Completely working Banno simple-plugin-example using one AWS Linux server with NodeJS copied to be transitioned to work under a Microsoft IIS server with NodeJS and URL Rewrites and all that entails basically worked out; but fails when it gets to actual process of OATH apparently as getting a "Cannot GET /v0/oidc/auth" response. Tried a number of ideas; but looking for some ideas to try.
I'm unable to reproduce the behavior that you saw, which makes me wonder if you ran into a temporary blip.
Assuming that we're talking about the latest version (commit c8775db2e3d9ecb4ce9ca708475d81d5936adf0e) of the Simple Plugin Example, then there are a few things to check and/or try.
It'll be good to check that the environment value in your config.js is correct. The config-EXAMPLE.js in the repo uses https://digital.garden-fi.com which matches up with the Garden demo financial institution. However, if you're not running this with a Client ID and Client Secret that's from Garden (i.e. this is with a different financial institution) then you'll have to change that environment value as appropriate for your financial institution.
It'll be good to double-check that the Client ID and Client Secret match up with your External Application which is configured for your plugin.
If you're running the Simple Plugin Example locally, then you can try navigating to the http://localhost:8080/dynamic URL which is expected by the plugin when the code is run locally. This is a good way to figure out if the sample code itself is running as expected.
Assuming the above is fine, it'll be good to double-check the "URL Rewrites" which you mentioned...it's unclear what those URL rewrites are doing, but it's possible that you have some code which is interfering with what the sample code is expecting.
I'm getting this chrome flag when trying to post and then get a simple form.
The problem is that the Developer Console shows nothing about this and I cannot find the source of the problem by myself.
Is there any option for looking this at more detail?
View the piece of code triggering the error for fixing it...
The simple way for bypass this error in developing is send header to browser
Put the header before send data to browser.
In php you can send this header for bypass this error ,send header reference:
header('X-XSS-Protection:0');
In the ASP.net you can send this header and send header reference:
HttpContext.Response.AddHeader("X-XSS-Protection","0");
or
HttpContext.Current.Response.AddHeader("X-XSS-Protection","0");
In the nodejs send header, send header reference :
res.writeHead(200, {'X-XSS-Protection':0 });
// or express js
res.set('X-XSS-Protection', 0);
Chrome v58 might or might not fix your issue... It really depends to what you're actually POSTing. For example, if you're trying to POST some raw HTML/XML data whithin an input/select/textarea element, your request might still be blocked from the auditor.
In the past few days I hit this issue in two different scenarios: a WYSIWYG client-side editor and an interactive upload form featuring some kind of content preview. I managed to fix them both by base64-encoding the raw HTML before POSTing it, then decoding it on the receiving PHP page. This will most likely fix the issue and, most importantly, increase the developer's awareness level regarding the data coming from POST requests, hopefully pushing him into adopting effective data encoding/decoding strategies and strengthen their web application from XSS-type attacks.
To base64-encode your content on the client side you can either use the native btoa() function, which is supported by most browsers nowadays, or a third-party alternative such as a jQuery plugin (I ended up using this, which worked ok).
To base64-decode the POST data you can then use PHP's base64_decode(str) function, ASP.NET's Convert.FromBase64String(str) or anything else (depending on your server-side scenario).
For further info, check out this blog post that I wrote on the topic.
In this case, being a first-time contributor at the Creative forums, (some kind of vBulletin construct) and reduced to posting a PM to the moderators before forum access it is easy for one to encapsulate the nature of the issue from the more popular answers above.
The command was
http://forums.creative.com/private.php?do=insertpm&pmid=
And as described above the actual data was "raw HTML/XML data within an input/select/textarea element".
The general requirement for handling such a bug (or feature) at the user end is some kind of quick fixit tweak or twiddle. This post discusses the option of clearing cache, resetting Chrome settings, creating a new_user or retrying the operation with a new beta release.
It was also suggested that one launches a new instance with the following:
google-chrome-stable --disable-xss-auditor
The launch actually worked in this W10 1703 Chrome 061 edition after this modified version:
chrome --disable-xss-auditor
However, on logging back in to the site and attempting the post again, the same error was generated. Perhaps the syntax wants refining or something else is awry.
