cors websockets dealin g wit h sam e origi n polic y
play

CORS & WEBSOCKETS Dealin g wit h Sam e -Origi n Polic y - PowerPoint PPT Presentation

Feb 22, 2023 •354 likes •773 views

CS 498RK SPRING 2020 CORS & WEBSOCKETS Dealin g wit h Sam e -Origi n Polic y application lives on llama.com and you want to pull data from www.alpaca.com var xhr = new XMLHttpRequest(); xhr.open('GET',

  1. CS 498RK SPRING 2020 CORS & 
 WEBSOCKETS

  2. Dealin g wit h 
 Sam e -Origi n Polic y

  3. application lives on llama.com and you want to pull data from www.alpaca.com var xhr = new XMLHttpRequest(); xhr.open('GET', 'http://www.alpaca.com/hello.json'); xhr.onload = function(e) { var data = JSON.parse(this.response); ... } xhr.send(); Wha t happen s ?

  4. application lives on llama.com and you want to pull data from www.alpaca.com var xhr = new XMLHttpRequest(); xhr.open('GET', 'http://www.alpaca.com/hello.json'); xhr.onload = function(e) { var data = JSON.parse(this.response); ... } xhr.send(); origi n mismatc h erro r !

  5. SAME-ORIGIN POLICY implemented by all major browsers only web pages that have the same “origin” can access each other’s data origin = protocol, domain name, port (some browsers) does not apply to <img> and <script>

  6. SAME-ORIGIN POLICY … but applies to AJAX requests "Cross-domain" AJAX requests are forbidden by default because of their ability to perform advanced requests POST, PUT, DELETE and other types of HTTP requests, along with specifying custom HTTP headers introduce many security issues as described in cross-site scripting

  7. CROSS-ORIGIN RESOURCE SHARING html5 feature CORS allows web applications on one domain to make cross domain AJAX requests to another domain. Access-Control-Allow-Origin header in HTTP responses more freedom than purely same-origin requests, but more secure than allowing all cross-origin requests http://www.html5rocks.com/en/tutorials/file/xhr2/

  8. CORS WORKAROUND // browser sends the following request header Origin: http://llama.com // server response: give access to llama.com Access-Control-Allow-Origin: http://llama.com // give access to all domains Access-Control-Allow-Origin: *

  9. Access-Control-Allow-Origin: * useful when a page or API is intended to be accessible to everyone, including any code on any site freely-available web fonts — Google Fonts

  10. CORS IN ACTION //Allow CORS so that backend and frontend could be put on different servers var allowCrossDomain = function(req, res, next) { res.header("Access-Control-Allow-Origin", "*"); res.header("Access-Control-Allow-Headers", "X-Requested- With, X-HTTP-Method-Override, Content-Type, Accept"); next(); }; app.use(allowCrossDomain);

  11. AJAX CALLS If the server endpoint has enabled CORS, making the cross-origin request is no di ff erent than a normal XMLHttpRequest request

  12. JSONP “JSON with padding” allows a page to receive JSON data from a di ff erent domain by adding a <script> element to the page which loads a JSON response with a callback from a di ff erent domain

  13. Create callback function function processJSON (json) { // Do something with the JSON response }; schock.net/articles/2013/02/05/how-jsonp-really-works-examples/

  14. Dynamically inject <script> tag <script> function processJSON (json) { // Do something with the JSON response }; </script> <script src='http://api.flickr.com/services/feeds/photos_public.gne? jsoncallback=processJSON&tags=monkey&tagmode=any&format=json'></script> schock.net/articles/2013/02/05/how-jsonp-really-works-examples/

  15. Server Response processJSON( { "title": "Recent Uploads tagged monkey", "link": "http://www.flickr.com/photos/tags/monkey/", "description": "", "modified": "2015-02-03T21:23:22Z", "generator": "http://www.flickr.com/", "items": [ // ... Much more JSON here ... ] } ) schock.net/articles/2013/02/05/how-jsonp-really-works-examples/

  16. CORS VS JSONP Use CORS unless you need to support older browser versions Use regular XMLHttpRequest with CORS JSONP only supports GET, CORS supports other types of HTTP requests JSONP can cause cross-site scripting (XSS) issues where the external site is compromised, CORS allows websites to manually parse responses to ensure security JSONP works on legacy browsers which predate CORS support

