I would like to open "application/hal+json" response inline in my Chrome browser. The problem is that the Chrome browser doesn't recognize the HAL response and downloads it. Before I always used the JSON view extension for Chrome for checking my JSON response. But since swapping to HAL it immediately downloads my response so I cannot review it anymore.
For Chrome:
I just ran into a nice solution myself. I hope answering here will help some other people who run into the same problem...
Installing this 'application/...+json|+xml as inline' chrome extension solved it nicely. I am now able to review my server response again as normal.
For FireFox:
Install the extension called JSONView. After install go to extensions page (default: ctrl+shift+a) find the JSONView extension and go to options. There you can add "Alternate JSON content types" that should be opened as by the extension. Simply add application/hal+json to the input field and it will work:
REST developer add-ons: Another solution can be to install a REST developer add-on. The advantage is that you can also change the http request verb (POST, GET, PATCH, PUT, DELETE) and custom set your request headers. A great REST plugin for Chrome is POSTMAN and a nice one for FireFox is RESTClient. But there are several other ones available.
This doesn't exactly answer your question, but installing the HAL Browser from your web server will convert HAL to HTML for viewing your application/hal+json responses inline. It's particularly nice because it makes the links navigable and also links to the relation documentation (if the relation name is a URI).
Oddly enough, my Chrome sends an Accept header of /;q=0.8 so it falls back to anything the server sends it. I wonder if you're running a different version of Chrome than I am. I'm on v30.0.1599.101.
Came here looking for a solution for Firefox and application/hal+json content type.
I ended up installing JSONView, which has an option in its preferences menu to add extra content types.
Related
We have a react front-end that is communicating with an ASP Core API.
Sometimes we detect there is something wrong with the front-end, including service workers, local cache, and that kind of stuff, so we want to tell the client to clean it up.
I've implemented the Clear-Site-Data (dev-moz) (w3c) as a response header, as "Clear-Site-Data": "cache", "cookies", "storage", "executionContexts"
When testing this out in Firefox, it works, and in the console I'm seeing:
Clear-Site-Data header found. Unknown value “"executionContexts"”. SignIn
Clear-Site-Data header forced the clean up of “cache” data. SignIn
Clear-Site-Data header forced the clean up of “cookies” data. SignIn
Clear-Site-Data header forced the clean up of “storage” data.
When doing the same in Chrome, it's not working, and I'm seeing the message
The request's credentials mode prohibits modifying cookies and other local data.
I'm trying to figure out what to do to fix it, but there are barely any any references. Just 7 results, mostly from browser integration test logs
All the documentation says that this should be implemented and working in Chrome... Any idea what's the problem?
Try manually reloading the page after the Clear-Site-Data has been received (so that the local data / cache is cleared and the header no longer contain Clear-Site-Data).
Both Firefox & Chrome don't appear to support executionContexts, which tells the browser to reload the original response.
If header contains executionContexts, then the browser should ignore it (as you see in Firefox console). However you can try wildcard mapping (*). (This will also add support for future properties).
Response.AppendHeader("Clear-Site-Data", "\"*\"");
Also Google reuse parts of their Chrome source code in their open source project Chromium. If you take a look at Chromium source code (https://doss-gitlab.eidos.ic.i.u-tokyo.ac.jp/sneeze/chromium/blob/9b22da4739ec7bf54fb8e730662e2ab7996532e0/content/browser/browsing_data/clear_site_data_handler.cc line 308). This implements the same exception The request's credentials mode prohibits modifying cookies. A flag LOAD_DO_NOT_SAVE_COOKIES is somehow being sent. The console error maybe an caused by an additional response header or a small chance theres a bug in Chrome.
Right now, my advice would be do not implement the Clear-Site-Data header at this time.
Despite the spec being widely available for some years, vendor support is still hit-and-miss and is now actually going in reverse.
As per the w3c github for this, there are a number of issues regarding executionContexts. The wildcard ('*') mentioned by Greg in their answer is not supported by Chrome, and Mozilla are about to remove the cache value as well.
