I'm using the standard VB6 internet transfer control (Inet).
A great feature of it is that it uses IE cookies, so it is possible to authenticate into a website using IE. I can then use my app to download authenticated pages.
However, is it possible to do the opposite, to get the control to ignore any IE cookies?
Not to my knowledge, however you could use a different HTTP stack altogether.
All windows platforms currently in support have the WinHTTP component installed. This component is designed for lightweight server use and as a result does not use the local cache or cookie store. IOW if you receive a Set-Cookie in a response you would need to add that cookie manually to subsequent requests if you need it otherwise the cookie is simply lost.
Open references on your VB6 project and reference "Microsoft WinHTTP Services, version 5.1".
Related
This is the first time I`m toying with PhoneGap, so I actually never needed Cross Origin Resource Sharing (CORS) before.
It is by default blocked, and the options I found in the web are either hacks or insecure.
My question is: What is the best or proper way to accomplish server integration using PhoneGap?
Bear in mind:
I need session control serverside to keep the user logged in
The request is coming from a file in PhoneGap's webview so origin = null
I'm using PHP serverside and have full control over it
<access origin="*" /> is already added to config.xml (it enables me to reach out for the server, but doesn't guarantee it will respond to a cross-origin request)
A long search on the web lead me to:
Access-Control-Allow-Origin *
Access-Control-Allow-Credentials true
But I understood they're rather unsafe, specially combined.
I could save the user session ID locally, but that seems hacky and unsafe.
There's also JSONP to the rescue, but that also seems hacky, unsafe and won't persist my session ID.
I could use a proxy server, but that seems far from optimal and as I understand it'll be hard to prevent an attacker to not use this same proxy server to perform the same operations.
Hi you can disable security to browser and use it.
Please find the link for disabling security for chrome.
[Disable same origin policy in Chrome
I'm working on extensions for Firefox and Chrome. The data used by my extensions is mostly generated from ajax requests. The type of data being returned is private, so it needs to be secure. My server supports https and the ajax calls are being sent to an https domain. Information is being sent back and forth, and the extensions are working correctly.
My questions are:
Do the extensions actually make secure connections with the server, or is this considered the same as cross domain posting, sending a request from a http page to a https page?
Am I putting my users' information at more risk during the transfers than if the user were to access the information directly from an https web page in the browser?
Thanks in advance!
The browser absolutely makes a secure connection when you use HTTPS. Certainly, a browser would never downgrade the security of your connection without telling you: it will either complete the request as written or it throw some sort of error if it is not possible.
Extensions for both Chrome and Firefox are permitted to make cross-domain AJAX requests. In Chrome, you simply need to supply the protocol/name of the host as a permission in your manifest.json. In Firefox, I think you may need to use Components.classes to get a cross-domain requester, as described in the MDN page for Using XMLHttpRequest, but I'm not 100% sure about that. Just try doing a normal request and see if it succeeds; if not, use the Components.classes solution.
We have a need to consume an external REST Api and dynamically update content on our website and have ran into the age old problem of cross site scripting and Ajax.
I've read up on JSONP however I don't want to go down that route in a million years as it seems like really a rather dirty hack.
As a solution to this issue is it "right" and "proper" to have a local service that acts as a proxy for any requests to an external Api? So on the client there would be an Ajax call to ../RestProxy/MakeRequest passing it the details of the request it needs to make to the external api, it performs the request and returns anything passed back.
Any thoughts would be appreciated.
There are three ways to do this:
1. JSONP
This is accepted by many popular APIs and frameworks. JQuery makes it easy. I would recommend this.
2. Proxy
Works pretty much as you described. Adds an extra step and server code and server load for you. However, it does allow you to filter or otherwise manipulate the results before sending them to the client.
3. Rely Access-Control-Allow-Origin
This is a header that the server can set to allow you to read json directly from their server even though you aren't on the same domain. This eliminates the need for the jsonp hack, but it requires the the server be setup to support it and it requires a web browser that supports it.
Access-Control-Allow-Origin is supported in:
IE8+
Firefox 3.6+
Safari 4.0+
Chrome 6+
iOS Safari 3.2+
Android browser 2.1+
If you need to support IE7, then this option isn't for you.
I want to modify all http responses (http pages): add some js into server responses before it will appears in browser.
For example "Ad muncher" is doing it. It add js that removes ad from all pages.
How can I do it?
I known only 1 solution:
WFP (Windows Filtering Platform), but it is available only from windows vista.
P.S: I don't want to use proxy server for this purpose. Because I want the cross-browser solution, I don't want to let user change any browser settings. Also user could work througth some other proxy...
Thanks for any help.
Take a look at Komodia's Redirector1. It uses Winsock LSP. And it has WFP module for Windows 7 and 8.
I am testing a messaging application that uses single sign-on(SSO). I need to simulate a user connecting to WAM using SSO, then I need to get the cookie from the server and store it for further communication events. Is anyone familiar with how this might be done using Ruby?
Mechanize does that automatically. There are also other HTTP client gems that may support cookies, e.g. this httparty example.
If your intention or need is to do this more 'organically' as it were, then you could use Watir to drive a browser, and retrieve the cookie (assuming it's stored on disk and not a session cookie) from wherever the browser stores it using normal file I/O functions. If it's a session cookie that's a bit tricker but you can usually see them with developer tools like firebug.
If you want something operating at the HTTP level that is simulating a browser, then See the other answer provided by MichaelW