  17. WebSocket s

  18. Clien t Serve r MY BLOG HTTP POST This is my first post. ADD POST API DATABASE HTTP GET MY BLOG 02/23/15 This is my first post. NEW POST

  19. Clien t Serve r MY BLOG HTTP POST This is my first post. ADD POST API DATABASE HTTP GET MY BLOG 02/23/15 This is my first post. NEW POST AJAX allows server requests to be made in the background

  20. …bu t if client s do n ’ t reques t , serve rs ca n ’ t respon d !

  21. What types of applications need servers to push data?

  22. LOW-LATENCY, REAL-TIME Multiplayer online games Chat applications Realtime updating social streams

  23. Ho w ca n serve rs pus h dat a ?

  24. POLLING ak a fakin g i t keep making requests to the server to see if there’s any new information performance problems: server has to process HUGE number of connections a second

  25. COMET no t a n acrony m ! a set of more advanced techniques hidden iframes (i.e., forever frames ) AJAX with long polling unstandardized hacks, performance issues en.wikipedia.org/wiki/Comet_%28programming%29

  26. BROWSER PLUGINS Adobe Flash, Java raw push real-time data to clients through raw TCP socket connections with servers plug-ins not guaranteed to be installed, firewall issues

  27. WebSocket s

  28. WEBSOCKETS bidirectiona l ful l -duple x communicatio n WebSocket API introduced in HTML5 (2009) persistent connection between the client and server send data back and forth without HTTP overhead en.wikipedia.org/wiki/WebSocket

  29. Clien t Reques t GET /chat HTTP/1.1 Host: server.example.com Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: x3JJHMbDL1EzLkh9GBhXDw== Sec-WebSocket-Protocol: chat, superchat Sec-WebSocket-Version: 13 Origin: http://example.com en.wikipedia.org/wiki/WebSocket

  30. Serve r Respons e HTTP/1.1 101 Switching Protocols Upgrade: websocket Connection: Upgrade Sec-WebSocket-Accept: HSmrc0sMlYUkAGmm5OPpG2HaGWk= Sec-WebSocket-Protocol: chat en.wikipedia.org/wiki/WebSocket

  31. Ope n a WebSocke t Connectio n var connection = new WebSocket(‘ws:// html5rocks.websocket.org/echo'); www.html5rocks.com/en/tutorials/websockets/basics/

  32. A tu ac h Even t Handle rs // When the connection is open, send some data to the server connection.onopen = function () { connection.send(‘Lorenzo Llamas'); // Send the message ‘Lorenzo Llamas' to the server }; // Log messages from the server connection.onmessage = function (e) { console.log('Server: ' + e.data); }; // Log errors connection.onerror = function (error) {/*…*/}; // Close connection connection.onclose = function(){ /*…*/ } www.html5rocks.com/en/tutorials/websockets/basics/

  33. CROSS ORIGIN COMMUNICATION supports communication between clients and servers on any domain server decides which domains to allow connections from www.html5rocks.com/en/tutorials/websockets/basics/

  34. PROBLEMS Immediate security concerns (Opera 11, Safari 5) Protocol was revamped and now supported by all modern browsers Incompatibility with HTTP upgrade system and some proxy servers eve n if clien t suppo r t s i t , ca n ’ t establis h a connectio n !

  35. WEBSOCKETS TODAY use libraries that use earlier fallbacks whenever WebSocket is not available socket.io

  36. Socket.IO

  37. If at first you don’t succeed… WebSockets Adobe Flash Socket Ajax long polling Ajax multipart streaming Forever iFrame JSONP Polling

  38. “Socket.IO enables real-time bidirectional event-based communication. It works on every platform, browser or device, focusing equally on reliability and speed.” socket.io

  39. Dem o

  40. Clien t Cod e <script> var socket = io(); $('form').submit(function(){ socket.emit('chat message', $('#m').val()); $('#m').val(''); return false; }); socket.on('chat message', function(msg){ $('#messages').append($('<li>').text(msg)); }); </script> socket.io

