I'm developing a Firefox OS client for ownCloud. When I try to log in and send the user credentials to the server, I need to obtain in response the cookie that I will use to authenticate in ownCloud in each request.

My problem is that, as I’ve seen in Wireshark, the cookie is sent in an HTTP 302 message, but I cannot read this message in my code because Firefox handles it automatically and I read the final HTTP 200 message without cookie information in the

request.responseText;
request.getAllResponseHeaders();

So my question is if there is any way to read this HTTP 302 message's headers, or if I can obtain the cookie from Firefox OS before I send the next request, or even make Firefox OS add the cookie automatically. I use the following code to make the POST:

request = new XMLHttpRequest({mozSystem: true});
request.open('post', serverInput, true);
request.withCredentials = true;
request.addEventListener('error', onRequestError);
// The request is asynchronous (third argument of open() is true), so the
// status and headers are only available once the 'load' event fires.
request.addEventListener('load', function () {
  if (request.status == 200 || request.status == 302) {
    response = request.responseText;
    var headers = request.getAllResponseHeaders();
    document.getElementById('results').innerHTML = "Server found";
    loginSuccessfull();
  } else {
    alert("Response not found");
    document.getElementById('results').innerHTML = "Server NOT found";
  }
});
request.setRequestHeader("Cookie", cookie_value);
request.setRequestHeader("Connection", "keep-alive");
request.setRequestHeader("Content-type", "application/x-www-form-urlencoded");

request.send(send_string);
unor

1 Answer


"mozAnon

Boolean: Setting this flag to true will cause the browser not to expose the origin and user credentials when fetching resources. Most important, this means that cookies will not be sent unless explicitly added using setRequestHeader.

mozSystem

Boolean: Setting this flag to true allows making cross-site connections without requiring the server to opt-in using CORS. Requires setting mozAnon: true, i.e. this can't be combined with sending cookies or other user credentials." [0]

I'm not sure if you're an owncloud developer, but if you are and have access to the server, you should try setting CORS headers. [1] Maybe if you can stand up a proxy server and have your app connect to the proxy server that does have CORS enabled?

There's also a withCredentials property [2] you can set on instances of xhr objects. It looks like it will add the header Access-Control-Request-Headers: "cookies" and send an HTTP OPTIONS request, which is the preflight [3]. So this would still require server side support for CORS. [4]

Though it seems like this shouldn't work based on internal comments [5], I was able to run this from a simulator and see the request and response headers:

var x = new XMLHttpRequest({ mozSystem: true });
x.open('get', 'http://stackoverflow.com');
x.onload = function () { console.log(x.getResponseHeader('Set-Cookie')); };
x.setRequestHeader('Cookie', 'hello=world;');
x.send();

You'd probably want to reassign document.cookie in the onload event, rather than logging it, if the response header exists (not every site sets cookies on every request). You'd also want to set the request header to document.cookie itself.

[0] https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest#XMLHttpRequest%28%29

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS

[2] https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest#Properties

[3] https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Preflighted_requests

[4] http://www.html5rocks.com/en/tutorials/cors/#toc-making-a-cors-request

[5] https://bugzilla.mozilla.org/show_bug.cgi?id=966216#c2

Nick Desaulniers
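
An added example, not part of the answer above and not ownCloud or Firefox OS code: a small cookie jar for the manual handling the answer suggests, turning a `Set-Cookie` response header into the `Cookie` request header while honouring the `Secure` attribute so a session cookie is never replayed over plain HTTP. `CookieJar`, `SAMPLE_SET_COOKIE` and the cookie names are hypothetical, and it assumes multiple `Set-Cookie` headers arrive joined by newlines.

```javascript
// Constructed sample header value (not captured from a real server).
var SAMPLE_SET_COOKIE =
  'session=abc123; Path=/; HttpOnly; Secure\n' +
  'lang=en; Expires=Wed, 01 Jan 2031 00:00:00 GMT';

// Minimal in-memory cookie jar (hypothetical helper for this example).
function CookieJar() {
  this.cookies = Object.create(null); // name -> { value, secure }
}

// Record cookies from a raw Set-Cookie header value (null when absent).
// Assumption: several Set-Cookie headers are joined with "\n". Splitting on
// commas would be wrong because Expires dates contain commas.
CookieJar.prototype.store = function (setCookieHeader) {
  if (!setCookieHeader) return;
  var jar = this;
  setCookieHeader.split('\n').forEach(function (line) {
    var parts = line.split(';');
    var pair = parts.shift();
    var eq = pair.indexOf('=');
    if (eq < 1) return; // skip malformed entries without a name
    var name = pair.slice(0, eq).trim();
    var value = pair.slice(eq + 1).trim();
    var attrs = parts.map(function (a) { return a.trim().toLowerCase(); });
    // Max-Age of zero or less is a deletion request from the server.
    var expired = attrs.some(function (a) {
      return /^max-age=(0|-\d+)$/.test(a);
    });
    if (expired) { delete jar.cookies[name]; return; }
    jar.cookies[name] = { value: value, secure: attrs.indexOf('secure') !== -1 };
  });
};

// Build the Cookie request header for a URL. Only name=value pairs are sent
// (never the attributes), and Secure cookies are withheld from non-https URLs.
CookieJar.prototype.headerFor = function (url) {
  var https = /^https:/i.test(url);
  var jar = this;
  return Object.keys(jar.cookies).filter(function (name) {
    return https || !jar.cookies[name].secure;
  }).map(function (name) {
    return name + '=' + jar.cookies[name].value;
  }).join('; ');
};
```

With the answer's snippet, this would be `x.setRequestHeader('Cookie', jar.headerFor(url))` before `send()` and `jar.store(x.getResponseHeader('Set-Cookie'))` inside `onload`.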