Thanks a ton, Richard!! I will ask my colleague if this works in AngularJS on Monday; my gut feel is it will :) Thanks a ton, guys!!!
Thanks and Regards,
Ajay

On Fri, Apr 14, 2017 at 5:01 PM, Richard Stanway <[email protected]> wrote:
> You're correct - placing the username and password in the URI is just as
> safe as any other method as long as it's going over HTTPS, and the
> credentials should never appear in any access logs (unless you specifically
> choose to log the Authorization header).
>
> On Fri, Apr 14, 2017 at 6:47 AM, Ajay Garg <[email protected]> wrote:
>
>> Hi Richard.
>>
>> You have got me thinking ...
>> https://username:[email protected]/ works, even without ANY of the
>> "add_header" and "proxy_set_header" directives.
>>
>> So, now the only thing that worries me is security.
>>
>> http://stackoverflow.com/questions/4143196/is-get-data-also-encrypted-in-https
>> indicates that the URL is safe, in the sense that "username" and "password"
>> would not be sniffable through a man-in-the-middle attack, right?
>>
>> Also, since 1.2.3.4 is our own server, we are not really bothered
>> about GET-requests getting logged on the server, so we should be good.
>>
>> Do I make sense?
>>
>> Kindly let me know your thoughts.
>>
>> Thanks and Regards,
>> Ajay
>>
>> On Thu, Apr 13, 2017 at 11:07 PM, Richard Stanway <[email protected]> wrote:
>>
>>> You're missing the "Authorization" header in
>>> your Access-Control-Allow-Headers directive.
>>>
>>> You can alternatively pass the basic auth in your URI, eg
>>> xhr.open("GET", "https://username:[email protected]/") rather than
>>> crafting it manually.
>>>
>>> On Thu, Apr 13, 2017 at 4:50 PM, Ajay Garg <[email protected]> wrote:
>>>
>>>> Strange, but rebooting the machine caused the credentials-popup to be
>>>> seen again :-|
>>>> Sorry for the noise here.
>>>>
>>>> There has been some progress, but I still get a "CORS preflight did not
>>>> succeed" error.
>>>> Following is what I am doing.
>>>>
>>>> a)
>>>> Following is the server-block in /etc/nginx/conf.d/default.conf ::
>>>>
>>>> ########################################################################
>>>> server {
>>>>
>>>>     listen 443 ssl;
>>>>
>>>>     ssl_certificate /etc/nginx/ssl/nginx.crt;
>>>>     ssl_certificate_key /etc/nginx/ssl/nginx.key;
>>>>
>>>>     add_header 'Access-Control-Max-Age' 1728000 'always';
>>>>     add_header 'Access-Control-Allow-Origin' $http_origin 'always';
>>>>     add_header 'Access-Control-Allow-Credentials' 'true' 'always';
>>>>     add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' 'always';
>>>>     add_header 'Access-Control-Allow-Headers' 'DNT,Access-Control-Allow-Origin,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type' 'always';
>>>>
>>>>     location / {
>>>>
>>>>         auth_basic 'Restricted';
>>>>         auth_basic_user_file /etc/nginx/ssl/.htpasswd;
>>>>
>>>>         proxy_set_header 'Access-Control-Max-Age' 1728000;
>>>>         proxy_set_header 'Access-Control-Allow-Origin' '*';
>>>>         proxy_set_header 'Access-Control-Allow-Credentials' 'true';
>>>>         proxy_set_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
>>>>         proxy_set_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
>>>>
>>>>         proxy_pass $forwarded_protocol://127.0.0.1:$forwarded_port;
>>>>
>>>>     }
>>>> }
>>>> ########################################################################
>>>>
>>>> b)
>>>> Firing the following html from firefox (sensitive information changed) ::
>>>>
>>>> ########################################################################
>>>> <html>
>>>> <body>
>>>> <script type="text/javascript">
>>>> var data = null;
>>>>
>>>> var xhr = new XMLHttpRequest();
>>>> xhr.withCredentials = true;
>>>>
>>>> xhr.addEventListener("readystatechange", function () {
>>>>     if (this.readyState === 4) {
>>>>         console.log(this.responseText);
>>>>     }
>>>> });
>>>>
>>>> xhr.open("GET", "https://1.2.3.4/");
>>>> xhr.setRequestHeader("authorization", "Basic abcdefg");
>>>> xhr.setRequestHeader("cache-control", "no-cache");
>>>>
>>>> xhr.send(data);
>>>> </script>
>>>> </body>
>>>> </html>
>>>> ########################################################################
>>>>
>>>> Following is received in the firebug-console (sensitive information changed) ::
>>>>
>>>> ########################################################################
>>>> GET https://23.253.207.208/
>>>> uff.html (line 19)
>>>> Headers
>>>>
>>>> Accept            text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>>>> Accept-Encoding   gzip, deflate, br
>>>> Accept-Language   en-US,en;q=0.5
>>>> Authorization     Basic abcdefg
>>>> Cache-Control     no-cache
>>>> Host              1.2.3.4
>>>> Origin            null
>>>> User-Agent        Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:47.0) Gecko/20100101 Firefox/47.0
>>>>
>>>> Cross-Origin Request Blocked: The Same Origin Policy disallows reading
>>>> the remote resource at https://1.2.3.4/. (Reason: CORS preflight
>>>> channel did not succeed).
>>>> ########################################################################
>>>>
>>>> I am beginning to believe that I am close to solving the issue (of
>>>> course all credit to the tremendous help from this list).
>>>> I will be grateful for the last bit of help being received from the
>>>> really helpful experts here..
>>>>
>>>> Sorry again for the noise in my previous email.
>>>>
>>>> Thanks and Regards,
>>>> Ajay
>>>> _______________________________________________
>>>> nginx mailing list
>>>> [email protected]
>>>> http://mailman.nginx.org/mailman/listinfo/nginx
>>>
>>
>> --
>> Regards,
>> Ajay
>>
>

--
Regards,
Ajay
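The preflight failure Richard diagnoses in the thread, worked through as an added example that is not code from the thread: a small Python model of the browser's CORS preflight decision, run over the header values the thread shows. It assumes Content-Type is always safelisted and models only the checks relevant here; it also shows why an Access-Control-Allow-Origin of '*' cannot be combined with credentials.

```python
# Added example, not code from the thread: a simplified model of the browser's
# CORS preflight decision, covering only the checks relevant here (content-type
# is treated as safelisted regardless of value).

# Request headers a browser may send without them being listed in Allow-Headers.
SAFELISTED = {"accept", "accept-language", "content-language", "content-type"}

# The Access-Control-Allow-Headers value from the thread's add_header line.
THREAD_ALLOW_HEADERS = (
    "DNT,Access-Control-Allow-Origin,X-CustomHeader,Keep-Alive,User-Agent,"
    "X-Requested-With,If-Modified-Since,Cache-Control,Content-Type"
)

# The request from the thread: the console log shows "Origin: null", nginx echoes
# $http_origin back, withCredentials is on, and the XHR adds two headers.
THREAD_REQUEST = dict(origin="null", request_headers=["Authorization", "Cache-Control"],
                      with_credentials=True, allow_origin="null", allow_credentials="true")


def parse_header_list(value):
    """Split a comma-separated header-name list into lower-cased names."""
    return {name.strip().lower() for name in value.split(",") if name.strip()}


def preflight_problems(origin, request_headers, with_credentials,
                       allow_origin, allow_credentials, allow_headers):
    """Return the reasons a browser would reject the preflight (empty list = OK)."""
    problems = []
    # Origin: a credentialed request needs its exact origin echoed back and
    # Allow-Credentials: true; the '*' wildcard is never accepted with credentials.
    if with_credentials:
        if allow_origin == "*":
            problems.append("Allow-Origin '*' is not valid with credentials")
        elif allow_origin != origin:
            problems.append(f"Allow-Origin {allow_origin!r} does not match origin {origin!r}")
        if allow_credentials.lower() != "true":
            problems.append("Allow-Credentials must be 'true' for a credentialed request")
    elif allow_origin not in ("*", origin):
        problems.append(f"Allow-Origin {allow_origin!r} does not match origin {origin!r}")
    # Headers: every non-safelisted request header must be listed by name.
    # 'Authorization' is never covered by a '*' wildcard, and with credentials
    # '*' is taken literally, so Authorization must always be listed explicitly.
    allowed = parse_header_list(allow_headers)
    wildcard = "*" in allowed and not with_credentials
    for name in sorted(h.lower() for h in request_headers):
        if name in SAFELISTED or name in allowed or (wildcard and name != "authorization"):
            continue
        problems.append(f"request header {name!r} is not in Access-Control-Allow-Headers")
    return problems
```

Running `preflight_problems(allow_headers=THREAD_ALLOW_HEADERS, **THREAD_REQUEST)` reports only the missing Authorization header; appending `,Authorization` to the list makes the preflight pass.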