  41. Serve r Cod e app.get('/', function(req, res){ res.sendfile('index.html'); }); io.on('connection', function(socket){ socket.on('chat message', function(msg){ io.emit('chat message', msg); }); }); http.listen(3000, function(){ console.log('listening on *:3000'); }); socket.io

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Programming WebSockets Sean Sullivan OSCON July 22, 2010 About me Web application developers

Programming WebSockets Sean Sullivan OSCON July 22, 2010 About me Web application developers

Programming WebSockets Sean Sullivan OSCON July 22, 2010 About me Web application developers HTML 5! improved JavaScript implementations! WebSockets! WebSockets? WebSockets a technology that enables bidirectional communication between

789 views • 57 slides
STUN, TURN, ICE, SDP, SIP, WebSockets ... STUN, TURN, ICE, SDP, SIP, WebSockets ... This Talk

STUN, TURN, ICE, SDP, SIP, WebSockets ... STUN, TURN, ICE, SDP, SIP, WebSockets ... This Talk

STUN, TURN, ICE, SDP, SIP, WebSockets ... STUN, TURN, ICE, SDP, SIP, WebSockets ... This Talk AGENDA CONGESTION CONTROL 101 BULK DATA vs MEDIA FLOWS TRANSPORT Bulk data Media flows TCP for reliability

546 views • 28 slides
Practical Applications using KYCORS Danielle Kelly, State Height Mod Coordinator Dan Farrell,

Practical Applications using KYCORS Danielle Kelly, State Height Mod Coordinator Dan Farrell,

Practical Applications using KYCORS Danielle Kelly, State Height Mod Coordinator Dan Farrell, State Survey Coordinator Division of Highway Design National CORS Network CORS 1466 National CORS August 3, 2010 Why CORS? Need for

615 views • 18 slides
1 Basic Polic ie s for Small Gove r nme nts E xample for r e que sting vac ation time :

1 Basic Polic ie s for Small Gove r nme nts E xample for r e que sting vac ation time :

Basic Polic ie s for Small Gove r nme nts Basic Polic ie s for Small Gove r nme nts What is a polic y? Diffe re nc e b e twe e n a po lic y a nd pro c e dure Po lic ie s: Co mmunic a te a n o rg a niza tio n s c ulture ,

585 views • 5 slides
REFERENCE STATION(CORS) SURVNET UGANDA NETWORK CORS STATIONS STATION LOCATION STATUS 1.KAMPALA

REFERENCE STATION(CORS) SURVNET UGANDA NETWORK CORS STATIONS STATION LOCATION STATUS 1.KAMPALA

GLOBAL NAVIGATION SATELLITE SYSTEM(GNSS) CONTINUOUS OPERATING REFERENCE STATION(CORS) SURVNET UGANDA NETWORK CORS STATIONS STATION LOCATION STATUS 1.KAMPALA ACTIVE/RUNNING 2.JINJA ACTIVE/RUNNING 3.LUWERO ACTIVE/RUNNING 4.MUBENDE

2.02k views • 22 slides
Mean, median &amp; mode imputations DEALIN G W ITH MIS S IN G DATA IN P YTH ON Suraj Donthi

Mean, median &amp; mode imputations DEALIN G W ITH MIS S IN G DATA IN P YTH ON Suraj Donthi

Mean, median &amp; mode imputations DEALIN G W ITH MIS S IN G DATA IN P YTH ON Suraj Donthi Deep Learning &amp; Computer Vision Consultant Basic imputation techniques constant (e.g. 0) mean median mode or most frequent DEALING WITH

821 views • 40 slides
Mashing up JavaScript Advanced techniques for modern web applications Bastian Hofmann VZnet

Mashing up JavaScript Advanced techniques for modern web applications Bastian Hofmann VZnet

Mashing up JavaScript Advanced techniques for modern web applications Bastian Hofmann VZnet Netzwerke Ltd. Wtf? JavaScript Apps CORS and OAuth2 Local Storage OEmbed and Caja WebSockets, ActivityStrea.ms and PubsubHubbub

1.16k views • 97 slides
Is the data missing at random? DEALIN G W ITH MIS S IN G DATA IN P YTH ON Suraj Donthi Deep