It then seemed reasonable to launched Edge and repost from there, which turned out to be no problem at all.
This may help in some circumstances. Modify Apache httpd.conf file and add
ResponseHeader set X-XSS-Protection 0
It may have been fixed in Version 58.0.3029.110 (64-bit).
I've noticed that if there is an apostrophe ' in the text Chrome will block it.
When I update href from javascript:void(0) to # in the page of POST request, it works.
For example:
login
Change to:
login
I solved the problem!
In my case when I make the submmit, I send the HTML to the action and in the model I had a property that accept the HTML with "AllowHTML".
The solution consist in remove this "AllowHTML" property and everything go OK!
Obviously I no longer send the HTML to the action because in my case I do not need it
It is a Chrome bug. The only remedy is to use FireFox until they fix this Chrome bug. XSS auditor trashing a page, that has worked fine for 20 years, seems to be a symptom, not a cause.
I am using nginx proxy to server my web-page. For login user need to provide his 2 factor authentication code and his password, to let users know that they need to enter their password+2 factor code to login, I send them a message "Login required, username, password+VIP token"'
And this what I get now
This has stopped working from Chrome version 49. I am on 49.0.2623.110.
Any work around to fix this? It works perfectly on firefox.
This was indeed answered in Change Basic HTTP Authentication realm and login dialog message.
Short explanation: You were actually defining realms with auth_basic directives of Nginx on the server side. But "whether to prompt this message or not" is basically a design choice made by specific client programs. And Chrome just chose to hide it, for reasons you may find in the first link.
In fact, as of my decade (2022), Firefox seems to hide the message too.
Why I necromance this very old post: I was reading this documentation of Nginx. At the end of the article, there is a screenshot similar to the Firefox one in the OP. Unsurprisingly, my browser didn't behave like that even I followed all the instructions therein. Then I started Googling and this is the first hit relevant to my question. After I learned something about HTTP basic authentication, realm etc and finally came across the first link, I think I should post something here.
Apparently, Nginx documentation is using kinda modern UI to host kinda outdated contents. Hope this answer will help anyone who is confused by that screenshot too ;)
Im trying to make connections 4.5 working with content manager. I guess im quite far away from start finally but there are many things i need to fix.
Sometimes my widgets just doesnt load. It says cannot load widgets-config.xml
when i restart deployment and appsrv everything looks good.
My biggest problem is to add library to community. Because i want to see how workflow works and the id like to create linked library of this. This is what i get when i try to add library widget to the community (linked library widget works well)
CLFWZ0004E: Event 'widget.added' sent to remote lifecycle handler at https://conserv.egroup.local/dm/atom/communities/feed returned bad response: 403 - Forbidden
I guess there is som problem with https access. Can anybody of you guys ever faced this problem? Some hints?
UPDATE-1
After accessing that page from it gives me this :
<td:error>
<td:errorCode>UnsupportedOperation</td:errorCode>
<td:errorMessage>CQL5602: The attempted operation, GET, is not allowed on the resource /communities/feed.
Contact your administrator and provide the incident ID: 1381320497551.
The administrator should forward this information to the application owner.
</td:errorMessage>
</td:error>
So i guess maybe there can be som problem with proxy policies. I tried to make some changes with changes default policy url to *. But still no progress..
Hints?
From the google site, I cam across a code that lets me display the recaptcha box. Although I must admit I have only started html today and hence, have no basics at all. The site does not have a verify code in html although it does in jsp and I dont know how to link it all since data from the html went to the servlet.
https://developers.google.com/recaptcha/docs/verify
specifis a list of parameters to be 'posted'
I am using Tomcat 7 and no Spring.
My doubts:
Can I have multiple forms in an html file
How do i send parameters from the precious form to the second form?
How do I link a jsp file that will verify it to be run through the java class invoked by the html file
How do I get the user (accessing my app through a local server) remote IP address?
Got sorted out. Since I did not understand the problem in that, I proceeded to simple captcha itself. I must admit I feel like a fool saying I din't know html/jsp. The second day it was all so clear. I must have been positively psyched. Unwilling to see the not working code again, I started fresh.
Answers :
I can have multiple forms in a html
as set and get parameter as a session and request functions respectively.
through a form itself or response.sendredirect("")
Remote address class and methods.