and any authentication cookies of the user will be sent along with the request.
At this point while the malicious site has executed the script it does not have access to any sensitive data. Getting access to the data can be achieved by using an object prototype setter. In the code below an object prototypes property is being bound to the defined function when an attempt is being made to set the "ccnum" property.
Object.prototype.__defineSetter__('ccnum',function(obj) {
secrets = secrets.concat(" ", obj);
});
At this point the malicious site has successfully hijacked the sensitive financial data (ccnum) returned by json_server.php.
There are also other forms of JSON hijacking techniques which do not rely on the browser support for the __defineSetter__ function. That's just one way to conduct the attack but there are many others as described in this article such as Array constructor clobbering, UTF-7, ES5 functionality.
For this reason, GET requests returning JSON are disabled by default in ASP.NET.
Well if you follow the article that is then linked in the one you provided which can be found here: http://ajax.asp.net/docs/overview/AsynchronousLayerOverview.aspx, you can then read on and the only reason it specifically specifies is this:
GET requests are not recommended for method calls that modify data on
the server or that expose critical information. In GET requests, the
message is encoded by the browser into the URL and is therefore an
easier target for tampering. For both GET and POST requests, you
should follow security guidelines to protect sensitive data.
I am working on a component which uses xmlHttpRequest to get DOM element positions from a xml on the server. Than after drag and drop I update the xml with the new positions and I want to post it back via XMLHttpRequest to the server to update the same file.
The responseText message states that HTTP Error 405.0 - Method Not Allowed. The page you are looking for cannot be displayed because an invalid method (HTTP verb) is being used.
I checked the applicationhost.config file and looks like every handler is configured with POST method. Also turned on all the features of IIS on Win 7 components.
My pc: Win7 home basic, visual studio professional, iis 7.5 express.
p.e.: I don't use webrequest method since mainly using javascript for the update process, because of the drag and drop functionality of the mootools library.
Thank you in advance!
The configuration you mention in your comment, sets the default IIS modules for handling "static files", that is responding to GET requests by returning a file based on mapping the URI path to the file system.
These are set up to handle all verbs but to 405 to everything except GET and HEAD because that is the default IIS behaviour for "static files" is to refuse to allow them to be POSTed to (or PUT to, or DELETEd).
The bug therefore is that the URI you are POSTing to isn't mapping to your handler for dealing with the data the javascript is POSTing. If that handler is an ASPX page, then check that other ASPX pages are working and that the correct URI is used. Then try debugging it with a simple HTML form that POSTs appropriate data (or even inappropriate data so you can at least get an error message about the data being wrong rather than it ending up somewhere that refuses to handle POST at all).
If the code to handle the POST is in an IHttpModule or IHttpHandler, then you need to add something to the web.config to override the default for the URI(s) in question.
Is your component and the server handling the XMLHttpRequests served from the same origin? Ie. is it served from the same, protocol://host:port combination. If not, the browser will issue a HTTP OPTIONS instead of the POST you are expecting it to. To handle this situation either do:
JSONP
Cross-origin resource sharing
I am closing this conversation since the issue was resolved with JSON request and object mapping via WebService. I assume the problem was a security one regarding to local permission configuration on the directory.
Thank you for your help!
Kornél
I want to post some data via javascript to another domain. Something like:
http://www.othersite.com/submitfunnyname?name=blah
The other site (othersite.com) has a REST interface that you can call (well actually this is a get example) to submit a funny name to them.
Can I do this already with javascript? I'm a little confused on this - I know if that service wants to return some data, I'd need to use something like JSON-P - even though here I'm submitting some data, I guess the service will return some message structure letting me know the result, so it would have to be JSON-P, right?
Thanks
Not a particular expert in JavaScript, but isn't this an example of "cross-site scripting", which is not allowed due to possible security threats?
I believe you need to have all HTTP calls being made to the same server domain as the page. You could have a handler on your own site pass the information on to the othersite.com.
You can either use JSON-P if the site supports it, or you can use your web server as a proxy - by making requests to your server, which will in turn use a library such as cURL to make the actual request to the remote site.
How do you get around this Ajax cross site scripting problem on FireFox 3?
If you're using jQuery it has a callback function to overcome this:
http://docs.jquery.com/Ajax/jQuery.ajax#options
As of jQuery 1.2, you can load JSON
data located on another domain if you
specify a JSONP callback, which can be
done like so: "myurl?callback=?".
jQuery automatically replaces the ?
with the correct method name to call,
calling your specified callback. Or,
if you set the dataType to "jsonp" a
callback will be automatically added
to your Ajax request.
Alternatively you could make your ajax request to a server-side script which does the cross-domain call for you, then passes the data back to your script
To update the answer (I guess, mostly for my benefit when I come looking for this answer later on), if are loading XML or something else, you can always ask the user if he will allow us to read from another site with this code:
try {
if (netscape.security.PrivilegeManager.enablePrivilege)
netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
} catch (e) {
alert("Sorry, browser security settings won't let this program run.");
return;
}
(from the RESTful web services book) But, this only works in firefox, when the html file is loaded from local file. So, not that useful.
One more solution: if all you need is the headers, you can specify "HEAD" as the method and it won't trigger the security issue. For instance, if you just want to know if the web page exists.
var client = new XMLHttpRequest();
client.open("HEAD", my_url, false);
client.send(null);
if(client.readyState != 4 || client.status != 200) //if we failed
alert("can't open web page");
Some more details would be nice: which AJAX library are you using, what would you like to achive, how you do it.
For example it can be a cross-domain Ajax request, which is not allowed. In this case use JSON.
I came across this problem recently and it was while I as AJAX loading the local request, not cross site scripting problem. Also, Jimmy himself seems to have the same problem. This seems to be the FF security problem, this article describes the cause and the solution to access to restricted uri denied" code: "1012 problem.
Sorry, got that error using JQuery
$.ajax on FireFox 3. Tried jsonp
suggestion but I think that will only
work with something that will serve up
json. I'm trying to create a sample
local html file based mashup that will
pull data from Yahoo!Finance, but they
are serving .csv, so I think I'm SOL.
– Jimmy Chandra (Sep 9 at 17:20)
I hope you'll find it useful.