Thread: Cross Scripting Confirmation
Mon, Sep 24 2012 7:02 AM

Chris Holland

SEC Solutions Ltd.

Team Elevate

I am hosting my EWB app. and my Data Server app on the same server and
if I run my app. in IE9 it sends the headers across to the Data Server as
shown below:

X-EWBUser : Test
X-EWBPassword : Fred
.......etc

and with this I can extract the X-EWBUser value that I want no problem.

However, if I run my app. using Chrome I get the following headers:

Access-Control-Request-Method : GET
Origin : http://www.cypher1.co.uk
Access-Control-Request-Headers : x-ewbpassword, origin, x-ewbuser
.......etc

Which appears to be asking for permission to perform cross site
scripting with the "Access-Control-xxxxx" fields.

I am unsure what I should send back to confirm that cross-site scripting
is allowed and also why it thinks this is cross site as they are both on
the cypher1.co.uk web server.

Any ideas anyone?

--
Chris Holland
[Team Elevate]
Mon, Sep 24 2012 8:17 AM

Chris Holland

SEC Solutions Ltd.

Team Elevate

Okay, I have worked out that if I set the headers in my reply to:

context.Response.Headers.Add("Access-Control-Allow-Origin: "+origin);
context.Response.Headers.Add("Access-Control-Allow-Methods: "+options);
context.Response.Headers.Add("Access-Control-Allow-Headers:"+headers);

and use:

context.Response.OutputStream.Write(....)

The Chrome browser then sends a follow up request with the expected
X-EWBUser in the headers.

However, in the meantime my EWB app. had read the data coming back (i.e.
the access control headers) and thrown an error as it was not the JSON
data that it expected for my DataSet.

Is there a method that just sends headers to the browser without
triggering my EWB into thinking that it is getting the expected data?

Chris Holland
[Team Elevate]

On 24/09/2012 12:02, Chris Holland wrote:
> I am hosting my EWB app. and my Data Server app on the same server and
> if I run my app. in IE9 it sends the headers across to the Data Server as
> shown below:
>
> X-EWBUser : Test
> X-EWBPassword : Fred
> ......etc
>
> and with this I can extract the X-EWBUser value that I want no problem.
>
> However, if I run my app. using Chrome I get the following headers:
>
> Access-Control-Request-Method : GET
> Origin : http://www.cypher1.co.uk
> Access-Control-Request-Headers : x-ewbpassword, origin, x-ewbuser
> ......etc
>
> Which appears to be asking for permission to perform cross site
> scripting with the "Access-Control-xxxxx" fields.
>
> I am unsure what I should send back to confirm that cross-site scripting
> is allowed and also why it thinks this is cross site as they are both on
> the cypher1.co.uk web server.
>
> Any ideas anyone?
>
Mon, Sep 24 2012 9:42 AM

Chris Holland

SEC Solutions Ltd.

Team Elevate

I have now changed my Response to be:

context.Response.StatusCode = 304;   // 304 Not Modified
context.Response.Headers.Add("Access-Control-Allow-Origin: "+origin);
context.Response.Headers.Add("Access-Control-Allow-Methods: "+options);
context.Response.Headers.Add("Access-Control-Allow-Headers:"+headers);
context.Response.Close();

and using Fiddler it appears that it only sends the required header back
but my EWB app. still says that it is getting the incorrect data.

Chris Holland
[Team Elevate]

On 24/09/2012 13:17, Chris Holland wrote:
> Okay, I have worked out that if I set the headers in my reply to:
>
> context.Response.Headers.Add("Access-Control-Allow-Origin: "+origin);
> context.Response.Headers.Add("Access-Control-Allow-Methods: "+options);
> context.Response.Headers.Add("Access-Control-Allow-Headers:"+headers);
>
> and use:
>
> context.Response.OutputStream.Write(....)
>
> The Chrome browser then sends a follow up request with the expected
> X-EWBUser in the headers.
>
> However, in the meantime my EWB app. had read the data coming back (i.e.
> the access control headers) and thrown an error as it was not the JSON
> data that it expected for my DataSet.
>
> Is there a method that just sends headers to the browser without
> triggering my EWB into thinking that it is getting the expected data?
>
> Chris Holland
> [Team Elevate]
>
> On 24/09/2012 12:02, Chris Holland wrote:
>> I am hosting my EWB app. and my Data Server app on the same server and
>> if I run my app. in IE9 it sends the headers across to the Data Server as
>> shown below:
>>
>> X-EWBUser : Test
>> X-EWBPassword : Fred
>> ......etc
>>
>> and with this I can extract the X-EWBUser value that I want no problem.
>>
>> However, if I run my app. using Chrome I get the following headers:
>>
>> Access-Control-Request-Method : GET
>> Origin : http://www.cypher1.co.uk
>> Access-Control-Request-Headers : x-ewbpassword, origin, x-ewbuser
>> ......etc
>>
>> Which appears to be asking for permission to perform cross site
>> scripting with the "Access-Control-xxxxx" fields.
>>
>> I am unsure what I should send back to confirm that cross-site scripting
>> is allowed and also why it thinks this is cross site as they are both on
>> the cypher1.co.uk web server.
>>
>> Any ideas anyone?
>>
Mon, Sep 24 2012 1:07 PM

Tim Young [Elevate Software]

Elevate Software, Inc.

Email: timyoung@elevatesoft.com

Chris,

<< and using Fiddler it appears that it only sends the required header back
but my EWB app. still says that it is getting the incorrect data. >>

EWB expects a JSON response (with content) to any JSON request, so if it's
not getting that, it will have an issue.

If you have any other questions, please let me know.

Tim Young
Elevate Software
www.elevatesoft.com
Mon, Sep 24 2012 1:08 PM

Tim Young [Elevate Software]

Elevate Software, Inc.

Email: timyoung@elevatesoft.com

Chris,

<< I am unsure what I should send back to confirm that cross-site scripting
is allowed and also why it thinks this is cross site as they are both on the
cypher1.co.uk web server. >>

What URL are you using with the dataset (I assume) load request? Are you
using the Database.Load method?

Thanks,

Tim Young
Elevate Software
www.elevatesoft.com


Mon, Sep 24 2012 3:20 PM

Chris Holland

SEC Solutions Ltd.

Team Elevate

Hi Tim,

Yes I am using the Database.Load method.

I have written a data server that runs on the same address as my EWB
app. which is www.cypher1.co.uk

Everything works as I want when I use IE but when I try it with Chrome
it was sending Access-Control-xxxx headers. I then sent the correct
response back to confirm that cross site scripting was okay. Which then
causes the normal Database.Load request headers to come in to the data
server complete with the X-EWBUser variable so that I can return my JSON
data.

I think that the problem is when I send the Access-Control-xxxx
confirmation headers some data appears to be coming back into the EWB app.

Do you have any idea how I send just http headers with no data back to
the browser?

Chris Holland
[Team Elevate]

On 24/09/2012 18:08, Tim Young [Elevate Software] wrote:
> Chris,
>
> << I am unsure what I should send back to confirm that cross-site
> scripting is allowed and also why it thinks this is cross site as they
> are both on the cypher1.co.uk web server. >>
>
> What URL are you using with the dataset (I assume) load request? Are
> you using the Database.Load method?
>
> Thanks,
>
> Tim Young
> Elevate Software
> www.elevatesoft.com
>
>
>
Wed, Sep 26 2012 3:43 PM

Tim Young [Elevate Software]

Elevate Software, Inc.

Email: timyoung@elevatesoft.com

Chris,

<< I have written a data server that runs on the same address as my EWB app.
which is www.cypher1.co.uk

Everything works as I want when I use IE but when I try it with Chrome it
was sending Access-Control-xxxx headers. I then sent the correct response
back to confirm that cross site scripting was okay. Which then causes the
normal Database.Load request headers to come in to the data server complete
with the X-EWBUser variable so that I can return my JSON
data. >>

The issue that I'm having trouble with is why Chrome thinks that you're
performing a cross-scripting action.  If the http vs. https/URL/port all
match, then it should be considered a "same-source" request.

<< I think that the problem is when I send the Access-Control-xxxx
confirmation headers some data appears to be coming back into the EWB app.
>>

The problem is more likely that the browser is simply passing on the
response to EWB, and EWB doesn't know what to do with it because there's no
JSON content.

If you can send me the URL, etc. that I need to try it out here in Firefox,
I'll take a look and see what's going on with EWB.  Please make sure that
the EWB application is *not* compressed, so that I can do some debugging.

Thanks,

Tim Young
Elevate Software
www.elevatesoft.com
Thu, Sep 27 2012 3:47 PM

Tim Young [Elevate Software]

Elevate Software, Inc.

Email: timyoung@elevatesoft.com

Chris,

Via email - the issue was the use of port 12009 for the dataset requests.

Tim Young
Elevate Software
www.elevatesoft.com
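The two points this thread turns on, illustrated as an added example (this is not code from the thread, from Elevate Software or from the poster's data server): first, the browser's same-origin rule compares scheme, host and port, so a data server on port 12009 is a different origin from a page served on port 80 of the same host, which is why Chrome sent a preflight; second, the reply to that preflight (the OPTIONS request carrying Origin and Access-Control-Request-*) should be a 2xx response with headers only and an empty body, so the client never sees a non-JSON payload. All names here (ALLOWED_ORIGINS, origin_of, is_same_origin, handle_preflight) are this example's own, and the allowlist checks the Origin against known values rather than echoing whatever the request carried.

```python
"""Same-origin check and a minimal CORS preflight handler (added example).

Assumptions: a data server that accepts the custom X-EWBUser/X-EWBPassword
headers from one known web origin; ALLOWED_* sets are constructed for the
example and are not part of the original thread or product.
"""
from urllib.parse import urlsplit

# Constructed allowlist. Reflecting an arbitrary Origin header back in
# Access-Control-Allow-Origin would let any site send the user's credentials
# to this server, so only known origins are accepted.
ALLOWED_ORIGINS = {"http://www.cypher1.co.uk"}
ALLOWED_METHODS = {"GET", "POST"}
# Request headers the server is willing to accept from a browser; "origin" is
# included because Chrome listed it in Access-Control-Request-Headers.
ALLOWED_HEADERS = {"x-ewbuser", "x-ewbpassword", "origin", "content-type"}

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return the (scheme, host, port) triple that browsers compare for same-origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def is_same_origin(page_url, request_url):
    """True only if scheme, host and port all match; a different port is cross-origin."""
    return origin_of(page_url) == origin_of(request_url)


def handle_preflight(request_headers):
    """Build the response to a CORS preflight (OPTIONS) request.

    request_headers: dict of header name -> value (names compared case-insensitively).
    Returns (status, response_headers, body). The body is always empty: a
    preflight response carries only headers, and a browser needs a 2xx status
    to treat it as a successful preflight.
    """
    h = {k.lower(): v for k, v in request_headers.items()}
    origin = h.get("origin", "")
    method = h.get("access-control-request-method", "").upper()
    requested = [x.strip().lower()
                 for x in h.get("access-control-request-headers", "").split(",")
                 if x.strip()]

    # Deny by omitting the Access-Control-* headers entirely; the browser will
    # then refuse to send the real request.
    if origin not in ALLOWED_ORIGINS:
        return 403, {}, b""
    if method not in ALLOWED_METHODS or not set(requested) <= ALLOWED_HEADERS:
        return 403, {}, b""

    headers = {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
        "Access-Control-Allow-Headers": ", ".join(requested),
        "Access-Control-Max-Age": "600",   # let the browser cache the decision
        "Vary": "Origin",                  # response differs per origin; keep caches honest
        "Content-Length": "0",
    }
    return 204, headers, b""


if __name__ == "__main__":
    # Constructed preflight resembling the one seen in Chrome in the thread.
    preflight = {
        "Origin": "http://www.cypher1.co.uk",
        "Access-Control-Request-Method": "GET",
        "Access-Control-Request-Headers": "x-ewbpassword, origin, x-ewbuser",
    }
    print(is_same_origin("http://www.cypher1.co.uk/app/",
                         "http://www.cypher1.co.uk:12009/data"))
    print(handle_preflight(preflight))
```

Running the block shows the port mismatch alone makes the request cross-origin, and that an allowed preflight yields status 204 with the Access-Control-* headers and no body. Serving the dataset endpoint from the same scheme, host and port as the page removes the preflight entirely, which is the simplest fix when both apps live on one server.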