It's that even possible to handle that kind of request? I can't find a decent explanation.
From a network perspective, an Ajax request is just a regular HTTP request, sometimes with some specific HTTP headers such as X-Requested-With or CORS headers.
Gatling sends HTTP requests (or other protocol), so it really doesn't care that a request is an "Ajax" one.
Then, Gatling is not a browser, so it doesn't run your client-side JavaScript and won't automatically trigger Ajax requests for you. You have to include them explicitly in your scenario.
Related
I've been working on a classic SPA where the front end app lives on app.example.com while the API lives on api.example.com, hence requiring the use of CORS requests. Have setup the server to return the CORS header, works fine.
Whenever an AJAX request is not simple, the browser makes an extra OPTIONS request to the server to determine if it can make the call with the payload. Find Simple Requests on MDN
The question is: What are the actual benefits of doing the OPTIONS request, especially in regards to security?
Some users of my app have significant geographical latency and since the preflight cache doesn't last long, the preflight requests cause latencies to be multiplied.
I'm hoping to make POST requests simple, but just embedding the Content-Type of application/json negates that. One potential solution is to "hack" it by using text/plain or encoding in the url. Hence, I hope to leave with a full understanding of what CORS preflight requests do for web security. Thanks.
As noted on the article you linked to:
These are the same kinds of cross-site requests that web content can
already issue, and no response data is released to the requester
unless the server sends an appropriate header. Therefore, sites that
prevent cross-site request forgery have nothing new to fear from HTTP
access control.
Basically it was done to make sure CORS does not introduce any extra means for cross-domain requests to be made that would otherwise be blocked without CORS.
For example, without CORS, the following form content types could only be done cross-domain via an actual <form> tag, and not by an AJAX request:
application/x-www-form-urlencoded
multipart/form-data
text/plain
Therefore any server receiving a request with one of the above content-types knows that there is a possibility of it coming from another domain and knows to take measures against attacks such as Cross Site Request Forgery. Other content types such as application/json could previously only be made from the same domain, therefore no extra protection was necessary.
Similarly requests with extra headers (e.g. X-Requested-With) would have previously been similarly protected as they could have only come from the same domain (a <form> tag cannot add extra headers, which was the only way previously to do a cross-domain POST). GET and POST are also the only methods supported by a form. HEAD is also listed here as it performs identically to GET, but without the message body being retrieved.
So, in a nutshell it will stop a "non simple" request from being made in the first place, without OPTIONS being invoked to ensure that both client and server are talking the CORS language. Remember that the Same Origin Policy only prevents reads from different origins, so the preflight mechanism is still needed to prevent writes from taking place - i.e. unsafe methods from being executed in a CSRF scenario.
You might be able to increase performance using the Access-Control-Max-Age header. Details here.
I am making a program to monitor my network, and in this program I am reading the HTTP traffic which is going through my network. One thing I want to do is to separate the AJAX HTTP traffic from the "normal" HTTP traffic. Is it possible to do such a thing? Is there maybe something in the HTTP headers that tells you if a request is an AJAX request?
There is the X-Requested-With header that most frameworks set when making AJAX requests. It looks like this:
X-Requested-With: XMLHttpRequest
There are no guarantees (obviously the headers are under the client's complete control), but usually it's there.
I'm loading my script on a domain and sending some data with POST and the use of Ext.Ajax.request() to that same domain.
Somehow the dev-tools show me, that there is a failed OPTIONS request.
Request URL : myurl-internal.com:8090/some/rest/api.php
Request Headers
Access-Control-Request-Headers : origin, x-requested-with, content-type
Access-Control-Request-Method : POST
Origin : http://myurl-internal.com:8090
It's both HTTP and not HTTPS. Same port, same host ... I don't know why it's doing this.
The server can't handle such stuff and so the request fails and the whole system stops working.
It's not really specific to Ext JS -- see these related threads across other frameworks. It's the server properly enforcing the CORS standard:
for HTTP request methods that can cause side-effects on user data (in
particular, for HTTP methods other than GET, or for POST usage with
certain MIME types), the specification mandates that browsers
“preflight” the request, soliciting supported methods from the server
with an HTTP OPTIONS request header, and then, upon “approval” from
the server, sending the actual request with the actual HTTP request
method.
If you're going to use CORS, you need to be able to either properly handle or ignore these requests on the server. Ext JS itself doesn't care about the OPTIONS requests -- you'll receive the responses as expected, but unless you do something with them they'll just be ignored (assuming the server actually allows whatever you're trying to do).
If you are NOT intending to use CORS (which sounds like you aren't purposefully going cross-domain) then you need to figure out why the server thinks the originating domain is different (I'm not sure about that). You could also bypass CORS altogether by using JsonP (via Ext's JsonP proxy).
Use relative url instead of absolute, then you will get expected result.
use before request
Ext.Ajax.useDefaultXhrHeader = false
I want to ask you how the browser sends ajax request i mean what is the format of ajax request. So what is actual format of AJAX request sent by browser.
Thanks in advance
If you install Firefox and Firebug you can see for yourself:
http://codeclimber.net.nz/archive/2007/08/01/How-to-debug-XmlHttpRequest-with-Firebug.aspx
It's a standard HTTP request - just like any other request the browser makes.
You can read more about the XMLHttpRequest call and indeed the structure of a HTTP request on WikiPedia.
AJAX is shorthand for Asynchronous JavaScript and XML and does not define a standard on how the data is transferred.
Because the browsers are designed primarily as HTTP clients you should study GET and POST and maybe PUT and DELETE for RESTful web services.
Is it possible to know that a HTTP request is from Ajax?If yes, how?
Many frameworks add a header X-Requested-With set to XMLHttpRequest when sending an AJAX request. If you are using jQuery or Microsoft frameworks, this should work. If using another framework, you'll have to check the documentation. Since normal requests don't have the header, a check for the presence of the header should be sufficient.
If you are using your own "home-built" AJAX or the framework doesn't do this, but does allow you to set a header, you could simply follow this convention and add your own header when making the request.
Most frameworks set X-Requested-With header to state it. But standard AJAX requests doesn't.
I would assume that any request received by a server would appear to be the same (ie http post/get) and that you would need to look at the referer, but that may just give you the browser details?