csirtgadgets / massive-octo-spice

DEPRECATED - USE v3 (bearded-avenger)
https://github.com/csirtgadgets/bearded-avenger-deploymentkit/wiki
GNU Lesser General Public License v3.0

Javascript SDK Errors #391

Closed alecdhuse closed 8 years ago

alecdhuse commented 8 years ago

I'm trying to use the Javascript SDK but I am getting an error: "No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access." when using Chrome.

Other browsers give me similar errors. Is this meant to be used in-browser? Could an Access-Control-Allow-Origin be added so it can be?

Test code that I am using is as follows: Edit: Well js gets blocked so you can see it here

giovino commented 8 years ago

Alec.. my javascript-fu is lacking (e.g. can't answer this off the top of my head) and you've caught us in a travel period. It might be a few days until we get back to you.

My first thought is, cif.js is used in the Google Chrome plugin, does its implementation provide any answers?

alecdhuse commented 8 years ago

Giovino, it's more an issue that the http server is not sending an Access-Control-Allow-Origin so Chrome security isn't following through on the request.

I guess I wanted to know if it was meant to work from an html page or not. If so then that header needs to be added on the server side code.

wesyoung commented 8 years ago

@alecdhuse i had only just split out the "sdk" from chrome, but hadn't tested much else outside chrome. i know we ran into some CORS stuff a while ago:

https://github.com/csirtgadgets/massive-octo-spice/blob/develop/src/lib/CIF/REST.pm#L97

so i'm guessing there might be more to do?

alecdhuse commented 8 years ago

Wes, yeah looks like the right headers are not being added. I believe an "Access-Control-Allow-Origin: *" and an "Access-Control-Allow-Headers: x-requested-with" header have to be added.

wesyoung commented 8 years ago

i didn't have time to check this atm, but take a look at:

https://github.com/csirtgadgets/massive-octo-spice/commit/9c9aa499ee295177012b36a904988a1f2d0bbc78

see if those changes fix what you're seeing; then just need to double check with the chrome plugin (in the chrome store)...

let us know..

wesyoung commented 8 years ago

also; reading through:

https://remysharp.com/2011/04/21/getting-cors-working

i wonder if we just need to add an options request to the cif-sdk-js itself, which might provide this info too... (haven't messed with cors stuff enough to understand all of it just yet..)
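
The preflight (OPTIONS) handling and response headers discussed in this thread, as an added example that is not CIF or cif-sdk-js code: a framework-independent function that decides the CORS headers for one request, using an origin allowlist as a stricter alternative to `*`. The allowed origin, the method list and the `authorization` entry are assumptions.

```javascript
// Added example, not CIF code. Origin, methods and header list are assumptions.
const ALLOWED_ORIGINS = new Set(['https://dashboard.example.org']); // hypothetical UI origin
const ALLOWED_METHODS = ['GET', 'POST'];
const ALLOWED_HEADERS = ['x-requested-with', 'authorization', 'accept']; // 'authorization' assumed for an API token

// Return the status (null = continue to the normal handler) and CORS headers for one request.
// `req` is { method, headers } with lower-cased header names, as Node's http module provides.
function corsDecision(req) {
  const headers = { Vary: 'Origin' }; // response differs per Origin, so caches must key on it
  const origin = req.headers.origin;
  const isPreflight = req.method === 'OPTIONS' &&
    req.headers['access-control-request-method'] !== undefined;

  // No Origin header: not a browser cross-origin request, nothing to add.
  if (origin === undefined) return { status: null, headers };

  // Unknown origins (including the literal "null" sent by file:// pages) get no
  // Access-Control-Allow-Origin header, so the browser refuses to expose the response.
  if (!ALLOWED_ORIGINS.has(origin)) {
    return { status: isPreflight ? 403 : null, headers };
  }
  headers['Access-Control-Allow-Origin'] = origin; // echo the matched origin rather than "*"
  if (!isPreflight) return { status: null, headers };

  // Preflight: check the method and headers the browser says it will send.
  const method = req.headers['access-control-request-method'].toUpperCase();
  const asked = (req.headers['access-control-request-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  if (!ALLOWED_METHODS.includes(method) || asked.some((h) => !ALLOWED_HEADERS.includes(h))) {
    delete headers['Access-Control-Allow-Origin'];
    return { status: 403, headers };
  }
  headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
  headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
  headers['Access-Control-Max-Age'] = '600'; // let the browser cache the preflight for 10 minutes
  return { status: 204, headers };
}

// Constructed sample: the preflight a browser sends before a GET carrying X-Requested-With.
const samplePreflight = {
  method: 'OPTIONS',
  headers: {
    origin: 'https://dashboard.example.org',
    'access-control-request-method': 'GET',
    'access-control-request-headers': 'X-Requested-With',
  },
};
console.log(corsDecision(samplePreflight));
```

A non-preflight request from an unlisted origin still reaches the normal handler; CORS only stops the browser from handing the response to the page, so authentication on the API remains the access control.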