I am trying to execute a javascript as part of my testing.
Below is my chrome driver settings
DesiredCapabilities capabilities = DesiredCapabilities.chrome();
ChromeOptions options = new ChromeOptions();
options.addArguments("test-type");
options.addArguments("headless");
options.addArguments("--disable-web-security");
options.addArguments("--allow-running-insecure-content");
options.addArguments("--allow-insecure-localhost");
options.addArguments("--reduce-security-for-testing");
capabilities.setCapability(ChromeOptions.CAPABILITY, options);
driver = new ChromeDriver(capabilities);
driver.manage().timeouts().setScriptTimeout(5, TimeUnit.SECONDS);
driver.get("https://samplesite.com/");
And I am trying to execute a script on the site using Javascript executor.
JavascriptExecutor executor = (JavascriptExecutor) driver;
executor.executeScript(code);
This is not working due to the below error.
The page at 'https://samplesite.com/' was loaded over HTTPS,
but requested an insecure XMLHttpRequest endpoint 'http://localhost:8080/myapi'.
This request has been blocked; the content must be served over HTTPS.
But the same is working when I remove the headless option and execute as a visible browser with a Warning message in the console.
could someone guide me on this.
Looking at the error stack trace says it all :
The page at 'https://samplesite.com/' was loaded over HTTPS,
but requested an insecure XMLHttpRequest endpoint 'http://localhost:8080/myapi'.
This request has been blocked; the content must be served over HTTPS.
The URL https://samplesite.com/ was loaded with HTTPS but the jquery post script is trying to call a a webpage over HTTP
On an https webpage you can only make Jquery/AJAX Request to https webpage only
It would be interesting to know if you are specifying http or https in the Jquery Request.
You also need to ensure that as the data which you are requesting is not in the same domain, the domain providing the data must allow it with CORS or JSONP.
Related
I am testing a backend SOAP API with Ionic and I am getting CORS problems.
The app is launched with ionic serve that has http://localhost:8100 origin
I enabled the MOESIF CORS and ORIGIN extension with this configuration:
When I do a GET request to
http://host/WebService1.asmx?WSDL
It works fine but when I do a POST request to
http://host/WebService1.asmx
With a xml body it returns this error.
Access to XMLHttpRequest at 'http://host/WebService1.asmx' from origin
'http://localhost:8100' has been blocked by CORS policy: Response to
preflight request doesn't pass access control check: No
'Access-Control-Allow-Origin' header is present on the requested
resource.
I have tried whith Safari with the security disabled and works all fine but I need to work with Chrome
What would be doing wrong?
I'm trying to figure out how to get web torrent to play a video, but I'm getting some weird errors. Here is a pastebin: https://pastebin.com/raw/3wp5F8Fh
And here is a live version: https://41182065-e8d9-40b1-8dd9-9433b402bce9.htmlpasta.com/
When we go to the chrome console, we get this:
Mixed Content: The page at 'https://41182065-e8d9-40b1-8dd9-9433b402bce9.htmlpasta.com/' was loaded over HTTPS, but requested an insecure script 'http://momentjs.com/downloads/moment.min.js'. This request has been blocked; the content must be served over HTTPS.
/favicon.ico:1 Failed to load resource: the server responded with a status of 404 ()
(index):1 Access to XMLHttpRequest at 'https://nyaa.si/download/941788.torrent' from origin 'https://41182065-e8d9-40b1-8dd9-9433b402bce9.htmlpasta.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
webtorrent.min.js:4 Uncaught Error: Error downloading torrent: XHR error
at webtorrent.min.js:5
at t.exports.<anonymous> (webtorrent.min.js:7)
at t.exports.t (webtorrent.min.js:5)
at t.exports.r.emit (webtorrent.min.js:4)
at XMLHttpRequest.c.onerror (webtorrent.min.js:7)
The explanation is in the error message, but in short: your browser has blocked the request because you're using AJAX to communicate with a remote server and that server isn't sending the appropriate 'Access-Control-Allow-Origin' header.
The reason such requests are blocked is to protect you from malicious scripts - if you're logged in to website A and have access to some private data, then website B shouldn't be able to trigger an AJAX request to access that data unless A trusts B.
