I would like to make a bookmarklet that users can add to click on while browsing websites. Clicking the bookmarklet grabs some page content and sends it to myserverapi.com
myserverapi.com then sends a reply back to the bookmarklet, which then displays the results to the user (without taking them away from the page they clicked the bookmarklet in). The user confirms something, and then data is once more sent back to myserverapi.com
Is this possible?
I am aware of JSONP but to my knowledge it only works for retrieving data: I was wondering if information can be somehow encoded and sent to the server in a back-and-forth manner.
Thanks!
ah, in this usage case CORS works because I have control of the server.
I can't think of a scenario in which back and forth is required to send data to a possibly "un-willing" server anyway, only the other way around.
So if you have CORS, why not just post that data to the server? see:
How to get a cross-origin resource sharing (CORS) post request working
This question is answered, but here is answer in case you can't use CORS:
I am aware of JSONP but to my knowledge it only works for retrieving data: I was wondering if information can be somehow encoded and sent to the server in a back-and-forth manner.
You were so close, the answer was right in your grasp.
You SEND data to the server in one of two ways:
1.) The most simple way is with GET. Your JSONP script can be like server/jsonp.php?data=antyhing+you+want. So this is basically the same way as using AJAX communication with the same domain, but instead of using XMLHttpRequest to perform the GET, you are appending a script.
2.) If the data to send exceeds what GET can handle, you can POST the data using a form and an iFrame. One of the form variables should contain a unique ID for that POST to use as a key. Since the POST can not return any data, yo must use the GET method to get the response which corresponds to that key. Because the POST is asynchronous, your GET should poll the server until the server responds with success, which dependent on the server having received a POST with the corresponding key.
Related
I have a problem that I got stuck how to receive POST data in angularjs sending from PHP? Let me explain in detail. My project url is http://test.com/callback and other party will use FORM POST to my callback URL. I want to display all FORM POST data inside that callback controller. Please let me know how to do it. Thanks.
To answer you question you must understand these two concepts:
Web server: (PHP, Node, Apache, etc): the server hosting your page
receives HTTP requests
sends HTTP responses
Web agent: (Chrome, IE, FF, curl, etc) displaying/requesting your page
sends HTTP requests
receives HTTP responses
And find out things does not work the way you want.
This question have been bothering me for a while. So here is the story. There is another domain name which consist of a php file that produce json result :
lets say http://www.otherdomain.com/token.php and it will produce:
{"token":"123455"}
I want to ajax from mywebsite.com to get and act on the response given. The problem is otherdomain.com is not own my me and I can't modify the content in it or whatsoever.
So I have searched for several answer on stackoverflow and will explain why this doesn't work.
set the CORS header.
It didnt work because the domain is not own by me and i can't do anything about it.
Use my server as a proxy to request the data. (This is workable for a few times, but when the visitor on my site get more and more there will be more data sent from single ip to the site which is from my server which then might triggered 403 error)
Use plugin on chrome or firefox. (This option is okay if i am the only one who using this website)
Use JsonP. It shown in jQuery getJSON works locally, but not cross domain but the answer shows you need to modify the response data on the otherdomain.com file and since i dont own the domain, I cant do anything.
You may not use your option number 4 correctly. jsonp is especially made for cross domain requests. So, jsonp is your solution. If you stuck, then look at google maps or other services, they have working jsonp examples.
I'm studying web security.
Form Security During studying, I wonder questions.
Can I send a post without a form?
It does not ask to transfer data to the server without post transmission.
When I send a 'post', I ask if I should go through the 'form'.
You can use XMLHttpRequest to send requests of all types (POST, GET, ...)
More information here.
POSTing in HTML without a FORM didn't work in the browsers I tried it in. Since the FORM element specifies the URL to access, there isn't really complete basis to perform such an operation.
However using curl or a custom HTTP client, it is definitely possible to construct & send handcrafted requests (POST, GET, PUT, DELETE, others) to an HTTP server. These are independent of any HTML pages the server might offer -- the client need never perform a GET -- and can be constructed completely arbitrarily.
For example, a request may specify parameters (eg "order.total", "customer.id", "developmentMode=true") which the web application never offered in the HTML or expected to be received. This can be a potential security hole if eg. automatic binding frameworks are used, and bindable fields should be carefully controlled when using such.
Applications must be robust against such requests as a basic principle of web security.
Google Chrome has an extension called "Postman" that allows sending HTTP POST requests: https://chrome.google.com/webstore/detail/postman/fhbjgbiflinjbdggehcddcbncdddomop?hl=en
I have a Meteor application I would like to let users retrieve data from via an ajax request. Currently if I send the ajax request it returns the HTML.
I understand I might have to do something with the headers but I can't quite figure out what given the flood of javascript, json, ajax search results that diminish the results of what I am looking for.
I am also curious how Meteor would even handle this since it is a one page application with dynamic headers which I am not sure I have control over.
So basically I need a client from cross origin to ping myurl.com/?myQuery=yadada and get back some data
I am building my first node.js webapp. I don't need to manage users registrations. I just need an admin page wich easly allow updating the content of some pages.
I have almost finished the development phase but there is something about security I would like to clarify.
ADMIN PAGE: there are 2 level of security:
1) The admin page is linked to mywebsite.com/hexadecimal_string .
Maybe it's very stupid but the admin page is a "secret" page. Linking
it to mywebsite.com/admin is too much common. Do you think that using
an hexadecimal string can be considered a first level of security?
2) Of course there is a password for admin, stored in my database. If
the password is right, a temp cookie is setted. Maybe I should
encrtypt this password while is posted but I'm not planning to use
https. Is there a way, different by using https, to make the posting
of the password more secure ?
CORS: I don't need CORS but there is a thing that is making me crazy:
In the homepage everyone can post some data to server (we are talking about newsletter emails and others personal datas)
suppose someone reads the javascript code of the home page(in particular the ajax urls) in same way and he tries to post data to the same urls but using a personal script that skip the validation phase. Of course I did the validation to server also but I'd like to not accept any req coming from personal scripts written by other than me. The server should respond only to requests coming from my javascripts, tha anyone can run accessing to www.mywebsite.com. All other requests coming from different scripts will recieve 500-server error.
Now, I read about lot's of people that is tryng to ALLOW CORS. So I was supposing that cors is disabled by default but I tried to post data from another website to mine and the data have been sent without problem and the server responds 200. Why? Can I manage this thing?
There are other common things that I need to analyze and manage for security in my situation??
Since you don't want to use https and are looking for an alternative to that I presume you don't want the password to be sniffed in transit. I suggest a simple encryption decryption algorithm might work out for you. For the second issue, you can add a validation string which the client JS will pass along with other parameters while hitting your server API's. If you generate this string each time the client loads some specific page, then duplication of string will also be tackled.
In case you don't want at all to maintain any sort of db on server side, then attach a hidden HTML field to the API hits. This hidden field again you can encrypt and sent. If you broadcast this field periodically from the server, replication of the field will not be possible.
Also in CORS, you cannot request for data from a cross domain. CORS block comes in place when the browser gets a reply back from the server. Only posting of data does not cause any issue.