Is the data missing at random? DEALIN G W ITH MIS S IN G DATA IN P YTH ON Suraj Donthi Deep

Is the data missing at random? DEALIN G W ITH MIS S IN G DATA IN P YTH ON Suraj Donthi Deep Learning &amp; Computer Vision Consultant Possible reasons for missing data Note (variable data eld or column in a DataFrame) Values

650 views • 44 slides
Imputing using fancyimpute DEALIN G W ITH MIS S IN G DATA IN P YTH ON Suraj Donthi Deep

Imputing using fancyimpute DEALIN G W ITH MIS S IN G DATA IN P YTH ON Suraj Donthi Deep

Imputing using fancyimpute DEALIN G W ITH MIS S IN G DATA IN P YTH ON Suraj Donthi Deep Learning &amp; Computer Vision Consultant fancyimpute package Package contains advanced techniques Uses machine learning algorithms to impute missing

379 views • 37 slides
Carolyn Black Artist Producer Th The origi ginal visi sion fo for Th The Story of f Ob

Carolyn Black Artist Producer Th The origi ginal visi sion fo for Th The Story of f Ob

Carolyn Black Artist Producer Th The origi ginal visi sion fo for Th The Story of f Ob Object ects in n 2014 2014 Objects store and possess, take in and breath out the emotions with which they have been associated (Daniel

177 views • 16 slides
The Federal Circuit month at DISCLAIMED CLAIMS NOT PART OF ORIGI- PATENTEES GAMBLE PAYS

The Federal Circuit month at DISCLAIMED CLAIMS NOT PART OF ORIGI- PATENTEES GAMBLE PAYS

JA N U A RY 1 9 9 9 Last The Federal Circuit month at DISCLAIMED CLAIMS NOT PART OF ORIGI- PATENTEES GAMBLE PAYS OFF ON M ont h at a Glance NAL PATENT FOR REISSUE PURPOSES GAMBLING MACHINE PATENT In case of first

537 views • 8 slides
Better WebSockets - Server-Sent Events, a carefree alternative EuroPython - 12/07/2019 -

Better WebSockets - Server-Sent Events, a carefree alternative EuroPython - 12/07/2019 -

Better WebSockets - Server-Sent Events, a carefree alternative EuroPython - 12/07/2019 - Andrei Neagu @weetHK About me (can you guess the city?) W ork as an IT Technical Consultant I like to travel and explore Also known as typo

279 views • 27 slides
Web Sockets WebSockets Last time we say how to establish a WebSocket connection Today,

Web Sockets WebSockets Last time we say how to establish a WebSocket connection Today,

Web Sockets WebSockets Last time we say how to establish a WebSocket connection Today, we'll parse and send messages over the socket WebSocket Frame https://tools.ietf.org/html/rfc6455#section-5.2 Protocols Sidenote Many of the

469 views • 27 slides
Websockets Bring Light at the End of the Tunnel Presented by JOEL LORD THINK. CODE.

Websockets Bring Light at the End of the Tunnel Presented by JOEL LORD THINK. CODE.

Websockets Bring Light at the End of the Tunnel Presented by JOEL LORD THINK. CODE. COLLABORATE. Node PDX June 20 th , 2016 spiria.com Aboot me, eh? JOEL LORD - Javascript junkie - Tinkerer - Technology enthusiast @joel__lord

540 views • 22 slides
Give a Push to Your Qt Application with Qt Cloud Services and WebSockets About me Lauri

Give a Push to Your Qt Application with Qt Cloud Services and WebSockets About me Lauri

Give a Push to Your Qt Application with Qt Cloud Services and WebSockets About me Lauri Nevala nevalau nevalla nevalla Working in Qt Cloud Services team at The Qt Company Over ten years of experience in creating web and mobile

882 views • 67 slides
A Gentle Introduction to IoT Protocols: MQTT, CoAP, HTTP &amp; WebSockets Antonio Almeida and

A Gentle Introduction to IoT Protocols: MQTT, CoAP, HTTP &amp; WebSockets Antonio Almeida and

A Gentle Introduction to IoT Protocols: MQTT, CoAP, HTTP &amp; WebSockets Antonio Almeida and Jaime Gonzlez-Arintero June 14, 2017 Warning: we'll go fast! Visionaries &gt;_ On-line Man-Computer Communication, 1962 Visionaries &gt;_ The

