How can I parse HTTP headers in a Chrome extension? - parsing

I'm working on a Google Chrome extension that does some processing based on HTTP response headers using the chrome.webRequest.onHeadersReceived event. I'm able to receive the headers, but the documentation seems to indicate that the headers are just represented as simple string name-value pairs.
The values for some HTTP headers, particularly Content-Type and Content-Disposition in my case, can store multiple pieces of information, including parameters with special mechanisms to escape characters. I want to be able to semantically interpret the header values rather than just see them as strings.
However, I don't want to have to write my own HTTP header value parsing code to meet the HTTP specifications and be able to cope with real-world values; I consider this an entire project of its own, and I want to focus on developing my extension.
How can I achieve this?

Related

WAF - 200003 Multipart Request Body Strict Validation

I have an application that was doing call to Azure Application Gateway and it was failing when the following rule was enforced:
RuleId: 200003
Description: Multipart Request Body Strict Validation
The call was to a PUT endpoint, passing 2 files in the body. Disabling this rule makes the call work.
Can't find a proper description about this rule. Just wondering if someone could provide more info about it? Is it safe to disable it?
I had this issue and MS support response was this is a bug and to disable the rule. See their response below.
I went through the WAF logs, and it seems we are hitting rule 200003 matching your request.
After investigation, there is basically a bug with this rule that is a new multipart formatting body check in 3.2. (it was only added a couple weeks ago).
What our expert says about is the following:
“This rule it's looking at the stream of the file and trying to determine if the formatting of the multipart request is valid. If it thinks it's not, the body check fails and the rest of the request can't be scanned. This particular rule causes a lot of false positives and should be disabled if that is the case here.
The 200002/200003/200004 family of rules are very difficult to workaround because they are looking at the formatting of the request, however, how the request is formatted is almost impossible to predict because the streaming of a file this way get encoded into a bunch of random chars, and if those chars break the typical formatting boundaries of a multipart request these rules will trigger. But.. since you can't predict how a file will get encoded during a stream, it's almost impossible to "fix" from a code /request level. Disable the rule the profit.“

Does YouTube Data API Client Library for Java implement optimize traffic using etags or gzip?

Does the YouTube Data API Client Library for Java use Etags and/or gzip, as described at Getting started page?
Documentation is short (only find java docs) and don't say anything about it, so i guess is just a wrapper.
Based from this link, Etags are supported by youtube but it depends on what kind of data you are asking.
To use the etag, create a header request and put "If-None-Match" equal to your etag value. Note this should be a request header and not appended to the endpoint call. You can also use "If-Match".
Depending on what kind of API you are using, the way of inserting a new value to the request header may differ slightly. The ETag response-header field provides the current value of the entity tag for the requested variant.
You may also check on this related thread.

How can I give the response file of a universal HTTP request a unique name?

I've developed an HTTP API Server (intended to be called by third-party applications, not necessarily by a web browser) which has one universal call to get (download) any and all types of files by passing a name parameter in the query string for the file requested. All calls, no matter for which file, are handled in the same custom request handler of mine called Get (not to be confused with the standard HTTP get). A query string includes a property name which identifies the unique file to get.
So a request may look like:
http://MyServerURL.com/Get?Key=SomeAPIKeyForAuthentication&Name=SomeUniqueIdentifier
First of all, I know I can obviously make the server fetch a file using only the URI, for example...
http://MyServerURL.com/SomeUniqueIdentifier?Key=SomeAPIKeyForAuthentication
...but the design is specifically meant to use this one universal get command, so I need to keep this unique identifier in the query string. The actual applications which connect to this API will never need to know this filename, but there may be an event when a URL is manually provided for someone to open in their browser to download a file.
However, whenever a file is downloaded through a web browser, since the call is get, the saved filename also winds up being just get.
Is there any trick in HTTP which I can implement on my server which will force the downloaded filename to be the unique identifier, rather than just get? For example, some method such as using re-direct?
I'm using Indy 10 TIdHTTPWebBrokerBridge in Delphi XE2 as the web server. I'm looking for a way in this component (technically in its corresponding TWebModule handler) when it handles this get request, to make the response's filename whatever string I want (in this case, SomeUniqueIdentifier). I've heard the term "URL Re-writing" but that's a rather different topic, and don't think it's what I need, yet it might.
That seems to a rather long winded way of saying you want to set the filename for an HTTP download indpendently of the URL used to fetch it. In which case you simply send a Content-Dispositon header specifying the desired filename. See section 19.5.1 of rfc 2616
e.g.
Content-Disposition: attachment; filename="stackoverlow.ans"

