Firefox: See what modified my HTTP headers - firefox

How can I find out what part of my Firefox installation modifies my HTTP headers?
Using a tool that displays my headers for the corresponding request I can see my headers contain the following string:
Accept-Language: de,ar-SA;q=0.8,en-US;q=0.5,en;q=0.3
I want to find out how ar-SA got in there.

I don't know how you'd go about seeing what changed your HTTP headers specifically, but I do know where you set your preferred languages. In Preferences, go to the Language section:
And then click on "Choose..." to see them:
I added "Dutch [nl]" to mine to see if my headers would change and sure enough they did:
Accept-Language: nl,en-GB;q=0.7,en;q=0.3

Related

Firefox extension open page using POST

In Firefox extension I need to open a specific webpage in new tab and I need to send POST data to it. I have full control over target webpage (my server).
What I've tried so far is..
This is actually sending GET with no data (but works in Chrome. Possibly a CSP limitation..)
Chrome Extension Development - POST to new tab
Instead of using a generated FORM on the webpage, I tried XmlHttpRequest. I can successfully send the POST request and get the answer, but I only get the response as plain text and can't open it in the current window (I only get static content without working scripts upon inserting it into the page's BODY).
I played with the XHR response a bit and tried:
document.open();
document.write(xhr.responseText);
but I get "Loading of source self ("script-src") was blocked due to CSP".
So I tried to find the answer how to set CSP and headers and I inserted a header:
<meta http-equiv="Content-Security-Policy" content="script-src 'self'">
on both local and the remote page. It did not help, though.
Does anyone know a solution please?
When you add "script-src 'self'" you are allowing script files to be accessed within the same domain, but inline scripts (as in <script> ... </script>) will still be disallowed.
To allow inline scripts, you can add the 'unsafe-inline' part after 'self'. But this is not recommended, because it defeats a large part of what CSP is trying to do (prevent XSS attacks). You should add a base64 sha256 hash of each inline script instead (assuming it is a static unchanging script) with the sha256 prefix (e.g. 'sha256-xxxxORCihnocralsomehashgoeshere').
However, if you aren't using inline scripts, maybe the browser is smart enough to know that the script you're running came from a different domain and is blocking it. If so, try adding the specific domain in the request on your requesting page. For instance, if you are posting to 'example.com', your CSP will look like this:
content="script-src 'self' example.com"
Finally, you should know that the preferred CSP mechanism is by HTTP header, and some browsers may not support it. It also has additional restrictions in that it can't be used in frame-ancestors and can't hook up to report-uri.
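The hash source recommended in the answer above can be generated rather than typed by hand. The following Node.js sketch is an added example, not code from the original answer; the sample HTML and the function names are constructed for illustration. The hash covers the exact bytes between the script tags, so any whitespace change to the inline script requires a new hash.

```javascript
const nodeCrypto = require("node:crypto");

// Constructed sample page: one external script and one inline script.
const SAMPLE_HTML = [
  "<html><head>",
  '<script src="/static/app.js"></script>',
  "<script>alert('Hello, world.');</script>",
  "</head><body></body></html>",
].join("\n");

// Return the text of every inline <script> (no src attribute), byte for byte.
// A regex is enough for this static sample; use an HTML parser for real pages.
function inlineScripts(html) {
  const found = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const hasSrc = /\bsrc\s*=/i.test(m[1]);
    if (!hasSrc && m[2].length > 0) found.push(m[2]);
  }
  return found;
}

// CSP hash source: single-quoted, algorithm prefix, base64 (not hex) digest.
function cspHash(scriptText) {
  const digest = nodeCrypto
    .createHash("sha256")
    .update(scriptText, "utf8")
    .digest("base64");
  return `'sha256-${digest}'`;
}

// Assemble a script-src directive. Keywords and hashes are quoted,
// host sources such as example.com are not.
function buildScriptSrc(html, hosts = []) {
  const hashes = [...new Set(inlineScripts(html).map(cspHash))];
  return ["script-src", "'self'", ...hosts, ...hashes].join(" ");
}

console.log(buildScriptSrc(SAMPLE_HTML, ["example.com"]));
```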

Web Api gzip compression

I have used this URL for the Web API compression, but when I look at the output in Fiddler the header is not zip. There are multiple zip options available, for example GZIP, BZIP2 DEFLATE; I am not sure which one to use. Kindly help here.
I have tried the solution below and both of them are not working:
http://benfoster.io/blog/aspnet-web-api-compression
there are multiple Zip option are available example GZIP, BZIP2 DEFLATE not sure which one to use kindly help here
This list will be sent to the server and let it know about the client side preferences about compression. It means "I first prefer GZIP. If GZIP not supported by the server side then fallback to BZIP2 DEFLATE compression. If BZIP2 DEFLATE not supported then the server will not do any compression."
Someone has already created a NuGet package that uses the implementation you put in your question. The package name is Microsoft.AspNet.WebApi.MessageHandlers.Compression, which installs the following two packages:
Microsoft.AspNet.WebApi.Extensions.Compression.Server
System.Net.Http.Extensions.Compression.Client
If you don't need the client-side library, then just use the server-side package in your Web API project.
To use it, you need to add the following line at the end of your Application_Start method in Global.asax.cs:
GlobalConfiguration.Configuration.MessageHandlers.Insert(0, new ServerCompressionHandler(new GZipCompressor(), new DeflateCompressor()));
To learn more about this package check this link.

Response rendered as json in IE for browsable apis

On IE, when I try to browse the REST APIs, I am getting an application/json response instead of the api (text/html) response (it returns an HTML response on Firefox). I am using Django REST framework 2.2.5 for this purpose.
I read through the documents and understood that in order to overcome the problem of broken headers for IE we need to use TemplateHTMLRenderer explicitly in the view, so I have added the following to the class definition of my view, but I am still getting a JSON response. Am I not doing it correctly, or am I missing something else?
class CustomReports(generics.GenericAPIView):
    renderer_classes = (renderers.TemplateHTMLRenderer)
Can you please help fix the problem so that I get an HTML response in IE as well?
Which version of IE are you using? I believe newer versions of IE should send correct Accept headers.
I probably wouldn't bother trying to fix things up to work around IE's broken behavior, but instead just make sure that you're including format suffixes in your urls. Then you can simply use the .api suffix to see the browseable API, or the .json suffix to see the plain json.
Eg instead of http://127.0.0.1:8000/api-root/, use http://127.0.0.1:8000/api-root/.api.

Asking Chrome to bypass local cache for XmlHttpRequest like it's possible in Firefox?

As some of you may already know, there are some caching issues in Firefox/Chrome for requests that are initiated by XmlHttpRequest object. These issues mean that browser does not strictly follow the rules and does not go to server for the new XSLT file (for example). Response does not have Expires header (for performance reasons we can't use it).
Firefox has additional parameter in the XHR object "channel" to which you put value Components.interfaces.nsIRequest.LOAD_BYPASS_CACHE to go to server explicitly.
Does something like that exist for Chrome?
Let me immediately stop everyone who would recommend adding a timestamp or random integer as the value of a GET parameter - I don't want the server to get different URL requests. I want it to get the original URL. The reason is that I want to protect the server from getting too many different requests for simple static files and sending too much data to clients when it is not needed.
Hitting a static file with a generated GET parameter (like '?forcenew=12314') would render a 200 response the first time and 304 for every following request for that value of the random integer. I want to make requests that will always return 304 if the target static file is identical to the client version. This is, BTW, how web browsers should work out-of-the-box, but XHR objects tend to not go to the server at all to ask whether the file changed or not.
In my main project at work I had the same exact problem. My solution was not to append random strings or timestamps to GET requests, but to append a specific string to GET requests.
If you have a revision number e.g. subversion revision or likewise from git/mer or whatever you are using, append that. Static files will get 304 responses until the moment a new revision is released. When the new release happens a single 200 response is granted and it is back to happily generating 304 responses. :-)
This has the added bonus of being browser independent.
Should you be unlucky and not have a revision number, then make one up and increment it each time you make a release.
You should look into ETags. ETags are keys that can be generated from the contents of the file; therefore, once the file on the server changes, the system will have a new ETag. Obviously this will be a server-side change, which is something that you will need to do given that you want a 200 and then subsequent 304s. Chrome and FF should respect these ETags, so you shouldn't need to do any crazy client-side hacks.
Chrome now supports Cache-Control: max-age=0 request HTTP header. You can set it after you open an XMLHttpRequest instance:
xhr.setRequestHeader( "Cache-Control", "max-age=0" );
This will instruct Chrome to not use cached response without revalidation.
For more information check The State of Browser Caching, Revisited by Mark Nottingham and RFC 7234 Hypertext Transfer Protocol (HTTP/1.1): Caching.
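The revalidation behaviour the question asks for (same URL every time, 304 while the file is unchanged, one 200 after it changes) can be sketched on the server side with a content-derived ETag. This is an added example, not code from any of the answers above; the function names and the sample request headers are constructed, and the tag list is split on commas, which is safe for the hex tags generated here.

```javascript
const nodeCrypto = require("node:crypto");

// Strong ETag derived from the file's bytes: it changes only when the
// content changes, so the URL never needs a cache-busting parameter.
function etagFor(body) {
  const hex = nodeCrypto.createHash("sha256").update(body).digest("hex");
  return `"${hex.slice(0, 32)}"`;
}

// If-None-Match uses weak comparison: a W/ prefix on either side is ignored,
// the header may list several tags, and "*" matches any current representation.
function matches(ifNoneMatch, etag) {
  if (!ifNoneMatch) return false;
  if (ifNoneMatch.trim() === "*") return true;
  const strip = (t) => t.trim().replace(/^W\//, "");
  return ifNoneMatch.split(",").some((t) => strip(t) === strip(etag));
}

// Decide the response for a GET of a static file at an unchanged URL.
// "no-cache" lets the client store the file but forces revalidation
// with the server before every reuse.
function respond(requestHeaders, body) {
  const etag = etagFor(body);
  const headers = { ETag: etag, "Cache-Control": "no-cache" };
  if (matches(requestHeaders["if-none-match"], etag)) {
    return { status: 304, headers, body: "" };
  }
  return { status: 200, headers, body };
}

// Constructed walk-through: first fetch, revalidation, then a new release.
const first = respond({}, "<xsl:stylesheet/>");
const again = respond({ "if-none-match": first.headers.ETag }, "<xsl:stylesheet/>");
const changed = respond({ "if-none-match": first.headers.ETag }, "<xsl:stylesheet version='2'/>");
console.log(first.status, again.status, changed.status);
```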

How to get firefox language setting? (REALLY)

I know this question has been answered before, but the answer given is not the complete story:
I went into Firefox's Options->Content and removed all languages except German/Germany, and navigator.language hasn't changed - it's still en-GB (I'm in the UK).
I'm told if I get the German Firefox INSTALL it will work, but I shouldn't need to do that, right?
The useragent string still contains en-GB, too; but the accept-language on HTTP headers IS set correctly. So this seems to be a bug in Firefox, I spent a bit of time wading through their bugzilla, but I can't see this exact bug logged, though to me it seems a pretty huge oversight?
Both navigator.language and the HTTP User-Agent header use the value of the preference "general.useragent.locale", which is hard-coded in intl.properties to the locale of the Firefox build you downloaded:
http://mxr.mozilla.org/mozilla-central/source/toolkit/locales/en-US/chrome/global/intl.properties#8
Or for your en-GB build:
http://hg.mozilla.org/l10n-central/en-GB/file/88dd673c01f1/toolkit/chrome/global/intl.properties#l8
If you'd like to change it for your build, just load about:config, find general.useragent.locale, double-click it, and change the value.
I would recommend using a Firefox add-on for this task: Simple Locale Switcher, Locale Switcher or Quick Locale Switcher etc. (* Caution: some of these add-ons may contain adware or may not work if you've just updated Firefox).
*Another solution is to download a different, old Firefox version using the language/locale. (Caution) You need to install it in a different folder so you won't overwrite your existing version. Download here. I'm using Firefox 28 in Spanish. I disabled updates and I rejected using it as my default browser. Only one Firefox version should be running at the same time if you do this.
I would assume that navigator.language returns its interface language (I assume it is GB English), not the one that it wants documents in. The User-Agent string, too, reports which version of Firefox was downloaded.
Accept-Language is what the destination server should check.
I consider this behavior of his quite correct (assuming that its interface (menus and such) is really in GB English).
In Firefox, in about:config, modify the value of "intl.accept_languages" to your required locale; let's say de-DE will do.
If you want the Accept-Language value, you can't retrieve it using client-side JavaScript. You'll have to get it from your server.
If you really want this value in client-side JavaScript, then read it on the server and write it back to the client:
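<script type="text/javascript">
// Expose the Accept-Language request header to client-side JavaScript from PHP.
// The header is client-controlled, so it is emitted with json_encode() and the
// JSON_HEX_* flags instead of being echoed raw into a quoted string.
var acceptLanguage = <?php echo json_encode(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ? $_SERVER["HTTP_ACCEPT_LANGUAGE"] : "", JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT); ?>;
</script>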
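Accept-Language is set by the client, so a server that reads it should parse it against the header grammar before ranking it or writing it back into a page. The following parser is an added example, not code from any of the answers above; the function names are constructed, and the sample header is the one quoted in the first question on this page.

```javascript
// Language range: "*" or 1-8 letters followed by "-" subtags of 1-8 alphanumerics.
const RANGE = /^(?:\*|[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*)$/;
// Weight: 0 to 1 with at most three decimals.
const QVALUE = /^(?:0(?:\.\d{0,3})?|1(?:\.0{0,3})?)$/;

// Parse the header into [{ tag, q }], highest weight first.
// Items that do not fit the grammar are dropped, never repaired.
function parseAcceptLanguage(header) {
  if (typeof header !== "string" || header.length > 512) return [];
  const items = [];
  header.split(",").forEach((part, index) => {
    const [range, ...params] = part.trim().split(";").map((s) => s.trim());
    if (!RANGE.test(range)) return;
    let q = 1; // a missing weight means q=1
    for (const p of params) {
      const m = /^q=(.*)$/i.exec(p);
      if (!m || !QVALUE.test(m[1])) return; // malformed weight: drop the item
      q = Number(m[1]);
    }
    items.push({ tag: range, q, index });
  });
  // Header order breaks ties between equal weights.
  return items
    .sort((a, b) => b.q - a.q || a.index - b.index)
    .map(({ tag, q }) => ({ tag, q }));
}

// Tags present in the header but absent from the list the user configured,
// which is the question "how did ar-SA get in there?" expressed as a check.
function unexpectedLanguages(header, expected) {
  const want = new Set(expected.map((t) => t.toLowerCase()));
  return parseAcceptLanguage(header)
    .map((item) => item.tag)
    .filter((tag) => !want.has(tag.toLowerCase()));
}

const HEADER = "de,ar-SA;q=0.8,en-US;q=0.5,en;q=0.3"; // from the first question
console.log(parseAcceptLanguage(HEADER));
console.log(unexpectedLanguages(HEADER, ["de", "en-US", "en"]));
```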