The general term for this kind of access is 'Cross Origin Resource Sharing' or 'CORS' - for more information, Mozilla have a nice summary here: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
If you have control of the remote server then responding with the appropriate header will allow the request to go through (although note that some browsers such as Safari will still block cookies from the remote server because this technique can be used for tracking).
I have a simple html file saved in my desktop. This html file needs to send the link to a json file(stored in azure blob) to the app included in this webpage.
Script part of the webpage
<script>
var zbc = "https://blobtempdemo.blob.core.windows.net/path/to_required_file.json";
require(['scripts/SampleApp/App'], function(App)
{
App.start(abc);
});
The json file is stored in microsoft azure blob. When i run the webpage in Mozilla Firefox, it gives a warning saying
Warning
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://blobtempdemo.blob.core.windows.net/path/to_required_file.json. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).
The app/ web page works perfectly when all the files are saved in my desktop.
When i paste the url in the firefox, it can get the file and ask me if i want to download it. But it does not work when the file is in the blob and i open this webpage.
Any Help?
Just allow CORS from all the domains (just to test) in the target storage account. That should do it. Use * as the value for allowed domains.
Reference:
https://learn.microsoft.com/en-us/rest/api/storageservices/fileservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services
With the default configuration, I am unable to make XHRs in my Mithril app if I run its Sails server in localhost. All I get is:
XMLHttpRequest cannot load http://localhost:1337/json/test-realms.json. The 'Access-Control-Allow-Origin' header contains the invalid value ''. Origin 'null' is therefore not allowed access.
If I enable CORS with allRoutes: true, origin: '*' that problem goes away, and instead I get:
DOMException: Failed to execute 'replaceState' on 'History': A history state object with URL 'http://localhost:1337/#!/' cannot be created in a document with origin 'null'.
What exactly is the issue here?
Updates:
I am using sails lift as server.
The web app is loaded via http://test.pink. The domain is set to a LAN IP via the HOSTS file.
No resources are loaded via file:/// or localhost.
Turns out the problem was related to Content Security Policy. I had set sandbox 'allow-scripts' 'allow-forms', which as per this and this would treat the page as an iframe with an unique origin.
Disabling the sandbox policy or adding allow-same-origin suffices to fix it.
I am using GlassFish Server 4.1/Java EE 7. In my web.xml file, I mentioned the following security constraints.
<security-constraint>
<display-name>UserConstraint</display-name>
<web-resource-collection>
<web-resource-name>Provide a Name</web-resource-name>
<description/>
<url-pattern>/admin_side/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>ROLE_ADMIN</role-name>
</auth-constraint>
<user-data-constraint>
<description/>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
And the same for other authorities.
Since transport-guarantee is set to CONFIDENTIAL, web pages that match the specified URL pattern /admin_side/* run over a secure channel (HTTPS).
While using WebSockets as follows (JavaScript),
var ws = new WebSocket("ws://localhost:8181/Context/Push");
it fails to establish an initial handshake. The browser shows the following warning on the browser console.
[blocked] The page at 'https://localhost:8181/Context/admin_side/Category' was loaded over HTTPS, but ran insecure content from 'ws://localhost:8080/Context/Push': this content should also be loaded over HTTPS.
Uncaught SecurityError: Failed to construct 'WebSocket': An insecure WebSocket connection may not be initiated from a page loaded over HTTPS.
When the <user-data-constraint> section from web.xml is removed in its entirely, web pages run on HTTP. After that, changing,
var ws = new WebSocket("ws://localhost:8181/Context/Push");
to
var ws = new WebSocket("ws://localhost:8080/Context/Push");
works fine.
What might be done to make WebSockets work over a secure channel?
Try with wss://, that indicates you want a secure websocket connection. The browser will prevent you from creating unsecure connections from secure pages, because it understands that since you requested the page with https://, there is a transport security requirement.
If you have your WebSocket server running with yout Web server, it will probably use the same security certificate and you do not need to do anything. If it does not work, please check your WebSocket server documentation about how to add certificates and enabling wss://.