Access vuforia vws with react forbidden header

1

6

I'm trying to call Vuforia's web service using React + axios. Reading the Vuforia docs and following those steps, when I make the call I get an error in Chrome's console log, which is:

xhr.js:121 Refused to set unsafe header "Date"

But if I understand correctly, I have to declare the header "Date" in the request. How can I solve that? Here is my code:

import { Component } from 'react';
import axios from 'axios';

class App extends Component {
  componentDidMount() {
    var md5 = require('md5');
    var base64 = require('base-64');
    var hmacsha1 = require('hmacsha1');
    var contentType = "application/json";
    var hexDigest = "d41d8cd98f00b204e9800998ecf8427e"; // MD5 of an empty body
    var accessKey = "xxxxxxxxxxxx";
    var secretKey = "xxxxxxxxxxx";
    var date = new Date().toUTCString();
    var url = `${'https://cors-anywhere.herokuapp.com/'}https://vws.vuforia.com/targets`;
    var dateValue = date;
    var requestPath = url;
    var newLine = '\n';
    // String to sign: verb, body MD5, content type, date, request path
    var toDigest = `GET${newLine}${hexDigest}${newLine}${contentType}${newLine}${dateValue}${newLine}${requestPath}`;
    var shaHashed = hmacsha1(secretKey, toDigest);

    var signature = base64.encode(shaHashed);
    const config = {
      headers: {
        'Date': `${date}`, // the browser refuses this header ("unsafe header")
        'Authorization': `VWS ${accessKey}:${signature}`
      }
    };
    console.log(toDigest);
    axios.get(url, config, { crossdomain: true })
      .then(json => console.log(json));
  }
}

console.log(toDigest):

GET
d41d8cd98f00b204e9800998ecf8427e
application/json
Mon, 29 Oct 2018 12:45:26 GMT
https://cors-anywhere.herokuapp.com/https://vws.vuforia.com/targets
Oneman answered 29/10, 2018 at 13:51 Comment(0)
1

Change your config code from

const config = {
    headers: {
        'Date': `${date}`,
        'Authorization': `VWS ${accessKey}:${signature}`
    }
};

to

const config = {
    headers: {
        'Authorization': `VWS ${accessKey}:${signature}`
    }
};

XMLHttpRequest isn't allowed to set the Date header; it is being set automatically by the browser. The reason is that by manipulating these headers you might be able to trick the server into accepting a second request through the same connection, one that wouldn't go through the usual security checks - that would be a security vulnerability in the browser. Here's the list of HTTP headers you can't set by yourself.

Let me know if you are still getting the error.

Schizomycete answered 27/11, 2018 at 10:44 Comment(2)
The error of unsafe header is gone, but I'm getting a bad request now. Although your answer is correct, Vuforia specifically wants the date in the header in a particular format; I don't know if it's because of that that I'm getting a bad request. – Oneman
Have you tried the same XHR call from Postman? Then check what response you are getting there. – Schizomycete
