Skip to content
This repository has been archived by the owner on Jul 17, 2020. It is now read-only.

run-headless: Disable cross origin protection ("webSecurity") #267

Open
allquixotic opened this issue Jan 25, 2016 · 2 comments
Open

run-headless: Disable cross origin protection ("webSecurity") #267

allquixotic opened this issue Jan 25, 2016 · 2 comments

Comments

@allquixotic
Copy link

This is required to support the latest release of PhantomJS.

Explanation and 1-line diff here.

PhantomJS 2.1.1 is now properly respecting cross-origin strictness with web-security set to true (the default). To maintain support for the way the bot is architected, we have to tell PhantomJS it's okay to do cross-origin stuff. We trust chat.SE/SO and the bot script, right? :)

NB: PhantomJS 2.0 erroneously allowed our cross-origin stuff to run just fine with web-security enabled. This was actually a security vulnerability of sorts in PhantomJS. So we're just regressing our "security level" to where we used to be, not actually making it any worse.
@Zirak
Copy link
Owner

Zirak commented Jan 25, 2016

What part of the bot violates web security?

@allquixotic
Copy link
Author

Hmm, not sure. PJS doesn't give me enough info. I can try to find out exactly what it is, but would probably need a verbose option somewhere in Nightmare.

Here's the console output with webSecurity enabled (no errors with webSecurity false):

$ node run-headless.js
phantom stdout: NETWORK_ERR: XMLHttpRequest Exception 101: A network error occurred in synchronous requests.

  phantomjs://code/shim.js:1815 in send
  phantomjs://code/shim.js:1815 in _start
  phantomjs://code/shim.js:1842

Update: With PhantomJS --debug=true, not much better output (squelched notification of my cookies being picked up from the CookieJar):

phantom stderr: 2016-01-25T07:45:20 [DEBUG] Set  "http"  proxy to:  "" : 1080

phantom stderr: 2016-01-25T07:45:20 [DEBUG] Phantom - execute: Configuration
2016-01-25T07:45:20 [DEBUG]      0 objectName : ""
2016-01-25T07:45:20 [DEBUG]      1 cookiesFile : "cookies.jar"
2016-01-25T07:45:20 [DEBUG]      2 diskCacheEnabled : "false"
2016-01-25T07:45:20 [DEBUG]      3 maxDiskCacheSize : "-1"
2016-01-25T07:45:20 [DEBUG]      4 diskCachePath : ""
2016-01-25T07:45:20 [DEBUG]      5 ignoreSslErrors : "true"
2016-01-25T07:45:20 [DEBUG]      6 localUrlAccessEnabled : "true"
2016-01-25T07:45:20 [DEBUG]      7 localToRemoteUrlAccessEnabled : "false"
2016-01-25T07:45:20 [DEBUG]      8 outputEncoding : "UTF-8"
2016-01-25T07:45:20 [DEBUG]      9 proxyType : "http"
2016-01-25T07:45:20 [DEBUG]      10 proxy : ":1080"
2016-01-25T07:45:20 [DEBUG]      11 proxyAuth : ":"
2016-01-25T07:45:20 [DEBUG]      12 scriptEncoding : "UTF-8"
2016-01-25T07:45:20 [DEBUG]      13 webSecurityEnabled : "true"
2016-01-25T07:45:20 [DEBUG]      14 offlineStoragePath : ""
2016-01-25T07:45:20 [DEBUG]      15 localStoragePath : ""
2016-01-25T07:45:20 [DEBUG]      16 localStorageDefaultQuota : "-1"
2016-01-25T07:45:20 [DEBUG]      17 offlineStorageDefaultQuota : "-1"
2016-01-25T07:45:20 [DEBUG]      18 printDebugMessages : "true"
2016-01-25T07:45:20 [DEBUG]      19 javascriptCanOpenWindows : "true"

phantom stderr: 2016-01-25T07:45:20 [DEBUG]      20 javascriptCanCloseWindows : "true"
2016-01-25T07:45:20 [DEBUG]      21 sslProtocol : "any"
2016-01-25T07:45:20 [DEBUG]      22 sslCiphers : "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SH$
2016-01-25T07:45:20 [DEBUG]      23 sslCertificatesPath : ""
2016-01-25T07:45:20 [DEBUG]      24 sslClientCertificateFile : ""
2016-01-25T07:45:20 [DEBUG]      25 sslClientKeyFile : ""
2016-01-25T07:45:20 [DEBUG]      26 sslClientKeyPassphrase : ""
2016-01-25T07:45:20 [DEBUG]      27 webdriver : ":"
2016-01-25T07:45:20 [DEBUG]      28 webdriverLogFile : ""
2016-01-25T07:45:20 [DEBUG]      29 webdriverLogLevel : "INFO"
2016-01-25T07:45:20 [DEBUG]      30 webdriverSeleniumGridHub : ""

phantom stderr: 2016-01-25T07:45:20 [DEBUG] Phantom - execute: Script & Arguments
2016-01-25T07:45:20 [DEBUG]      script: "/home/sean/dev/SO-ChatBot/node_modules/nightmare/node_modules/phantom/shim.js"
2016-01-25T07:45:20 [DEBUG]      0 arg: "13201"
2016-01-25T07:45:20 [DEBUG]      1 arg: "127.0.0.1"
2016-01-25T07:45:20 [DEBUG] Phantom - execute: Starting normal mode

phantom stderr: 2016-01-25T07:45:20 [DEBUG] WebPage - setupFrame ""

phantom stderr: 2016-01-25T07:45:20 [DEBUG] FileSystem - _open: ":/modules/fs.js" QMap(("mode", QVariant(QString, "r")))

phantom stderr: 2016-01-25T07:45:20 [DEBUG] FileSystem - _open: ":/modules/system.js" QMap(("mode", QVariant(QString, "r")))

phantom stderr: 2016-01-25T07:45:20 [DEBUG] FileSystem - _open: ":/modules/webpage.js" QMap(("mode", QVariant(QString, "r")))

phantom stdout: NETWORK_ERR: XMLHttpRequest Exception 101: A network error occurred in synchronous requests.

phantom stdout:   phantomjs://code/shim.js:1815 in send
  phantomjs://code/shim.js:1815 in _start
  phantomjs://code/shim.js:1842

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@allquixotic @Zirak