Refused to set unsafe header "cookie" and net::ERR_INSECURE_RESPONSE in AngularJS

Question

I am trying to make REST request on Wildfly server. First I must login to old application and to get cookie. That cookie must be used in newer application which makes REST requests. New application is some template from real existing one. I have tried some options in header of REST request like setting properties withCredentials, Access-Control-Allow-Credentials, token, crossDomain as shown in function getAllEntities bellow.

REST requests where tested and they worked fine with RestClient on Firefox browser as shown bellow.

I do not know how to:

• insert cookie which I get from previous application

• remove token (it seems this is impossible)

• solve these two errors which are written in title

This is how does request look like in RestClient:

Method: GET 
URL: https://xx.xx.xx.xx:8443/api/codes
Content-Type: application/json
Accept: application/json
Cookie: code_system_frontend=bvkkvbcp24igdgja4h5hht13p4; code=ae8be9267e8dfea86a8f54f6bd980733

This is how response look like in RestClient:

Status Code: 200 OK
Access-Control-Allow-Headers: Content-Type, Content-Disposition, Accept, responseType, X-MAC, X-TIME, Cookie
Access-Control-Allow-Methods: GET, POST, DELETE, PUT, OPTIONS
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Type, Content-Disposition, Accept
Connection: keep-alive
Content-Type: application/json
Date: Tue, 26 Jul 2016 15:22:00 GMT
Server: WildFly/9
Transfer-Encoding: chunked
access-control-allow-credentials: true
x-powered-by: Undertow/1

and typical JSON response body:

[
    {
        "code": 1,
        "codename": "Demo"
    },
    {
       "code": 2,
       "codename": "Gmx"
    }
    //AND SO ON 
]

This is code in Angularjs:

function getAllEntities(entityName, addToCache) {
    config = {
       headers: {

                'cookie':'code_system_frontend=bvkkvbcp24igdgja4h5hht13p4;code=ae8be9267e8dfea86a8f54f6bd980733',
                'Content-Type': 'application/json',
                'Accept': 'application/json',
                'withCredentials':'true',
                //'Access-Control-Allow-Credentials': 'true',
                //'X-API-TOKEN': undefined,
                //'token':undefined,
                //crossDomain: true
            },
            data: ''
        };

        return $http.get(endPoints.api + entityName, config)
            .then(getAllEntitiesComplete)
            .catch(function (message) {
                exception.catcher('XHR Failed for getAllEntities for entity ' + entityName)(message);
                return $q.reject(message);
                logger.info('Message ' + message);
            });

        function getAllEntitiesComplete(data, status, headers, config) {

            var entities = data.data;

            if (addToCache) {
                service.cachedLookups[entityName] = entities;
                service[entityName + 's'] = entities;
            }
            return entities;
        }
    }

In Firebug I get:

Request Header in Firebug:

Accept: application/json
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.5
Content-Type: application/json
Host: XX.XX.XX.XX:8443
Origin http://admin.dev.xxxxxxxx.xxx
Referer http://admin.dev.xxxxxxxx.xxx/xx/codes
User-Agent Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
token fake token for anonymous user 
withCredentials true

And I also get warning in Firebug:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the 
remote resource at https://xx.xx.xx.xx:8443/xxxxxxxx/api/code. (Reason: 
CORS header 'Access-Control-Allow-Origin' does not match '*').

And I get this error because of my code:

Error: XHR Failed for getAllEntities for entity suborder Object { status=0, config={...},  data=null,  more...}

In Crome I get:

Refused to set unsafe header "cookie" 

and

net::ERR_INSECURE_RESPONSE

Answer 1

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://xx.xx.xx.xx:8443/xxxxxxxx/api/code. (Reason: CORS header 'Access-Control-Allow-Origin' does not match '*').

It seems like you have not enabled Cross Origin Resource Sharing (CORS) on your server or that it's wrongly configured.

Regarding the header issue, you should have a look at that post:

AJAX post error : Refused to set unsafe header "Connection"

XMLHttpRequest isn't allowed to set these headers, they are being set automatically by the browser. The reason is that by manipulating these headers you might be able to trick the server into accepting a second request through the same connection, one that wouldn't go through the usual security checks - that would be a security vulnerability in the browser.

If you are using cookies, the cookie should automatically be sent with each request, particularly if you have set withCredentials = true.

If you are using tokens however, you must add them to the Authorization header, generally in the format: "Bearer " + mytoken