JSON Vs JSONP Vs CORS

Can anyone help me in understanding the differences between JSON, JSONP & CORS, from an asp.net MVC perspective?
JSON is a data format, while JSON-P and CORS are mechanisms/protocols for making cross-domain requests for data.
JSON is a format for representing data. It was first defined in JavaScript, but has grown to become a de facto way for APIs to represent data. Most languages have libraries for parsing JSON. You can learn more about this format here: http://json.org/. Here's an example JSON object:
{
"key": "value"
}
JSON-P is a mechanism for loading data in JavaScript. It bypasses the browser's same-origin policy in order to load data from another domain. It does this by embedding a JavaScript script on the page. This script calls out to the remote domain, which returns data wrapped in a JavaScript function. When this function returns to the browser, it is executed, which allows the calling code to access the data.
Note that while the name has the word "JSON", JSON-P doesn't necessarily have to work with JSON. For example, it could return a string or any other valid JavaScript data type back to the user.
Note that while JSON-P works in every browser, it is a hack to get around the browser's same-origin policy, and it has some limitations. For example, it can only issue a GET request, and the caller doesn't have access to the response headers. Since it is custom to browsers and JavaScript, JSON-P is not really appropriate for accessing data from other languages, like server-side Python.
You can learn more about JSON-P here: http://en.wikipedia.org/wiki/JSONP
CORS is a standardized mechanism for making cross-domain requests. It is supported in most modern browsers. The client uses the standard XmlHttpRequest object to make a CORS request. Upon receiving the request, the server decides whether the cross-domain request is allowed. If it is allowed, the server issues special headers that allows the response to be passed on to the client.
You can find the CORS spec here: http://www.w3.org/TR/cors/
You can learn more about how to use CORS here: http://www.html5rocks.com/en/tutorials/cors/
All these technologies are independent of ASP.NET MVC. If you'd like to use these technologies, you should first ask yourself "Do I need to access data across domains?" If the answer is "yes", you should then ask "What browsers/platforms do I need to support?" If your answer is "most modern browsers", then you should consider implementing CORS. Otherwise you should use JSON-P
CORS is a specification which has nothing to do with JSONP beyond making it obsolete in newer browsers. It enables cross-domain requests using ordinary XMLHttpRequest calls.
Here's an overview of how it works and how to use it. It can be used in Firefox 3.5+, Safari 4+, Chrome 3+, Internet Explorer 8+, and anything else using one of the same engines.
for details go on reading
http://json-p.org/

Using NSURLConnection with URL's with illegal characters

I have to call a third party webservice that expects and only accepts illegal characters (according to the RFC) in it's param string, like the below.
http://example.com?param1={foo=bar}
In this example the braces are the illegal characters, and should be encoded, however this webservice will not accept the parameters if these characters have been encoded.
NSURL correctly doesn't allow me to create a NSURL object with the URLWithString method, return nil using a string like the example.
The webservice is provided by a large corporate entity, so changing it would require submitting a bug report to them, which may or may not be actioned soon, if at all, especially considering that the API works as is.
My question is what are some possible solutions to this problem, that i can implement, without changing the Webservice.
Current ideas (downsides)
Using CFStream to craft custom HTTP requests (Horrifically large amount of work)
Using a webbased proxy that could send the request on my application's behalf (Additional external dependency)
Thanks
What you are trying to do is impossible. You need to URL-encode these characters and the server will then automatically decode them.
If you could somehow hack NSURL there would be still many parts of the whole process that would choke on a malformed URL.

Resources