I'm trying to implement Etag features to my Spring Boot application, so browsers can update image cache when the server image is changed.
I changed Spring Boot setting via a YAML file:
spring:
jackson:
serialization:
WRITE_DATES_AS_TIMESTAMPS: false
resources:
static-locations: classpath:static/
chain:
strategy:
content:
enabled: true
cache:
cachecontrol:
max-age: 0
must-revalidate: true
no-cache: true
mvc:
static-path-pattern: /resources/**
and added a ShallowEtagHeaderFilter bean:
#Configuration
public class MvcConfig implements WebMvcConfigurer {
#Bean
public ShallowEtagHeaderFilter shallowEtagHeaderFilter() {
return new ShallowEtagHeaderFilter();
}
}
The first request & response header:
GET /resources/image/product/list/foo.png HTTP/1.1
Host: localhost:8080
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36
DNT: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,ko-KR;q=0.8,ko;q=0.7,vi;q=0.6
Cookie: _ga=GA1.1.134751806.1551948465; loginFlag=undefined; branchId=admin
HTTP/1.1 200
Last-Modified: Wed, 08 May 2019 05:17:32 GMT
Cache-Control: no-cache, must-revalidate
Accept-Ranges: bytes
ETag: "0b99ccc3070d4e65cd155b768a56f97e4"
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
Content-Type: image/png
Content-Length: 101070
Date: Fri, 10 May 2019 08:03:37 GMT
Second request & response header without changing the static file:
GET /resources/image/product/list/foo.png HTTP/1.1
Host: localhost:8080
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36
DNT: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,ko-KR;q=0.8,ko;q=0.7,vi;q=0.6
Cookie: _ga=GA1.1.134751806.1551948465; loginFlag=undefined; branchId=admin
If-None-Match: "0b99ccc3070d4e65cd155b768a56f97e4"
If-Modified-Since: Wed, 08 May 2019 05:17:32 GMT
HTTP/1.1 304
Last-Modified: Wed, 08 May 2019 05:17:32 GMT
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
Date: Fri, 10 May 2019 08:05:32 GMT
For the third, I stopped the localhost server, overwrote foo.png with the other file, rebuilt the project and run server. I expected the request should return the changed image file, but the status was 304 with the same image as before:
GET /resources/image/product/list/foo.png HTTP/1.1
Host: localhost:8080
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36
DNT: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,ko-KR;q=0.8,ko;q=0.7,vi;q=0.6
Cookie: _ga=GA1.1.134751806.1551948465; loginFlag=undefined; branchId=admin
If-None-Match: "0b99ccc3070d4e65cd155b768a56f97e4"
If-Modified-Since: Wed, 08 May 2019 05:17:32 GMT
HTTP/1.1 304
Last-Modified: Sun, 05 May 2019 19:08:52 GMT
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
Date: Fri, 10 May 2019 08:09:32 GMT
I'm clueless how to refresh browser's cache when the file is changed. What am I missing?
It seems there was no problem with the settings. Instead of building and running the project via IDE(IntelliJ IDEA), I tried Gradle bootJar and ran the jar file and it worked as intended.
