I'm playing with core-ajax element and I need to extract http status code from ajax response. I was looking for it in this.$.ajax.* but cannot find it anywhere. I believe it must be exposed somewhere, right?
Huh, it looks like it's not currently exposed as a field. I can see where having easy access to the status for the current request would be valuable, patches welcome!
You could listen for either the core-response, core-error or core-complete event depending on your use case. Each of them receives an event with an xhr field, which has the status at xhr.stats.
Related
I have about 100 different requests in a large application I'm making and I'd like to show an icon for when the application is making an request. I would like to show this animated icon when a request is made and then hide the animation when the request is received. Is there a property in Flash or AIR that tells me when a request is being made?
PS I know I can do it manually but after doing over a hundred of these with multiple requests allowed at one time I'd like to be able to just access a property and know if a request is going on or not.
PSS There is the network monitor that exists in Flash Builder. I think it adds a SWC into the application when it's added. I'm using URLLoader for all my requests.
As far as I remember, there isn't. I found the URLLoader and URLRequest classes left a lot to be desired in terms of functionality and ease-of-use, so I created a wrapper to improve it and implemented a way to track if a request is active in there.
So I have a Request class that makes it easy to add parameters to the request (manages the URLVariables object internally with an addParameter(name, value) method), cancel a request, prepare the request, send it, handle all errors, and tracks if it is active. I do this by having an isActive property that I set to true in the send method and set to false after a COMPLETE or any of the ERROR events fire. I also use that property to make sure I don't resend a request or try to do something that could cause an error if there isn't a request going. I have a public getter for checking that value externally.
I then have a Handler class that is very generic. It creates the Request object, maps a few functions to it, and focuses on setting up that Request object and handling the response in a single spot (parsing it, outputting it to a standardized return object, etc.).
No class should ever call the Request class except the Handler class and my projects generally have 1-2 dozen classes that extend my Handler class, one for each request I have to make. The code I write should only ever interact with the Handler classes, meaning I only interact with code specifically written for the request I need to make, pushing me to centralize my request code and allowing for easy things like app-wide error handling.
I am a beginner of Prettyfaces, so please forgive me if I missed something really basic.
My url-mapping contains a EL-injected path parameter. The parameter value could be changed by user through selecting a drop down list item.
My question is: since it's an ajax call, the view id didn't change, so if I bookmark the url, the value still contains the original parameter value instead of the user update one. How do I get the browser addressbar url updated based on user's action?
There are two solutions here. You can respond to the AJAX request with a 302 Temporary Redirect, e.g: response.sendRedirect("/new/location") - usually done through JSF navigation.
Or, when the AJAX response comes back, you can use the JavaScript HTML5 push-state history API (if the browser supports it) to update the address directly: Good tutorial for using HTML5 History API (Pushstate?)
In regards to this Haacked blog, I'm hesitant to implement the proposed anti-JSON GET hijacking solutions since
The recommended solutions to mitigating JSON hijacking involve non-REST-full JSON POSTs to GET data
The alternate solution (object wrapping) causes problems with 3rd party controls I don't have source-code access to.
I can't find a community-vetted implementation that implements the Alternative Solution (listed below) on how to compose the security token, or securely deliver it within the webpage. I also won't claim to be enough of an expert to roll my own implementation.
Referrer headers can't be relied upon
Background
This blog describes a CSRF issue regarding JSON Hijacking and recommends using JSON POSTs to GET data. Since using a HTTP POST to GET data isn't very REST-full, I'd looking for a more RESTfull solution that enables REST actions per session, or per page.
Another mitigation technique is to wrap JSON data in an object as described here. I'm afraid this may just delay the issue, until another technique is found.
Alternative Implementation
To me, it seems natural to extend the use ASP.NET MVC's AntiForgeryToken with jQuery HTTP GETs for my JSON.
For example if I GET some sensitive data, according to the Haacked link above, the following code is vulnerable:
$.getJSON('[url]', { [parameters] }, function(json) {
// callback function code
});
I agree that it isn't RESTfull to GET data using the recommended POST workaround. My thought is to send a validation token in the URL. That way the CSRF-style attacker won't know the complete URL. Cached, or not cached, they won't be able to get the data.
Below are two examples of how a JSON GET query could be done. I'm not sure what implementation is most effective, but may guess that the first one is safer from errant proxies caching this data, thus making it vulnerable to an attacker.
http://localhost:54607/Home/AdminBalances/ENCODEDTOKEN-TOKEN-HERE
or
http://localhost:54607/Home/AdminBalances?ENCODEDTOKEN-TOKEN-HERE
... which might as well be MVC3's AntiForgeryToken, or a variant (see swt) thereof. This token would be set as an inline value on whatever URL format is chosen above.
Sample questions that prevent me from rolling my own solution
What URL format (above) would you use to validate the JSON GET (slash, questionmark, etc) Will a proxy respond to http://localhost:54607/Home/AdminBalances with http://localhost:54607/Home/AdminBalances?ENCODEDTOKEN-TOKEN-HERE data?
