Dynamic images won't load, shows up as text/html MIME type, fix for webview? - android-webview

For example, a link for one of the images goes to a url https://storage.notmywebsite.com/some/path/on/website/image:Static,Small/ImageFileName?params=123456.
When debugging the webview via chrome://inspect, the kind of error that shows up is ...
Cross-Origin Read Blocking (CORB) blocked cross-origin response https://login.notmywebsite.com/login.srf?moreparams=123456&wreply=https:%2F%2Fstorage.notmywebsite.com%2Fstorageservice%2Fpassport%2Fauth.aspx%3Fsru%3Dhttps:%252f%252fstorage.notmywebsite.com%252fsome%252fpath%252fon%252fwebsite%252fimage:Static%252cSmall%252fImageFileName&otherparams=123456 with MIME type text/html. See https://www.chromestatus.com/feature/5629709824032768 for more details.
However, loading the same website in the Chrome web browser, those images show up... so what is going wrong? Is there any way to fix this?

I finally figured out what was wrong.
For the webview, it needs one more setting turned on in order for the cookies of the website to be used in order to access credential protected images.
So, if you want to fix it for your application, just use the following code.
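// Apps targeting Lollipop (API 21) or later start with third-party cookies disabled
// in WebView; enable them for this WebView only.
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) {
    CookieManager.getInstance().setAcceptThirdPartyCookies(webView, true);
} else {
    // Before API 21 there is no per-WebView switch; cookies are controlled globally.
    CookieManager.getInstance().setAcceptCookie(true);
}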
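
The CORB message in the question already points at the cause the answer arrives at: the blocked response is a sign-in page, not the image. The following is an added example, not part of the original post; it parses such a console line and unwraps the nested `wreply`/`sru` return URLs to recover the resource that was actually requested. The function names are hypothetical, and it assumes those two parameters carry the return URL, as they do in the message above.

```javascript
// Constructed input: the console message from the question, split for readability.
const SAMPLE =
  "Cross-Origin Read Blocking (CORB) blocked cross-origin response " +
  "https://login.notmywebsite.com/login.srf?moreparams=123456&wreply=https:%2F%2F" +
  "storage.notmywebsite.com%2Fstorageservice%2Fpassport%2Fauth.aspx%3Fsru%3Dhttps:" +
  "%252f%252fstorage.notmywebsite.com%252fsome%252fpath%252fon%252fwebsite%252f" +
  "image:Static%252cSmall%252fImageFileName&otherparams=123456 with MIME type " +
  "text/html. See https://www.chromestatus.com/feature/5629709824032768 for more details.";

// Return-URL parameters seen in that message (assumed to carry the redirect target).
const RETURN_PARAMS = ["wreply", "sru"];

// Pull the blocked URL and MIME type out of a CORB console line.
function parseCorbMessage(line) {
  const m = /blocked cross-origin response (\S+) with MIME type ([\w+-]+\/[\w+.-]*[\w+-])/.exec(line);
  return m ? { blockedUrl: m[1], mime: m[2] } : null;
}

// Follow nested return URLs; URLSearchParams removes one layer of percent-encoding per hop.
function followReturnUrls(url, maxDepth = 5) {
  const chain = [];
  let current = url;
  while (current && chain.length < maxDepth) {
    let parsed;
    try { parsed = new URL(current); } catch { break; }
    chain.push(parsed);
    const name = RETURN_PARAMS.find((p) => parsed.searchParams.has(p));
    current = name ? parsed.searchParams.get(name) : null;
  }
  return chain;
}

function diagnose(line) {
  const parsed = parseCorbMessage(line);
  const chain = parsed ? followReturnUrls(parsed.blockedUrl) : [];
  if (chain.length === 0) return null;
  const blocked = chain[0];
  const resource = chain[chain.length - 1];
  return {
    mime: parsed.mime,
    blockedHost: blocked.host,
    resource: resource.href,
    hops: chain.length,
    // Heuristic: HTML from a different host in place of the resource means the
    // request carried no session cookie and was sent to the sign-in page instead.
    likelyMissingCookies: parsed.mime === "text/html" && resource.host !== blocked.host,
  };
}

console.log(diagnose(SAMPLE));
```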

Related

I'm getting an error message related to Access-Control-Allow-Origin

I'm working with a landing page that uses cdn plyr
<script src="https://cdn.plyr.io/3.3.10/plyr.js"></script>
<script>const player = new Plyr('#player');</script>
I moved a video from local files to a server and changed the src="to new address from server", but the video stopped working and I'm getting this error:
page.html:1 Failed to load https://www.video.mp4: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://111.0.0.0:12121' is therefore not allowed access.
I tried different things, and even added other videos from other servers and they worked, except my video. The only thing that works is to add crossOrigin="anonymous" to the video tag and install a Chrome extension. But this won't work for other users; I need something permanent.
I also looked in to many answers:
How does Access-Control-Allow-Origin header work?
Videos not playing due to no Access Control Allow Origin
HTML5 video doesn't play with crossOrigin=“anonymous”
Please, any ideas how to make this work?
This problem occurs when you try to send a request from a server that is different from the server you send the request to. As was indicated in the comment, only the server you have uploaded your video to can control the header. But if it's your own server, you can easily manipulate the code to allow requests from different servers.
Try this for a reference on how to enable it on your server: W3C CORS Enabled
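
What "allowing requests from different servers" looks like on the video server, as an added example that is not part of the original answer: a weak version that reflects any origin next to one that matches an exact allowlist, plus the comparison the browser applies to the response. The allowlist contents and function names are hypothetical; the first origin is the one quoted in the error message above.

```javascript
// Hypothetical allowlist for the video server; the first entry is the page origin
// quoted in the error message above, the second is a constructed placeholder.
const ALLOWED_ORIGINS = new Set(["http://111.0.0.0:12121", "https://www.example.com"]);

// Weak: reflects any Origin, which lets every site read the response.
function corsHeadersReflectAll(origin) {
  return origin ? { "Access-Control-Allow-Origin": origin } : {};
}

// Corrected: exact match on the full origin string (scheme, host and port).
function corsHeaders(origin) {
  const headers = { Vary: "Origin" }; // shared caches must not reuse another origin's answer
  if (typeof origin === "string" && ALLOWED_ORIGINS.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
  }
  return headers;
}

// The check the browser applies to a response fetched for <video crossorigin="anonymous">.
function browserAllows(pageOrigin, responseHeaders) {
  const allowed = responseHeaders["Access-Control-Allow-Origin"];
  return allowed === "*" || allowed === pageOrigin;
}

// Walk through the case from the question: no header, then the corrected server.
function demo() {
  const page = "http://111.0.0.0:12121";
  return {
    withoutHeader: browserAllows(page, {}),
    withAllowlist: browserAllows(page, corsHeaders(page)),
    otherPort: browserAllows("http://111.0.0.0:1212", corsHeaders("http://111.0.0.0:1212")),
  };
}

console.log(demo());
```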

Form Conversion from doPost to doGet

I have developed an application and am facing an issue with security stuff.
My application runs in the doPost method, which doesn't show the URL explicitly in the browser. If I try to change doPost to doGet (using web developer tools --> Forms), my application's URL is displayed explicitly. So I need to throw an error/stop the app response if the user tries to change the form from doPost to doGet?
I suppose the question here is: Why do you regard it as a security issue, that the URL might be displayed in the browser?
In case you don't want the user to have access to the URL or other request data, you probably have a fundamental design problem, as the user can track the post request using the developer tools.
In case you don't want somebody other than the user to see the URL and thus think it should not be displayed in the browser, I would not worry, as the user has to actively and consciously "mess" with your application to achieve this behavior.
In general it is probably a good idea to throw errors and prevent the request from being processed if your front end does not behave as expected.

An appropriate representation of the requested resource /page.php could not be found on this server

In a page in my website I have a link as below:
Go to the page.php
When I click the link, I get the following error:
406 Not Acceptable
An appropriate representation of the requested resource /page.php could not be found on this server.
This is the header information which I captured via Live HTTP headers:
EDIT:
That's really weird, because when I convert the parameter value from selectquiz to:
selectq
selectqu
...
selectquiz
it's not working, but when I type selec it is OK!! (In all browsers)
I'm getting the same error message, but it seems to be a generic problem with mine when I try to add images to posts/pages etc. I can upload images but they just won't. I've tried re-uploading the images, installed a fresh WordPress download, tried different themes, no change.

A simple facebook app gets Method Post is not allowed error

I tried a very simple helloworld example Facebook app. Basically I have a webpage that only contains one file, index.php, which only contains one line: echo "helloworld". I have registered this app as a Facebook app, configured the setting, canvas url to http://mydomain/..
I can load the page mydomain/index.php. However, when I load the page http://apps.facebook.com/appid, I got the following error:
The requested method POST is not allowed for the URL ...
I checked apache config, there is no or settings to prevent POST method.
Apache error log and access log do not say anything.
Do you have any clue how to fix this?
Thanks for your kind help!
The first request a Facebook app makes is a POST request. It seems your server is not accepting them. A common problem is having something like:
http://mydomain.com/index.html
Instead of
http://mydomain.com/index.php
Either way, check your HTTP logs; you will probably see an error (possibly 405) with more details.

Force the browser to send some HTTP request header

I need to include some secure (BASIC authentication) application.
When I open the application URL in the browser, the browser asks me to enter your credentials ...
What I know is that:
The browser asks the server to get some URL -- the URL of the app
The server checks the request header for the Authentication header and doesn't find it
The server sends 401 back to the browser
The browser interprets this response code into a message dialog that asks me to enter the username/password to send back to the server in the Authentication request header
So far... so good, I can write some page (in JSP) that sends this required HTTP request header to the request that is calling this page..
So I'll call this application through my page..
The problem here is, this application (in fact a GWT application) contains a reference to some Javascript and CSS files that are coming from the server that hosts this application. The application page that I import looks like:
<html>
<link href="http://application_host/cssfile.css" />
<link href="http://application_host/javascriptfile.js" />
.....
</html>
So, again I found the application asks me for the authentication credentials for the css and js files!
I am thinking of many solutions but don't know the applicability of each.
One solution is to ask the browser (via Javascript) to send the request header (Authentication) when it asks the server for the js and css files.
Please give me your opinions about that... and any other suggestions will be very welcome.
Thanks.
I think you're running into some weirdness with how your server is configured. Authentication happens in the context of an authentication realm. Your assets should either be in the same authentication realm as your page, or (more likely) should not require authentication at all. The browser should be caching credentials for the given realm, and not prompt for them again.
See the protocol example on http://en.wikipedia.org/wiki/Basic_access_authentication
Judging from your story, something tells me your problem is with the authentication method itself. Not how to implement it. Why do you want to bother with the request header so much?
As far as I know, you can configure your container (i.e. Tomcat) to force HTTP authentication for certain URLs. Your container will make sure that authentication has taken place. No need to set HTTP headers yourself whatsoever.
Perhaps you can explain a bit better what you are trying to achieve, instead of telling implementation details?
Why are the css & js files kept in a protected area of the server? You need to place the files in a public area of your server. If you don't have a public area, you need to provide one. How to do it depends on the server-side software architecture & configuration.
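
The exchange discussed in this thread, with both sides modelled, as an added example that is not part of the original posts. On the wire the server's challenge is the `WWW-Authenticate` header and the browser's reply is the `Authorization` header; the realm name, the `/static/` layout, the demo account and all function names are assumptions made for illustration.

```javascript
// Hypothetical layout: everything is protected except /static/ (paths assumed normalised).
const REALM = "app";
const USERS = new Map([["alice", "s3cret"]]); // constructed demo account, not a real store

function constantTimeEqual(a, b) {
  const x = Buffer.from(a), y = Buffer.from(b);
  let diff = x.length ^ y.length;
  for (let i = 0; i < x.length; i++) diff |= x[i] ^ (y[i % y.length] || 0);
  return diff === 0;
}

// Decode "Authorization: Basic base64(user:password)".
function parseBasic(header) {
  const m = /^Basic +([A-Za-z0-9+/=]+)$/i.exec(header || "");
  if (!m) return null;
  const decoded = Buffer.from(m[1], "base64").toString("utf8");
  const sep = decoded.indexOf(":"); // the password may itself contain ':'
  return sep < 0 ? null : { user: decoded.slice(0, sep), pass: decoded.slice(sep + 1) };
}

// Server side: public assets are served as-is, anything else needs valid credentials.
function respond(path, authorization) {
  if (path.startsWith("/static/")) return { status: 200, headers: {} };
  const cred = parseBasic(authorization);
  const expected = cred ? USERS.get(cred.user) : undefined;
  if (expected !== undefined && constantTimeEqual(cred.pass, expected)) return { status: 200, headers: {} };
  return { status: 401, headers: { "WWW-Authenticate": `Basic realm="${REALM}"` } };
}

// Browser side (simplified): credentials are remembered per realm, so the user is
// prompted once and every later 401 for that realm is retried silently.
function browse(paths, promptUser) {
  const cache = new Map(); // realm -> Authorization header value
  let prompts = 0;
  const statuses = paths.map((path) => {
    let res = respond(path, undefined);
    if (res.status === 401) {
      const realm = /realm="([^"]*)"/.exec(res.headers["WWW-Authenticate"])[1];
      if (!cache.has(realm)) {
        const { user, pass } = promptUser(realm);
        prompts += 1;
        cache.set(realm, "Basic " + Buffer.from(`${user}:${pass}`).toString("base64"));
      }
      res = respond(path, cache.get(realm));
    }
    return res.status;
  });
  return { prompts, statuses };
}
```

Calling `browse` with the page plus its css and js paths yields a single prompt whether the assets sit under `/static/` or in the same realm as the page, which is the behaviour the answers describe.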