From a web page of domain A, I am firing up an ajax request to domain B in order to get JSON for which basic auth is configured on domain B. I have access to the code on both the domains. I configured the all the required CORS header on domain B (Even made Access-Control-Allow-Origin header value specific and not "*", after reading some stackoverflow) What I am expecting is browser basic auth pop up, But POST request just fails with 401.I can see that server has responded with expected response header for PRE-FLIGHT OPTION request, below the request & response headers of the OPTION & actual POST method call that happens
***OPTION REQUEST***
Host: DOMAIN_B:8085
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Access-Control-Request-Method: POST
Access-Control-Request-Headers: x-requested-with
Referer: http://DOMAIN_A:2280/app/
Origin: http://DOMAIN_A:2280
Connection: keep-alive
***OPTION RESPONSE***
HTTP/1.1 200 OK
X-Powered-By: Express
Access-Control-Allow-Origin: http://DOMAIN_A:2280
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,HEAD,PUT,PATCH,POST,DELETE
Access-Control-Allow-Headers: Content-Type,Authorization,x-requested-with
Access-Control-Max-Age: 1
Allow: GET,POST
Content-Type: text/html; charset=utf-8
Content-Length: 8
Date: Fri, 04 Jan 2019 12:48:48 GMT
Connection: keep-alive
*** ACTUAL POST REQUEST***
Host: DOMAIN_B:8085
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://DOMAIN_A:2280/app/
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 105
Origin: http://DOMAIN_A:2280
Connection: keep-alive
*** ACTUAL POST REQUEST***
HTTP/1.1 401 Unauthorized
X-Powered-By: Express
Vary: X-HTTP-Method-Override, Origin
Access-Control-Allow-Origin: http://DOMAIN_A:2280
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: POST,GET,PUT,DELETE
Access-Control-Allow-Headers: Content-Type,Authorization,x-requested-with
Access-Control-Max-Age: 1
WWW-Authenticate: Basic realm=artist
Content-Type: text/plain; charset=utf-8
Content-Length: 12
Date: Fri, 04 Jan 2019 12:48:48 GMT
Connection: keep-alive
So its expected that browser looking at the response of the POST call(401 HTTP code & WWW-Authenticate header) should get prompted to show the native authentication pop up, But it's not doing so. I am not sure what I am doing wrong here. Showing custom form to capture the credential and passing them in "Authorization" header using btoa function is not an option
Appreciate any help, I am ripping my hair apart here!!!
use basic-auth npm plugin
const auth = require('basic-auth');
app.use(function (request, response, next) {
var user = auth(request);
console.log("user => ",user);
if (!user || !user.name || !user.pass) {
response.set('WWW-Authenticate', 'Basic realm="example"');
return response.status(401).send();
}
return next();
});
I've been battling with Chromium, jQuery and AJAX. My extension takes some resources from some sites using ajax, then parse the results and store it somewhere. One of those sites decided to do the jump to https. Neat. I just have to change the http for https, and fix any problem I hit down the road. No joy.
I use the following ajax method to get the stuff (is the smallest unit I could reproduce):
$.ajax({
url: "https://reader.japanzai.com/search/",
type: 'POST',
data: {
'search': "onna"
},
beforeSend: function (xhr) {
xhr.setRequestHeader("Access-Control-Allow-Origin", "*");
},
headers: {
'Access-Control-Allow-Origin': '*'
}})
Lets ignore for a while that I've set the headers twice, since just using one don't work either and throw the result:
OPTIONS https://reader.japanzai.com/search/ No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'chrome-extension://nhjloagockgobfpopemejpgjjechcpfd' is therefore not allowed access. jquery.js:5
x.support.cors.e.crossDomain.send jquery.js:5
x.extend.ajax jquery.js:5
(anonymous function) VM4000:2
InjectedScript._evaluateOn VM3770:581
InjectedScript._evaluateAndWrap VM3770:540
InjectedScript.evaluate VM3770:459
