This is my doubt after going through
How to send headers while using jsonp proxy?
and
How Ajax call is working in mobile app (PhoneGap), but not in PC browser?
As per this we can use json proxy instead of jsonp in mobile but not in desktop browser. This sounds good, but my problem is that I am using my desktop as my development environment, and the browser is the quickest way to test and debug whatever I am doing; if I use json proxy this won't work because of cross domain issues. Please suggest ways such that I can easily develop and debug the application on my desktop itself.
My workstation has Ubuntu OS and I use Chrome browser for testing.
I think for the development purpose you can disable cross domain policy in your browser as given here.
1. Create a shortcut for the Chrome browser on your desktop.
2. Add the following flag to the shortcut: --disable-web-security
Or
You can set up your dev server to allow cross domain requests as given here or here.
1. Add the following header to your response: Access-Control-Allow-Origin: *
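The dev-server option from the answer above, as an added example that is not part of the original answer: a static file server that sends Access-Control-Allow-Origin only to origins on an explicit list instead of `*`, answers preflight requests so custom request headers work, and listens on loopback only. The origin values and the names `cors_headers`, `CORSHandler` and `make_server` are assumptions made for the example.

```python
"""Dev-only static file server that answers CORS for an explicit origin list."""
from http.server import HTTPServer, SimpleHTTPRequestHandler

# Assumption: the origins the pages under test are served from (constructed values).
ALLOWED_ORIGINS = {"http://localhost:3000", "http://127.0.0.1:3000"}


def cors_headers(origin, allowed=ALLOWED_ORIGINS):
    """Return the CORS response headers for one request's Origin value."""
    if origin not in allowed:
        return {}  # no header: the browser keeps blocking cross-origin reads
    return {
        "Access-Control-Allow-Origin": origin,  # echo the one origin, not "*"
        "Access-Control-Allow-Headers": "Content-Type, Authorization",
        "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
        "Vary": "Origin",  # a cache must not reuse the response for another origin
    }


class CORSHandler(SimpleHTTPRequestHandler):
    def end_headers(self):
        request_headers = getattr(self, "headers", None)  # unset on malformed requests
        origin = request_headers.get("Origin") if request_headers else None
        for name, value in cors_headers(origin).items():
            self.send_header(name, value)
        super().end_headers()

    def do_OPTIONS(self):
        # Preflight: status line and headers only; end_headers() adds the CORS ones.
        self.send_response(204)
        self.end_headers()


def make_server(port=8000):
    # Loopback only, so the relaxed policy is not reachable from the network.
    return HTTPServer(("127.0.0.1", port), CORSHandler)


if __name__ == "__main__":
    make_server().serve_forever()
```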
Many modern Web APIs are gated by the browser to be HTTPS only. This is good for users but can make developing painful. During development I'd like to be able to turn off that requirement just for testing.
Is there a flag I can set (about:config in firefox, about:flags in chrome) or a command line parameter I can pass in to turn off that requirement so I can test without having to setup https certs and add them to the browser?
Note: I understand the https requirement is dropped for localhost but I'm often hosting on one machine (like a laptop) and testing on another (like an Android device) or a different desktop. I know I can generate a local cert and run a server that supports https. I then have to deal with security warnings on the browsers (invalid cert) and/or add the private certs to all the devices OR I have to register a domain solely for the purpose of getting a valid cert via letsencrypt. For my own dev I'd just like to temporarily turn off that check in the browser if possible. Of course what I actually serve to users will be https but during dev if I could turn off that requirement things would be so much easier.
In my particular case I'm trying to use WebXR so dev happens on my laptop but actual testing happens on an Android device where the page is served from my laptop.
One solution suggested here is to use Chrome's port forwarding
https://developers.google.com/web/tools/chrome-devtools/remote-debugging/local-server
That works for Chrome desktop to Android
On your desktop you tell desktop Chrome what site at what port to forward to your Android device at another port. That site can be a server on the internet or a server running locally on your desktop. On the Android device you can then access that site at http://localhost:<port-you-specified>. https requirements are dropped for localhost so you can now use the APIs that were restricted otherwise.
Chrome has a developer setting Insecure origins treated as secure in chrome://flags/, this is a text field where you can add a list of origins treated as secure for development purposes. (Via https://github.com/immersive-web/webxr/issues/60)
We are developing an application using node.js and meteor.js, this application is working fine in Firefox, Chrome and IE 10, but when we try to browse this application in IE-9, it doesn't load.
I have investigated the request/response of both browsers (IE9, Firefox) and I have found that for XHR requests, IE 9 uses iframe polling instead of web sockets for data transfer. IE 9 does not maintain the cookies in this case and that causes 401 errors for every XHR request. So the cookie is not being sent in the iframe in IE 9.
I have investigated how we can enable cookies for the iframe, and I have found that we can achieve this using privacy policy platform (p3p). To enable the p3p you will have to add p3p key in response header and privacy.policy file in w3c folder inside the domain folder. I have done all of this.
But things are not working in my case, I have done a lot of R&D to set the different -2 key of p3p. But still facing the issue of loading the application in IE9.
You may not be able to get there from here.
But there's support in Flow Router apparently. Support appears to be package by package.
https://kadira.io/blog/meteor/flow-router-ie9
While debugging a client app that uses a Google backend, I have added some debugging versions of the functions and inserted them using the Chrome Developer Tools script editor.
However there are a number of limitations with this approach, first is that the editor doesn't seem to always work with de-minified files, and when the JS file is 35K lines long, this is a problem.
Another issue is that all the initialization that is done during load time, uses the original "unpatched" functions, hence this is not ideal.
I would like to replace the remote javascript.js file with my own local copy, presumably using some regex on the file name, or whatever strategy was suitable, I am happy to use either Firefox or Chrome, if one was easier than the other.
So basically, as #BrockAdams identified, there are a couple of solutions to these types of problem depending on the requirements, and they follow either 1 of 2 methods.
1. The browser API switcharoo.
2. The proxy based interception befiddlement.
the browser API switcharoo.
Both firefox and chrome support browser extensions that can take advantage of platform specific APIs to register event handlers for "onbeforeload" or "onBeforeRequest" in the case of firefox and chrome respectively. The chrome APIs are currently experimental, hence these tools are likely to be better developed under firefox.
2 tools that definitely do something like what is required are AdBlock plus and Jsdeminifier both of which have the source code available.
The key point for these 2 firefox apps is that they intercept the web request before the browser gets its hands on it and operate on the other side of the http/https encryption stage, hence can see the decrypted response, however as identified in the other post that they don't do the whole thing, although the jsdeminifier was very useful, I didn't find a firefox plugin to do exactly what I wanted, but I can see from those previous plugins, that it is possible with both firefox and chrome. Though they don't actually do the trick as required.
The proxy based interception befiddlement
This is definitely the better option in a plain HTTP environment, there are a whole bunch of proxies such as privoxy, fiddler2, Charles Web HTTP proxy, and presumably some that I didn't look at specifically such as snort that support filtering of some sort.
The simplest solution for myself was foxyproxy and privoxy on firefox, and configure a user.action and user.filter to detect the url of the page, and then to apply a filter which swapped out the original src tag, for my own one.
The https case. proxy vs plugin
When the request is https the proxy can't see the request url or the response body, so it can't do the cool swapping stuff. However there is one option available for those who like to mess with their browser. And that is the man-in-the-middle SSL proxy. The Charles Web HTTP proxy appears to be the main solution to this problem. Basically the way it works is that when your browser makes a request to the remote HTTPS server, the ssl proxy intercepts the request and from the ip address of the server generates a server certificate on the fly, which it signs with its own root CA, and sends back to the browser. The browser obviously complains about the self-signed cert, but here you can choose to install the ssl proxy root CA cert into the browser, befuddling the browser and allowing the ssl proxy to man in the middle and make replacements and filters on the raw response body.
Alternative roll your own chrome extension
I decided to go with rolling my own chrome extension, which I am planning to make available. Currently it's in a very hardcoded to my own requirements state, but it works pretty good, even for https requests and another benefit is that a browser plugin solution can be more tightly integrated with the browser developer tools.
Hi,
So I've got this problem: I'm trying to develop an HTML file on my localhost, and all the browsers I have installed are preventing me from sending cross-domain requests.
What I'm trying to do is to convert a script I wrote in Python (with Mechanize, pyquery and lxml) to Javascript, the reasons don't really matter (I thought in Javascript it would be easier to simulate something).
Cross-domain requests from local files used to work, and are still working on the latest Safari (stable), but I can't install Safari on this machine (it's a Linux box).
EDIT
I discovered the escalated privileges of Firefox, e.g.:
netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
// among others
Problem is, I'm also trying to access the content loaded in an iFrame ... as I said, I'm trying to simulate a browser session, like I would with a library like Mechanize, but from Javascript. My script still works in Safari.
So how to force Chrome / Firefox / Opera to bypass all security restrictions from locally stored files?
I'm interested in a browser command-line option, I would even consider a patch to the browser (I'm the user, not trying to distribute this to anyone else).
Thanks,
I'm unsure whether or not you have control of the content in the IFrames but since you are speaking of local files I guess you do. This article on Ajaxian should cover your use case.
Since you are targeting grade A browsers (i.e. not IE) you could use html5 window.postMessage instead of IFrames.
Cheers, Jon.
I have no working knowledge of Python Mechanize lib.
Why don't you start a simple http server instead to solve your problem?
import sys
from http.server import HTTPServer, SimpleHTTPRequestHandler

HandlerClass = SimpleHTTPRequestHandler
ServerClass = HTTPServer
Protocol = "HTTP/1.0"

# Port: first command-line argument, or 8000 by default
if sys.argv[1:]:
    port = int(sys.argv[1])
else:
    port = 8000

# Listen on the loopback interface only
server_address = ('127.0.0.1', port)

HandlerClass.protocol_version = Protocol
httpd = ServerClass(server_address, HandlerClass)

sa = httpd.socket.getsockname()
print("Serving HTTP on", sa[0], "port", sa[1], "...")
httpd.serve_forever()
This python code will start a simple http server listening on port 8000 or the first argument and handles all files in the folder from this script.
I'm not sure if this works when the page is on localhost, but it might be worth a try: http://www.asual.com/jquery/address/
That jQuery plugin lets you make cross-domain requests from any domain... Perhaps it might work with localhost? Haven't tested it though.
I want to develop JavaScript on my Windows machine. Do you know a browser where I can turn off Same Origin Policy so I can develop locally? Firefox would be optimal.
Or if you know a proxy I could use for a SOAP/WSDL site it would be great too.
I am trying to work with the JavaScript SOAP Client.
UPDATE 6/2012: This used to work at the time of the writing, but obviously no more. Sorry.
In Firefox (might apply to other Gecko-based browsers as well) you can use the following JavaScript snippet to allow cross-domain calls:
if (navigator.userAgent.indexOf("Firefox") != -1) {
    try {
        netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
    }
    catch (e) {
        alert("Permission UniversalBrowserRead denied -- not running Mozilla?");
    }
}
It looks like there's an issue created in the Chromium issue tracker for achieving the same functionality, so you could try starting Chrome with the argument --disable-web-security. I don't know which builds this works on exactly, but at least Nokia's WRT Tools comes with a Chrome installation that does in fact allow loading content from other sites.
Unfortunately, using the following:
netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
has been disabled in Firefox 5.
https://bugzilla.mozilla.org/show_bug.cgi?id=667312
Make a page on your local server that calls the remote server and answer the same as the remote server.
Example, javascript calls local server for a JSON. The local server makes the call to the remote server for that JSON. The local server receives the JSON from the remote server and send it to the javascript.
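The local-server relay described in the answer above, as an added example that is not part of the original answer: the page requests /api/... from its own origin, and the local server fetches the response from one fixed remote API and passes it back, forwarding a short list of request headers. The names `make_proxy`, `PREFIX` and `FORWARDED`, the /api/ prefix and the host api.example.test are assumptions made for the example.

```python
"""Dev-only relay: the page calls /api/... on its own origin and this server
fetches the answer from one fixed remote API. All names here are hypothetical."""
import http.client
from http.server import HTTPServer, SimpleHTTPRequestHandler
from urllib.parse import urlsplit

PREFIX = "/api/"  # assumption: local path prefix that is relayed
FORWARDED = ("Accept", "Authorization", "Content-Type")  # request headers passed on


def make_proxy(upstream, port=8000):
    """Build the server. `upstream` is a fixed base such as 'https://host';
    the browser can never choose the host, so this is not an open relay."""
    target = urlsplit(upstream)
    secure = target.scheme == "https"
    conn_cls = http.client.HTTPSConnection if secure else http.client.HTTPConnection

    class ProxyHandler(SimpleHTTPRequestHandler):
        def do_GET(self):
            if not self.path.startswith(PREFIX):
                return super().do_GET()  # everything else: static files as usual
            headers = {h: self.headers[h] for h in FORWARDED if h in self.headers}
            try:
                conn = conn_cls(target.hostname, target.port, timeout=10)
                # Only the path and query come from the request.
                conn.request("GET", "/" + self.path[len(PREFIX):], headers=headers)
                resp = conn.getresponse()
                status, body = resp.status, resp.read()
                ctype = resp.getheader("Content-Type", "application/json")
                conn.close()
            except (OSError, http.client.HTTPException):
                status, ctype = 502, "application/json"
                body = b'{"error": "upstream unreachable"}'
            self.send_response(status)
            self.send_header("Content-Type", ctype)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    # Loopback only: the relay is for the developer's own browser.
    return HTTPServer(("127.0.0.1", port), ProxyHandler)


if __name__ == "__main__":
    # api.example.test is a placeholder for the real remote API.
    make_proxy("https://api.example.test").serve_forever()
```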
Using the Chromium 13.07, you can start it with security disabled:
/usr/bin/chromium-browser --disable-web-security
That's on Ubuntu 11, but change the location to match your system.
All of the given answers are good ones when it comes to getting around the same origin policy in production.
For development, there is no convenient way to "disable" this security check. There are workarounds (see other answers) or hacks (you could use Greasemonkey to wrap up the JavaScript and use their GM_xmlhttprequest as a temporary measure), but no way to actually "turn it off" as you describe.
I run this command on Mac; it works for me when I use Google Chrome to run my project.
open -a Google\ Chrome --args --disable-web-security --user-data-dir
I have no real experience with this, but Firefox 3.5 allows Cross-Site JS according to the W3C Cross-Origin Resource Sharing Draft.
See: https://developer.mozilla.org/En/HTTP_access_control
Firefox would be optimal.
If you can live with Internet Explorer, you may be able to use an .hta application
http://msdn.microsoft.com/en-us/library/ms536496(VS.85).aspx
(This is one of the ways the Selenium test automation tool deals with the issue)
In Chrome (& Chromium) 48 and above you should add the flag --user-data-dir like this:
chromium-browser --disable-web-security --user-data-dir
And it works.
You can also redirect a local port to the remote server and port via ssh.