0

How do I set headers and open a URL (https://www.example.com) in a new window? I have to send authentication information in headers; since it is sensitive information, it should not be part of the URL request parameters.

I'm using angularjs to do this.

I've gone through existing questions:

  • Convert $.param in angularjs
  • how to add authentication header to $window.open
  • Open a PDF in a new window of the browser with angularjs

The solutions mentioned append the token to the URL, and some are not working for me. Please help me.

  • I suggest you do some encryption and pass it in the URL so that the user cannot understand it. – Venkatesh Konatham Dec 29 '16 at 13:17
  • @VenkateshKonatham — It's a password. The user doesn't need to understand it, only copy it. – Quentin Dec 29 '16 at 13:18
  • Your headers are setting on server-side, not from client. Is your (example.com) website controlled by your organization? If yes, first make a hidden ajax request to save your token to cookies and use it from cookies. – VadimB Dec 29 '16 at 13:18
  • @VadimB — "Your headers are setting on server-side, not from client" — HTTP requests and responses *both* have headers. Auth credentials are sent in requests. – Quentin Dec 29 '16 at 13:18
  • There is an open issue for adding support for headers to the window.open function in the HTML standard. Please voice your opinions and needs on there. [https://github.com/whatwg/html/issues/7810](https://github.com/whatwg/html/issues/7810) – Dan Apr 14 '22 at 21:40

1 Answer

0

There is no way to specify HTTP headers for a browser to send when it loads a new page.

The closest you could come would be to:

  1. Open the window with a new document in it
  2. Put JavaScript in that Document which:
    1. Uses XMLHttpRequest to load the data (with the headers you want)
    2. Modifies the content of the displayed page with that data
    3. Changes the URL with the History API

That will prevent shoulder surfing from sniffing the credentials from the URL … but it is a really complicated way to solve the problem. It would be simpler to just issue time limited credentials and include them in the URL, and to make it a sufficiently complicated string to make it hard to copy.

No technique could stop people looking at the source code of the page or using the developer tools in the browser to watch the HTTP requests and copy the data there, so if your goal is to let a user access something without letting the user access the credentials that provide that access, then you are out of luck.

Quentin
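The script from step 2 of the answer above, as an added example that is not part of the original answer. It assumes the new window was opened onto a same-origin shell page (the History API only accepts a URL on the document's own origin) and that the page already holds the token; `loadWithHeaders`, `makeFakeEnv` and all sample values are hypothetical.

```javascript
// Added example. Runs inside the newly opened same-origin shell page.
// loadWithHeaders, its parameters and all sample values are hypothetical.
function loadWithHeaders(env, url, headers, displayUrl) {
  return new Promise((resolve, reject) => {
    const xhr = new env.XMLHttpRequest();
    xhr.open("GET", url);
    // Step 2.1: credentials travel as request headers, not in the URL.
    for (const [name, value] of Object.entries(headers)) {
      xhr.setRequestHeader(name, value);
    }
    xhr.onload = () => {
      if (xhr.status < 200 || xhr.status >= 300) {
        reject(new Error("request failed: " + xhr.status));
        return;
      }
      // Step 2.2: textContent, so the response is never parsed as markup.
      env.document.body.textContent = xhr.responseText;
      // Step 2.3: the address bar shows a same-origin URL with no secret.
      env.history.replaceState(null, "", displayUrl);
      resolve(xhr.status);
    };
    xhr.onerror = () => reject(new Error("network error"));
    xhr.send();
  });
}

// Constructed stand-in for `window`, so the flow can be exercised offline.
function makeFakeEnv(status, body) {
  const env = { sent: {}, shownUrl: null, document: { body: { textContent: "" } } };
  env.history = { replaceState: (_s, _t, u) => { env.shownUrl = u; } };
  env.XMLHttpRequest = class {
    open(method, url) { env.requested = method + " " + url; }
    setRequestHeader(name, value) { env.sent[name] = value; }
    send() { this.status = status; this.responseText = body; this.onload(); }
  };
  return env;
}

// In the browser: loadWithHeaders(window, "/api/report",
//   { Authorization: "Bearer " + token }, "/report");
```

On a failed request the page content and the displayed URL are left untouched, so an expired token does not leave a half-rendered page behind.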