This repository has been archived by the owner on Jul 17, 2020. It is now read-only.

run-headless: Disable cross origin protection ("webSecurity") #267

Open
allquixotic opened this issue Jan 25, 2016 · 2 comments

Comments

@allquixotic

This is required to support the latest release of PhantomJS.

Explanation and 1-line diff here.

PhantomJS 2.1.1 is now properly respecting cross-origin strictness with web-security set to true (the default). To maintain support for the way the bot is architected, we have to tell PhantomJS it's okay to do cross-origin stuff. We trust chat.SE/SO and the bot script, right? :)

NB: PhantomJS 2.0 erroneously allowed our cross-origin stuff to run just fine with web-security enabled. This was actually a security vulnerability of sorts in PhantomJS. So we're just regressing our "security level" to where we used to be, not actually making it any worse.

@Zirak
Owner

Zirak commented Jan 25, 2016

What part of the bot violates web security?

@allquixotic
Author

Hmm, not sure. PJS doesn't give me enough info. I can try to find out exactly what it is, but would probably need a verbose option somewhere in Nightmare.

Here's the console output with webSecurity enabled (no errors with webSecurity false):

$ node run-headless.js
phantom stdout: NETWORK_ERR: XMLHttpRequest Exception 101: A network error occurred in synchronous requests.

  phantomjs://code/shim.js:1815 in send
  phantomjs://code/shim.js:1815 in _start
  phantomjs://code/shim.js:1842

Update: With PhantomJS --debug=true, not much better output (squelched notification of my cookies being picked up from the CookieJar):

phantom stderr: 2016-01-25T07:45:20 [DEBUG] Set  "http"  proxy to:  "" : 1080

phantom stderr: 2016-01-25T07:45:20 [DEBUG] Phantom - execute: Configuration
2016-01-25T07:45:20 [DEBUG]      0 objectName : ""
2016-01-25T07:45:20 [DEBUG]      1 cookiesFile : "cookies.jar"
2016-01-25T07:45:20 [DEBUG]      2 diskCacheEnabled : "false"
2016-01-25T07:45:20 [DEBUG]      3 maxDiskCacheSize : "-1"
2016-01-25T07:45:20 [DEBUG]      4 diskCachePath : ""
2016-01-25T07:45:20 [DEBUG]      5 ignoreSslErrors : "true"
2016-01-25T07:45:20 [DEBUG]      6 localUrlAccessEnabled : "true"
2016-01-25T07:45:20 [DEBUG]      7 localToRemoteUrlAccessEnabled : "false"
2016-01-25T07:45:20 [DEBUG]      8 outputEncoding : "UTF-8"
2016-01-25T07:45:20 [DEBUG]      9 proxyType : "http"
2016-01-25T07:45:20 [DEBUG]      10 proxy : ":1080"
2016-01-25T07:45:20 [DEBUG]      11 proxyAuth : ":"
2016-01-25T07:45:20 [DEBUG]      12 scriptEncoding : "UTF-8"
2016-01-25T07:45:20 [DEBUG]      13 webSecurityEnabled : "true"
2016-01-25T07:45:20 [DEBUG]      14 offlineStoragePath : ""
2016-01-25T07:45:20 [DEBUG]      15 localStoragePath : ""
2016-01-25T07:45:20 [DEBUG]      16 localStorageDefaultQuota : "-1"
2016-01-25T07:45:20 [DEBUG]      17 offlineStorageDefaultQuota : "-1"
2016-01-25T07:45:20 [DEBUG]      18 printDebugMessages : "true"
2016-01-25T07:45:20 [DEBUG]      19 javascriptCanOpenWindows : "true"

phantom stderr: 2016-01-25T07:45:20 [DEBUG]      20 javascriptCanCloseWindows : "true"
2016-01-25T07:45:20 [DEBUG]      21 sslProtocol : "any"
2016-01-25T07:45:20 [DEBUG]      22 sslCiphers : "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SH$
2016-01-25T07:45:20 [DEBUG]      23 sslCertificatesPath : ""
2016-01-25T07:45:20 [DEBUG]      24 sslClientCertificateFile : ""
2016-01-25T07:45:20 [DEBUG]      25 sslClientKeyFile : ""
2016-01-25T07:45:20 [DEBUG]      26 sslClientKeyPassphrase : ""
2016-01-25T07:45:20 [DEBUG]      27 webdriver : ":"
2016-01-25T07:45:20 [DEBUG]      28 webdriverLogFile : ""
2016-01-25T07:45:20 [DEBUG]      29 webdriverLogLevel : "INFO"
2016-01-25T07:45:20 [DEBUG]      30 webdriverSeleniumGridHub : ""

phantom stderr: 2016-01-25T07:45:20 [DEBUG] Phantom - execute: Script & Arguments
2016-01-25T07:45:20 [DEBUG]      script: "/home/sean/dev/SO-ChatBot/node_modules/nightmare/node_modules/phantom/shim.js"
2016-01-25T07:45:20 [DEBUG]      0 arg: "13201"
2016-01-25T07:45:20 [DEBUG]      1 arg: "127.0.0.1"
2016-01-25T07:45:20 [DEBUG] Phantom - execute: Starting normal mode

phantom stderr: 2016-01-25T07:45:20 [DEBUG] WebPage - setupFrame ""

phantom stderr: 2016-01-25T07:45:20 [DEBUG] FileSystem - _open: ":/modules/fs.js" QMap(("mode", QVariant(QString, "r")))

phantom stderr: 2016-01-25T07:45:20 [DEBUG] FileSystem - _open: ":/modules/system.js" QMap(("mode", QVariant(QString, "r")))

phantom stderr: 2016-01-25T07:45:20 [DEBUG] FileSystem - _open: ":/modules/webpage.js" QMap(("mode", QVariant(QString, "r")))

phantom stdout: NETWORK_ERR: XMLHttpRequest Exception 101: A network error occurred in synchronous requests.

phantom stdout:   phantomjs://code/shim.js:1815 in send
  phantomjs://code/shim.js:1815 in _start
  phantomjs://code/shim.js:1842
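
The `--debug=true` dump above prints the effective PhantomJS settings, including `webSecurityEnabled` and `ignoreSslErrors`, so it can be checked mechanically before a change like this one ships. The following is an added example, not code from the thread or from SO-ChatBot: `parseConfig`, `auditConfig` and the `POLICY` table are hypothetical names, and `SAMPLE_LOG` is constructed in the format of the posted output.

```javascript
// Added example: audit the "Phantom - execute: Configuration" section of a
// PhantomJS --debug=true log. SAMPLE_LOG is constructed, not captured output.
const SAMPLE_LOG = [
  'phantom stderr: 2016-01-25T07:45:20 [DEBUG] Phantom - execute: Configuration',
  '2016-01-25T07:45:20 [DEBUG]      5 ignoreSslErrors : "true"',
  '2016-01-25T07:45:20 [DEBUG]      6 localUrlAccessEnabled : "true"',
  '2016-01-25T07:45:20 [DEBUG]      7 localToRemoteUrlAccessEnabled : "false"',
  '2016-01-25T07:45:20 [DEBUG]      13 webSecurityEnabled : "true"',
  '',
  'phantom stderr: 2016-01-25T07:45:20 [DEBUG]      20 javascriptCanCloseWindows : "true"',
  '2016-01-25T07:45:20 [DEBUG] Phantom - execute: Script & Arguments',
  '2016-01-25T07:45:20 [DEBUG]      0 arg: "13201"',
].join('\n');

// Hypothetical policy (an assumption): value each security-relevant key must hold.
const POLICY = {
  webSecurityEnabled: { expect: 'true', why: 'cross-origin restrictions are disabled' },
  ignoreSslErrors: { expect: 'false', why: 'TLS certificate errors are ignored' },
  localToRemoteUrlAccessEnabled: { expect: 'false', why: 'local content may access remote URLs' },
};

// Matches `[DEBUG] <index> <key> : "<value>"`, with or without a "phantom stderr:" prefix.
const CONFIG_LINE = /\[DEBUG\]\s+\d+\s+(\w+) : "(.*)"\s*$/;

function parseConfig(log) {
  const config = {};
  let inConfig = false;
  for (const line of log.split(/\r?\n/)) {
    // Section headers switch parsing on and off; only the Configuration section counts.
    if (/Phantom - execute: Configuration/.test(line)) { inConfig = true; continue; }
    if (/Phantom - execute: /.test(line)) { inConfig = false; continue; }
    const m = inConfig && CONFIG_LINE.exec(line);
    if (m) config[m[1]] = m[2];
  }
  return config;
}

function auditConfig(config) {
  const findings = [];
  for (const [key, rule] of Object.entries(POLICY)) {
    // A key absent from the dump is reported rather than assumed safe.
    if (!(key in config)) findings.push(`${key}: missing from dump`);
    else if (config[key] !== rule.expect) findings.push(`${key}=${config[key]}: ${rule.why}`);
  }
  return findings;
}

console.log(auditConfig(parseConfig(SAMPLE_LOG)));
```
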