All this points to a flawed standard which is likely to be removed at some point in the future.
I'm getting this chrome flag when trying to post and then get a simple form.
The problem is that the Developer Console shows nothing about this and I cannot find the source of the problem by myself.
Is there any option for looking this at more detail?
View the piece of code triggering the error for fixing it...
The simple way for bypass this error in developing is send header to browser
Put the header before send data to browser.
In php you can send this header for bypass this error ,send header reference:
header('X-XSS-Protection:0');
In the ASP.net you can send this header and send header reference:
HttpContext.Response.AddHeader("X-XSS-Protection","0");
or
HttpContext.Current.Response.AddHeader("X-XSS-Protection","0");
In the nodejs send header, send header reference :
res.writeHead(200, {'X-XSS-Protection':0 });
// or express js
res.set('X-XSS-Protection', 0);
Chrome v58 might or might not fix your issue... It really depends to what you're actually POSTing. For example, if you're trying to POST some raw HTML/XML data whithin an input/select/textarea element, your request might still be blocked from the auditor.
In the past few days I hit this issue in two different scenarios: a WYSIWYG client-side editor and an interactive upload form featuring some kind of content preview. I managed to fix them both by base64-encoding the raw HTML before POSTing it, then decoding it on the receiving PHP page. This will most likely fix the issue and, most importantly, increase the developer's awareness level regarding the data coming from POST requests, hopefully pushing him into adopting effective data encoding/decoding strategies and strengthen their web application from XSS-type attacks.
To base64-encode your content on the client side you can either use the native btoa() function, which is supported by most browsers nowadays, or a third-party alternative such as a jQuery plugin (I ended up using this, which worked ok).
To base64-decode the POST data you can then use PHP's base64_decode(str) function, ASP.NET's Convert.FromBase64String(str) or anything else (depending on your server-side scenario).
For further info, check out this blog post that I wrote on the topic.
In this case, being a first-time contributor at the Creative forums, (some kind of vBulletin construct) and reduced to posting a PM to the moderators before forum access it is easy for one to encapsulate the nature of the issue from the more popular answers above.
The command was
http://forums.creative.com/private.php?do=insertpm&pmid=
And as described above the actual data was "raw HTML/XML data within an input/select/textarea element".
The general requirement for handling such a bug (or feature) at the user end is some kind of quick fixit tweak or twiddle. This post discusses the option of clearing cache, resetting Chrome settings, creating a new_user or retrying the operation with a new beta release.
It was also suggested that one launches a new instance with the following:
google-chrome-stable --disable-xss-auditor
The launch actually worked in this W10 1703 Chrome 061 edition after this modified version:
chrome --disable-xss-auditor
However, on logging back in to the site and attempting the post again, the same error was generated. Perhaps the syntax wants refining or something else is awry.
It then seemed reasonable to launched Edge and repost from there, which turned out to be no problem at all.
This may help in some circumstances. Modify Apache httpd.conf file and add
ResponseHeader set X-XSS-Protection 0
It may have been fixed in Version 58.0.3029.110 (64-bit).
I've noticed that if there is an apostrophe ' in the text Chrome will block it.
When I update href from javascript:void(0) to # in the page of POST request, it works.
For example:
login
Change to:
login
I solved the problem!
In my case when I make the submmit, I send the HTML to the action and in the model I had a property that accept the HTML with "AllowHTML".
The solution consist in remove this "AllowHTML" property and everything go OK!
Obviously I no longer send the HTML to the action because in my case I do not need it
It is a Chrome bug. The only remedy is to use FireFox until they fix this Chrome bug. XSS auditor trashing a page, that has worked fine for 20 years, seems to be a symptom, not a cause.
I have finished an extension for my company and I want to put it on the company wiki so that in order to get it on everyone's machine all I have to do is go around and click the link.
