We Keep Coding

Bypass blocking of subresource requests whose URLs contain embedded credentials

I have been automatically authenticating users visiting our internal wiki via a link with a token in the URL like this:
href="https://user:pass#host/"
In Chrome 59, this is being prevented.
[Deprecation] Subresource requests whose URLs contain embedded credentials (e.g. https://user:pass#host/) are blocked.
I read and I bypassed it in an ajax request like this:
how to replace embedded credentials in subresource requests
========================================================================
My Question is:
Does anyone know how to do it directly in the link, or can you provide some kind of workaround? Is this even possible?

Passing the command line option '--disable-blink-features=BlockCredentialedSubresources' restores the expected behavior. If you're using Selneium, you can pass it as an args option in the Browser Capabilities to restore the expected behavior.
PHP:
'chromeOptions' => array('args' => ['--disable-blink-features=BlockCredentialedSubresources']);
Python:
capabilities['chromeOptions'] = {'args': ['--headless']}
According to the Chromium ticket (https://bugs.chromium.org/p/chromium/issues/detail?id=731618) this behavior may not be restored in future versions despite it being in 'Deprecation'. In this case, it might be best to look at ssh conduits for testing or whitelist the IP if possible to prevent the HTTP Auth interaction.
Anthony

If your page includes css, javascript or other stuff with relative ("folder/file") or base-relative ("/folder/file") locations, then the problem is that these included files would be fetched from a URL relative to the base URL of the page, which includes a user:pass component.
It is that user:pass componenent (which you possibly never meant to imply anyway...) which makes the URL of the subresources illegal, following this change to Chrome.
If that is your problem, you can fix it by adding a <base href="https://host/"> tag to your page (i.e. the same base address, but without the user:pass component). (If your page is in a subdirectory, you need to include the subdirectory in the base href as well, for fully relative URLs to work.)
To be clear, links like Link still work (as long as the user:pass URL is in a link which opens in a new page, and is not a URL for an iframe, say - that is now banned). But even when the link works, the problem I've described above applies to elements included with relative paths in the newly opened page.
UPDATE:
This has been accepted as a bug in Chrome, directly related to the new changes banning user:pass in subresource URLs. Unfortunately, following through the links in that discussion, it seems that one proposed and quite likely solution is to remove support for user:pass URLs entirely. Any informed comments added to that discussion and arguing in favour of keeping this feature would presumably help.

To handle this, we have to pass chrome options : "--disable-blink-features=BlockCredentialedSubresources");
Complete code is mentioned below :
ChromeOptions options = new ChromeOptions();
options.addArguments("--start-maximized");
options.addArguments("--disable-blink-features=BlockCredentialedSubresources");
Map<String, Object> prefs = new HashMap<String, Object>();
prefs.put("credentials_enable_service", false);
prefs.put("profile.password_manager_enabled", false);
options.setExperimentalOption("prefs", prefs);
DesiredCapabilities capabilities = DesiredCapabilities.chrome();
capabilities.setCapability(ChromeOptions.CAPABILITY, options);
driver = new ChromeDriver(capabilities);

How to use AngularJS ng-include?

I want to use AngularJS to separate my jquery mobile HTML. But it seems ng-include can't include external HTML as the parent content, parent CSS and js are not applied to it. Below is an example. Would you like to let me know how to fix it?
Below is the example.
http://plnkr.co/edit/I91t9mjGJ58ZS4H2bymL?p=preview

It's obvious you cannot directly access external file from other site due to CORS policy.
If you do want to get the template from other site with different domain name, make sure that domain provides the API for you to $http.get the html template string, and then you can inject it into your Angular controller, where your view may access from.
The basic process may be as follow:
Check the API for the third party domain, where you can get the template string.
Use $http.get (or $resource, depends on your choice) to get the template.
Wrap the $http service and your parsing login into a new Angular service. (e.g. angular.module('yourApp', []).factory();
Inject this service into the Angular controller which you bind in your directives.
In your view file, use ng-include in that controller to access the template.

