I am trying to use the YUI uploader to upload files to Django view.
However, I am getting a 403 error in CsrfViewMiddleware. I have determined that the problem is due to the flash uploader (that the YUI uploader uses) not sending the CSRF cookie in the file upload request.
The YUI uploader's uploadAll() function allows additional data to be sent with the upload request in object form. Since the CSRF cookie can be easily retrieved, I am trying to add the cookie to the request via the uploadAll() function, but I am not entirely sure as to what format to send it in so that CsrfViewMiddleware finds the cookie where it expects it. This does not work:
var cookie = YAHOO.util.Cookie.get('csrftoken');
uploader.uploadAll(url, 'POST', { csrfmiddlewaretoken: cookie });
Any insight would be greatly appreciated!
Unfortunately, because of Flash player limitations, the YUI Uploader can't insert the cookie into the header of the request, which is where the backend expects it to be. The only thing you can do, which is what that additional argument up there does, is to add POST variables to the request. However, that means that you need additional server logic to extract them as POST variables and them compare them to the cookie record -- it won't work by default.
If you are unable to modify the server-side code, you won't be able to authenticate the requests sent from the Uploader :(.
Related
I have:
React app: https://myreact.com
Django + DRF: https://mydjango.com
React has a form that when submitted sends a POST request to mydjango.com/handle-form with all the cookies, because I speicfy withCredentials: true in my ajax request (thus all the cookies are sent).
As I can see it, there's no way to perform csrf attack, because browser stores cookies only for myreact.com. And if an attacker creates a domain myreact2.com with the same exact form (that upon submitting sends POST request to mydjango.com/handle-form), cookies from myreact.com won't be sent, meaning there's no csrf attack.
The questions:
Am I right?
Will browser store cookies only in myreact.com or in both domains, when I make an ajax request from myreact.com to mydjango.com and mydjango.com in response sends a Set-Cookie header?
I understand how it would work, when both frontend and backend shared the same domain. CSRF attack could be very possible without csrf token or something else. But my case bothers me.
My requirement is that send an email to some recipient with text body using POSTMAN Native app,
I used the below endpoint with requested data,
Base URL: https://www.googleapis.com/gmail/v1/users/userId/messages/send
Headers :Authorization:Bearer
Request Method :POST
Request body :{"raw";"to:user1mail#gmail.com","subject":"Test_Mail"}
Clicking Send button
But getting error response code 400,required recipient address
Please help me in this to send an email using POSTMAN,and I've tried with upload end point too -https://www.googleapis.com/upload/gmail/v1/users/user1email#gmail.com/messages/send
Thanks in advance,looking for help guys
Came across your question trying to figure this out myself today.
Request body : {"raw";"to:user1mail#gmail.com","subject":"Test_Mail"}
The raw param should be a complete email message that's base64-encoded.
i.e.: {"raw": "VG86IHVzZXIxbWFpbEBnbWFpbC5jb20KU3ViamVjdDogVGVzdF9NYWls"}
400 error means bad request, which could mean there are missing or wrong parameters. Check the Users.messages.send
Path parameters
userId string The user's email address. The special value me can be
used to indicate the authenticated user.
Required query parameters
uploadType string The type of upload request to the /upload URI.
Acceptable values are:
media - Simple upload. Upload the media only, without any metadata.
multipart - Multipart upload. Upload both the media and its metadata, in a single request.
resumable - Resumable upload. Upload the file in a resumable fashion, using a series of at least two requests where the first
request includes the metadata.
I am trying to use Session auth in Django with React. All my GET REST calls are being reject with status 403. I probably have to send sessionidin headers, but sessionid cookie is HTTP only, so my JS code gets a null value when reading it. If I set the cookie to not be HTTP-only anymore, I can read it and send it in headers, but still seing the same problem.
Note: the view which includes the React app has a path /app, the REST api path is /api. Could this be the problem?
This is actually related to the fetch library I am using for making API calls. In order to send the sessionid automatically, credentials: include must be added in options.
I'm setting a cookie in a response from my web service. The set-cookie header is coming through, and I can see the cookie in the network tab in Chrome, but the cookie isn't being stored. It doesn't show up in the resources->cookies tab, and the cookie isn't sent with subsequent requests. Nothing shows up in the JS console. I've also tried leaving the domain field off the cookie, but it still isn't stored.
Is there a way to debug the browser to understand why the cookie was rejected from being stored?
Turns out it had to do with the way I was making the request. I expected fetch() to work the same way as XHR requests. Setting credentials: 'include' on my fetch call resolved the problem. See 5.6.14 of the fetch spec
I am trying to build a Django powered website. I want the website to be dynamic. For example, I want the profile page for a authenticated user to contain multiple resources (like a friends list, a group list, usage history etc) and these resources should be loaded in the same area on the page by making API calls without reloading the page.
Here is my understanding of the process:
Browser on the client side requests the profile page at www.example.com/user:id
The server returns a HTTP response and sends the html, css and javascript to the browser.
To load variable resources on the webpage, for example, the friend list, the javascript makes API calls using HTTP and sending context in JSON.
The API returns a JSON response which contain the data requested.
Javascript renders the data as html and the client is able to see new content on the same page.
I thought that in order to do this, some of my server side views need to be ordinary Django views which returns an HTTP response, while some others need to be API views which return JSON.
Now here's my confusion. Let's say www.example.com/user:id is processed using an ordinary django view, while www.example.com/user/:id/friendslist is processed using an API view. Now if the user inadvertently points the browser at www.example.com/user/:id/friendslist by typing the entire URL and hits go, what happens?
If I go with the flow of logic that I mentioned above, then the view will simply return a JSON. No html, css or javascript. In this case, how will the browser know what html to display?
I am just a beginner and I am sure I got the flow of logic wrong. Can someone please point out which part I got wrong?
Now if the user inadvertently points the browser at www.example.com/user/:id/friendslist by typing the entire URL and hits go, what happens?
It depends on how you coded your server. In Django you can use is_ajax to check whether the request was AJAX or not. You could return an HTTP error code when the request is not an AJAX one, if you wanted. So a user who inadvertently points the browser to your URL but does not take any further action will get an error.
Note here that a knowledgeable user could circumvent is_ajax by setting the request header field HTTP_X_REQUESTED_WITH to XMLHttpRequest manually.
If I go with the flow of logic that I mentioned above, then the view will simply return a JSON. No html, css or javascript. In this case, how will the browser know what html to display?
Setting your returned data type to application/json already tells the browser what it is dealing with. The least a browser would do this with this is display it as text.
Here's an example of an API call that returns JSON: https://api.zotero.org/users/475425/collections/9KH9TNSJ/items?format=json My browser just shows the JSON.