First, I HAVE READ all the documentation from http://developer.chrome.com/extensions/hosting.html about hosting and autoupdating and all that. Part of it confuses me and I can't find any more information about this:
Google Chrome considers a file to be installable if either of the following is true:
The file has the content type application/x-chrome-extension
The file suffix is .crx and both of the following are true:
The file is not served with the HTTP header X-Content-Type-Options: nosniff
The file is served with one of the following content types:
empty string
"text/plain"
"application/octet-stream"
"unknown/unknown"
"application/unknown"
"*/*"
This looks like it wants a MIME style setup? but I have never done anything with this. I have the ability to change what I want to the Locally hosted Wiki, all I need is to understand what need to change to make the link installable. I will keep looking for examples.
Note: The reason it is not going on the app store is that there is really no reason to. It is branded for our company, and communication with our specific servers is hard-coded into it.
In version 21 (or so), Chrome disabled the ability to do a simple link-click install of off-store extensions. There is a discussion of the change in this bug report:
You are no longer supposed to be able to install extensions off-store in Chrome... In order to install off-store extensions, the user must download them to a directory and drag them onto chrome://extensions/.
There is, therefore, no longer any way to install an extension simply by clicking a link, except by hosting it in the Web Store. You will need to download the file and then drop it into chrome://extensions.
The documentation you reference looks out of date (that's Google's fault, not yours). It definitely fails to mention the new drag-and-drop requirement. It also talks about the file's "content type" and the X-Content-Type-Options HTTP header required to make the CRX installable; however, when you install an extension by dropping it into chrome://extensions, I doubt very much that Chrome remembers what HTTP headers were set when you first downloaded the file.
EDIT: You can also use the --enable-easy-off-store-extension-install command line flag to restore the old instalation behavior.
You can do an "inline install" of an app hosted on the web store. The new changes are forcing people to move our extensions to the web store, but the inline installation should allow your users to not need to leave your page to install.
I am trying to serve a PHP file output with HTTP Headers configured so the content will NOT be served from cache in Chrome.
If I go to Dev tools (in Chrome), and mark the "Disable cache" option, then it works.
But I don't want to depend on that, I hope I can setup HTTP headers in a way I can force Chrome to reload the page everytime.
Here's a screenshot of my current attempt, please note the red marks.
Could you please provide good documentation or which headers I must declare for this ?
Thanks in advance.
Edit
So I found this other reply too: Chrome caching like a mad browser, but since I recall being told that Chrome needs special headers for Cache-Control, I will keep this question.
Web browsers can cache AJAX requests with the same request parameters. In order to work around this problem, use a query string that changes. One example would be to use the date in seconds as a query parameter.
I have got two simple questions
How can I tell what server is a website on? I remember I used to read the HTTP Host Header to identify the type of server. Is there any tool to do it?
2a. A lot of the website have the page extension .html and you just know they are not html. How can I tell what programming language is behind them?
2b. For ASPX, I think IIS can map the extension, so it will show HTML instead of ASPX, right?
Cheers
1.
Yes, you can check the http header tag "SERVER". Example of responses:
-Microsoft-IIS/6.0
-GFE/1.3
-Server Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.2 with Suhosin-Patch
You can also check "X-Powered-By" on some servers, example:
-PHP/5.2.6-3ubuntu4.2
-ASP.NET
You can do this in firefox/firebug for example. Go to NET pick a request, select headers and check under response headers. You could do this is Fiddler to or any other http sniffer.
2a)
See my first answer
2b)
Yes you can map .html or anything as a "asp.net" extension, meaning that the extension will be handled by the web application. Common use is that you have a httphandler that catches that extension in web.config.
Not sure what your endgoal of these questions are.. or rather to what purpose, maybe we could answer better then.
Look at the HTTP headers. This works as long as the Server admin hasn't disabled them (which he usually doesn't).
Try http://kalender-365.de/ip/get-http-header.php
2a. This actually works with all servers and all extensions. Some Interpreters - such as e.g. PHP - send a special created-by HTTP header (which can be disabled, however).