665 views • 65 slides
Cross-Site Scripting XSS Many sites allow users to upload information Blogs, photo

Cross-Site Scripting XSS Many sites allow users to upload information Blogs, photo

Cross-Site Scripting XSS Many sites allow users to upload information Blogs, photo sharing, Facebook, etc. Which gets permanently stored And displayed Attack based on uploading a script Other users inadvertently download

428 views • 14 slides
!&quot;##&quot;$%&amp;'(&amp;)*'+,-&amp;#.*&quot;,-/,0 ' @;#/?*. ' A' !&quot;#$%&amp;

!&quot;##&quot;$%&amp;'(&amp;)*'+,-&amp;#.*&quot;,-/,0 ' @;#/?*. ' A' !&quot;#$%&amp;

!&quot;##&quot;$%&amp;'(&amp;)*'+,-&amp;#.*&quot;,-/,0 ' @;#/?*. ' A' !&quot;#$%&amp; '/.'&quot;'.*&amp;#&amp;4*=?/;&quot;5'.&amp;BC&amp;,;&amp;'4D'&amp;%&amp;,*.'&quot;..4;/&quot;*&amp;-'

583 views • 9 slides
To show some of the basic components of shell scripting, we are going to take a common task,

To show some of the basic components of shell scripting, we are going to take a common task,

To show some of the basic components of shell scripting, we are going to take a common task, creating a new user, and design a script to help automate this process. Original Script Display commands to manually creating an account #!/bin/bash #

255 views • 13 slides
secmodel_sandbox An application sandbox for NetBSD Stephen Herwig sandboxing Sandboxing:

secmodel_sandbox An application sandbox for NetBSD Stephen Herwig sandboxing Sandboxing:

secmodel_sandbox An application sandbox for NetBSD Stephen Herwig sandboxing Sandboxing: limiting the privileges of a process Two motivations - Running untrusted code in a restricted environment - Dropping privileges in trusted code so as to

1.09k views • 58 slides
DTrace Topics: /* print main headers */ OPT_dump ? printf(&quot;%s %s %s % DTraceToolkit

DTrace Topics: /* print main headers */ OPT_dump ? printf(&quot;%s %s %s % DTraceToolkit

#pragma D option quiet #pragma D option switchrate=10hz /* * Print header */ dtrace:::BEGIN { /* print optional headers */ OPT_time ? printf(&quot;%-14s &quot;, &quot; OPT_timestr ? printf(&quot;%-20s &quot;, &quot; OPT_zone ?

451 views • 31 slides
Cutting MapReduce Cost with Spot Market Huan Liu Accenture Technology Labs Why spot market? 2

Cutting MapReduce Cost with Spot Market Huan Liu Accenture Technology Labs Why spot market? 2

Cutting MapReduce Cost with Spot Market Huan Liu Accenture Technology Labs Why spot market? 2 Challenge with Spot Market 3 Cloud MapReduce Hadoop Our prior work MapReduce App MapReduce App Cloud MapReduce Hadoop Cloud OS Amazon

185 views • 7 slides
Shell Scripting Dalhousie University Winter 2019 Reading Glass and Ables, Chapter 8: bash Your

Shell Scripting Dalhousie University Winter 2019 Reading Glass and Ables, Chapter 8: bash Your

CSCI 2132: Software Development Norbert Zeh Faculty of Computer Science Shell Scripting Dalhousie University Winter 2019 Reading Glass and Ables, Chapter 8: bash Your Shell vs Your File Manager File manager Easy and intuitive to use

267 views • 25 slides
NLU lecture 6: Compositional character representations Adam Lopez alopez@inf.ed.ac.uk Credits:

NLU lecture 6: Compositional character representations Adam Lopez alopez@inf.ed.ac.uk Credits:

NLU lecture 6: Compositional character representations Adam Lopez alopez@inf.ed.ac.uk Credits: Clara Vania 2 Feb 2018 Lets revisit an assumption in language modeling (&amp; word2vec) When does this assumption make sense for language

801 views • 66 slides

More recommend