Ideally, I would like to remove/override the HTTP response referer header. My code looks something like:
// attempt to blank the Referer before issuing the redirect
Response.AddHeader("Referer", "");
Response.Redirect(url);
I am doing this because I am not running in pipelined mode, so I can't access the header directly.
This doesn't appear to do anything though.
When you use a Response.Redirect, you are sending an http 302 or location changed response to the client.
The client then makes a new request for the location specified in the 302 response.
The referer header will be set by the client. You can't change it that way.
Related
I'm using Restangular. I would like to get full response so I set
Restangular.setFullResponse(true);
but then I discovered that my custom headers do not work. Documentation for the setFullResponse() method says:
in order for Restangular to access custom HTTP headers, your server must respond having the Access-Control-Expose-Headers: set.
I would like to send my custom headers but I don't want to change server settings. Is it possible?
If I leave the default settings, i.e. setFullResponse(false), there is no issue with custom headers. Is there another solution except changing server settings?
The sentence you cite from the setFullResponse() docs is about what headers from the response your Restangular app will be able to access. And what that is saying is, it’s not possible to access most of the headers from the response unless the server’s already configured to send the right response-header names in the Access-Control-Expose-Headers header.
Without the server setting any value for that header, the only response headers that browsers will let you access from client-side JavaScript in your web app are the Cache-Control, Content-Language, Content-Type, Expires, Last-Modified & Pragma response headers.
See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name for the spec on that.
I would like to send my custom headers but I don't want to change server settings. Is it possible?
If you mean you want to send custom headers in a request from your client-side Restangular code to the server, please provide more details about exactly which custom headers you want to send.
There too though, there’s another CORS header your server must send in the response: the Access-Control-Allow-Headers response header. If the server isn’t configured to send that with the right header names listed, then your request will fail. The reason in that case is, you will hit https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Preflighted_requests.
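To make the rule in that answer concrete, here is an added example (not Restangular's code, and not from the answer above) that models the browser-side filtering: which response headers script can read, with and without an Access-Control-Expose-Headers value from the server. The sample response and its custom header names are constructed for the example; the Content-Length entry in the safelist is an addition from later revisions of the Fetch spec, not part of the list given above.

```python
"""Which response headers can browser JavaScript read on a cross-origin response?

Added illustration (not Restangular's code): models the browser-side rule behind
the setFullResponse() note. Header names are case-insensitive, so they are
lower-cased before comparison. The sample response below is constructed.
"""

# Always readable without any Access-Control-Expose-Headers (the list in the
# answer above; later revisions of the Fetch spec also safelist Content-Length).
CORS_SAFELISTED_RESPONSE_HEADERS = frozenset({
    "cache-control", "content-language", "content-length", "content-type",
    "expires", "last-modified", "pragma",
})
# Never readable from script, even if the server lists them.
FORBIDDEN_RESPONSE_HEADERS = frozenset({"set-cookie", "set-cookie2"})


def _header_list(value):
    """Split a comma-separated header-name list into lower-cased names."""
    return [item.strip().lower() for item in value.split(",") if item.strip()]


def readable_response_headers(response_headers, credentials=False):
    """Return the headers (lower-cased names) that script may read.

    credentials=True models a request sent with cookies/auth: in that mode the
    "*" in Access-Control-Expose-Headers is not honoured as a wildcard.
    """
    lowered = {name.lower(): value for name, value in response_headers.items()}
    exposed = set()
    wildcard = False
    for name in _header_list(lowered.get("access-control-expose-headers", "")):
        if name == "*":
            wildcard = True
        else:
            exposed.add(name)
    if wildcard and not credentials:
        exposed = set(lowered)  # wildcard: every header name in the response
    return {
        name: value
        for name, value in lowered.items()
        if name not in FORBIDDEN_RESPONSE_HEADERS
        and (name in CORS_SAFELISTED_RESPONSE_HEADERS or name in exposed)
    }


# Constructed sample: a JSON API response carrying two custom headers.
SAMPLE_RESPONSE = {
    "Content-Type": "application/json",
    "X-Total-Count": "42",
    "X-Request-Id": "req-0001",
    "Set-Cookie": "session=abc; HttpOnly",
}


def with_expose(names):
    """Same sample response, but the server also sends Access-Control-Expose-Headers."""
    return {**SAMPLE_RESPONSE, "Access-Control-Expose-Headers": names}


if __name__ == "__main__":
    print(readable_response_headers(SAMPLE_RESPONSE))
    print(readable_response_headers(with_expose("X-Total-Count")))
    print(readable_response_headers(with_expose("*")))
    print(readable_response_headers(with_expose("*"), credentials=True))
```

Run as a script it prints the four outcomes: with no expose header only content-type is visible, naming X-Total-Count makes that one header visible, "*" exposes everything except Set-Cookie, and "*" on a credentialed request exposes nothing extra. The practical upshot matches the answer: the only fix is the server sending Access-Control-Expose-Headers listing exactly the custom header names the client needs.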
I have looked at all the headers. As far as I know my application code should be sending it out for Ajax calls but I cannot see any header in Fiddler saying anything like "Access-Control-Allow-Origin".
Is there a way for me to check this with Fiddler and if so where should I be looking?
Access-Control-Allow-Origin is a response header.
Have you been looking at the response headers in Fiddler?
I'm very confused by this. My web application uses Spring Security, which relies upon a JSESSIONID cookie to maintain a user's session.
One of my pages does a 302 redirect to another page on the same domain, still http, not switching to https or anything fancy. For some reason the browser (Chrome in this case) does not pass the cookie with the second request and the user loses his session.
Is this the expected http behavior? I'm probably missing something..
Just to be clear, the cookie is already set before the redirect, I'm not setting the cookie in the same response as the redirect.
It could be a bug in Chrome. See Chromium bug #696204. In my case the workaround was changing SameSite=Strict to Lax.
302 doesn't delete any cookie, so I think you are changing the host/port or the server expires the cookie. Look at these 3 requests (before 302, 302, after 302) and search for something related to the Set-Cookie header with an expires value.
It could be you have a problem with the cookie path: if you set the cookie path to something different from '/', it will not be accessible to all paths.
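The path and host scoping described in that answer can be checked offline with the standard-library cookie jar. This is an added example, not the asker's Spring Security setup or any code from the answers: it stores a Set-Cookie header received at the first URL and then asks which Cookie header the client would attach to the redirect target. All hostnames, paths and cookie values are constructed for the example.

```python
"""Why a session cookie may not be sent on the request that follows a 302.

Added illustration (not the asker's Spring Security setup): feeds a
Set-Cookie header into the standard-library cookie jar and asks which Cookie
header the client would attach to the redirect target. The 302 itself deletes
nothing; what matters is whether the cookie's Path and host scope cover the
new URL. All URLs and cookie values are constructed for the example.
"""
import email.message
import http.cookiejar
import urllib.request


class _FakeResponse:
    """Just enough of an HTTP response for CookieJar.extract_cookies()."""

    def __init__(self, set_cookie_values):
        self._headers = email.message.Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def store_cookies(jar, url, set_cookie_values):
    """Store the Set-Cookie headers of a response to `url` in the jar."""
    jar.extract_cookies(_FakeResponse(set_cookie_values), urllib.request.Request(url))


def cookie_header_for(jar, url):
    """Cookie header the client would send with a request for `url`, or None."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def cookie_after_redirect(set_cookie_value, first_url, redirect_target):
    """Set a cookie on the response to first_url, then see if it reaches redirect_target."""
    jar = http.cookiejar.CookieJar()
    store_cookies(jar, first_url, [set_cookie_value])
    return cookie_header_for(jar, redirect_target)


if __name__ == "__main__":
    cases = [
        ("JSESSIONID=abc123; Path=/", "http://app.example/login", "http://app.example/dashboard"),
        ("JSESSIONID=abc123; Path=/admin", "http://app.example/admin/login", "http://app.example/dashboard"),
        # no Path attribute: the default path is the directory of the request URL
        ("JSESSIONID=abc123", "http://app.example/admin/login", "http://app.example/dashboard"),
        ("JSESSIONID=abc123; Path=/", "http://app.example/login", "http://other.example/dashboard"),
    ]
    for cookie, first, target in cases:
        print(f"{cookie!r} set at {first} -> {target}: {cookie_after_redirect(cookie, first, target)}")
```

The third case is the one that catches people: a Set-Cookie with no Path attribute issued from /admin/login is scoped to /admin, so a redirect to /dashboard goes out without it even though host and scheme are unchanged. Comparing the Cookie header of the request before and after the 302 in the browser's network tab, as the answer suggests, shows the same thing.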
Answering my own question. Turns out that one has to use a 303 (see other) response when redirecting from a post request.
From RFC 2616
10.3.4 303 See Other
The response to the request can be found under a different URI and
SHOULD be retrieved using a GET method on that resource. This method
exists primarily to allow the output of a POST-activated script to
redirect the user agent to a selected resource. The new URI is not a
substitute reference for the originally requested resource. The 303
response MUST NOT be cached, but the response to the second
(redirected) request might be cacheable.
How does HTTP 302 work? I would like to know the internals.
You mean how do browsers handle it? The server sends a 302 code along with a Location header, and the browser requests the new URI specified by the Location header instead.
Unlike 301 (Moved Permanently), the browser continues to use the original URI to do requests, in case the 302 code goes away.
The server returns an HTTP response with the code 302, indicating a temporary redirection, and includes a Location: header indicating the new URI, e.g.
HTTP/1.1 302 Found
Location: http://some-other-url
And potentially other headers at the server's discretion.
The browser normally takes this as a directive to automatically make a new, separate request for the other URI specified by the location header. The client (browser) isn't forced to do this (it could, in theory, just display a message to the user, or do whatever else it wants), but that's how HTTP clients usually behave.
Note that since the 302 is a temporary redirection, a well-behaved client will continue to use the old URL in the future, rather than going directly to the new one (301 is a permanent redirection).
From:
http://www.ietf.org/rfc/rfc2616.txt
and
http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
10.3.3 302 Found
The requested resource resides temporarily under a different URI.
Since the redirection might be altered on occasion, the client SHOULD
continue to use the Request-URI for future requests. This response
is only cacheable if indicated by a Cache-Control or Expires header
field.
The temporary URI SHOULD be given by the Location field in the
response. Unless the request method was HEAD, the entity of the
response SHOULD contain a short hypertext note with a hyperlink to
the new URI(s).
If the 302 status code is received in response to a request other
than GET or HEAD, the user agent MUST NOT automatically redirect the
request unless it can be confirmed by the user, since this might
change the conditions under which the request was issued.
Note: RFC 1945 and RFC 2068 specify that the client is not allowed
to change the method on the redirected request. However, most
existing user agent implementations treat 302 as if it were a 303
response, performing a GET on the Location field-value regardless
of the original request method. The status codes 303 and 307 have
been added for servers that wish to make unambiguously clear which
kind of reaction is expected of the client.
The internals of what? 302 is a return code the server gives the client; what the client does is up to it. The RFCs give guidance on what the client should do, but in the real world 301, 302, 303 and 307 are all handled the same way by the mainstream browsers.
Just an add-on:
Importantly, it is to stop the client from hitting the same server URL with the same request consecutively/frequently.
302 Found:
Indicates that the resource requested has been temporarily moved to the URL given by the location header.
A browser redirects to this page but search engines don't update their links to the resource.
It is recommended to set the 302 code only as a response for GET or HEAD methods.
In cases where you want the method used to be changed to GET, use 303.
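The following added example (not code from any answer on this page) puts the 302 mechanics from this thread, and the Referer point from the first question, into a small redirect-following client: it parses the head of a raw redirect response, resolves a possibly relative Location against the URL just requested, carries the method over differently for 302, 303 and 307, and sets the Referer of the follow-up request from the client's own previous URL, so a Referer header placed in the 302 response is simply ignored. The status lines, URLs and the hypothetical `sample_fetch` server are constructed for the example; the `strict_rfc2616` switch models the "MUST NOT automatically redirect" clause of 10.3.3 as opposed to what browsers actually do.

```python
"""What a client does with a 302 (and a 303 or 307).

Added illustration, not code from the answers above: parses the head of a raw
redirect response and builds the follow-up request the way a typical HTTP
client does. The Referer on the second request is chosen by the client from
the URL it just requested; a Referer header in the 302 response is ignored.
The server responses below are constructed.
"""
from urllib.parse import urljoin

MAX_REDIRECTS = 20  # loop guard, as real clients have


def parse_response_head(raw):
    """Return (status, headers) from the status line and header block of raw bytes."""
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def next_request(request, status, headers, strict_rfc2616=False):
    """Build the request a client issues after a redirect, or None to stop.

    request is {"method", "url", "body", "referer"}.
      303: GET (HEAD stays HEAD), body dropped      (RFC 2616 10.3.4)
      307: method and body preserved
      301/302: browsers treat a POST like 303 (the note in 10.3.3);
               strict_rfc2616=True refuses to auto-follow a non-GET/HEAD
               request, since 10.3.3 says that needs user confirmation.
    """
    location = headers.get("location")
    if status not in (301, 302, 303, 307) or not location:
        return None
    method, body = request["method"], request["body"]
    if status == 303 or (status in (301, 302) and method not in ("GET", "HEAD")):
        if status != 303 and strict_rfc2616:
            return None
        if method != "HEAD":
            method, body = "GET", None
    return {
        "method": method,
        "url": urljoin(request["url"], location),  # Location may be relative
        "body": body,
        "referer": request["url"],  # set by the client, never by the server
    }


def follow(request, fetch, strict_rfc2616=False):
    """Issue request, follow redirects via fetch(request) -> raw bytes; return every request issued."""
    issued = [request]
    for _ in range(MAX_REDIRECTS):
        status, headers = parse_response_head(fetch(request))
        request = next_request(request, status, headers, strict_rfc2616)
        if request is None:
            return issued
        issued.append(request)
    raise RuntimeError("too many redirects")


# Constructed responses keyed by (method, url). The 302 even carries an empty
# Referer header, like the first question on this page tried; the client ignores it.
OK = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<p>ok</p>"
SAMPLE_SERVER = {
    ("POST", "http://app.example/login"): b"HTTP/1.1 302 Found\r\nLocation: /home\r\nReferer: \r\n\r\n",
    ("GET", "http://app.example/home"): OK,
    ("POST", "http://app.example/submit"): b"HTTP/1.1 303 See Other\r\nLocation: http://app.example/result\r\n\r\n",
    ("GET", "http://app.example/result"): OK,
    ("POST", "http://app.example/old"): b"HTTP/1.1 307 Temporary Redirect\r\nLocation: /new\r\n\r\n",
    ("POST", "http://app.example/new"): OK,
}


def sample_fetch(request):
    """Hypothetical server: looks the request up in SAMPLE_SERVER."""
    return SAMPLE_SERVER[(request["method"], request["url"])]


def post(url, body="user=bob"):
    return {"method": "POST", "url": url, "body": body, "referer": None}


if __name__ == "__main__":
    for r in follow(post("http://app.example/login"), sample_fetch):
        print(r["method"], r["url"], "Referer:", r["referer"])
```

Running it shows the POST to /login followed by a GET to /home whose Referer is the /login URL the client itself just used, which is the whole answer to the first question: the referer on the redirected request originates in the client, so the only server-side lever is how the client is told to behave, not a header on the 302. The 307 case keeps the POST and its body, and the 303 case always switches to GET, matching the RFC text quoted above.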
In AS2, I need to get a URL. In the header of the HTTP response, a cookie is set. Is it possible to read the header of the HTTP response and get the cookie's data?
This is a bit tricky. What you might have to do is use a server-side script to get the HTTP response header, then call that script from Flash.