XMLHttpRequest cannot load https://reader.japanzai.com/search/. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'chrome-extension://nhjloagockgobfpopemejpgjjechcpfd' is therefore not allowed access. lab.html:1
As you can see, it says that the request header is not present, which is true following the http request:
Request URL:https://reader.japanzai.com/search/
Request Method:OPTIONS
Status Code:200 OK
Request Headersview parsed
OPTIONS https://reader.japanzai.com/search/ HTTP/1.1
origin: chrome-extension://nhjloagockgobfpopemejpgjjechcpfd
access-control-request-method: POST
dnt: 1
accept-encoding: gzip,deflate,sdch
host: reader.japanzai.com
accept-language: es,en-US;q=0.8,en;q=0.6
method: OPTIONS
user-agent: Mozilla/5.0 (X11; Linux i686 (x86_64)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
accept: */*
url: /search/
scheme: https
version: HTTP/1.1
access-control-request-headers: access-control-allow-origin, accept, content-type
Response:
HTTP/1.1 200 OK
cache-control: post-check=0, pre-check=0, max-age=0
content-encoding: gzip
content-type: text/html
date: Thu, 13 Feb 2014 22:58:03 GMT
expires: Sat, 01 Jan 2000 00:00:01 GMT
last-modified: Thu, 13 Feb 2014 22:58:03 GMT
pragma: no-cache
server: nginx/1.5.8
set-cookie: ci_session=U3Q14aq8Q7W4KVifDyLi7%2B3lppr%2FS4BNmW1kD9t60H7dz73M5KMs1jgBo8ZrilKoswn63PvCl1sOldPs1RCl6NdiP1VZeekoMTISyQenQZU0F8yUC0odw6WuMUE5I%2FY%2Bfvddv2YH06b2pxyyNBDZnNn%2BLnLzPrRYBXHuAjFbTyucX%2FMLUUM2cwKLzaK3ILKPhxy8FXW%2FI%2F9EPPbwo%2B8nmbPwOeqDfpDdu61F5yzUU8KjfUo7MwwFIXyGWtqbjbF3PCKNZrY%2F3Cj77DgCpcCbTTKZ%2BVzrdw16oGVDg1dP8lQgSof89rLNqUlQSj60tCVzZ27oPNh9OvvTNJ92tYkTHDukG4dyv21yM4M3PACZ%2FKVNP0i2UWHbBujADPSsrGJhJxPzBsuRDLcPtDcBtuaXA4LLMoGoYW6SxYk%2BseltMvk%3D; expires=Fri, 14-Feb-2014 00:58:03 GMT; path=/
set-cookie: ci_session=tQT8qmNRnMRN2Oj3moCdZg9VNEEsPxi3t88g2SpYQxahFr%2FpiEpQFzsO2mLTp1bPlsGLmqQGnMUiuwFpLYNIneNHtU%2BoKkVOcnR8ZKxPd0FDrkW%2BqT0N2IIsV%2BC%2FXQX%2BZUkLg1E4iP6u%2F0%2Fjk1t%2BAwcwhoC0M3zODuEKv1l9JMFo%2B1g4%2BhIOp%2FHTzBnlMvE2KjanXJR55F3DOHdyi4MvQb1vzgWEZTTAfhZ3bkQPkKe41ZCJYQTw%2FrDfry8n2h43UKPc1IF4tWp%2BKh0yhux%2FsBn84meT3xR%2Bpba9ffeZObrQyVomKlmJg9oRkKvlhR4MlNsiIeIZEvtP52ns0X1uF%2B7Pg6RpcMihe1u2S0%2Fbz5wm75vQ6tyykmFp5qfnoDgXB6J7RmbBQy4GTOFEA2zqN3V6QXT71cSn%2B1ARd9GtNMA%3D; expires=Fri, 14-Feb-2014 00:58:03 GMT; path=/
status: 200 OK
strict-transport-security: max-age=31536000
vary: Accept-Encoding
version: HTTP/1.1
x-powered-by: PHP/5.4.4-14+deb7u7
So, I'm missing something obvious here or there's just no way to do this?
I followed abraham advice and added the site to the permissions field in the manifest. It worked, the only bad thing is that if another site decides to move to https I need to release a new version, so this is what I ended doing:
"permissions" : [
"tabs",
"*://*/*",
"https://ssl10.ovh.net/*",
"unlimited_storage",
"clipboardWrite",
The important part here is "*://*/*" which includes anything from http and https.
I used a network sniffer and examined all the requests going out from Firefox when going to http://html5demos.com/geo. According to my Firefox, the geolocation service according to geo.wifi.uri entry is https://www.google.com/loc/json. However I don't see this url in any of the requests.
What am I missing?
I see it in LiveHTTPHeaders:
https://www.google.com/loc/json
POST /loc/json HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:2.0b12pre) Gecko/20110220 Firefox/4.0b12pre
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Content-Length: 42
Content-Type: text/plain; charset=UTF-8
Pragma: no-cache
Cache-Control: no-cache
{"version":"1.1.0","request_address":true}
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Encoding: gzip
Date: Mon, 21 Feb 2011 13:34:05 GMT
Expires: Mon, 21 Feb 2011 13:34:05 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 238
Server: GSE
If your wifi interface is enabled, Firefox sends to Google all the wifi signal strength around you in order to locate you (signals strength,mac addresses and locations of all private and public hotspots were captured by Google with their Street View's cars I guess).
