I am developing my app using AngularJS for the front end and PHP/MySQL for the backend. In PHP I am using the Slim framework. Things went smoothly while I was developing on my local machine and testing on localhost. However, when I uploaded the code to a free shared hosting, all my REST calls stopped working and I started getting the following error.
XMLHttpRequest cannot load http://error404.myhostingprovider.com/?. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://myfreehosingdomain.com' is therefore not allowed access.
Can anybody please tell me what is going on.
In short, websites have to be careful about including content from other websites, because that content may be undesired / evil or changed en-route. Websites are generally responsible for whitelisting cross-domain requests they are expecting to make for the sake of the client's security.
I would suggest that you read up on a Browser Content Security Policy: https://en.wikipedia.org/wiki/Content_Security_Policy.
Then take a look at how to handle this case in the slim framework. This might be a good starting point:
http://help.slimframework.com/discussions/problems/810-no-subject
In my case this was because I was being redirected to an error404 page outside my domain. The actual error was due to other factors (no MySQL native driver in my case).
It's a pleasure to be here; hoping for good support from all.
I am developing this application using personal FrameWork (CITS: construesol.com/our-solutions/cits-framework.html)
Facing the following issue, and not sure if this is due to some server or issue in my framework.
This Works: wrosc.commbuss.com/index.php
This gives Page not found error:
wrosc.commbuss.com/index.php?login__ga=GA1.2.1438238513.1446927241&
login_ck_login_id_20=1&
login_ck_login_language_20=en_us&
login_default_horde_view=auto&
login_PHPSESSID=evnvh60rcd8j37b64ajbb02vi7&
login_feacc482788c1ab9a7c03bcd5b19c90e=CookieEnabledClient
These are the additional parameters passed from my machine; maybe due to some tools I am using with my browser, like FireBug
&login__ga=GA1.2.1438238513.1446927241&
login_ck_login_id_20=1&
login_ck_login_language_20=en_us&
login_default_horde_view=auto&
login_PHPSESSID=evnvh60rcd8j37b64ajbb02vi7&
login_feacc482788c1ab9a7c03bcd5b19c90e=CookieEnabledClient
I am running a loop for $_REQUEST to check if some parameters are passed to redirect user to proper module (Parameters received: This is the feature of the framework).
The problem is only with this machine (and all developer) and not on "Non-Developer" machines; As we think this is due to some tools we are using with browser (e.g. FireBug)
NOTE: **** "login_" in front of each parameter is performed by the framework
Resolved the bug: Issue was with Framework, handled using urlencode
***But still those parameters are passed.
We have a unified portal which links multiple services through a jQuery tab based interface making use of iframes to display content from different services. Our portal runs on a secure server with HTTPS/SSL. While most of our external services are HTTPS, two of them aren't. Obviously we are aware of the issues with mixed content and we didn't like the idea of having non-HTTPS sites within the portal, but we didn't have a choice. Everything was ok until a few days ago when Google updated Chrome to version 30, which now silently blocks mixed content. This has created a great number of problems for us. We contacted the external services and asked them if they could upgrade their services to HTTPS and one of them has come back saying they have no plans to do so for the next 2 years.
Obviously this is a problem. We tried getting around the problem by getting this service to open into a new browser window, but this is a rather inelegant workaround which I would like to get rid of, if at all possible. Is there any way that I can use AJAX or PHP to prefetch the page in question and then display it within the portal iframe without Chrome blocking it?
I would be very grateful for any advice at all. I do understand how bad an idea it is to mix secure content with non-secure content, but I have no choice in the matter as my manager is adamant that the service has to be a part of the portal.
Thanks in advance.
Regards
Alex
A somewhat simple solution would be to use a reverse proxy. You can configure Apache quite easily to take an HTTPS connection, fetch the requested content from another URL and return it. See mod_proxy. The problem is that the browser will necessarily see a different URL/domain on its part (your reverse proxy), which may or may not cause problems with cookies or hardcoded links.
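The cookie and redirect problem mentioned in the answer above comes down to rewriting response headers at the proxy. The following is an added example, not part of the original answer, showing in JavaScript what mod_proxy's ProxyPassReverse, ProxyPassReverseCookieDomain and ProxyPassReverseCookiePath directives do; the hostnames and the /legacy prefix are constructed placeholders.

```javascript
// Added example, not from the original answer. Hostnames and prefix are constructed.
const UPSTREAM = new URL('http://legacy-service.example'); // HTTP-only service (assumed)
const PROXY_PREFIX = 'https://portal.example/legacy';      // HTTPS URL the portal exposes (assumed)
const PREFIX_PATH = new URL(PROXY_PREFIX).pathname;        // "/legacy"

// Map a redirect target on the upstream back onto the proxy, so the browser
// is never sent to the plain-HTTP origin. Third-party redirects are untouched.
function rewriteLocation(location, upstreamRequestPath = '/') {
  let target;
  try {
    target = new URL(location, new URL(upstreamRequestPath, UPSTREAM));
  } catch {
    return location; // unparseable: pass through unchanged
  }
  if (target.origin !== UPSTREAM.origin) return location;
  return PROXY_PREFIX + target.pathname + target.search + target.hash;
}

// Rewrite one Set-Cookie value: drop Domain (the cookie becomes host-only for
// the proxy), move Path under the prefix, and force Secure.
function rewriteSetCookie(value) {
  const [pair, ...attrs] = value.split(';').map((s) => s.trim()).filter(Boolean);
  const out = [pair];
  for (const attr of attrs) {
    const eq = attr.indexOf('=');
    const name = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    if (name === 'domain' || name === 'secure') continue;
    if (name === 'path' && eq !== -1) {
      const path = attr.slice(eq + 1);
      out.push('Path=' + PREFIX_PATH + (path === '/' ? '' : path));
    } else {
      out.push(attr);
    }
  }
  out.push('Secure');
  return out.join('; ');
}

// Apply both rewrites to a Node-style header object (lower-case keys,
// set-cookie as an array) before relaying the response to the browser.
function rewriteResponseHeaders(headers, upstreamRequestPath = '/') {
  const result = { ...headers };
  if (result.location) result.location = rewriteLocation(result.location, upstreamRequestPath);
  if (result['set-cookie']) result['set-cookie'] = [].concat(result['set-cookie']).map(rewriteSetCookie);
  return result;
}
```

Links hardcoded in the HTML body are not covered by header rewriting, and the hop from the proxy to the upstream service is still plain HTTP.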
I have looked around and it seems that there is no way whatsoever to load external/remote URLs like http://google.com through the client browser using JavaScript without using a proxy, be it a PHP file on the server side or YQL, which essentially uses the Yahoo API as a proxy. This is due to the same-origin policy.
I am not versed in Flash and I think that it might hold an answer because even though some people are aggressively phasing it out, it has a lot of power.
My question: is there something I missed when searching? Free hosts have some restrictions on the amount of requests and the load on the server per unit time and I wouldn't like to get kicked out. Also my site scrapes some remote site's data so I wouldn't like to get blocked which I would get if I used a PHP proxy. So is there a simple Flash solution or Javascript solution I did not see?
No, this is not possible due to the Same origin policy: http://en.wikipedia.org/wiki/Same_origin_policy
I have a server in which I have a REST API together with a front end that interact with that API.
As long as the front end is on the same server as the REST API, the application works, but when I move the front end to a different server, it stops working!!
The whole application interact with the REST API for all operations.
Is there a means to make the front end interact with the REST API provided both are on different domains??
When the front-end that interacts with the REST API is on the same domain, the front-end works, but when it is on a different domain, it doesn't!!
Browsers will block requests to a different site to prevent XSS attacks. Your REST server should tell the browser from which sites requests are allowed to get around this. There are two ways of doing this, through a crossdomain.xml file and through the Access-Control-Allow-Origin HTTP header.
Unfortunately browser support for those solutions is lacking in older browsers, so you should check which browsers you want to support.
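One way a REST API can send the Access-Control-Allow-Origin header described in the answer above, including the preflight (OPTIONS) request that browsers send before non-simple cross-origin calls. This is an added example, not code from the original answer; the origin `https://frontend.example` and the function names `corsDecision` and `handle` are constructed for illustration.

```javascript
// Added example, not code from the original answer. Origins are constructed.
const ALLOWED_ORIGINS = new Set(['https://frontend.example']); // the front end's origin (assumed)
const ALLOWED_METHODS = 'GET, POST, PUT, DELETE';
const ALLOWED_HEADERS = 'Content-Type, Authorization';

// Decide the CORS part of a response. `reqHeaders` uses lower-case keys, as
// Node's http module provides them. status === null means "not a preflight,
// continue to the normal API handler".
function corsDecision(method, reqHeaders) {
  const headers = { Vary: 'Origin' }; // response differs per Origin, so caches must key on it
  const origin = reqHeaders.origin;
  if (!origin) return { status: null, headers }; // same-origin or non-browser client
  const allowed = ALLOWED_ORIGINS.has(origin);
  // Echo the origin only on an exact allowlist match; never reflect it blindly.
  if (allowed) headers['Access-Control-Allow-Origin'] = origin;
  const preflight = method === 'OPTIONS' && 'access-control-request-method' in reqHeaders;
  if (!preflight) return { status: null, headers };
  if (!allowed) return { status: 403, headers };
  headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS;
  headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS;
  headers['Access-Control-Max-Age'] = '600'; // let the browser cache the preflight for 10 minutes
  return { status: 204, headers };
}

// Request listener usable as http.createServer(handle).
function handle(req, res) {
  const { status, headers } = corsDecision(req.method, req.headers);
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  if (status !== null) {
    res.statusCode = status;
    return res.end();
  }
  // CORS only controls what a browser lets the page read; the API must still
  // authenticate and authorize every request itself.
  res.setHeader('Content-Type', 'application/json');
  res.end(JSON.stringify({ ok: true }));
}
```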
I have already heard about the curl library, and I got interested in it...
and as I read that there are many uses for it, can you provide me with some
Are there any security problems with it?
One of the many useful features of curl is to interact with web pages, which means that you can send and receive HTTP requests and manipulate the data, which means you can log in to web sites and actually send commands as if you were interacting from your web browser.
I found a very good web page titled 10 awesome things to do with curl. It's at http://www.catswhocode.com/blog/10-awesome-things-to-do-with-curl
One of its big use cases is for automating activities such as getting content from other websites by the application. It can also be used to post data to another website and download files via FTP or HTTP. In other words, it allows your application or script to act as a user accessing a website as they would do browsing manually.
There are no inherent security problems with it but it should be used appropriately, e.g. use https where required.
cURL Features
It's for spamming comment forms. ;)
cURL is great for working with APIs, especially when you need to POST data. I've heard that it's quicker to use file_get_contents() for basic GET requests (e.g. grabbing an RSS feed that doesn't require authentication), but I haven't tried myself.
If you're using it in a publicly distributed script, such as a WordPress plugin, be sure to check for it with function_exists('curl_init'), as some hosts don't install it...
In addition to the uses suggested in the other answers, I find it quite useful for testing web-service calls. Especially on *nix servers where I can't install other tools and want to test the connection to a 3rd party webservice (ensuring network connectivity / firewall rules etc.) in advance of installing the actual application that will be communicating with the web-services. That way if there are problems, the usual response of 'something must be wrong with your application' can be avoided and I can focus on diagnosing the network / other issues that are preventing the connection from being made.
It certainly can simplify simple programs you need to write that require higher level protocols for communication.
I do recall a contractor, however, attempting to use it with a high load Apache web server module and it was simply too heavy-weight for that particular application.