I can see that when I issue an xhr from my chrome app that it sends some cookies, and these cookies are kept track of in the app. Servers sending set-cookie headers are updating them correctly. I need to read a cookie though, and I tried using the "cookies" permission but chrome yelled at me... Is there another api I can use?
edit: I am using the new packaged apps.
Cookies are apparently a dark area of Chrome Packaged Apps.
With Extensions, the extension shares the cookie jar with normal browsing activities. For Packaged Apps, each app has a separate jar.
The current behaviour seems to be that XHR requests to sites specified in the manifest in the permissions section do set cookies in this jar, but there is no way to get rid of them except reinstalling the app. There is no API for Packaged Apps to manage cookies, and their cookies do not show in Developer Tools or on the about://settings/cookies page.
The crbugs include:
https://code.google.com/p/chromium/issues/detail?id=70391
https://code.google.com/p/chromium/issues/detail?id=152758
https://code.google.com/p/chromium/issues/detail?id=157474
and these two issues filed in response to this SO question:
https://code.google.com/p/chromium/issues/detail?id=236585
https://code.google.com/p/chromium/issues/detail?id=335934
I had a similar issue where security restrictions on XHR in a packaged app with the chrome.socket API permission seemed overbearing. See Setting "unsafe" headers in packaged app XHR.
I ended up creating a "shim" xhr object for my use case, though it doesn't handle e.g. chunked encoding. You might find it useful: https://github.com/kzahel/jstorrent/blob/fresh/js/chromesocketxhr.js
I ended up filing a bug on crbug: https://code.google.com/p/chromium/issues/detail?id=335934
Related
My app can interact with Drupal API in the browser but not in the simulator and device. (Currently testing in iOS).
How can I fix it?
Everything is working fine in the browser but in the simulator/device, I get 403 forbidden access.
The problem that might cause it
I think the issue is with cookies? In Drupal, I have ini_set('session.cookie_samesite', 'none'); and it works. If I remove that, I get 403 forbidden access in the browser, simulator & device.
If I add that, it works on the browser but not in simulator/device.
How can I fix this?
Can I use https://ionicframework.com/docs/native/http/ instead of angular http service? Does it support withCredentials?
Thanks
I think you should use a different authentication method if you want to access the site from different devices. By default, Drupal has "SameSite" set to "Strict", I think. Setting SameSite to "None" means that other domains or devices can access the same cookies from your website.
I am using IdentityServer4 version 3.1.4 with .NET Core 3.1 hosted on Internet Information Service 10.
Everything worked fine until the latest update for Edge, Chrome, and other browsers.
Now IdentityServer4 only redirects to the client page after user login when I am using Firefox. Edge, Chrome, and others return a 302 code and go back to the IdentityServer4 user login page.
I read that it was due to the new cookie policy that Edge and Chrome enforce in their latest update.
I tried many solutions without success:
Set level of security headers
Enable Cors ...
Has anyone had the same problem? Did you manage to fix it?
Any idea is welcome
Please excuse my poor English
Do make sure you have set the SameSite cookie attributes to the correct values. Otherwise the cookies might be lost in the interaction between the client and IdentityServer. They should usually be set correctly in the code.
Do use a tool like Fiddler and inspect the requests to see if you lose any of the cookies on the way.
See this link about SameSite.
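The two answers above (the Drupal one about session.cookie_samesite and this one about IdentityServer cookies being "lost in the interaction") both come down to the same question: given a Set-Cookie header and the kind of request the browser is about to make, will the cookie be stored at all, and will it be attached? The following is an added example, not code from any of the posts, that parses Set-Cookie headers and applies the Chrome 80+ rules (missing SameSite is treated as Lax; SameSite=None is rejected unless Secure is also present; Lax cookies ride only on same-site requests and on top-level navigations with a safe method). The cookie names and the request context are constructed for the demonstration; the OIDC form_post callback is modelled as a cross-site, top-level POST, which is the case that silently drops a Lax correlation cookie.

```javascript
// Added example (not from the answers above): predict, under the Chrome 80+
// SameSite rules, whether a Set-Cookie is stored and whether it is attached
// to a given request.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; flag attributes (Secure, HttpOnly) become true.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf("=");
  if (eq < 1) throw new Error(`malformed cookie pair: ${parts[0]}`);
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    attrs: {},
  };
  for (const part of parts.slice(1)) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return cookie;
}

// Effective SameSite mode: the explicit value, or "lax" when absent/unrecognised
// (the Chrome 80+ default, which is what broke the flows described above).
function effectiveSameSite(cookie) {
  const raw = typeof cookie.attrs.samesite === "string" ? cookie.attrs.samesite.toLowerCase() : "";
  return raw === "none" || raw === "strict" ? raw : "lax";
}

// Chrome refuses to store a cookie that says SameSite=None without Secure.
function isAccepted(cookie) {
  return !(effectiveSameSite(cookie) === "none" && cookie.attrs.secure !== true);
}

// Would the stored cookie be attached to the request described by ctx?
// ctx = { sameSite: bool, topLevelNavigation: bool, method: string, https: bool }
function wouldBeSent(cookie, ctx) {
  if (!isAccepted(cookie)) return false;
  if (cookie.attrs.secure === true && !ctx.https) return false; // Secure cookies never go over http
  if (ctx.sameSite) return true;                                 // same-site: all modes allow it
  switch (effectiveSameSite(cookie)) {
    case "none":
      return true;
    case "strict":
      return false;
    default: // lax: cross-site only on a top-level navigation with a safe method
      return ctx.topLevelNavigation && SAFE_METHODS.has(ctx.method.toUpperCase());
  }
}

// Audit a list of Set-Cookie headers against one request context: name -> verdict.
function auditSetCookies(headers, ctx) {
  const report = {};
  for (const h of headers) {
    const c = parseSetCookie(h);
    if (!isAccepted(c)) report[c.name] = "rejected: SameSite=None requires Secure";
    else if (!wouldBeSent(c, ctx)) report[c.name] = `not sent: SameSite=${effectiveSameSite(c)} on this request`;
    else report[c.name] = "sent";
  }
  return report;
}

// Constructed sample headers (not captured from a real IdentityServer client).
const SAMPLE_SET_COOKIES = [
  ".AspNetCore.Correlation.oidc.abc=N; Path=/signin-oidc; Secure; HttpOnly; SameSite=None",
  ".AspNetCore.Correlation.oidc.def=N; Path=/signin-oidc; HttpOnly; SameSite=None",
  ".AspNetCore.Correlation.oidc.ghi=N; Path=/signin-oidc; Secure; HttpOnly",
];

// The form_post response from IdentityServer lands on the client as a
// cross-site, top-level POST over https (constructed context).
const FORM_POST_CALLBACK = { sameSite: false, topLevelNavigation: true, method: "POST", https: true };

console.log(auditSetCookies(SAMPLE_SET_COOKIES, FORM_POST_CALLBACK));
```

Only the first cookie survives the callback: the second is never stored, and the third is treated as Lax and withheld from the cross-site POST, which is exactly the symptom of being bounced back to the login page. One caveat the code does not model: Chrome temporarily exempts cookies younger than two minutes from the Lax-on-POST rule, so a flow can appear to work in testing and still fail for slower logins.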
So, I have this grade project where I have to do a mashup and deploy it on AppEngine. So, everything is fine, and I even got it working some months ago, but when I deployed the project again after doing some changes and updating the facebook api, it no longer works.
Thing is, it does works on localhost. The error only occurs when deployed. It's only a normal publish post POST.
So, here's the error:
The URL was blocked: Redirection has failed because the URI is not included in the application client's list of authorised OAuth URIs. Check that the OAuth access of both client and web is active and add all the domains of your apps as OAuth redirection URIs.
This was translated from Spanish so it might not be totally accurate.
So, it seems easy, but I don't really know if the problem is that I have to do something in the configuration of the AppEngine control panel (most likely), in the configuration of the Facebook API control panel, or if it's something in the project code. I've checked everywhere and have the faint memory of solving this several months ago, but I can't anymore.
Thanks!
For Facebook login, you need to tell Facebook the URI of the page that the login will start from. If you change the URI, then the login process will break. You can set the URI from this page:
https://developers.facebook.com/apps/1234567890/fb-login/
Except that you need your app id in there instead of 1234567890. You can get there from here:
https://developers.facebook.com/apps
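The check that produced the error in the question is an exact comparison of the redirect URI the app sends against the URIs registered for it, which is why a flow that works on localhost breaks the moment the same code runs on a different host. The following added example (not Facebook's code, and not from the question or answer) implements that kind of allowlist check the way RFC 6749 describes it, as a simple string comparison after URL normalisation, and reports which component (scheme, host, port, path, query) differs from the nearest registered entry. The allowlist entries and candidate URIs are constructed for the demonstration.

```javascript
// Added example: exact-match redirect URI allowlisting with a diagnostic for
// mismatches. Not the Facebook implementation; constructed sample data.

// Constructed allowlist: a local dev callback and the deployed AppEngine one.
const REGISTERED_REDIRECT_URIS = [
  "http://localhost:8080/fbcallback",
  "https://my-mashup.appspot.com/fbcallback",
];

// Break a redirect URI into comparable components. The WHATWG URL parser already
// lower-cases scheme and host and drops default ports, so "HTTPS://Host:443/x"
// and "https://host/x" canonicalise identically. Fragments are not allowed.
function canonicalRedirect(uri) {
  const u = new URL(uri); // throws on relative or malformed input
  if (u.hash) throw new Error("redirect URI must not carry a fragment");
  const scheme = u.protocol.replace(":", "");
  return {
    scheme,
    host: u.hostname,
    port: u.port || (scheme === "https" ? "443" : "80"),
    path: u.pathname,
    query: u.search,
    key: u.origin + u.pathname + u.search, // the string that is compared exactly
  };
}

// True only when the candidate matches a registered URI exactly after canonicalisation.
function isRegisteredRedirect(candidate, allowlist) {
  const key = canonicalRedirect(candidate).key;
  return allowlist.some((entry) => canonicalRedirect(entry).key === key);
}

// null when allowed; otherwise the closest registered entry and the components that differ.
function explainRedirectMismatch(candidate, allowlist) {
  const c = canonicalRedirect(candidate);
  if (allowlist.some((entry) => canonicalRedirect(entry).key === c.key)) return null;
  let best = null;
  for (const entry of allowlist) {
    const r = canonicalRedirect(entry);
    const diffs = ["scheme", "host", "port", "path", "query"].filter((f) => r[f] !== c[f]);
    if (!best || diffs.length < best.diffs.length) best = { registered: entry, diffs };
  }
  return best;
}

// Constructed candidates: the deployed URI, a staging host, and a trailing-slash variant.
const CANDIDATES = [
  "https://my-mashup.appspot.com/fbcallback",
  "https://staging-dot-my-mashup.appspot.com/fbcallback",
  "https://my-mashup.appspot.com/fbcallback/",
];

for (const uri of CANDIDATES) {
  console.log(uri, "->", explainRedirectMismatch(uri, REGISTERED_REDIRECT_URIS) ?? "allowed");
}
```

The diagnostic output is what you want to read before touching the app settings: a "host" difference means the deployed domain was never registered, while a "path" difference (a trailing slash, a renamed handler) means the code changed and the registration did not follow.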
I see a serious design issue with how chrome apps are closed and how JSession or other http cookies are maintained.
In our current Chrome App, we are hitting a Restful site (Site B) to fetch some information after authentication. Site B returns the Http only JSESSIONID cookie in the response.
Now there is no way that I can simply log out, or reload, or close=>open the Chrome App and use a different authentication to access Site B, because the Chrome App sends the same JSESSIONID again that was received during the previous authentication.
Even worse, even if I pass an authentication header with a wrong userid/password, that is also allowed, because as per the Java spec the JSESSIONID is given preference over the authentication header.
There is no way in a Chrome App that I can delete this HttpOnly JSESSIONID or restrict the Ajax call (XHR request) to avoid sending the JSESSIONID. Even if you pass a wrong JSESSIONID with the URL, that does not work, because as per the Java spec the JSESSIONID from the cookie is given precedence over the one in the URL.
Even if I consider all the above behaviour to be per the Java specs, then at least one would expect that the session cookies are automatically deleted when the Chrome App is closed or reloaded. But it seems that the session cookies are not deleted because the corresponding chrome.exe instance is still running in the background. Once you close all the Chrome browser instances and/or manually kill all the Chrome instances from the Task Manager and reload the app, only then does it work, because now the session cookies are removed.
Can someone help me find out the chrome app APIs or settings which
1) remove the session cookies when the Chrome app is closed and reloaded.
2) kill the chrome.exe instance when the Chrome app is closed.
I am not looking for any kind of manual process.
Thanks in advance.
Kanchan
I'm afraid you're hitting something that's known to be missing from Chrome Apps platform.
Namely, there are no methods for managing cookies for XHRs originating from a Chrome App. Here's a related issue, see comment #11 specifically.
As mentioned in the issue, it's extremely clumsy but you could try and use a <webview> tag and make requests from within it. The cookies in it do not persist and can be manually cleared.
I'm working on an iframe-style app that pulls the Facebook-optimized page available at http://store.starrco.com/?store_mode=facebook. I've done other, admittedly much simpler, iframe apps before without issue, but though I've configured this one more or less the same, when I try to view the canvas URL it remains blank.
My settings can be seen here: http://www.abstraktmg.com/clients/starrco/starrcofbsettings.jpg
I've tried a few different permutations of this with the same results, this is the most complete setup though and most closely matches the settings template I was given.
This page is being generated by Webasyst's shop-script, which is specifically supposed to support this. The obvious answer then is to contact their support which I did, but after assuring them that my app settings matched their template, they said I needed to contact Facebook support and this is as close as I could find to any proper support system.
I checked both http and https versions of store.starrco.com/?store_mode=facebook and both worked outside of facebook.
However, there may be some framebusting code which might prevent the site from being loaded in an iframe. And I see that your settings appear to be missing the app domain entry.
I ran into the same problem, especially in Chrome and Firefox. The problem is, when the user is surfing with https on Facebook, the https version of the iframe is called, but the browser does not show invalid certificate problems until you right-click for page information.
You need to have a signed SSL cert by a CA trusted in the browser.
If the user has accepted it without the iframe - outside of Facebook, it works.