Here is the full POST request captured with TcpCatcher (and its SSL mode)
POST /loc/json HTTP/1.1
Host: www.google.com
Content-Length: 4233
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.119 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
{"access_token":"2:fHl0jGoQDeLFKfUn:sn0HJO00jOQV2334","host":"html5demos.com","radio_type":"unknown","request_address":false,"version":"1.1.0","wifi_towers":[{"age":0,"mac_address":"00-13-10-27-ec-ba","signal_strength":-82,"ssid":"linksys"},{"age":0,"mac_address":"00-14-bf-e2-b6-a3","signal_strength":-101,"ssid":"grepre2"},{"age":0,"mac_address":"00-17-33-9e-4d-a8","signal_strength":-94,"ssid":"NEUF_4DA4"},{"age":0,"mac_address":"00-17-33-cc-b5-10","signal_strength":-69,"ssid":"NEUF_B50C"},{"age":0,"mac_address":"00-17-33-cc-b5-11","signal_strength":-66,"ssid":"Neuf WiFi"},{"age":0,"mac_address":"00-17-33-cc-b5-12","signal_strength":-69,"ssid":"SFR WiFi Public"},{"age":0,"mac_address":"00-1a-2b-0e-66-74","signal_strength":-86,"ssid":"NUMERICABLE-AB1B"},{"age":0,"mac_address":"00-1f-33-47-c0-50","signal_strength":-80,"ssid":"SUPERMAN"},{"age":0,"mac_address":"00-1f-33-e0-1e-1f","signal_strength":-80,"ssid":"NUMERICABLE-5866"},{"age":0,"mac_address":"00-1f-9f-f4-1f-17","signal_strength":-90,"ssid":"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000"},{"age":0,"mac_address":"02-81-31-a2-c4-98","signal_strength":-71,"ssid":"wifi"},{"age":0,"mac_address":"02-81-31-a2-c4-99","signal_strength":-69},{"age":0,"mac_address":"02-81-31-a2-c4-9a","signal_strength":-68,"ssid":"FreeWifi"},{"age":0,"mac_address":"02-81-31-a2-c4-9b","signal_strength":-69,"ssid":"freephonie"},{"age":0,"mac_address":"06-20-9f-00-3d-24","signal_strength":-82,"ssid":"damiconexion"},{"age":0,"mac_address":"06-20-9f-00-3d-25","signal_strength":-82},{"age":0,"mac_address":"06-20-9f-00-3d-26","signal_strength":-81,"ssid":"FreeWifi"},{"age":0,"mac_address":"06-20-9f-00-3d-27","signal_strength":-82,"ssid":"freephonie"},{"age":0,"mac_address":"26-b7-bb-70-e1-d8","signal_strength":-93,"ssid":"DC_baby"},{"age":0,"mac_address":"26-b7-bb-70-e1-d9","signal_strength":-91},{"age":0,"mac_address":"26-b7-bb-70-e1-da","signal_strength":-89,"ssid":"FreeWifi"},{"age":0,"mac_address":"26-b7-bb-70-e1-db","signal_strength":-94,"ssid":"freephonie"},{"age":0,"mac_address":"26-f8-5c-ec-bc-a4","signal_strength":-80},{"age":0,"mac_address":"26-f8-5c-ec-bc-a5","signal_strength":-80},{"age":0,"mac_address":"26-f8-5c-ec-bc-a6","signal_strength":-81,"ssid":"FreeWifi"},{"age":0,"mac_address":"26-f8-5c-ec-bc-a7","signal_strength":-80,"ssid":"freephonie"},{"age":0,"mac_address":"30-46-9a-43-fc-e5","signal_strength":-84,"ssid":"DartyBox_98DE"},{"age":0,"mac_address":"32-46-9a-43-fc-e6","signal_strength":-84,"ssid":"DartyBox_98DE_WEP"},{"age":0,"mac_address":"4e-0a-94-3d-d6-38","signal_strength":-82,"ssid":"neko"},{"age":0,"mac_address":"4e-0a-