Using a browser REST client to POST to the activity stream at e.g.
https://connectionsww.demos.ibm.com/connections/opensocial/basic/rest/activitystreams/#me/#all
...with the settings prescribed in IBM Connections OpenSocial API > POSTing new events
...results in the following response:
<error xmlns="http://www.ibm.com/xmlns/prod/sn">
<code>403</code>
<message>You are not authorized to perform the requested action.</message>
<trace></trace>
</error>
What am I missing?
This same approach works nicely on IBM Connections 4.0.
Which setting needs 'switching on'?
Try a URL like this... https://sbtdev.swg.usma.ibm.com:444/connections/opensocial/basic/rest/activitystreams/#me/#all
I added the Basic/Rest component, and it worked for me.
1 - Added URL https://sbtdev.swg.usma.ibm.com:444/connections/opensocial/basic/rest/activitystreams/#me/#all
2 - Changed Method to Post
3 - Added Content-Type: application/json
4 - Authentication -> Basic
5 - Logged IN
6 - Posted
Same thing here: 403 when I make an AJAX call to an IBM Connections 6.0 REST API url. Same error in Chrome, Firefox and IE11. When I open the same URL in a separate browser tab, everything works fine.
Comparing the http headers of both calls, and fiddling with Postman, the diference is the presence and value of the atribute Origin.
Seems that Connections allows calls from its own server. For example, when: Origin: connections.mycompany.com.
It also allows calls when Origin is not defined, which happens when the url is called from a separate browser tab.
There is a doc at IBMs Support site that confirms this - http://www-01.ibm.com/support/docview.wss?uid=swg21999210. It also suggests a workaround that did the job for me: unsetting the Origin attribute in the IBM HTTP Server that is in front of your Connections instance. Add the lines below to the httpd.conf file:
Header unset Origin
RequestHeader unset Origin
Related
In my application all the utterances from Bixby are redirected to an action which makes an api call. This api call returns the response to Bixby for the user utterance. Recently I observed that if the user says the following: -
user says: - Add xyz to my cart
api response: - Would you like 2 of those?
user says: - Yes
api response: - Would you like to checkout?
user says: - Yes
Ideally now the request should come to my api and the user should be shown the checkout result page, but instead Bixby shows the user cached response and is shown the below response again: -
api response: - Would you like to checkout?
and the loop continues indefinitely. I wanted to know if this behaviour is expected? Is there a way we can skip the caching and send the request to the api endpoint to respond?
Yes, requests are cached on the server. You can disable the cache if you wish.
For example,
let options = {
cacheTime: 0
};
let response = http.getUrl('https://my-capsule.com/api/search/', options);
See https://bixbydevelopers.com/dev/docs/reference/JavaScriptAPI/http#http-options for more options. No pun intended. :)
In addition to cacheTime provided by the client, the Server can sometimes provide additional directives (max-age and no-store or no-cache) in the Cache-Control header. When this occurs, this is what Bixby does:
no-cache or no-store: Bixby will not cache anything. This will override the cacheTime variable provided by client.
time of response + max-age < current time: Remove response from cache (even if client requested a longer cacheTime)
time of response + cacheTime < current time: Remove response from cache (even if response provided a longer max-age)
I've hosted to IIS in Azure a WCF. I need to do a post CORS client side (I'm using dojo js).
I expect this scenario
POST REQUEST -> OPTIONS PRE-FLIGHT -> POST RESPONSE
but if I see the chrome dev tools network I get:
POST Request -> OPTIONS PRE-FLIGHT -> AUTOMATICALLY GET REQUEST -> METHOD NOT ALLOWED (my WCF method only accept POST method)
There also a strange thing, if i see the GET response, it has status code 302 found and in the response header LOCATION : /rest/(X(1)S(xnrhdgei0ecua5s550yxqiv1))/login/ but I don't know what (X(1)S(xnrhdgei0ecua5s550yxqiv1)) is.
How can I solve this problem?
Thank you!
I solved adding <sessionState mode="InProc" cookieless="false"/> into the web.config. See my previous comment for additional details
I am using Videogular2 for azure content playback. The contents hosted on azure without DRM works perfectly. When I implement DRM protected content having token authentication gives CORS error. The error is thrown while fetching license from license server.
