Impossible to cross site ajax api calls in a chrome extension? - ruby-on-rails

I am trying to create a Chrome extension that calls my Rails app's API. Currently the API returns JSON and it works fine; however, when I try to build it into a Chrome extension, it says:
Refused to load script from 'http://mysite.com/demo?q=hello?callback=jQuery16409466155741829425_1342489669670&_=1342489677171' because of Content-Security-Policy.
I looked up the document http://code.google.com/chrome/extensions/contentSecurityPolicy.html and it sounds like I can't do this unless I implement an https version of my site (under the "Relaxing the default policy" section). I am not sure if I understood correctly, and it feels ridiculous to make such a big change just because of this. Have I misunderstood? Or is there a workaround for this? Thank you.

In a Chrome extension, cross-site XMLHttpRequests are allowed, provided that you define the source in the manifest file - see http://code.google.com/chrome/extensions/xhr.html.
A JSONP implementation loads an external script using the <script> tag, and inserts it in the document. Unless the source is whitelisted through the "content_security_policy" entry, JSONP cannot be used when manifest version 2 is active (do not use manifest v1 to overcome this, because it's deprecated, and a suitable alternative already exists).
When you're unable to receive a JSON response instead of JSONP, use an ordinary request to fetch the data, cut off the callback, then parse it. E.g.:
// response is the response from the server
// Received through `XMLHttpRequest`, jQuery.ajax, or whatever you used
// cuts off jQuery....( and the trailing )
response = response.replace(/^[^(]*\(/, '').replace(/\);?$/, '');
// what is left is plain JSON text; parse it as data rather than running it as a script
var data = JSON.parse(response);
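
Worked example of the unwrap-then-parse approach described above. This is added code, not part of the original answer; the sample response body is constructed to match the jQuery-style callback name from the question, and the function and constant names are my own.

```javascript
// Added example (not from the original answer): unwrap a JSONP response body
// and parse it as data with JSON.parse, instead of letting it run as a script.
// In an extension the request itself goes through XMLHttpRequest, which is
// permitted for any host listed under "permissions" in the manifest.

// Strip "callbackName(" ... ")" plus an optional trailing ";" and an optional
// "/**/" prefix that some servers prepend. Plain JSON passes through untouched.
function stripJsonpWrapper(body) {
  const text = body.trim();
  if (text.startsWith('{') || text.startsWith('[')) {
    return text; // already plain JSON
  }
  const m = /^(?:\/\*\*\/)?\s*[\w$.]+\s*\(([\s\S]*)\)\s*;?$/.exec(text);
  if (!m) {
    throw new Error('response is neither JSON nor a JSONP callback call');
  }
  return m[1];
}

// JSON.parse rejects anything that is not a JSON value, so a body such as
// "cb(alert(1))" becomes a SyntaxError rather than executed code.
function parseJsonpResponse(body) {
  return JSON.parse(stripJsonpWrapper(body));
}

// Constructed sample: the shape of the jQuery-style callback from the question.
const SAMPLE_JSONP =
  'jQuery16409466155741829425_1342489669670({"q":"hello","results":[1,2]});';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(parseJsonpResponse(SAMPLE_JSONP));
}
```

The point of going through JSON.parse is that the remote body is treated purely as data: a JSONP endpoint normally executes whatever the server sends, whereas here a body that is not valid JSON is rejected with an error.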

By default, browsers do not allow this because of the same-origin policy.
However, you can get around this by making a JSONP request.
As you're using jQuery, this is super easy with the getJSON method.

Related

IIS 10.0 adding disallowed headers to responses on API calls

I have an IIS 10.0 server, and I'm seeing that some disallowed headers [Pragma, Expires] are still getting added, but they are only being added to API endpoints, not when static content is getting retrieved. These headers are not being set in the code. I've followed the recommended approach to remove the headers from IIS (adding the remove element to configuration\system.webServer\httpProtocol\customHeaders), and when debugging, I do not see these headers in the HTTP response before it gets sent back to the caller. I would like to remove these headers from the response, but have no idea how to figure out where they are being set. Any pointers?
To extend the comment above:
The key to troubleshooting such issues is to know the source of the headers, so enabling Failed Request Tracing is the quickest way.
If you find that the headers (such as ASP.NET and so on) are set by IIS default modules, you know that you should refer to IIS documentation to locate the settings and turn them off.
In your case, FRT reveals the headers come from a third party module, so you will need to check what settings the vendor provides in documentation.
Note that even if you cannot find vendor settings to turn them off, you might still be able to remove them in several ways such as removing such headers in URL Rewrite outbound rules.

Zapier code XMLHttpRequest() says XMLHttpRequest is not defined

Hello, I want to make a request to an XML file for a value I want in Code by Zapier, but I get the error "XMLHttpRequest is not defined". I also tried var XMLHttpRequest = require("xmlhttprequest").XMLHttpRequest; but it says Error: Cannot find module 'xmlhttprequest'.
While XMLHttpRequest is available in most browsers, it is not distributed in Node, which is what the Code action is using. Specifically, the JavaScript code action is running in a Node v10.x.x environment. You can see all of the commands and methods supported by that environment here:
https://node.green/
The JS environment does support the Fetch library for making requests. Perhaps you can look into making this work?
https://github.com/node-fetch/node-fetch
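
Worked example of the fetch-based replacement the answer points at. This is added code, not from the original answer or from Zapier; the fetch implementation is passed in as a parameter so the same function runs with require('node-fetch') on Zapier's Node 10, with the built-in fetch on Node 18+, and offline against a stub. The XML document, URL, element names and helper names are constructed for the example.

```javascript
// Added example (not from the original thread): fetch an XML document from
// Node, where XMLHttpRequest does not exist, and pull one element's text.

// Extract the text of the first <tag>...</tag> element. This is a deliberately
// small helper for simple XML; for anything complex use a real XML parser.
function extractXmlValue(xml, tag) {
  // Only accept a plain element name, so the tag cannot alter the pattern.
  if (!/^[A-Za-z_][\w.-]*$/.test(tag)) {
    throw new Error('invalid element name: ' + tag);
  }
  const re = new RegExp('<' + tag + '(?:\\s[^>]*)?>([^<]*)</' + tag + '>');
  const m = re.exec(xml);
  if (!m) return null;
  // Undo the escapes that can appear in element text (&amp; last).
  return m[1]
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"').replace(/&apos;/g, "'")
    .replace(/&amp;/g, '&')
    .trim();
}

// fetchImpl: require('node-fetch') on Zapier (Node 10), or the global fetch
// on Node 18+ when nothing is passed.
async function getXmlValue(url, tag, fetchImpl) {
  const doFetch = fetchImpl || globalThis.fetch;
  if (typeof doFetch !== 'function') {
    throw new Error('no fetch available: pass require("node-fetch") as fetchImpl');
  }
  const res = await doFetch(url, { headers: { Accept: 'application/xml' } });
  if (!res.ok) throw new Error('HTTP ' + res.status + ' fetching ' + url);
  return extractXmlValue(await res.text(), tag);
}

// Constructed stub standing in for the network, so the example runs offline.
const SAMPLE_XML =
  '<?xml version="1.0"?><rates><base>EUR</base><rate currency="USD">1.09</rate></rates>';
function stubFetch(url) {
  return Promise.resolve({ ok: true, status: 200, text: () => Promise.resolve(SAMPLE_XML) });
}

// Shape of a Code by Zapier step: inputData in, an output object out.
async function zapierStep(inputData, fetchImpl) {
  const value = await getXmlValue(inputData.url, inputData.tag, fetchImpl);
  return { value };
}

if (typeof require !== 'undefined' && require.main === module) {
  zapierStep({ url: 'https://example.invalid/rates.xml', tag: 'rate' }, stubFetch)
    .then((out) => console.log(out));
}
```

In the real Zapier step you would call zapierStep(inputData, require('node-fetch')) and return its result; the stub only exists so the parsing and error handling can be exercised without a network.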

How do I handle post requests from my dart app ran from the dart editor?

I have code that looks something like this (_http is the angular Http object):
var httpFuture = _http.post('/api/items', {
  'ids': JSON.encode(new List.from(nonLoadedIds))
});
httpFuture.catchError((e) {
  Logger.root.severe('Unable to load items!', e);
});
It is making a POST request to load a bunch of things, potentially more IDs than an HTTP GET header can handle.
The nice development experience would be if I could fire up the dart editor, mock up some fake response data, run my app, and see the data in the end. I would also accept being able to start up a separate web app and somehow proxy my post requests to that web app.
What I don't want to do is change my '/api/items' into something like 'http://localhost:8084/api/items', mostly because I don't want to have to remember to replace these before deploying (I know I'll forget), and while doable, I don't want to implement CORS on my server just to have to remember to disable it when I deploy to production.
But really, I would accept just about any workflow if it is recommended. I just would like to eliminate any manual code transformations pre production deploy.
The suggested approach is to use a simple proxy server which forwards to pub serve.
See for example https://code.google.com/p/dart/issues/detail?id=18039
This issue contains the source code for a simple custom proxy server example https://code.google.com/p/dart/issues/detail?id=15731
See also:
Dart: How to use different settings in debug and production mode?
How to achieve precompiler directive like functionality
Is there a compiler preprocessor in Dart?

Missing 'onload.js' file breaks Chrome Extensions OAuth

I am going through the process of updating a Google Chrome extension from Manifest v1 to Manifest v2. I won't say that things have been going swimmingly, largely due to outdated documentation at Google's own Chrome Extensions website.
Here is the latest:
Google's documentation for using OAuth from within an extension tells me to include the following three files in my manifest:
chrome_ex_oauth.html
chrome_ex_oauth.js
chrome_ex_oauthsimple.js
The first of these files, chrome_ex_oauth.html, is basically the redirect page that is opened when an extension first uses OAuth to get an initial request token. In the updated version of this very spare webpage, the head section lists three JavaScript files to load: the two listed above, and one called:
onload.js
When chrome_ex_oauth.html is opened by my extension, I get no indication of errors beyond a failure to load the non-existent 'onload.js' file. Clearly, I am missing something here. The OAuth sequence never succeeds in completing, and indeed there is no indication that it is ever initiated.
Does anybody know what I'm doing wrong?
After posting this question, I compared the old and new versions of chrome_ex_oauth.html. I saw that in the former, while there was no mention of the onload.js script, there was the following in the head:
<script type="text/javascript">
  function onLoad() {
    ChromeExOAuth.initCallbackPage();
  }
</script>
This function was called inline:
<body onload="onLoad();">
...
As of Manifest v2, it is my understanding that inline JavaScript is strictly prohibited, so this couldn't fly. A call to load onload.js was added to the document head instead. It looks as if a link to the actual file in Google's documentation was overlooked. It's easy enough to write, but here is what I put in onload.js:
window.onload = function() { ChromeExOAuth.initCallbackPage(); };
After that, the redirect worked just fine and I was able to complete the OAuth process.
Let me know if it doesn't work for you.

shellexecute fails to open http links for some users

Some users of an app of mine are reporting that links don't open in the browser. I always launch them with ShellExecute(0, 'open', 'http://...
What could I check for an incorrect(?) setting in the http link associations?
You're assuming that the browser registered the open verb. It may not have done so.
Just pass nil as the second parameter and omit the open, and let the OS determine what the default action is for the http:// protocol, and you should be fine.
Sounds like the default browser is not functioning quite right. I guess the first thing I would try is to have them enter a URL (any URL) into Start -> Run and see if that pops up.
You could also have them register what the settings on the URL below are:
http://russenreaktor.wordpress.com/2010/07/01/solved-fix-default-protocol-http-association-in-windows/
Or use the ftype utility on the command line:
C:\Users\marco>ftype http
http="C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
These operate on registry keys under HKEY_CLASSES_ROOT/protocolname with protocolname=http/ftp etc.
Making a simple app to dump these keys might help finding out what the pattern here is.
FYI, this failure can be dynamic, i.e., the old MS PhotoEditor would block opening URLs using ShellExecute (cf. http://code.activestate.com/recipes/334665/). The fix is as noted in the recipe: write out an .HTML file and ShellExecute that.