94-3d-d6-39","signal_strength":-82},{"age":0,"mac_address":"4e-0a-94-3d-d6-3a","signal_strength":-80,"ssid":"FreeWifi"},{"age":0,"mac_address":"4e-0a-94-3d-d6-3b","signal_strength":-82},{"age":0,"mac_address":"5c-33-8e-eb-6c-c0","signal_strength":-87,"ssid":"Livebox-0510"},{"age":0,"mac_address":"72-f5-aa-cd-b7-e4","signal_strength":-86,"ssid":"Kermazeguen"},{"age":0,"mac_address":"72-f5-aa-cd-b7-e5","signal_strength":-87},{"age":0,"mac_address":"72-f5-aa-cd-b7-e6","signal_strength":-87,"ssid":"FreeWifi"},{"age":0,"mac_address":"72-f5-aa-cd-b7-e7","signal_strength":-88,"ssid":"freephonie"},{"age":0,"mac_address":"76-a6-a6-5a-90-c8","signal_strength":-78,"ssid":"pipiou_wifi"},{"age":0,"mac_address":"76-a6-a6-5a-90-c9","signal_strength":-79},{"age":0,"mac_address":"76-a6-a6-5a-90-ca","signal_strength":-77,"ssid":"FreeWifi"},{"age":0,"mac_address":"76-a6-a6-5a-90-cb","signal_strength":-78},{"age":0,"mac_address":"86-9c-8f-a0-ac-e4","signal_strength":-78,"ssid":"touhere"},{"age":0,"mac_address":"86-9c-8f-a0-ac-e5","signal_strength":-82},{"age":0,"mac_address":"86-9c-8f-a0-ac-e6","signal_strength":-83,"ssid":"FreeWifi"},{"age":0,"mac_address":"86-9c-8f-a0-ac-e7","signal_strength":-82,"ssid":"freephonie"},{"age":0,"mac_address":"c0-3f-0e-b6-9a-37","signal_strength":-64,"ssid":"NUMERICABLE-825A"},{"age":0,"mac_address":"da-0f-67-af-23-10","signal_strength":-71,"ssid":"freeboxtomseb"},{"age":0,"mac_address":"da-0f-67-af-23-11","signal_strength":-70},{"age":0,"mac_address":"da-0f-67-af-23-12","signal_strength":-71,"ssid":"FreeWifi"},{"age":0,"mac_address":"da-0f-67-af-23-13","signal_strength":-71}]}
google json has stop service.
you can call [minigps]: http://www.minigps.net/map.html "click to query" could use google json api, only change the ip to: http://www.minigps.net/minigps/map/google/location
fllow is the http bytes:
URL:http://www.minigps.net/minigps/map/google/location
Request Method:POST
Status Code:200 OK
Request Headersview source
Accept:application/json, text/javascript, */*; q=0.01
Accept-Charset:GBK,utf-8;q=0.7,*;q=0.3
Accept-Encoding:gzip,deflate,sdch
Accept-Language:zh-CN,zh;q=0.8
Connection:keep-alive
Content-Length:191
Content-Type:application/json; charset=UTF-8
Cookie:bdshare_firstime=1356366713546; JSESSIONID=68243935CD3355089CF07A3A22AAB372
Host:www.minigps.net
Origin:http://www.minigps.net
Referer:http://www.minigps.net/map.html
User-Agent:Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4
X-Requested-With:XMLHttpRequest
Request Payload
{"version":"1.1.0","host":"maps.google.com","cell_towers": [{"cell_id":"3721","location_area_code":"9779","mobile_country_code":"460","mobile_network_c ode":"0","age":0,"signal_strength":-65}]}
Response Headersview source
Content-Type:application/json
Date:Sat, 12 Jan 2013 06:03:15 GMT
Server:Apache-Coyote/1.1
Transfer-Encoding:chunked
Note: I'm affiliated with minigps.net.