is it possible to set custom headers on js <script> requests? - javascript

Is something like this possible?
<script src="http://myserver.com/some.js" my-custom-header="foo"></script>
Update (a bit more detail):
I've been asked if there was a way to communicate some parameters to the server as part of the script request using headers instead of GET params. I said, "no," but thought I'd double check.

Short answer: no. By default a script tag will just retrieve the resource specified in the src attribute.
However, if you use an AJAX request to retrieve the script (and add it later/execute it), you can use the setRequestHeader function of the XMLHttpRequest object (see http://www.developertutorials.com/learn-ajax/custom-http-headers-2643.php).
You could also use more complex methods, such as using mod_rewrite to rewrite paths, and include the parameters in the url. The best solution depends on what you want to do, and how much control you have over the server.

No. You'll need to set the headers on the server that's serving up the JS file.
EDIT: I misinterpreted what you meant, it turns out you wanted to set a request header, not a response header. This is still not possible (from HTML) as far as I know.

Related

Prevent Content Injection into HTTP Req Headers

I am using Requestly Chrome extension to intercept and modify HTTP request headers and change their original values inside my NodeJS app.
How can I prevent attack? For example, I can change Referer header and inject link.
There is no way to prevent users from doing this.
You can't trust the Referer header.
You cannot, but you can try to make the thing more difficult to do, thing a tricky way to sign the headers / datas (sha512, etc..) and add signature in the headers/cookie/datas.
Use the same function on your server to check if the value has been modified during the transport.
"But the 'hacker' can still try to inspect the client code and use the signature function to modify the values ?"
Yes, but you can transform the thing in something completely illisible:
Make your app include a bench of useless big script which doing nothing (uglified of course)
Divide your signature function in many (many) functions named with random char and then uglified them, put one of them inside your useless big scripts.
...
Nothing is trustable on client side, but you can try to discourage the hackers :D

Send a post request with an Electron webview

I want to send a POST request with an Electron webview from the outer script. At the moment I just set the src attribute to trigger a page load, which sends a GET request:
<webview id="view">
<script>
document.getElementById('view').setAttribute('src', 'http://example.com/?foo=bar');
</script>
Is there any way to navigate the webview to a URL by sending a POST request? Maybe a method of the webview, instead of just hacking with the src?
You can execute arbitrary code from within the webview context with .executeJavaScript.
Moreover your code has access to all browser built-in apis. Easiest would be to use fetch, with method set to post.
In your case (provided the webview has been already loaded; for example its .src has been set):
document.getElementById('view')
.executeJavaScript('fetch("http://example.com/?foo=bar", {method: "post"});');
Some remarks:
The origin of the request is controlled by .src of the webview.
It seems that all default security policy are still used by webview - specifically you cannot make calls to http: from https:.
It is bit painful to pass code as a string.
Now there is a new <webview>.loadURL() method with a postData option in the docs. I haven't used it yet but it looks exactly like what I was looking for in the past.
It seems they added it as a feature in the meantime.
Basically, Webview element does not have a property like "method" of Form so you can not specify a particular HTTP method for its request. I recommend you to use AngularJS or any other JS frameworks to archive your purpose.
I found two workaround since <webview> does not seem to currently have any way to send a POST request.
Maybe the site you're using will let you send the form as a GET by adding any form elements to the URL's query string. It turns out the site I was using did allow this and I wouldn't've guessed had I not actually tried.
You might be able to send a POST manually through AJAX/fetch etc then replace the HTML of the page in the webview with the HTML returned by your manual POST. You can achieve this using .executeJavaScript() and/or Electron's IPC.
Neither workaround will work in every case. It might be worth filing a feature request with the Electron team too...
So I just went ahead and submitted a feature request. You can follow it here: https://discuss.atom.io/t/add-http-post-method-to-webview/29702

Setting a custom header on the server-side, and retrieve its value using JavaScript on the client side

Is it possible to set a custom header as part of a GET response from the server-side, and retrieve its value using JavaScript/JQuery on the client side once the response is received?
If so, what is the proper way of doing this in JavaScript?
As mentioned in the comments to your question, the answer is no, not directly.
If you really need to do this, as a workaround you can push values as hidden fields if returning HTML, part of your response if returning JSON etc.
If you absolutely, unavoidably need to do this, you can make a separate HEAD XMLHTTPRequest to the desired page, and load the headers from there.
See Http headers in Javascript?

Know how of Cross Domain Request in Jquery

Can anyone please explain how jquery handles cross domain requests? I understand the theory that it does via script using src attribute as url. But i was trying to test the same thing in plain javascript . I need to know the sequence of activities to be done for a post request. at what stage the data is sent and script element is constructed ? I am tired of asking the same at different forums where i got to see links explaining CORS. i need a to-do solution here.
Thanks
PS: sorry if i am asking too much :)
The ajax request URL is set as the .src attribute on a dynamically generated script tag and a parameter is added to the URL &callback=someFunc where someFunc is a local javascript function. When the server receives the URL, it's job is to parse the generate javascript that contains the returned data and then calls the passed in function name with the data as an argument. This is usually referred to as JSONP.

Dynamically writing js file

Is it possible to create dynamic js file creation?
e.g. I am referring MyJs.js using tag as usual, but source will be accompanied with a context value.
now what I expect, at server side, MyJs.js will be written according to the context value; just like a jsp page.
Is it possible?
For sure. I guess you're using Java (given you mentioned jsp). Just map the request (MyJs.js) to your jsp (or whatever framework dispatcher you use) in web.xml, and then make sure to set the content-type of the response to text/javascript.
If you give more details then you might get a more detailed respones :)
YES
just make sure your response header: Content-type set as: 'text/javascript';

Categories