Cross Scripting Confirmation

Mon, Sep 24 2012 7:02 AM
Chris Holland SEC Solutions Ltd. Team Elevate

I am hosting my EWB app. and my Data Server app on the same server and if I run my app. in IE9 it sends the headers across to the Data Server as shown below:

    X-EWBUser : Test
    X-EWBPassword : Fred
    .......etc

and with this I can extract the X-EWBUser value that I want no problem.

However, if I run my app. using Chrome I get the following headers:

    Access-Control-Request-Method : GET
    Origin : http://www.cypher1.co.uk
    Access-Control-Request-Headers : x-ewbpassword, origin, x-ewbuser
    .......etc

Which appears to be asking for permission to perform cross site scripting with the "Access-Control-xxxxx" fields.

I am unsure what I should send back to confirm that cross-site scripting is allowed and also why it thinks this is cross site as they are both on the cypher1.co.uk web server.

Any ideas anyone?

--
Chris Holland
[Team Elevate]

Mon, Sep 24 2012 8:17 AM
Chris Holland SEC Solutions Ltd. Team Elevate

Okay, I have worked out that if I set the headers in my reply to:

    context.Response.Headers.Add("Access-Control-Allow-Origin: "+origin);
    context.Response.Headers.Add("Access-Control-Allow-Methods: "+options);
    context.Response.Headers.Add("Access-Control-Allow-Headers:"+headers);

and use:

    context.Response.OutputStream.Write(....)

The Chrome browser then sends a follow up request with the expected X-EWBUser in the headers.

However, in the meantime my EWB app. had read the data coming back (i.e. the access control headers) and thrown an error as it was not the JSON data that it expected for my DataSet.

Is there a method that just sends headers to the browser without triggering my EWB into thinking that it is getting the expected data?

Chris Holland
[Team Elevate]

Mon, Sep 24 2012 9:42 AM
Chris Holland SEC Solutions Ltd. Team Elevate

I have now changed my Response to be:

    context.Response.StatusCode = 304; // Header not modified
    context.Response.Headers.Add("Access-Control-Allow-Origin: "+origin);
    context.Response.Headers.Add("Access-Control-Allow-Methods: "+options);
    context.Response.Headers.Add("Access-Control-Allow-Headers:"+headers);
    context.Response.Close();

and using Fiddler it appears that it only sends the required header back but my EWB app. still says that it is getting the incorrect data.

Chris Holland
[Team Elevate]

Mon, Sep 24 2012 1:07 PM
Tim Young [Elevate Software] Elevate Software, Inc. timyoung@elevatesoft.com

Chris,

<< and using Fiddler it appears that it only sends the required header back but my EWB app. still says that it is getting the incorrect data. >>

EWB expects a JSON response (with content) to any JSON request, so if it's not getting that, it will have an issue.

If you have any other questions, please let me know.

Tim Young
Elevate Software
www.elevatesoft.com

Mon, Sep 24 2012 1:08 PM
Tim Young [Elevate Software] Elevate Software, Inc. timyoung@elevatesoft.com

Chris,

<< I am unsure what I should send back to confirm that cross-site scripting is allowed and also why it thinks this is cross site as they are both on the cypher1.co.uk web server. >>

What URL are you using with the dataset (I assume) load request? Are you using the Database.Load method?

Thanks,

Tim Young
Elevate Software
www.elevatesoft.com

Mon, Sep 24 2012 3:20 PM
Chris Holland SEC Solutions Ltd. Team Elevate

Hi Tim,

Yes I am using the Database.Load method.

I have written a data server that runs on the same address as my EWB app. which is www.cypher1.co.uk

Everything works as I want when I use IE but when I try it with Chrome it was sending Access-Control-xxxx headers.

I then sent the correct response back to confirm that cross site scripting was okay.

Which then causes the normal Database.Load request headers to come in to the data server complete with the X-EWBUser variable so that I can return my JSON data.

I think that the problem is when I send the Access-Control-xxxx confirmation headers some data appears to be coming back into the EWB app.

Do you have any idea how I send just http headers with no data back to the browser?

Chris Holland
[Team Elevate]

Wed, Sep 26 2012 3:43 PM
Tim Young [Elevate Software] Elevate Software, Inc. timyoung@elevatesoft.com

Chris,

<< I have written a data server that runs on the same address as my EWB app. which is www.cypher1.co.uk Everything works as I want when I use IE but when I try it with Chrome it was sending Access-Control-xxxx headers. I then sent the correct response back to confirm that cross site scripting was okay. Which then causes the normal Database.Load request headers to come in to the data server complete with the X-EWBUser variable so that I can return my JSON data. >>

The issue that I'm having trouble with is why Chrome thinks that you're performing a cross-scripting action. If the http vs. https/URL/port all match, then it should be considered a "same-source" request.

<< I think that the problem is when I send the Access-Control-xxxx confirmation headers some data appears to be coming back into the EWB app. >>

The problem is more likely that the browser is simply passing on the response to EWB, and EWB doesn't know what to do with it because there's no JSON content.

If you can send me the URL, etc. that I need to try it out here in FireFox, I'll take a look and see what's going on with EWB. Please make sure that the EWB application is *not* compressed, so that I can do some debugging.

Thanks,

Tim Young
Elevate Software
www.elevatesoft.com

Thu, Sep 27 2012 3:47 PM
Tim Young [Elevate Software] Elevate Software, Inc. timyoung@elevatesoft.com

Chris,

Via email - the issue was the use of port 12009 for the dataset requests.

Tim Young
Elevate Software
www.elevatesoft.com
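
The resolution above, as an added example that is not part of the thread or of Elevate Web Builder: a URL on port 12009 has a different origin from a page served at http://www.cypher1.co.uk, so Chrome sends an OPTIONS preflight before the request that carries X-EWBUser. The JavaScript sketch below checks that origin rule and answers the preflight from an allowlist with no body, then serves JSON on the real request; the function names, URL paths, `loadJson` callback and JSON payload are assumptions.

```javascript
// Added example; function names, paths and the JSON payload are constructed.
const ALLOWED_ORIGINS = new Set(['http://www.cypher1.co.uk']); // Origin value shown in the thread
const ALLOWED_METHODS = ['GET'];
// Names Chrome listed in Access-Control-Request-Headers in the thread.
const ALLOWED_HEADERS = ['x-ewbuser', 'x-ewbpassword', 'origin'];

// Same origin only when scheme, host and port all match.
function isSameOrigin(pageUrl, requestUrl) {
  return new URL(pageUrl).origin === new URL(requestUrl).origin;
}

const splitList = (v) => (v || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);

// req: { method, headers } with lower-cased header names.
// loadJson(user) is a hypothetical callback returning the dataset rows.
function handleDataRequest(req, loadJson) {
  const h = req.headers;
  const cors = {};
  if (h.origin !== undefined) {
    // Echo the Origin only if it is on the allowlist; never reflect it blindly.
    if (!ALLOWED_ORIGINS.has(h.origin)) return { status: 403, headers: {}, body: '' };
    cors['Access-Control-Allow-Origin'] = h.origin;
    cors['Vary'] = 'Origin';
  }
  const wantedMethod = h['access-control-request-method'];
  if (req.method === 'OPTIONS' && wantedMethod !== undefined) {
    // Preflight: grant only what is allowlisted, 2xx status, no body.
    const wanted = splitList(h['access-control-request-headers']);
    const ok = ALLOWED_METHODS.includes(wantedMethod) &&
      wanted.every((name) => ALLOWED_HEADERS.includes(name));
    if (!ok) return { status: 403, headers: {}, body: '' };
    return {
      status: 204,
      headers: {
        ...cors,
        'Access-Control-Allow-Methods': ALLOWED_METHODS.join(', '),
        'Access-Control-Allow-Headers': ALLOWED_HEADERS.join(', '),
      },
      body: '',
    };
  }
  // Actual request: the JSON the client expects, with the same CORS header.
  return {
    status: 200,
    headers: { ...cors, 'Content-Type': 'application/json' },
    body: JSON.stringify(loadJson(h['x-ewbuser'])),
  };
}
```

Serving the dataset from the same scheme, host and port as the application avoids the preflight altogether, since the request is then same-origin.
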

This web page was last updated on Friday, December 6, 2024 at 05:39 PM