Following is my code
stream = {
source: 'http://xxxxx.streaming.mediaservices.windows.net/xxxxxxx/abc512kb.ism/manifest(format=mpd-time-csf)',
licenseServers: {
'com.widevine.alpha': {
serverURL: 'https://xxxxxx.keydelivery.westindia.media.azure.net/Widevine/?KID=xxxxx-ef40-87ed-b348-xxxxxx'
}
},
token: 'Bearer xxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
}
<video #media
[vgMedia]="media"
[vgDash]="stream.source"
[vgDRMLicenseServer]="stream.licenseServers"
[vgDRMToken]="stream.token"
id="singleVideo"
preload="auto" crossorigin
>
</video>
I got following error while fetching license from license server.
Response to preflight request doesn't pass access control check: The
value of the 'Access-Control-Allow-Origin' header in the response must
not be the wildcard '*' when the request's credentials mode is
'include'. Origin 'http://localhost:4300' is therefore not allowed
access. The credentials mode of requests initiated by the
XMLHttpRequest is controlled by the withCredentials attribute.
If I run it with disable-web-security of chrome then I call works perfectly.
Did any one face such issue while playing content from Azure Media.
Mandar -- Azure Media Services (AMS) origin sets the value of the 'Access-Control-Allow-Origin' header in preflight response as the wildcard ''. This works well with most players including our Azure Media Player, Roku and JW, and others. From the error, it seems Videogular2 does not work with AMS origin URL since, with credentials mode set to “include”, XMLHttpRequest in their dashjs does NOT allow wildcard “” as the value of “'Access-Control-Allow-Origin”.
Are you running the player from a single domain? If you are, we can set the request to include your incoming origin domain instead of the wildcard. Reach out to me at dwgeo at microsoft dot com and we can enable the feature on your account. Thanks.
I'm faced the same problem. Here is the Videogular2 source https://github.com/videogular/videogular2/blob/master/src/streaming/vg-dash/vg-dash.ts#L70
It work fine on same domain, but for different domain withCredentials=true is missing. after creating player on 70th line
this.dash = dashjs.MediaPlayer().create();
Should go this
this.dash.setXHRWithCredentials(true);
I hope it might help
I posted a request to payu server via form submit using angularjs now once payment is completed payu will return a response with hash.But when it hits my success page i get "HTTP Error 405.0 - Method Not Allowed".I found many solutions online but none of that solved my issue.What i understood is that static html do not allow post by default.But my staticFile in IIS is like below
Request Path : *
Module : StaticFileModule
Name : staticFile
Request Restriction >Verb > All Verbs & Access > Script & Invoke > Files and folders
My question now in how to allow POST method for html page.I am using angular and if i change my success url to other than mine it works fine.I think there is some changes to be made to the web config but i tried my best but failed.Any help would be much appreciated.Also lets assume that the page successfully redirects to my success page how to capture the response that payu sends me online.
Thanks in advance if more input is needed from my side kindly ask in reply.
It's not that HTML does not allow POST by default, it's that HTML does not handle POST, period. (Not even if the HTML file contains JavaScript.) POST sends data to a script that runs on your server, and the script has to be smart enough to know what to do with the data. HTML isn't that smart. The only thing your server can do with HTML is to send the HTML back to whatever is requesting it. You need a server-side script that knows how to parse payu's response, do something appropriate with the hash, and then generate some HTML to display in the user's browser.
I'm writing an extension that requests XML content from a server and displays data in a popup/dialog window. I've added the website to my manifest.json permissions like so:
"permissions": [
"http://*/*"
],
Later I added the following code to my background page:
function loadData() {
var url = "http://www.foo.com/api/data.xml";
var xhr = new XMLHttpRequest();
xhr.open('GET', url, true);
...
xhr.send();
the problem is, that I get the cross-site security error "Origin chrome-extension://kafkefhcbdbpdlajophblggbkjloppll is not allowed by Access-Control-Allow-Origin. "
The thing is, with "http:///" in the permissions I can request "http://www.foo.com/api", but I can't find any way to allow "http://www.foo.com/api/data.xml".
I've tried both "http:////*" and http://www.foo.com/api/data.xml" in the "permissions". What else should I be doing?
This should work (SOP doesn't apply to chrome extensions),so there are three possibilities:
There is some mistake somewhere
Just to make sure use add <all urls> permission and check that extension really have this permission. (e.g. execute chrome.runtime.getManifest() in console when inspecting background page )
Server itself is checking Origin header and is rejecting request if origin value is unexpected
You can quickly check this by using some http tester and sending request manually (for example Dev Http Client for chrome, since I'm one of the developers). If it shows the same error, it means that the server is really checking origin header.
To fix this you will have to make server somehow accept your origin , or you can use chrome.webRequest to set valid origin header to all the requests sent to the target server (standard XHR api doesn't allow modification of Origin header)
Chrome bug
Well in this case you can only report this error and wait for the best