How would you deliver that encoded token to the webpage? Inline, or as a page variable?
How would you compose the token? Built in AntiforgeryToken, or by some other means?
The AntiForgeryToken uses a cookie. Would a backing cookie be used/needed in this case? HTTP Only? What about SSL in conjunction with HTTP Only?
How would you set your cache headers? Anything special for the Google Web Accelerator (for example)
What are the implications of just making the JSON request SSL?
Should the returned JSON array still be wrapped in an object just for safety's sake?
How will this solution interop with Microsoft's proposed templating and databinding features
The questions above are the reasons I'm not forging ahead and doing this myself. Not to mention there likely more questions I haven't thought of, and yet are a risk.
The Asp.net MVC AntiForgeryToken won't work through HTTP GET, because it relies on cookies which rely on HTTP POST (it uses the "Double Submit Cookies" technique described in the OWASP XSRF Prevention Cheat Sheet). You can also additionally protect the cookies sent to the client by setting the as httponly, so they cannot be spoofed via a script.
In this document you can find various techniques that can be used to prevent XSRF. It seems the you described would fall into the Approach 1. But we have a problem on how to retrieve the session on the server when using Ajax HTTP GET request since the cookies are not sent with the request. So you would also have to add a session identifier to you action's URL (aka. cookieless sessions, which are easier to hijack). So in order to perform an attack the attacker would only need to know the correct URL to perform the GET request.
Perhaps a good solution would be to store the session data using some key from the users SSL certificate (for example the certs thumb-print). This way only the owner of the SSL certificate could access his session. This way you don't need to use cookies and you don't need to send session identifiers via query string parameters.
Anyway, you will need to roll out your own XSRF protection if you don't want to use HTTP POST in Asp.net MVC.
I came to this problem and the solution was not so trivial however there is a fantastic blog to get you started this can be used with get and post ajax.
http://johan.driessen.se/posts/Updated-Anti-XSRF-Validation-for-ASP.NET-MVC-4-RC
If you place the following in the global name space all your post/gets can take advantage having an anti forgery token and you don't have to modify your ajax calls. Create an input element in a common page.
<form id="__AjaxAntiForgeryForm" action="#" method="post">#Html.AntiForgeryToken()</form>
The following javascript will read the anti forgery tokken and add it to the request header.
// Wire up the global jQuery ajaxSend event handler.
$(document).ajaxSend(namespace.ajax.globalSendHandler);
// <summary>
// Global handler for all ajax send events.
// </summary>
namespace.ajax.globalSendHandler = function (event, xhr, ajaxOptions) {
// Add the anti forgery token
xhr.setRequestHeader('__RequestVerificationToken', $("#__AjaxAntiForgeryForm input[name=__RequestVerificationToken]").val());
};
I think it is legitimate to use AntiforgeryToken (AFT) within an ajax http GET request provided that it is embedded in a form that already provides the AFT and associated cookie. The ajax handler can then do the validate on the server just how it would in a normal form post.
I have an embedable widget. For each impression, I would like to track the referrer (the page where the widget is embedded onto). Right now I am using ExternalInterface to use javascript to check window.location.href when its available, however, I am finding that most of the time I am unable to set the referrer.
Is there a better way to do this? Or perhaps am I not using javascript correctly to get the referrer?
Thanks!
I don't think you can directly get it in this way. There are a couple options I can think of:
Get the referrer from your web server HTTP logs. Apache for example logs referrer info by default.
Have people include some referral code in their widget request, that you can use to identify where it came from.
Make a request from your widget back to your server...I think this request will contain the HTTP Referrer field pointing at where it is embedded
Use something like [swfmill][1] to embed the referrer into the actual SWF itself when it is requested from your server...but this might have too much performance overhead.
When I make an HTTP request with the method HttpSendRequest of the WinINet API, and the response sends "302: Moved Temporarily", the WinINet API automatically follows the redirection instruction and makes a new request.
So, How to prevent HttpSendRequest to follow redirects (30x Status Codes)?
I don't want't to make two requests... I wan't to get the the first response it got with the status code 302 in it's header.
I found a flag INTERNET_FLAG_NO_AUTO_REDIRECT that I must pass to HttpOpenRequest.
But, it isn't working....
Redirection can be prevented if you are able to use WinHTTP instead (link).
Try using INTERNET_FLAG_NO_AUTO_REDIRECT in the call to HttpSendRequest. Sounds like you're trying to use it from HttpOpenRequest.
I use this flag with InternetOpenUrl, and it works properly in that call.
Seems like WinInet behavior largely depends of lpszAgent specified in the InternetOpen function call. When you pass "Mozilla/5.0 (compatible)" all redirects are ignored and you will get RAW HTML result when reading response with InternetReadFile.
On the other hand, if you need "redirected" output, you must specify your application name in the Agent argument, for example "ConEmu Update".