curl to f3 site not working


v.

Aug 8, 2019, 8:39:03 AM
to f3-fra...@googlegroups.com
I am trying to send a json response to a post request (with login credentials) from another server.
The web application needs to be working as it is, but only when the remote server is posting to a URL it should return the json file. I can go to the url in my browser and it returns the correct json content.

But apparently the page is blocked by default because of XSS-protection, server response is:
HTTP/1.1 302 Found
Date: Thu, 08 Aug 2019 12:19:28 GMT
Server: Apache
X-Powered-By: Fat-Free Framework
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 +0000
Set-Cookie: PHPSESSID=aae78512f1eb1f56c1e71c0b404738cf; path=/; domain=XXX.TLD; HttpOnly
Vary: User-Agent
Location: XXX.TLD/STANDARD-LOGIN-PAGE?!?!?! -> THIS SHOULD NOT HAPPEN SINCE THE JSON PAGE IS NOT REDIRECTED TO THE LOGIN PAGE
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

Is there a way to disable the X-XSS protection for this page only?
Why is my location not the actual location that is being requested by curl, but the standard login page (which all other pages get redirected to when not logged in)?


richgoldmd

Aug 8, 2019, 9:24:25 AM
to Fat-Free Framework
I'm not sure XSS is the issue. The headers you see are set by F3 to keep the browser from caching the page results.

Can we see your routes? Also, do you have a beforeRoute handler or a plugin which may be intercepting and rerouting for login?

So it works if you GET from the browser, but not a POST from the other app server?
edit: btw. the same happens without post

ikkez

Aug 8, 2019, 2:37:14 PM
to Fat-Free Framework
it's a simple reroute... the 302 status tells you to visit the other page.. check if your url is correct (slash / at the end?)

v.

Aug 9, 2019, 3:11:46 AM
to f3-fra...@googlegroups.com
Hi guys,

Thanks for trying to help me.
The GET did work indeed, also in curl.
The url was correct, for this particular page I use a .json extension which is defined in my routes and which works without problem, no trailing slash is needed.

I have managed to solve the issue by sending the login information as a basic http request (https://username:passord@website.tld/pagename)
For the time being it seems to be doing what I need, will try to get into the post issue later.



richgoldmd

Aug 9, 2019, 7:29:20 AM
to Fat-Free Framework
Happy to be of any help - It seems that you must have something hooking the post call (a beforeRoute somewhere?) that is catching the POSTs and attempting to authenticate, or perhaps since it responds to basic auth some setup in your web server?
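
The behaviour suggested in the replies above, as an added example that is not part of the original posts and not the poster's application code: a Fat-Free controller whose beforeroute hook reroutes every unauthenticated request produces the 302 to the login page seen in the curl output, while a separate controller for the JSON endpoint checks HTTP Basic credentials and answers 401 instead of redirecting. The class names, route paths, the SESSION.user key, the API_PASS_HASH variable and check_credentials() are hypothetical.

```php
<?php
// Added example; class names, routes, SESSION.user and check_credentials() are hypothetical.
require 'vendor/autoload.php';   // assumes F3 was installed through Composer

// Placeholder verifier: compares against a password_hash() value from the environment.
function check_credentials(string $user, string $pass): bool {
    $hash = getenv('API_PASS_HASH') ?: '';
    return hash_equals('apiuser', $user) && password_verify($pass, $hash);
}

class WebController {
    // F3 calls beforeroute() ahead of every handler in this class, for any verb.
    // A curl request without a logged-in session never reaches the handler:
    // it receives "302 Found" with Location pointing at the login page.
    function beforeroute(\Base $f3) {
        if (!$f3->exists('SESSION.user')) {
            $f3->reroute('/login');
        }
    }
    function dashboard(\Base $f3) { echo 'dashboard'; }
}

class ApiController {
    // Machine clients get an explicit 401 instead of a redirect to an HTML page.
    function beforeroute(\Base $f3) {
        $user = $f3->get('SERVER.PHP_AUTH_USER');
        $pass = $f3->get('SERVER.PHP_AUTH_PW');
        if ($user === null || !check_credentials($user, (string) $pass)) {
            header('WWW-Authenticate: Basic realm="api"');
            $f3->status(401);
            echo json_encode(['error' => 'authentication required']);
            return false;   // F3 skips the route handler when beforeroute returns false
        }
    }
    function export(\Base $f3) {
        header('Content-Type: application/json');
        echo json_encode(['status' => 'ok']);
    }
}

$f3 = \Base::instance();
$f3->route('GET /dashboard', 'WebController->dashboard');
$f3->route('GET|POST /export.json', 'ApiController->export');
$f3->run();
```

With this layout `curl -u user:pass` over HTTPS reaches the JSON handler for both GET and POST. When PHP runs under CGI or FPM, PHP_AUTH_USER is only populated if the web server passes the Authorization header through.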