janhommes / o.js

o.js - client side oData lib.

Home Page: https://janhommes.github.io/o.js/example/

Refused to set unsafe header "Accept-Charset" and CORS is false

be236 opened this issue · comments

commented

When I tried to set this header for my OData request, using:

o().config({headers:[{name:'Accept-Charset',value:'application/json'}]});
o(MYURL).get();

Here is the error back in my response (and note I turned off CORS):

Refused to set unsafe header "Accept-Charset" <--- how to get past this error?

oData {
data:
[ { name: 'Photos', kind: 'EntitySet', url: 'Photos' },
{ name: 'People', kind: 'EntitySet', url: 'People' },
{ name: 'Airlines', kind: 'EntitySet', url: 'Airlines' },
{ name: 'Airports', kind: 'EntitySet', url: 'Airports' },
{ name: 'Me', kind: 'Singleton', url: 'Me' },
{ name: 'GetNearestAirport',
kind: 'FunctionImport',
url: 'GetNearestAirport' } ],
inlinecount: null,
param: {},
oConfig:
{ endpoint: 'http:///mgmt/odata',
format: 'json',
autoFormat: true,
version: 4,
strictMode: true,
start: null,
ready: null,
error: null,
headers: [ [Object] ],
username: null,
password: null,
isAsync: true,
isCors: false, <--- set to false
openAjaxRequests: 0,
isHashRoute: true,
appending: '' },
raw:
{ '@odata.context': 'http://services.odata.org/V4/TripPinService/$metadata'
...etc...

Any idea how to get o.js to set/use my headers I specified in my request?

This sounds like an issue with the backend which does not allow that header or the value. Which status code do you get back?

commented

How do I get my response headers back?

I'm using this:

o().config({headers:[{name:'Accept-Charset',value:'iso-8859-5, unicode-1-1;q=0.8'}]});
const ohandler = o(MYURL).get((result) => {
  console.log(ohandler.raw);
});

and it returns:

Refused to set unsafe header "Accept-Charset"
{ '@odata.context': 'https://172.17.0.3/mgmt/odata/$metadata#shared/pipelineworker',
value:
[ { boolValFour: true,
boolValOne: true,
... etc...

So I am guessing I get status code 200 back as shown in my response payload above? But seems I get the error msg about "unsafe" from my server and it is not being handled correctly?

The easiest way to look at your response headers is to use google chrome dev tools. What does the network tab say?

commented

When I use curl against my service, it shows status code 200 back:

andrew@dockerlive: curl -ski -X GET -H "Accept-Charset: utf-8" https://10.145.90.58/mgmt/odata/something
HTTP/1.1 200 OK
Date: Tue, 03 Apr 2018 19:00:45 GMT
Server: Jetty(9.2.22.v20170606)
Set-Cookie: BIGIPAuthCookie=D697AF30AF1DD44EE0FDF41007F86487C2C3C82E; path=/; Secure; HttpOnly
Set-Cookie: BIGIPAuthUsernameCookie=admin; path=/; Secure; HttpOnly
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=16070400; includeSubDomains
Content-Type: application/json; charset=utf-8
Allow:

ETag: W/"1b161-OIV8h+DidmtSasf+E3/lc3lLhWo"
OData-Version: 4.0
X-Powered-By: Express
... etc...

So, why does Curl work to accept that header, but o.js gives that error?

So the browser has CORS, which might block your header because it is not allowed. Can you check what the access-control-allow-header is returning? More info here.

commented

Using Postman to make my call to my OData service, here are the headers I see (I don't see access-control-allow-header back in response):

Allow →
Cache-Control →no-store
Cache-Control →no-cache
Cache-Control →must-revalidate
Connection →Keep-Alive
Content-Length →110945
Content-Security-Policy →default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; img-src 'self' data: http://127.4.1.1 http://127.4.2.1
Content-Type →application/json; charset=utf-8
Date →Wed, 04 Apr 2018 16:23:25 GMT
ETag →W/"1b161-OIV8h+DidmtSasf+E3/lc3lLhWo"
Expires →-1
Keep-Alive →timeout=4, max=100
OData-Version →4.0
Pragma →no-cache
Server →Jetty(9.2.22.v20170606)
Set-Cookie →BIGIPAuthCookie=6716C555A2ED866FBBA92C5729B6125A2BA31BF7; path=/; Secure; HttpOnly
Set-Cookie →BIGIPAuthUsernameCookie=admin; path=/; Secure; HttpOnly
Strict-Transport-Security →max-age=16070400; includeSubDomains
X-Content-Type-Options →nosniff
X-F5-Api-Status →DEPRECATED_PROPERTY
X-F5-Odata-Query-Operators-Handled →
X-Frame-Options →SAMEORIGIN
X-Powered-By →Express
X-XSS-Protection →1; mode=block

As said, only browsers have CORS. I don't think that Postman uses CORS. Why not check it with Chrome and F12 -> dev tools? There should be an OPTIONS preflight request which is blocked because of the CORS settings if you use o.js.

I am assuming you are using o.js in the browser and not in node.js?

commented

Oh, no...

I am using o.js with node.js (not inside browser)... hence using this header doesn't work with node.js (get that error in my original post), but using with Curl, it works fine using that header.

okay, I think we are getting somewhere...

Why do you want to set the accept-charset header? By spec this is not allowed for browsers and because we are simulating browser calls in node it is correctly refused.

Also, the value you provided makes no sense for that header (at least in the first example). And you are sure that you don't want to get UTF-8 data (which is basically the standard)? So you really want to switch the charset and not just want to use another content type (accept-header)?
If so, I must sadly say that it is not possible because we are following here the spec for XMLHttpRequest (to support browser!) and it refuses it (that's why you are getting correctly that error).

commented

I am wanting "utf-8" charset, as shown above....

The issue is ... why does Curl work to set that accept-charset header, again:

andrew@dockerlive: curl -ski -X GET -H "Accept-Charset: utf-8" https://10.145.90.58/mgmt/odata/something
HTTP/1.1 200 OK
Date: Tue, 03 Apr 2018 19:00:45 GMT
... etc...
this Curl works and it runs outside browser just fine...

But using o.js with node.js (and using mocha), it doesn't work, I get that error...

And I tried to set CORS in o.js header to true or false and it had no effect...

So, are you saying I can never get this header to work with node.js?

> So, are you saying I can never get this header to work with node.js?

No, I am saying: You will never get the Accept-Charset header working with o.js. We are using the XMLHttpRequest (better known as AJAX) standard in Browser and Node.js to make it isomorphic, and that standard does not allow setting that header. We cannot switch because then o.js would not work in the browser anymore.

You could use any other library which does http requests like this. Personally, I would ask myself the question why I need to set a charset to one that is a de facto standard. If you don't have any access to the server and it is returning another charset, it is understandable. Otherwise, I would try to change the charset to UTF-8 on the server implementation.
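
Added example, not part of the thread and not o.js code: a sketch of the header filtering that XMLHttpRequest implementations apply, which is why curl sends Accept-Charset while an XHR-based client refuses it. The list follows the Fetch standard's forbidden request-header names; the function names and sample headers are assumptions made for illustration.

```javascript
// Forbidden request-header names from the Fetch standard, which
// XMLHttpRequest.setRequestHeader() enforces so that scripts cannot forge
// headers the user agent controls. Stored lowercase because header names
// are case-insensitive. A given Node XHR shim may carry a slightly
// different list (older ones also refuse User-Agent).
const FORBIDDEN_NAMES = new Set([
  'accept-charset', 'accept-encoding', 'access-control-request-headers',
  'access-control-request-method', 'connection', 'content-length',
  'cookie', 'cookie2', 'date', 'dnt', 'expect', 'host', 'keep-alive',
  'origin', 'referer', 'te', 'trailer', 'transfer-encoding', 'upgrade',
  'via',
]);
const FORBIDDEN_PREFIXES = ['proxy-', 'sec-'];

function isForbiddenRequestHeader(name) {
  const lower = String(name).trim().toLowerCase();
  return FORBIDDEN_NAMES.has(lower) ||
    FORBIDDEN_PREFIXES.some((prefix) => lower.startsWith(prefix));
}

// Takes headers in the shape passed to o().config({headers: [...]}) and
// splits them the way an XHR implementation would: forbidden names are
// dropped with a warning, everything else is sent.
function partitionHeaders(headers) {
  const sent = [];
  const refused = [];
  for (const header of headers) {
    if (isForbiddenRequestHeader(header.name)) {
      refused.push(`Refused to set unsafe header "${header.name}"`);
    } else {
      sent.push(header);
    }
  }
  return { sent, refused };
}

// Constructed sample configuration (values are illustrative).
const sample = partitionHeaders([
  { name: 'Accept-Charset', value: 'utf-8' },
  { name: 'Accept', value: 'application/json' },
  { name: 'sec-example', value: '1' },
  { name: 'X-Requested-With', value: 'o.js' },
]);
console.log(sample.refused.join('\n'));
console.log(sample.sent.map((h) => `${h.name}: ${h.value}`).join('\n'));
```

The request still goes out with the remaining headers, which matches the thread: the warning is printed and the service answers normally.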