When visiting my website that is protected w/ HTTP basic authentication in either Chrome or Brave the browser will re-prompt upon each page reload. Visiting the same page in either Firefox or Safari only prompts the first time then the credentials are "remembered" for the remainder of the session.
In my response I'm sending back the following header:
WWW-Authenticate: Basic realm="website"
How can I get Chrome / Brave to "remember" the HTTP basic auth credentials for the duration of a session?
Related
I have a local web server set up at 192.168.1.39 with domain www.server.local. DNS has been configured to resolve this properly on my router.
Everything worked just fine until recently. My browser started to report the following error if I access page like www.server.local/page.html that references external resources.
Access to CSS stylesheet at 'https://cdn.jsdelivr.net/npm/reveal.js#4.1.0/dist/reset.css' from origin 'http://www.server.local' has been blocked by CORS policy: The request client is not a secure context and the resource is in more-private address space `local`.
However, if http://192.168.1.39/page.html is used, the page opens properly.
But the error message really confuses me, because it suggests the css hosted at jsdelivr is in a private address space! Seriously?! Or did I miss something?
My Browser: Microsoft Edge 94.0.992.31 (Official build) (x86_64)
You can try this solution:
Open Edge and navigate to edge://flags/#block-insecure-private-network-requests
Disable the highlighted option Block insecure private network requests.
Restart Edge and test again.
For more details, you could refer to this blog: https://developer.chrome.com/blog/private-network-access-update/
I am testing a backend SOAP API with Ionic and I am getting CORS problems.
The app is launched with ionic serve that has http://localhost:8100 origin
I enabled the MOESIF CORS and ORIGIN extension with this configuration:
When I do a GET request to
http://host/WebService1.asmx?WSDL
It works fine but when I do a POST request to
http://host/WebService1.asmx
With a xml body it returns this error.
Access to XMLHttpRequest at 'http://host/WebService1.asmx' from origin
'http://localhost:8100' has been blocked by CORS policy: Response to
preflight request doesn't pass access control check: No
'Access-Control-Allow-Origin' header is present on the requested
resource.
I have tried whith Safari with the security disabled and works all fine but I need to work with Chrome
What would be doing wrong?
I am trying to execute a javascript as part of my testing.
Below is my chrome driver settings
DesiredCapabilities capabilities = DesiredCapabilities.chrome();
ChromeOptions options = new ChromeOptions();
options.addArguments("test-type");
options.addArguments("headless");
options.addArguments("--disable-web-security");
options.addArguments("--allow-running-insecure-content");
options.addArguments("--allow-insecure-localhost");
options.addArguments("--reduce-security-for-testing");
capabilities.setCapability(ChromeOptions.CAPABILITY, options);
driver = new ChromeDriver(capabilities);
driver.manage().timeouts().setScriptTimeout(5, TimeUnit.SECONDS);
driver.get("https://samplesite.com/");
And I am trying to execute a script on the site using Javascript executor.
JavascriptExecutor executor = (JavascriptExecutor) driver;
executor.executeScript(code);
This is not working due to the below error.
The page at 'https://samplesite.com/' was loaded over HTTPS,
but requested an insecure XMLHttpRequest endpoint 'http://localhost:8080/myapi'.
This request has been blocked; the content must be served over HTTPS.
But the same is working when I remove the headless option and execute as a visible browser with a Warning message in the console.
could someone guide me on this.
Looking at the error stack trace says it all :
The page at 'https://samplesite.com/' was loaded over HTTPS,
but requested an insecure XMLHttpRequest endpoint 'http://localhost:8080/myapi'.
This request has been blocked; the content must be served over HTTPS.
The URL https://samplesite.com/ was loaded with HTTPS but the jquery post script is trying to call a a webpage over HTTP
On an https webpage you can only make Jquery/AJAX Request to https webpage only
It would be interesting to know if you are specifying http or https in the Jquery Request.
You also need to ensure that as the data which you are requesting is not in the same domain, the domain providing the data must allow it with CORS or JSONP.
I am using The Chrome App for Postman and I am setting up my Access Tokens using OAUTH2. When I fill out the form, I am using the following:
Auth Url: https://[MY_API_URL]/api/authorize
Access Token URL: https://[MY_API_URL]/api/request/token
Client ID: xxxxxxxxxxx
Client Secret: xxxxxxxxxx
Scope: blank
Grant Type: Authorization Code
The callback url in my outh server is set to "https://www.getpostman.com/oauth2/callback"
When I click Request Token, I am taken to the proper Authentication page. When I submit my credentials, a new Chrome tab opens up with a blank page with the url https://app.getpostman.com/oauth2/callback?code=xxxxxxxxxx
I expect that this is supposed to redirect to the app so it can perform the access token request. from the access token url, but nothing is happening. Is this not the right callback uri?
This is an old question and things have changed since.
Google deprecated Chrome Apps, so Postman had to deprecate their old Chrome App client too, and so the old redirection URL (https://www.postman.com/oauth2/callback) no longer works.
According to this, with the more recent versions of Postman, the new redirection URL is https://oauth.pstmn.io/v1/callback.
You have change your permission type. Use Client Credentials instead of Authorization
I also faced same problem.
Just change Grant Type: Authorization Code to Grant Type: Client Credentials.
It worked for me.
Certainly as mentioned in other comments, for client_credentials it would work but for the Implicit or Authorization Code, I used "https://app.getpostman.com/oauth2/callback" as the callback url and it worked. Also it need to be configured in the application settings in oauth provider.
I've been using this callback url:
https://getpostman.com/oauth2/callbackurl
I am currently doing some debugging on my website which involves calling the facebook API. I've installed dnsmasq to work with my mac os X to redirect all request to facebook.com to 127.0.0.1
This is my entry in dnsmasq.conf:
address=/facebook.com/127.0.0.1
I also have /etc/resolver/com with nameserver 127.0.0.1
When I turn dnsmasq on, visiting facebook.com will result in a PAGE NOT FOUND error in chrome. This shows that my dnsmasq is working.
However, I noticed that chrome will redirect http://www.facebook.com to https://www.facebook.com due to HSTS. I went on to chrome://net-internals#hsts to delete facebook.com's entry.
The strange thing is, when I am debugging, I see that facebook.com is indeed returning 307 redirects for http://www.facebook.com (See image)
This is very strange because the domain facebook.com is currently resolved to be 127.0.0.1 on my computer! Furthermore, when I dig more into the request, I do see that the request is valid:
Where is this 307 redirect coming from if facebook.com is unresolvable?
307 is an internal browser based redirect for HTTP Strict Transport Security (HSTS). It does not come from the server - it's a fake response created by the browser.