Disable security in WebEngine (Allow cross-origin AJAX)
Hi all,
I'm playing around with various combinations of Javascript and JavaFX and I've run into a snag. I'd like to disable security in the WebEngine so that Javascript is able to perform cross-domain AJAX requests. I'm loading the HTML file straight from the JAR file so I don't think I can use the "Access-Control-Allow-Origin: *" header to do this the usual way.
In my searching, I've found the Cocoa's wrapper of webkit (the WebView class) allows this functionality via the WebPreferences class. A sample snippet of this:
NSString* noSecurityPreferencesId = @"noSecurity";
WebPreferences* prefs = [[WebPreferences alloc] initWithIdentifier: noSecurityPreferencesId];
[prefs setWebSecurityEnabled: false];
[webView setPreferencesIdentifier: noSecurityPreferencesId];
Is there similar functionality in JavaFX's WebEngine?
Thanks for any tips.
-Steve
I tried setting values for network.http.referer.XOriginPolicy, but it was not working. Can you tell me the values that relate to this parameter? I wasn't able to find references.
Thank you for your reply.
Similar Messages
-
I have a simple Java HttpServlet and a simple JSP page. They are both served by a WebSphere Application Server at port 80 on my local host. I have created a TCP/IP Monitor at port 8081 in
Eclipse IDE so as to create a second origin. The protocol output further down comes from this monitor. This should work equally well on a simple Tomcat server.
When I perform the cross-origin resource sharing test, I see that all of the correct TCP data is exchanged between Firefox and the web server (i.e. HTTP OPTIONS and its response followed by an HTTP POST and its response) but the data in the body of the POST response is never passed to the XMLHttpRequest javascript object's responseText or responseXML variables and I get a status equal to 0. If I click the button while pressing the keyboard control key then the test will work as it will not be performed as a cross-origin request.
Here are all of the files used in this test:
Servlet Cors.java
<pre><nowiki>--------------------------------------------------------------------------------------
package example.cors;

import java.io.IOException;
import java.util.Enumeration;
import javax.servlet.Servlet;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Servlet implementation class Cors
 */
public class Cors extends HttpServlet {
    private static final long serialVersionUID = 1L;
    private static final String APPLICATION_XML_VALUE = "application/xml";

    /**
     * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
     */
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        doPost(request, response); // do the same as on the post
    }

    /**
     * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)
     */
    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        response.setBufferSize(1024);
        response.setContentType(APPLICATION_XML_VALUE);
        response.setStatus(HttpServletResponse.SC_OK);
        String xml="<?xml version=\"1.0\"?>\n<hello>This is a wrapped message</hello>";
        response.setContentLength(xml.length());
        response.getWriter().append(xml);
        response.getWriter().close();
    }

    /**
     * @see HttpServlet#doOptions(HttpServletRequest, HttpServletResponse)
     */
    @SuppressWarnings("unchecked")
    protected void doOptions(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        // Echo the Origin value(s) of the request back as the allowed origin
        Enumeration<String> headers=request.getHeaders("Origin");
        StringBuffer sb=new StringBuffer();
        while (headers.hasMoreElements()) {
            String o=headers.nextElement();
            if (sb.length()!=0) sb.append(", ");
            System.err.println("Origin= "+o);
            sb.append(o);
        }
        response.addHeader("Access-Control-Allow-Origin", sb.toString());
        response.addHeader("Access-Control-Allow-Methods","POST, GET, OPTIONS");
        // Echo the requested header names back, upper-cased
        sb=new StringBuffer();
        headers=request.getHeaders("Access-Control-Request-Headers");
        while (headers.hasMoreElements()) {
            String o=headers.nextElement();
            if (sb.length()!=0) sb.append(", ");
            System.err.println("Access-Control-Request-Headers= "+o);
            sb.append(o);
        }
        response.addHeader("Access-Control-Allow-Headers", sb.toString().toUpperCase());
        response.addHeader("Access-Control-Max-Age", Integer.toString(60*60)); // 1 hour
        response.addHeader("Content-Type","text/plain");
        response.addHeader("Allow", "GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS");
        response.getWriter().print("");
    }
}
And a simple JSP page test.jsp:
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<%
String url ="http://localhost:8081/cors/ping";
String url_ctrl="http://localhost/cors/ping";
%>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Test CORS</title>
<script type="text/javascript">
var invocation;
var method='POST';
var body = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?><hello>Today</hello>";
var buttontest2_label="Direct AJAX call";
function callOtherDomain(event){
    invocation = new XMLHttpRequest();
    if(invocation) {
        var resultNode = document.getElementById("buttonResultNode");
        var resultMessage = document.getElementById("buttonMessageNode");
        resultNode.innerHTML = "";
        document.getElementById("buttontest2").value="Waiting response...";
        var url;
        // Holding the control key selects the same-origin URL
        if (event.ctrlKey) url="<%=url_ctrl%>";
        else url="<%=url%>";
        resultMessage.innerHTML = "Sending "+method+" to URL: "+url;
        invocation.open(method, url, true);
        // invocation.withCredentials = "true";
        invocation.setRequestHeader('X-PINGOTHER', 'pingpong');
        invocation.setRequestHeader('Content-Type', 'application/xml');
        invocation.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
        invocation.onerror = function(errorObject) {
            display_progress(resultMessage, "***** error occured=" +errorObject);
        };
        invocation.onreadystatechange = function() {
            display_progress(resultMessage, "onreadystatechange="+invocation.readyState+", status="+invocation.status+", statusText="+invocation.statusText);
            if(invocation.readyState == 4){
                document.getElementById("buttontest2").value=buttontest2_label;
                display_progress(resultMessage, "responseText="+invocation.responseText);
                resultNode.innerHTML = "Response from web service='"+invocation.responseText+"'";
            }
        };
        invocation.send(body);
    }
}
function display_progress(node, message) {
    node.innerHTML = node.innerHTML + "<br>" + message;
}
</script>
</head>
<body>
<p>The button will create a cross site request (Use the control key to disable this, i.e. no cross site request)</p>
<p><input type="button" id="buttontest2" onclick="callOtherDomain(event)" name="buttontest2" value="Waiting for page load..."></p>
<p id="buttonMessageNode"></p>
<p id="buttonResultNode"></p>
<script type="text/javascript">
document.getElementById("buttontest2").value=buttontest2_label;
</script>
</body>
</html>
When I click on the Direct AJAX call button, I get the following output on my page:
The button will create a cross site request (Use the control key to disable this, i.e. no cross site request)
Sending POST to URL: http://localhost:8081/cors/ping
onreadystatechange=2, status=0, statusText=
onreadystatechange=4, status=0, statusText=
responseText=
***** error occured=[object ProgressEvent]
Response from web service=''
Here is the HTTP traffic produced:
HTTP REQUEST
OPTIONS /cors/ping HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Origin: http://localhost
Access-Control-Request-Method: POST
Access-Control-Request-Headers: content-type,x-pingother,x-requested-with
Pragma: no-cache
Cache-Control: no-cache
POST /cors/ping HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
X-PINGOTHER: pingpong
Content-Type: application/xml; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://localhost/cors/client/test.jsp
Content-Length: 75
Origin: http://localhost
Pragma: no-cache
Cache-Control: no-cache
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><hello>Today</hello>
HTTP RESPONSE
HTTP/1.1 200 OK
Access-Control-Allow-Origin: http://localhost
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Headers: CONTENT-TYPE,X-PINGOTHER,X-REQUESTED-WITH
Access-Control-Max-Age: 3600
Content-Type: text/plain;charset=ISO-8859-1
Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS
Content-Language: en-CA
Content-Length: 0
Date: Wed, 11 Jul 2012 17:50:10 GMT
Server: WebSphere Application Server/7.0
HTTP/1.1 200 OK
Content-Type: application/xml
Content-Length: 62
Content-Language: en-CA
Date: Wed, 11 Jul 2012 17:50:10 GMT
Server: WebSphere Application Server/7.0
<?xml version="1.0"?>
<hello>This is a wrapped message</hello>
--------------------------------------------------------------------------------------</nowiki></pre>
No errors in error console. No effect using *. I tried using the DNS name of my localhost both in the Firefox URL and in the JavaScript and I get exactly the same. I have spent a huge amount of time looking into this issue.
One thing I noticed is that if I use the examples on the internet (http://arunranga.com/examples/access-control/preflightInvocation.html or http://saltybeagle.com/cors/) they work in the same browser. These examples however, are accessed through HTTP proxies.
I am wondering if the issue has to do with using the same hostname just with different ports. -
Restrict cross CO area postings and allow cross company code postings
" There are two Controlling areas CA01 and CA02, for the controlling area CA02 the field CO code validation is inactive to allow cross company code postings ie., (Cost center created in one company code can be used as cost object in other company code ) Also this allows any WBS element created in controlling area CA01 as cost object in any of the company codes assigned in controlling area CA02,
Due to usage of WBS element which is created in CA01 controlling area as cost object in company code belongs to controlling area CA02, business is facing problem while doing the settlement run with error message " Document data for list of origins does not exist"
So, I have activated the field Co code validation in the controlling area CA02, which stopped the usage of WBS element between controlling areas. Also this had restricted usage of cost object between company codes with in controlling area CA02.
Now is there any way to allow cost object usage between company codes assigned in one controlling area (CA02) and restrict usage of WBS element created in controlling area CA01 in any company code assigned in controlling area CA02?
Hi,
As you have already activated the Co Code validation you can't restrict that only to WBS. But you can have another option
Use the validation process to restrict these errors
This may help
Regards
Shantanu -
I am trying to access Morningstar through my Hennepin County Library Account. When I do so, I get this message:
Sorry, we were not able to authenticate you for access to this resource. Please adjust your Internet Security software to allow referring URLs.
How do I do this?
Hello,
'''Try Firefox Safe Mode''' to see if the problem goes away. Safe Mode is a troubleshooting mode, which disables most add-ons.
''(If you're not using it, switch to the Default theme.)''
* You can open Firefox 4.0+ in Safe Mode by holding the '''Shift''' key when you open the Firefox desktop or Start menu shortcut.
* Or open the Help menu and click on the '''Restart with Add-ons Disabled...''' menu item while Firefox is running.
''Once you get the pop-up, just select "'Start in Safe Mode"''
'''''If the issue is not present in Firefox Safe Mode''''', your problem is probably caused by an extension, and you need to figure out which one. Please follow the [[Troubleshooting extensions and themes]] article for that.
''To exit the Firefox Safe Mode, just close Firefox and wait a few seconds before opening Firefox for normal use again.''
''When you figure out what's causing your issues, please let us know. It might help other users who have the same problem.''
Thank you. -
So what is up with this error message in Muse?
MuseJSAssert: Error calling slector function:SecurityError: Failed to read the ‘contentDocument’ property from ‘HTMLIFrameElement’: Blocked a frame with orign “null” from accessing a cross-origin frame.
This is a genuine security error generated by the browser when viewing a page with iFrame content locally.
Please refer to Zak's reply in the following thread: https://forums.adobe.com/message/6496180#6496180
Cheers,
Vikas -
Hi,
I have VS2013 update 4 and IE11 installed. When I try to sign in through VS I get the following error.
SP324081: Check that your Internet Explorer security settings will allow JavaScript and cookies. If enabled, please contact support.
I have checked and JAVASCRIPT and cookies are enabled.
Any help is appreciated.
Hi Sath12,
If possible, I suggest you reset IE settings.
Please lower the security level. Then I added the site like https://*.visualstudio.com/ to the trusted zones. Test it again.
I have met this issue before which was related to the IE settings or the account issue.
https://social.msdn.microsoft.com/Forums/sqlserver/en-US/290948f6-b4ca-41e3-9888-91fbbc71cdeb/cannot-register-sign-in-from-vs-express-2013?forum=visualstudiogeneral
A connect report still shared some information about it:
https://connect.microsoft.com/VisualStudio/feedback/details/811860/vs-express-2013-for-web-browser-is-security-restricted-or-javascript-is-disabled
Best Regards,
Jack
-
Just installed CS6 and trying to update, Windows 8.1 tried disabling security still not updating. Version 13.0 any suggestions ? Thank you
Once in awhile, they do have bug fixes for CS6. The only thing I can think of that was an upgrade for CS6 was a newer version of camera raw. For now they are allowing CS6 to have the latest version of camera raw, but when they are done with supporting CS6, I imagine that will be the last of the upgrades. I don't know of any dates, but I heard it wasn't for a long time if at all. So I guess we will all have to wait and see.
As for getting updates, I think you will like the manager. It makes it much easier. Frankly I didn't know the manager worked on the perpetual license. I knew it worked on the subscription. So it is good to know that it works for you as well. -
We have lots of form field validations in our newScale instance, for which we rely upon external applications.
I am using http://ajax.googleapis.com/ajax/libs/dojo/1.6.0/dojo/dojo.xd.js for making cross domain ajax.
Now there are multiple issues that I am facing & need a better approach -
1. This works great in IE 8 & 9 but pops up a security warning which is kind of annoying to the end user.
2. Never works on Firefox.
Has someone faced a similar issue or have a better solution w.r.t newScale environment, please share the details.
Thanks,
Abhishek
Hi vmishr11,
When you use SP.RequestExecutor, it will execute asynchronously to get data from the host web. It is used like below:
var executor = new SP.RequestExecutor(appweburl);
executor.executeAsync({
    url:
        appweburl +
        "/_api/web/lists/getbytitle('Announcements')/items",
    method: "GET",
    headers: { "Accept": "application/json; odata=verbose" },
    success: successHandler,
    error: errorHandler
});
For SP.AppContextSite, it will execute in order to get data.
Here is a detailed article for your reference:
How to: Access SharePoint 2013 data from apps using the cross-domain library
Best Regards
Zhengyu Guo
TechNet Community Support -
SharePoint Online cross-origin framing, changing page in autohosted MVC app
Hi
I have created SharePoint Autohosted app on MVC5 template. I have created a controller and the Index view associated with it. The view is responsible for showing the user a list of announcements, taken from database and passed to the view through the model.
In the layout page for this view I have the link for Create Announcement view which is in the same Announcements folder, and the same controller is responsible for showing it. When I include the app in the page using Client Web Part the Index view is showing
correctly, and I can see the hyperlinks to Create Announcement page. When I click the link I am presented with blank page within the webpart container and in Firebug I can see:
Load denied by X-Frame-Options: https://GUID.o365apps.net/Announcements/Create?SPHostUrl=site_collection_address does not permit cross-origin framing.
Why? This is the same domain, right?
I have already tried <webpartpages:allowframing runat="server" /> and httpmodules. Those do not work. BTW Why?
I am really frustrated, please give me some advice what to do.
Thanks in advance
Alright, this is freaking ridiculous. I have found the issue after 8 hours of digging in this mud. This little jebaka was in the Create view markup:
@Html.AntiForgeryToken()
And this also has to be thrown out as far as possible:
[ValidateAntiForgeryToken]
from every method which is decorated with it (ie. all POST methods)
I know, I know, security blah blah blah.
If the app is not working at all, there is no need for security.
I still hope for a word of explanation from someone from M$. I would really be pleased to know how should it be done in the right way. -
Hello. I added custom http response headers to my SP site web config file as follows:
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Methods" value="POST,GET,OPTIONS" />
<add name="Access-Control-Allow-Origin" value="*" />
<add name="Access-Control-Allow-Headers" value="Content-Type,Authorization" />
</customHeaders>
</httpProtocol>
When I try to call any web service, I get these headers two times each:
HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Transfer-Encoding: chunked
Content-Type: application/atom+xml;type=entry;charset=utf-8
Expires: Sat, 01 Mar 2014 19:11:37 GMT
Last-Modified: Sun, 16 Mar 2014 19:11:37 GMT
ETag: "3"
X-SharePointHealthScore: 0
SPClientServiceRequestDuration: 20
SPRequestGuid: b4e77d9c-bfc3-a050-493a-ca5d251d1a72
request-id: b4e77d9c-bfc3-a050-493a-ca5d251d1a72
X-FRAME-OPTIONS: SAMEORIGIN
Persistent-Auth: true
Access-Control-Allow-Methods: POST,GET,OPTIONS
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Content-Type,Authorization
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Access-Control-Allow-Methods: POST,GET,OPTIONS
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Content-Type,Authorization
MicrosoftSharePointTeamServices: 15.0.0.4569
Date: Sun, 16 Mar 2014 19:11:37 GMT
and that gives me error from ajax: The 'Access-Control-Allow-Origin'
header contains multiple values '*, *', but only one is allowed. Origin 'null' is therefore not allowed access.
Any idea???
Hi Ann,
Please check whether there are duplicate custom headers in your code.
Similar issue for your reference:
http://social.msdn.microsoft.com/Forums/office/en-US/b79b75f4-b46b-46ae-ae29-17a352b6b90b/custom-http-response-headers-for-sp-2013-shown-2-times?forum=sharepointdevelopment
Regards,
Rebecca Tu
TechNet Community Support -
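The two captures above (the Firefox/WebSphere exchange in the servlet thread and the doubled headers in the SharePoint thread) can be replayed against the checks a browser applies before it lets script read a cross-origin response. This is an added example, not code from any of the posts; the function names are illustrative, the SharePoint request method is assumed to be GET, and credentials mode is not modelled.

```javascript
// Added example: replays a browser's CORS checks over captured response headers.

// Parse a raw header block into [lowercased name, value] pairs, keeping duplicates.
function parseHeaders(raw) {
  return raw.split(/\r?\n/)
    .map((line) => line.trim())
    .filter((line) => line.includes(':') && !line.startsWith('HTTP/'))
    .map((line) => {
      const i = line.indexOf(':');
      return [line.slice(0, i).trim().toLowerCase(), line.slice(i + 1).trim()];
    });
}

// A header sent more than once is combined with ", " before it is compared.
function combined(headers, name) {
  const values = headers.filter(([n]) => n === name).map(([, v]) => v);
  return values.length ? values.join(', ') : null;
}

const tokens = (v) => (v || '').split(',').map((t) => t.trim().toLowerCase()).filter(Boolean);

// Applied to the preflight response AND to the actual response.
function checkAllowOrigin(headers, origin) {
  const acao = combined(headers, 'access-control-allow-origin');
  if (acao === null) return 'missing Access-Control-Allow-Origin';
  if (acao.includes(',')) return `multiple values '${acao}'`;
  if (acao !== '*' && acao !== origin) return `'${acao}' does not match '${origin}'`;
  return null;
}

function checkPreflight(headers, origin, method, requestedHeaders) {
  const originError = checkAllowOrigin(headers, origin);
  if (originError) return originError;
  const methods = tokens(combined(headers, 'access-control-allow-methods'));
  const m = method.toLowerCase();
  // GET, HEAD and POST are CORS-safelisted methods and need no explicit grant.
  if (!['get', 'head', 'post'].includes(m) && !methods.includes(m) && !methods.includes('*')) {
    return `method ${method} not allowed`;
  }
  const allowed = tokens(combined(headers, 'access-control-allow-headers'));
  const missing = tokens(requestedHeaders).filter((h) => !allowed.includes(h) && !allowed.includes('*'));
  return missing.length ? `headers not allowed: ${missing.join(', ')}` : null;
}

// Returns the first failing stage; stage 'none' means script may read the response.
function evaluate({ origin, method, requestedHeaders, preflight, actual }) {
  if (preflight) {
    const reason = checkPreflight(parseHeaders(preflight), origin, method, requestedHeaders);
    if (reason) return { stage: 'preflight', reason };
  }
  const reason = checkAllowOrigin(parseHeaders(actual), origin);
  return reason ? { stage: 'actual response', reason } : { stage: 'none', reason: null };
}

// CORS-relevant lines copied from the Firefox/WebSphere capture in the servlet thread.
const servletCapture = {
  origin: 'http://localhost',
  method: 'POST',
  requestedHeaders: 'content-type,x-pingother,x-requested-with',
  preflight: 'HTTP/1.1 200 OK\nAccess-Control-Allow-Origin: http://localhost\n' +
    'Access-Control-Allow-Methods: POST, GET, OPTIONS\n' +
    'Access-Control-Allow-Headers: CONTENT-TYPE,X-PINGOTHER,X-REQUESTED-WITH',
  actual: 'HTTP/1.1 200 OK\nContent-Type: application/xml\nContent-Length: 62',
};

// CORS header lines from the SharePoint response; the GET method is an assumption.
const sharePointCapture = {
  origin: 'null',
  method: 'GET',
  actual: 'HTTP/1.1 200 OK\nAccess-Control-Allow-Origin: *\nX-Powered-By: ASP.NET\n' +
    'Access-Control-Allow-Origin: *',
};

console.log(evaluate(servletCapture), evaluate(sharePointCapture));
```

For the servlet capture the preflight passes and the check fails on the POST response, which carries no Access-Control-Allow-Origin header; for the SharePoint capture the two header lines combine to '*, *', which matches neither '*' nor the origin.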
Disable security rule and remove assignment in GL
Hi
Need to know urgently as user is stuck in Journal entry
There is an issue of overlapping two restrictions while entering department in accounting flexfield and the security rules needs to be disabled.
Rule 1 Name : Department Security
Message : Department Security: Department is restricted to 110 thru 130
Include is 000 to zzz
Exclude is 000 to 109
Exclude is 131 to zzz
Rule 2 Name : Single Department
Single Department: Department is restricted to ONLY department 110
Include is 000 to zzz
Exclude is 000 to 109
Exclude is 111 to zzz
Need help to disable the rules and allow all departments now for user entry
Thanks
Shanks
Edited by: user8364817 on Dec 3, 2008 10:10 PM
Hi
Thank you for your reply.
I also tried replacing all by "include" and it worked !!!
Hope this will not have any issues further.
The user is able to make entries using all departments now
Thanks
Shanks -
What is the best online storage for photos. Specifically one that allows the original image quality to be downloaded should your hard storage goes belly up
I'd put them on an external hard drive(s) and burn them to a DVD as well (at least 2 - 3 copies on different drives/media); I prefer having control and a local solution instead of relying on a server and the possibility of someone (who shouldn't be) downloading my work.
-
I downloaded a widget from apple and was unable to open it because a window appeared telling me that the developer was unidentified. How do I change the security preferences that allow me to only install apps from the Mac App Store?
go to system preferences - security and privacy - under allow applications downloaded from - click on anywhere.
-
Java has updated again today,
i use a java plug in to run my virtual software to access my work from home,
today i have an error message saying that security will not allow access to my website
i use to log in to work from, this is a JREdetection error,
my system runs off java and citrix, i tried chrome,firefox and safari - same issue, if my system cannot detect java it wont run, it runs on plug ins.
How do I change my sec settings to allow access to this website, as I can only see that I can add apps not web addresses?
If you get an error that says can't backup, try moving the existing backup file to a safe location and try again. You can find the location of the backup file here:
iPhone and iPod touch: About backups -
STO - UB document is allowed cross company purchase order
Hi Experts,
We are facing problem in stock transfer order , UB.
We observed that UB document is allowed cross company purchase order.
It means Purchase Order is created for two different co.code....
can you pls. guide where is the problem?
Kumar
Hi
UB document type is allowed for cross company also. Read the below link it will help you to understand STO process in details. So that you can map your requirement.
http://help.sap.com/saphelp_erp60_sp/helpdata/en/4d/4b9036dfe4b703e10000009b38f889/frameset.htm
Regards
Antony