Restfullyii prepending <link> tag to the json response

Hi I'm new to restfulyii
I'm having a problem with the json response a tag is being prepended
Refer to the code below
(just assume that there are '<>' for the link tag)
<link rel="stylesheet" type="text/css" href="/assets/e5ba1689/srbac.css" />{"success":true,"message":"Record(s) Found","data":{"totalCount":1,"share":[{"id":"0","elementid":"1","type":"video","suid":"1","duid":"5","permissions":"superuser"}]}}
this coming from api/ under GET method and same with other rest verbs
I can't parse my JSON data because of the prepended line.
Please help..
reference:
localhost/api/ - method: GET/POST/PUT/DELETE
Everything is working fine with restful yii except that json response format...
Thanks in advance!
Ohmel Paguirigan

The problem seams to be that YII is not recognizing that your request is an actual Ajax request.
Search in srbac/components/Helper.php for:
if (!Yii::app()->request->isAjaxRequest){
Yii::app()->clientScript->registerCssFile($cssFile);
}
You will notice that SRBAC is checking if your request is an actual Ajax request.
Yoshi on the Yii Forms says that:
yii checks if there is a X-Requested-With HTTP header set (which
should result in an $_SERVER['HTTP_X_REQUESTED_WITH'] server variable)
and whether it contains the string 'XMLHttpRequest'. But this is a
custom header set by most javascript libraries (and so does jQuery).
There are e.g. some proxies which drop these custom headers (mainly
for security reasons) and therefore your application can't recognize
whether it's an ajax request or not. It's not 100% reliable.
Therefore, you must make sure that your javascript library is injecting this Header.
To do this in Javascript, in your app.run
add the following:
$http.defaults.headers.common['X-Requested-With'] = 'XMLHttpRequest';
Then, all of y our http requests in angular will send the header yii needs to discern that an AjaxRequest is being sent!
Hope this helps!

Using history.pushState in Angular results in "10 $digest() iterations reached. Aborting!" error

I'm trying to change the url in my app from "http://www.test.com/foo" to "http://www.test.com/bar+someVariable" (somevariable is a string that I recieve from an http request inside bar's controller) using history.pushState() . In my routes I enabled html5mode and everything works fine. I'm also using location.path() to switch between views and controllers as instructed in the docs. Now once the app switches view and controller I added history.pushState(null,null,"/bar"+somevariable) to "/bar"'s controller. Everything works and the url is updated but in the console I receive the "10 $digest() iterations reached. Aborting!" error. I suspect that activating the history.pushState function is somehow interfering with angular's $location or $route service.
What is the correct way to use history.pushState() within angular without receiving the $digest error?
By the way I'm using angular 1.0.3
Thanks ahead,
Gidon

Change the path with
$location.path('/newValue')
See: http://docs.angularjs.org/guide/dev_guide.services.$location

It is hard to know for sure without seeing the relevant source, but this is a common issue in older versions of IE (8 and 9 mostly I think). The solution that worked for me a few weeks ago when I encountered this (and may work for you if you're using IE) was changing my anchor tags in my navigation.
I had:
what fixed it:

Unable to find web elements, using selenium::remote::driver perl bindings, whenever base URI changes from default website url

I am writing test scripts for a website using selenium webdriver's perl bindings. The problem I am facing is mentioned below:
I am not able to find some of the web elements (tried every approach: xpath, id, css, etc.) which exist on the web page, although I can click on them as a user.
After debugging through firebug I found that there is a property called base URI. And this has a different value from one web element to another. So whenever BASE URI = URL, I am able find elements and work on them.
But if BASE URI IS NOT EQUAL TO URL I am unable to find web elements.
Here is a sample code for successfull case:
#!/usr/bin/perl -w
use strict;
use warnings;
use Time::HiRes qw(sleep);
use Test::More "no_plan";
use Test::Exception;
use TAP::Harness;
use Data::Dumper;
use Selenium::Remote::Driver;
use Selenium::Remote::WDKeys;
my $url = 'https://www.xyz.com/';
my $sel = new Selenium::Remote::Driver('browser_name' => 'firefox',
'platform' => 'VISTA');
ok(defined $sel, 'Object loaded fine...');
ok($sel->isa('Selenium::Remote::Driver'), '...and of right type');
$sel->get("$url");
is ($sel->get_title(), 'xyz','Got the right title');
my $elem = $sel->find_element('html/body/div[1]/div/header/div[1]/div/center/div/ul/li[1]/a');
ok(defined $elem, 'packageLink web element defined');
$elem->click();
In this case the DOM structure shows that base uri is the same as url.
Now for unsuccessful the case, the DOM shows the base URI as https://www.xyz.com/epg.php
In the above mentioned code, if I use the $sel->navigate(https://www.xyz.com/epg.php) command just before the find element command then the script will be able to find the elements. But it will be just a static page click and will give no response.
I am a first time user of HTML related tasks. I would appreciate any kind of help.
Thanks,
Abhishek