Why do preflight requests sometimes appear after the main request in Chrome DevTools network tab? - google-chrome-devtools

My understanding of preflight requests is that they are just that - a request before the main request.
Often in the Chrome DevTools Network tab I see the preflight OPTIONS request appear after the main one.
Why is that?

Related

How to prevent OWASP ZAP scanner hitting external URLs in Standard Mode?

I am new to OWASP ZAP. I ran an automated scan in Standard Mode on my own website hosted on localhost (http://127.0.0.1:8000) with both traditional and AJAX spiders.
There are some external public URLs in the localhost website which are not under http://127.0.0.1:8000, like CDNs, etc. Yet ZAP's Information Window shows them:
The Spider tab shows the external URLs Flagged as Out of Scope.
The AJAX Spider tab shows some external URLs returned 403 Forbidden.
The Active Scan tab shows content-signature-2.cdn.mozilla.net at the bottom.
Did ZAP actually "scan" those external URLs? If yes, then how do I prevent this from happening? Can this cause some kind of legal issue?
Thanks.
The AJAX Spider is not hitting those URLs - the requests are made from the browsers which ZAP launches and ZAP is returning the 403s.
ZAP will permit requests for JavaScript files (and I think CSS ones too from memory) as blocking these breaks many apps. However these are just standard requests that any browser would make - ZAP does NOT attack URLs that are out of scope.

Chrome DevTools Protocol - Network Events after page load

I'm trying to use the chrome-remote-interface package to register URLs requested by a page, through the Chrome DevTools Protocol.
It works fine until the page loads. After the page loads, I can't get the requests. For example: Ajax, Google Analytics requests, etc.
Is it possible to have the requested URLs after page load with Chrome DevTools Protocol?
Some of the requests are not done with classic HTTP requests (which are the ones handled by the Network domain). However, YouTube's Ajax "navigation", for example, could be tracked by the Page.frameRequestedNavigation event, so it might also work for Google Analytics.

How not to display requests to DevTools by domain

How do I stop DevTools from displaying requests for a given domain?
For example, I don’t want to display requests to the domain mc.yandex.ru in Chrome.

Unable to login in Incognito mode with an iPhone (Chrome & Safari)

We've noticed that when we try to log on to our application, using an iPhone with either Chrome or Safari, we get an authentication error.
Is there something special about making POST requests in Angular under these situations?
[UPDATE]: We can see that both the OPTIONS and POST are returned as being successful from our API, however, the UI continues to reject the response as being successful.
Thanks to the hint from #kai, it was, indeed, an issue that LocalStorage is not supported in Incognito mode. Need to have a fallback...
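One way to build the fallback the answer above calls for (added example, not code from the original post): a storage wrapper that probes the real `localStorage` once, and if it is missing or throws (as Safari and Chrome do in private browsing on iOS), keeps values in memory for the lifetime of the page instead. The `backend` parameter is an assumption so the wrapper can be exercised outside a browser.

```javascript
// Storage wrapper with an in-memory fallback for browsers where
// localStorage is unavailable or throws on write (private/Incognito mode).
// `backend` is whatever Web Storage object the caller wants to use
// (e.g. window.localStorage); pass null when it does not exist.
function createStorage(backend) {
  let usable = false;
  if (backend) {
    // Probe with a real write: in private mode getItem works but setItem
    // throws QuotaExceededError, so checking for the object is not enough.
    try {
      const probe = '__storage_probe__';
      backend.setItem(probe, '1');
      backend.removeItem(probe);
      usable = true;
    } catch (e) {
      usable = false;
    }
  }
  // Fallback store: lives only as long as the page, which also means a
  // token kept here disappears when the tab closes (an acceptable degrade).
  const memory = new Map();
  return {
    // true while values are really persisted in the backend
    isPersistent() { return usable; },
    get(key) {
      if (usable) {
        try { return backend.getItem(key); } catch (e) { usable = false; }
      }
      return memory.has(key) ? memory.get(key) : null;
    },
    // returns true when persisted, false when only held in memory
    set(key, value) {
      if (usable) {
        try { backend.setItem(key, String(value)); return true; } catch (e) { usable = false; }
      }
      memory.set(key, String(value));
      return false;
    },
    remove(key) {
      if (usable) {
        try { backend.removeItem(key); } catch (e) { usable = false; }
      }
      memory.delete(key);
    }
  };
}
// In a browser: const store = createStorage(typeof localStorage !== 'undefined' ? localStorage : null);
```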

Chrome App does not remove session cookies (JSessionId) unless all instances are closed

I see a serious design issue with how Chrome Apps are closed and how JSESSIONID or other HTTP cookies are maintained.
In our current Chrome App, we are hitting a RESTful site (Site B) to fetch some information after authentication. Site B returns the HttpOnly JSESSIONID cookie in the response.
Now there is no way that I can simply log out or reload or close=>open the Chrome App and use a different authentication to access Site B, because the Chrome App sends the same JSESSIONID again which was received during the previous authentication.
Worse, even if I pass an authentication header with a wrong userid/password, that is also allowed because, as per the Java spec, JSESSIONID is given preference over the authentication header.
There is no way in a Chrome App that I can delete this HttpOnly JSESSIONID or restrict the Ajax call (XHR request) to avoid sending the JSESSIONID. Even if you pass a wrong JSESSIONID with the URL, that does not work because, as per the Java spec, the JSESSIONID from the cookie is given precedence over the one in the URL.
Even if I accept that all the above behaviour is per the Java specs, then at least one would expect that the session cookies are automatically deleted when the Chrome App is closed or reloaded. But it seems that the session cookies are not deleted because the corresponding chrome.exe instance is still running in the background. Once you close all the Chrome browser instances and/or manually kill all the Chrome instances from the Task Manager and reload the app, only then does it work, because now the session cookies are removed.
Can someone help me find out the chrome app APIs or settings which
1) remove the session cookies when the Chrome app is closed and reloaded.
2) kill the chrome.exe instance when the Chrome app is closed.
I am not looking for any kind of manual process.
Thanks in advance.
Kanchan
I'm afraid you're hitting something that's known to be missing from the Chrome Apps platform.
Namely, there are no methods for managing cookies for XHRs originating from a Chrome App. Here's a related issue, see comment #11 specifically.
As mentioned in the issue, it's extremely clumsy but you could try and use a <webview> tag and make requests from within it. The cookies in it do not persist and can be manually cleared.