5

Problem description

We are running a Kibana 4.3 service. I do not want to modify the source code.

The objective is to add an encrypted token, call it A-Token, to every Ajax request that the browser makes to Kibana.

Background

The Kibana service is proxied by nginx.

When a user makes an Ajax request to the Kibana service, the request is intercepted by an nginx http_auth_request proxy and passed to an "auth" service that validates the token. If it's missing or invalid, then "auth" returns 201 to http_auth_request and the request to the Kibana service is executed, else it returns a 404 and the request is denied since it was made without a valid token.

(This scheme is based on the encrypted token pattern often used as a countermeasure for cross-site scripting in session-less situations like the one at hand.)

I read the W3 XMLHttpRequest documentation and it seems that setRequestHeader needs to run after open and before send - which implies that this scheme is either impossible in a general case or very JS platform dependent.

A test using the jQuery .ajaxSetup, like this example, confirms that headers cannot be set independently:

    $.ajaxSetup({
        // Called by jQuery for each of its Ajax requests, after open() and before send()
        beforeSend: function (xhr) {
            xhr.setRequestHeader("A-Token", 1314159);
        }
    });

Looking for possible solutions which will not require forking Kibana.

Danny

Danny Lieberman
  • 1
    Possible duplicate of [How can I add a custom HTTP header to ajax request with js or jQuery?](http://stackoverflow.com/questions/7686827/how-can-i-add-a-custom-http-header-to-ajax-request-with-js-or-jquery) – Lukasz Wiktor Jun 22 '16 at 09:32
  • Lukasz - thanks! That post is jQuery specific. It will not work in a general case where you want to always inject a header like an encrypted token. The setRequestHeader method needs to be called after open and before send. The jQuery ajaxSetup method is jQuery specific. – Danny Lieberman Jun 22 '16 at 09:40
  • 1
    Ah, I see! So you're not looking for a jQuery solution but for a native XHR? Or actually every XHR, regardless if it's native, produced from jQuery or any other library. Do I understand it correctly? – Lukasz Wiktor Jun 22 '16 at 09:44
  • Correct. Every XHR regardless of library. It seems that since the setRequest has to be made after open and before send - that we have to intercept the Ajax request - inject the Header token and then shoot it out. That's my current thinking at least – Danny Lieberman Jun 22 '16 at 09:51

1 Answer

12

I was searching for a solution to this problem as well but couldn't find anything, and then I came up with the following solution:

        // Keep a reference to the native open() so the wrapper can call it
        XMLHttpRequest.prototype.origOpen = XMLHttpRequest.prototype.open;
        XMLHttpRequest.prototype.open   = function () {
            this.origOpen.apply(this, arguments);
            // open() has run and send() has not, so the header can be set here
            this.setRequestHeader('X-TOKEN', 'the token');
        };
  • Clever solution, but adding to a prototype that isn't yours is always a tricky business, especially built-ins. Still +1, though. – trysis Jun 04 '18 at 12:47
  • @Ziyadin, how can I do the same thing for ActiveXObject? If IE, my code will use ActiveXObject. – user_27 Mar 03 '20 at 12:44
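
An added example, not part of the original question or answer: a variant of the `open()` wrapper above that attaches the token only to same-origin requests, so it is not sent to other hosts, and that keeps the native `open` in a closure rather than on the prototype. `installTokenHeader`, `FakeXHR`, `demo`, the token value and the `example.test` hosts are hypothetical names constructed for illustration.

```javascript
// Added example (not the answer's code). All names and hosts are constructed.
function installTokenHeader(XHR, pageOrigin, headerName, getToken) {
  const origin = new URL(pageOrigin).origin;
  const nativeOpen = XHR.prototype.open; // kept in a closure, not on the prototype
  XHR.prototype.open = function (method, url) {
    const result = nativeOpen.apply(this, arguments);
    let target;
    try {
      target = new URL(String(url), origin); // resolves relative URLs too
    } catch (e) {
      return result; // unparsable URL: attach nothing
    }
    if (target.origin === origin) {
      // Legal at this point: open() has run and send() has not.
      this.setRequestHeader(headerName, String(getToken()));
    }
    return result;
  };
  // Returns a function that restores the native open().
  return function uninstall() { XHR.prototype.open = nativeOpen; };
}

// Constructed stand-in for XMLHttpRequest so the example runs outside a browser.
class FakeXHR {
  constructor() { this.opened = false; this.headers = {}; }
  open(method, url) { this.opened = true; this.url = url; }
  setRequestHeader(name, value) {
    if (!this.opened) throw new Error('InvalidStateError');
    this.headers[name] = value;
  }
}

// Opens three constructed URLs and reports which ones received the header.
function demo() {
  const uninstall = installTokenHeader(
    FakeXHR, 'https://kibana.example.test', 'A-Token', () => 'constructed-token');
  const urls = ['/reports/search',
                'https://kibana.example.test/status',
                'https://cdn.example.test/lib.js'];
  const seen = urls.map((u) => {
    const xhr = new FakeXHR();
    xhr.open('GET', u);
    return xhr.headers['A-Token'] || null;
  });
  uninstall();
  return seen;
}
// In a browser: installTokenHeader(XMLHttpRequest, location.origin, 'A-Token', readToken)
```

Requests made with `fetch()` do not pass through `XMLHttpRequest.prototype.open` and are not covered by this wrapper.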