AJAX Request from Chrome Extension on GoDaddy redirects it to different locale - ajax

I have a chrome extension which sends ajax requests to a website to check for broken links. However when I run this extension on websites like godaddy.com, the website gets redirected to a different locale. I am not sure whether this is happening for the AJAX request or due to some other reason. Can someone suggest something to get over this issue?

Related

firefox repeating text/html GET http requests to the web app

Via Firefox, if I do a GET text/html request to my web app, I get a 200 response back, and then Firefox sends 3 more of the same request right afterward. All return 200s. Does anyone know what would cause this?
*Some other observations about the issue:
In Firebug's network tab, only one request shows up. I can only see the extra requests using Tamper Data or another tool that sees the HTTP requests sent from my browser.
This issue does not happen in prior versions of my web app. When I compare the responses that get returned by the two different versions of the web app, I can't see anything that would cause this issue (but then, I really don't know what to look for). The responses are identical except for the web app's cookies, which are different.
This issue happens with JavaScript enabled or disabled.
Something similar is happening with Chrome, though it seems to be sending only 2 extra requests.
I don't see any browser redirects in the HTML header.
This is only happening with text/html requests, not css requests, for example.
All 4 responses returned seem to have the complete HTML page in the body, and they also have the cookie that the web app uses.
In Tamper Data, the 'Load Flags' column (whatever that is) says the following: First request is VALIDATE_ALWAYS_LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI; second and third requests are LOAD_NORMAL; fourth request is LOAD_FROM_CACHE VALIDATE_NEVER
I don't see it happening with POSTs
It does not happen when the response is a 302.
If I go into the Firefox config and set network.http.max-connections-per-server to 1, then Firefox only sends one request (the issue does not occur). (I don't think I can ask all our users to do that. :-))
*Why this issue is a problem:
This site has been around a long time and wasn't designed for this behavior. It's probably not going to go well.
(edited to add new findings)

Is an AJAX request from my own site to my own site a cross-origin request when loaded in an iframe?

I'm working on a Facebook Canvas App, which by definition loads the code/webpage for my app in an iFrame on the Facebook website.
During development I got the impression that if I make an AJAX request from my App's webpage to a webservice for my app which is on exactly the same server/domain name as the webpage, that is actually technically a cross domain request, because the page originally loaded in the (top) frame of the browser is on a different domain to my webservice.
However I now believe that, due perhaps to a bug in my code, I was mistaken, and a page in an iFrame can make requests to URLs on the same domain as it without them being cross domain requests.
Clarifying this is particularly important to me as I now believe I can actually use POST requests instead of having to use JSONP GET requests.
If someone could clarify this for me I would greatly appreciate it. I have searched around and cannot find a clear statement on this scenario.
EDIT: To provide more clarification: my Facebook App page URL at https://apps.facebook.com/myapp/ loads my webpage at www.mydomain.com in an iFrame. The webpage at www.mydomain.com then makes an AJAX request to a webservice on www.mydomain.com (at e.g. www.mydomain.com/webservice/). So is the request from my webpage to my webservice a Cross Domain request or not?
Cheers
Matt
Your document loaded within the iframe is still a document of its own, and behaves like any other document, whether it is displayed in a frame or not, when it comes to the same origin policy.
So yes, you can absolutely make AJAX requests to the domain that your document got delivered from, no matter that it is displayed inside an iframe on Facebook.com.
There is no crossing of domain boundaries involved.

AJAX request to https php server from Firefox and Chrome extensions

I'm working on extensions for Firefox and Chrome. The data used by my extensions is mostly generated from ajax requests. The type of data being returned is private, so it needs to be secure. My server supports https and the ajax calls are being sent to an https domain. Information is being sent back and forth, and the extensions are working correctly.
My questions are:
Do the extensions actually make secure connections with the server, or is this considered the same as cross domain posting, sending a request from an HTTP page to an HTTPS page?
Am I putting my users' information at more risk during the transfers than if the user were to access the information directly from an https web page in the browser?
Thanks in advance!
The browser absolutely makes a secure connection when you use HTTPS. Certainly, a browser would never downgrade the security of your connection without telling you: it will either complete the request as written or it will throw some sort of error if it is not possible.
Extensions for both Chrome and Firefox are permitted to make cross-domain AJAX requests. In Chrome, you simply need to supply the protocol/name of the host as a permission in your manifest.json. In Firefox, I think you may need to use Components.classes to get a cross-domain requester, as described in the MDN page for Using XMLHttpRequest, but I'm not 100% sure about that. Just try doing a normal request and see if it succeeds; if not, use the Components.classes solution.

HTTP site with JSONP API over HTTPS?

Given all the coverage FireSheep has been getting, I have been trying to work out the best practices for balancing HTTP / HTTPS usage for some sites I manage (e.g. blogging sites, magazine sites with user contributed comments).
To me, it's overkill to deliver all pages over HTTPS if the user is logged in. If a page is public (e.g. a blog) there is little point encrypting the public page. All I want to do is prevent session hijacking by sniffing cookies over HTTP channels.
So, one plan is:
Login form is over HTTPS
Issue two cookies: One cookie is 'public' and identifies the user for read only aspects (e.g. 'welcome bob!'). The second cookie is private and 'HTTPS only'. This is the cookie that is verified whenever the user makes a change (e.g. adds a comment, deletes a post).
This means that all 'changing' requests must be issued over HTTPS.
We use a lot of AJAX. Indeed, many comment forms use AJAX to post the content.
Obviously, I can't use AJAX directly to post content to an HTTPS backend from an HTTP frontend.
My question is: Can I use script injection (I think this is commonly called 'JSONP'?) to access the API? So in this case there would be an HTTP public page that sends data to the private backend by injecting a script accessed via HTTPS (so that the private cookie is visible in the request).
Can you have HTTPS content inside an HTTP page? I know you get warnings the other way around, but I figure that HTTPS inside HTTP is not a security breach.
Would that work? It seems to work in Chrome and FF, but it's IE that would be the party pooper!
Another way is to have an iframe which points to an HTTPS page that can make all kinds (GET, POST, PUT etc.) of Ajax calls to the server over HTTPS (same domain, as the iframe is on HTTPS too). Once the response is back inside the iframe, you can post a message back to the main window using the HTML5 postMessage API.
Pseudo code:
<iframe src="https://<hostname>/sslProxy"></iframe>
sslProxy:
// Runs inside the HTTPS iframe; MakeAjaxyCall stands for the page's own XHR helper.
MakeAjaxyCall('GET', 'https://<hostname>/endpoint', function (response) {
  // 'domain' is the origin of the embedding HTTP page (not '*'), so the
  // response can only be delivered to that page.
  top.postMessage(response, domain);
});
This works in all modern browsers except IE <= 7 for which you'll have to either resort to JSONP or cross domain communication using Flash.
The problem with JSONP is that you can only use it for GETs.
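As an added example that is not part of the original answer, this is what the sslProxy's message handler looks like once it validates the sender's origin, restricts the path and method it will proxy, and replies to an explicit target origin. PARENT_ORIGIN, API_ORIGIN, handleProxyRequest, makeCall and post are assumed names, and the sample origins are constructed.

```javascript
// Added example, not code from the answer above. The network call is passed in
// so the validation logic can run (and be tested) outside a browser.
const PARENT_ORIGIN = 'http://www.example.com'; // constructed: the HTTP page embedding the iframe
const API_ORIGIN = 'https://www.example.com';   // constructed: the iframe's own HTTPS origin
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE'];

// Accept only same-origin paths, so a message cannot aim the proxy at another host.
function resolveEndpoint(path) {
  if (typeof path !== 'string' || !path.startsWith('/') || path.startsWith('//')) {
    return null;
  }
  return API_ORIGIN + path;
}

// event: { origin, source, data: { id, method, path, body } } as delivered by 'message'.
// makeCall(method, url, body, cb) plays the role of the answer's MakeAjaxyCall;
// post(target, message, targetOrigin) stands in for target.postMessage.
function handleProxyRequest(event, makeCall, post) {
  // 1. Drop anything not sent by the embedding HTTP page.
  if (event.origin !== PARENT_ORIGIN) return { accepted: false, reason: 'bad-origin' };
  const { id, method, path, body } = event.data || {};
  const url = resolveEndpoint(path);
  if (url === null) return { accepted: false, reason: 'bad-path' };
  if (!ALLOWED_METHODS.includes(method)) return { accepted: false, reason: 'bad-method' };
  // 2. Same-origin HTTPS call: the 'HTTPS only' session cookie travels with it.
  makeCall(method, url, body, function (response) {
    // 3. Reply to the parent origin explicitly; never use '*' for private data.
    post(event.source, { id: id, response: response }, PARENT_ORIGIN);
  });
  return { accepted: true, url: url };
}

// Browser wiring; skipped when run under Node.
if (typeof window !== 'undefined') {
  window.addEventListener('message', function (ev) {
    handleProxyRequest(ev, function (method, url, body, cb) {
      fetch(url, {
        method: method,
        credentials: 'same-origin',
        headers: body ? { 'Content-Type': 'application/json' } : {},
        body: body ? JSON.stringify(body) : undefined,
      }).then(function (r) { return r.json(); }).then(cb);
    }, function (target, msg, origin) { target.postMessage(msg, origin); });
  });
}
```

The parent page applies the mirror-image check, ignoring any 'message' event whose event.origin is not the iframe's HTTPS origin.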
> Can you have HTTPS content inside an HTTP page? I know you get warnings the other way around, but I figure that HTTPS inside HTTP is not a security breach.
Including HTTPS content inside a regular HTTP page won't raise any alerts in any browser.
However, I don't think JSONP will help you out of this one. Using GETs to post content and modify data is a very bad idea, and prone to other attacks like CSRF.

SecurityException when making ajax call from only a certain machine?

When a certain machine tries to access my website, all AJAX calls fail. This happens for all browsers on this machine, and no firewall or anything of the sort seems to be enabled. What could be the issue here? Opera tells me that the AJAX calls are returning a SecurityException.
What could POSSIBLY be happening to cause this one machine to fail on AJAX calls?
Do not use the full URL of your website in AJAX calls.
For example, suppose
http://example.com and http://www.example.com point to the same resource. If you give your AJAX calls the URL www.example.com/ajax.do, your calls will fail if the user browses the site from the first location.
Could it be that your site requires a login, and the AJAX Calls are not carrying over the session, for example because the browser has cookies disabled?
You may also want to post some more information about the site in question and whether that machine can access normal web pages on your site.