Adding http headers to window.location.href in Angular app

Asked 9/6, 2014 at 22:22 Answered 15/4, 2016 at 12:18

Solved angularjs http oauth-2.0 http-headers window.location

I have a angular app that I needed to redirect outside to a non angular html page, so I thought I could just use the $window.location.hrefto redirect the angular app to my external site. This actually works fine, however, I have a nodejs/express backend that checks for auth token before serving up any content(even static content).

This requires a auth token to be sent in the header of the http request. Now the question:

Can/How do you add an auth token to the request that is made by changing the $window.location.href before it is sent off?

Grubbs answered 9/6, 2014 at 22:22 Comment(0)

When you use $window.location.href the browser is making the HTTP request and not your JavaScript code. Therefore, you cannot add a custom header like Authorization with your token value.

You could add a cookie via JavaScript and put your auth token there. The cookies will automatically be sent from the browser. However, you will want to review the security implications of using a cookie vs. a header. Since both are accessible via JavaScript, there is no additional attack vector there. Unless you remove the cookie after the new page loads, there may be a CSRF exploit available.

Usual answered 15/10, 2014 at 2:24 Comment(1)

great answer, I wonder if angular-cookies would work for this. Anyways thanks for the right direction. – Grubbs 16/10, 2014 at 12:29

This answer is NOT a safe way, as the token is exposed in the URL, which is logged in browser history, access logs, etc. Use a domain cookie instead. I'll leave the answer as it can be an easy way to debug in your local setup.

I am using JWT as authentication on a Laravel PHP backend, and it works by putting ?token=... in the URL. For example, when using AngularJS with satellizer plug-in, I add ?token=' + $auth.getToken() to the URL.

Deoxygenate answered 15/4, 2016 at 12:18 Comment(5)

well embedding token as URL parameter is the last thing that i would like to do. – Charactery 19/5, 2017 at 10:16

Even in SSL a sniffer could read the URL of the request so it is WORST way to pass a token to a request. If you're using SSL you should put the token in headers or in body. – Caenogenesis 12/9, 2017 at 21:54

"in SSL a sniffer could read the URL of the request" This is not true, only the hostname/ip can be detected, not the url. – Marienbad 22/2, 2018 at 9:21

Two vulnerabilities of doing this are: (1) The token is in the IIS logs (2) Drive by hacking, e.g. someone looks at your browser url or grabs it from your browser history while you make a cup of coffee – Decade 15/8, 2019 at 8:8

This solution must be avoided for security reason as well explained by @Decade – Gig 11/12, 2019 at 8:22

Recommended topics

Hot tags