javascript - How to read cross domain GET response?


I know this has been discussed a lot on this site, but like others I am still unable to read the response of a cross-domain request.

I am testing a website that responds with a CSRF token when a request to https://domain/csrf-token/ is sent to the site. The site has a comprehensive CSP policy, and responds with the token to the following request:

    <html>
    <body>
    <script>
    var HttpClient = function() {
        this.get = function(aUrl, aCallback) {
            var anHttpRequest = new XMLHttpRequest();
            anHttpRequest.onreadystatechange = function() {
                if (anHttpRequest.readyState == 4 && anHttpRequest.status == 200)
                    aCallback(anHttpRequest.responseText);
            };
            anHttpRequest.open("GET", aUrl, true);
            anHttpRequest.send(null);
        };
    };

    var client = new HttpClient();
    client.get('https://domain/csrf-token/', function(response) {
        alert(response);
    });
    </script>
    </body>
    </html>

Even though the request is successful, the script is unable to read the response contents. I believe this is because of my limited understanding of CSP policy directives. The site I am testing has a comprehensive CSP policy, and based on my research the following directives are relevant to this scenario:

  1. default-src 'self' cdn.example.com (default-src is the default policy for loading content such as JavaScript, images, CSS, fonts, AJAX requests, frames, HTML5 media.)

  2. script-src 'self' js.example.com (defines valid sources of JavaScript.)

  3. connect-src 'self' (applies to XMLHttpRequest (AJAX), WebSocket or EventSource.)

However, I am not sure which directive is applicable to a cross-domain request generated via JavaScript. Can someone please help me understand?

I have uploaded the above code in a test.html file on AWS CloudFront. The CSP states: connect-src 'self' 'self' *.cloudfront.net

HTTP request:

    GET /csrf-token/ HTTP/1.1
    Host: domain.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Referer: https://*.amazonaws.com/test.html
    Origin: https://*.amazonaws.com
    Connection: close

HTTP response:

    HTTP/1.1 200 OK
    Server: *****
    Date: Mon, 21 Aug 2017 05:20:24 GMT
    Content-Type: application/octet-stream
    Connection: close
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1; mode=block
    X-CSRF-Token: 1******825-01-rddohp****csrf-token
    Set-Cookie: ****************************** cookie
    x-xcustomheader-xxx: xxx-frontend
    Strict-Transport-Security: max-age=604800
    X-Content-Type-Options: nosniff
    Strict-Transport-Security: max-age=2592000
    X-Frame-Options: SAMEORIGIN
    Cache-Control: max-age=0
    Content-Length: 57

    1******825-01-rddohp****csrf-token

Please note that no headers are sent by the server to block cross-domain requests:

I appreciate your patience, considering I am a beginner on cross-domain requests. Also, please provide links that may help me understand the concepts better.
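An added example, not code from the question: a simplified JavaScript model of the two browser checks that decide the outcome described above, where the requesting page's own CSP connect-src decides whether the XHR is sent at all, and the Access-Control-Allow-Origin header in the server's response decides whether a cross-origin body may be read (a CSP served by the target site restricts only that site's own pages, not readers of its responses). The page origin and CSP strings are constructed; the response headers are the security-relevant ones from the capture above, which has no Access-Control-Allow-Origin header.

```javascript
// Added example, not code from the question: a simplified model of the two
// browser-side checks that decide whether a page's script can read a
// cross-origin XMLHttpRequest response (core logic only; browsers do more).

// Match one CSP source expression ('self', host, or *.host) against an origin.
// Simplification: scheme and port are ignored for host expressions.
function matchesSource(expr, targetOrigin, pageOrigin) {
  if (expr === "'self'") return targetOrigin === pageOrigin;
  const host = new URL(targetOrigin).hostname;
  if (expr.startsWith("*.")) return host.endsWith(expr.slice(1));
  return host === expr;
}

// CSP connect-src of the REQUESTING page: may the XHR be sent at all?
function cspAllowsConnect(connectSrc, requestUrl, pageOrigin) {
  const target = new URL(requestUrl).origin;
  return connectSrc.trim().split(/\s+/).some(e => matchesSource(e, target, pageOrigin));
}

// CORS on the RESPONSE: may the script read the body? Same-origin responses
// are always readable; cross-origin ones only when the server opts in with a
// matching Access-Control-Allow-Origin header (header names lower-cased here).
function corsAllowsRead(pageOrigin, requestUrl, headers, withCredentials = false) {
  if (new URL(requestUrl).origin === pageOrigin) return true;
  const acao = headers["access-control-allow-origin"];
  if (acao === undefined) return false;
  if (acao === "*") return !withCredentials; // wildcard is refused with credentials
  return acao === pageOrigin;
}

// Combined verdict: "blocked-by-csp", "unreadable-no-cors" or "readable".
function canScriptReadResponse(pageOrigin, connectSrc, requestUrl, headers, withCredentials = false) {
  if (!cspAllowsConnect(connectSrc, requestUrl, pageOrigin)) return "blocked-by-csp";
  if (!corsAllowsRead(pageOrigin, requestUrl, headers, withCredentials)) return "unreadable-no-cors";
  return "readable";
}

// Constructed page origin standing in for the test page; the headers are the
// security-relevant ones from the captured response above, which carries no
// Access-Control-Allow-Origin header at all.
const PAGE_ORIGIN = "https://example.amazonaws.com"; // constructed
const CAPTURED_HEADERS = {
  "content-type": "application/octet-stream",
  "x-frame-options": "sameorigin",
  "x-content-type-options": "nosniff",
};

// Even with a connect-src that permits the request, the body stays unreadable.
console.log(canScriptReadResponse(PAGE_ORIGIN, "'self' domain.com",
  "https://domain.com/csrf-token/", CAPTURED_HEADERS)); // unreadable-no-cors
```

Swapping in a connect-src that omits domain.com shows the other failure mode: the request is refused by CSP before it is ever sent, so no response exists to read.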

