Confusion over API

New Rogernomics
Powerbroker
 
Posts: 9510
Founded: Aug 22, 2006
Left-wing Utopia

Confusion over API

Postby New Rogernomics » Mon Apr 30, 2018 7:00 am

To start with, I'll say I have next to no Cross-Origin Resource Sharing (CORS) and XMLHttpRequest knowledge, and I don't implement them in my own coding projects.

It seems that XMLHttpRequests are against site rules, but I need clarification over its use.

Basically it was implemented briefly on the Lazarus forum by one of our members as a test code. Till we were advised this could be in breach of site rules.

I don't know the full origin of the code, or where it came from. Just that it was hosted on the ZB forum, and technically would break site rules somehow.

The first code was meant to take a nation name [typed in by a member], and then show it in a box, as a link.*

The second code added an image retrieval request of some kind.

Sorry about this. I don't want to make a habit of it obviously, and I'll keep a close eye on what scripts are actually implemented in the future.

It was just hard for me to spot this, since as I said before, I don't use them myself, so don't know what they are all about.

*http://support.zathyus.com/topic/5153198/1/

Edit: Added the link to the first script.
Last edited by New Rogernomics on Mon Apr 30, 2018 7:05 am, edited 5 times in total.
Herald (Vice-Delegate) of Lazarus
"Solidarity forever..."
Hoping for Peace in Israel and Palestine
  • Former First Citizen (PM) of Lazarus
  • Former Proedroi (Minister) of Foreign Affairs of Lazarus
  • Former Lazarus Delegate (Humane Republic of Lazarus, 2015)
  • Minister of Culture & Media (Humane Republic of Lazarus)
  • Foreign Minister of The Ascendancy (RIP, and purged)
  • Senator of The Ascendancy (RIP, and purged)
  • Interior Commissioner of Lazarus (Pre-People's Republic of Lazarus)
  • At some point a member of the Grey family...then father vanished...
  • Foreign Minister of The Last Kingdom (RIP)
  • ADN:DSA Rep for Eastern Roman Empire
  • Honoratus Servant of the Holy Land (Eastern Roman Empire)
  • UN/WA Delegate of Trans Atlantice (RIP)

Kutumal
Civil Servant
 
Posts: 9
Founded: Apr 22, 2018
Left-Leaning College State

Postby Kutumal » Mon Apr 30, 2018 7:05 am

A brief info on what the code was (I spotted it and told NR about it):

It was retrieving nation/region flag URLs via the API on the client-side. It was using XMLHttpRequest's setRequestHeader() function to set a User-Agent, but browsers explicitly don't allow overriding the UA in that way and, accordingly, it didn't identify it correctly to NationStates. The correct approach would have been to include a "&user_agent=...."-parameter in the URL.

So basically, the intent for compliance was there, just the execution flawed.

EDIT: What NR posted isn't the offending code, by the way.
Last edited by Kutumal on Mon Apr 30, 2018 7:07 am, edited 1 time in total.
The puppet Roavin uses for the big stuff.

New Rogernomics
Powerbroker
 
Posts: 9510
Founded: Aug 22, 2006
Left-wing Utopia

Postby New Rogernomics » Mon Apr 30, 2018 7:11 am

Kutumal wrote:A brief info on what the code was (I spotted it and told NR about it):

It was retrieving nation/region flag URLs via the API on the client-side. It was using XMLHttpRequest's setRequestHeader() function to set a User-Agent, but browsers explicitly don't allow overriding the UA in that way and, accordingly, it didn't identify it correctly to NationStates. The correct approach would have been to include a "&user_agent=...."-parameter in the URL.

So basically, the intent for compliance was there, just the execution flawed.

EDIT: What NR posted isn't the offending code, by the way.
The offending code was removed ASAP. Here is the code:
Code:
<!-- Nation in Lazarus in Profile -->
<script type="text/javascript">
$("dl.user_profile dt:contains('Nation')").each(function(){
var nation=$(this).next('dd').text();

var xhr = new XMLHttpRequest();
xhr.open("GET", "https://www.nationstates.net/cgi-bin/api.cgi?nation="+nation+"&q=flag+region", false);
xhr.setRequestHeader("User-Agent",<redacted>);
xhr.send();
xmlDocument = xhr.responseXML;
var flagurl = xmlDocument.getElementsByTagName("FLAG")[0].textContent;
var region = xmlDocument.getElementsByTagName("REGION")[0].textContent;

if (region == "Lazarus") {
$(this).next('dd').html("<span style='font-style:normal; line-height: 1.75em;'><a href='http://nationstates.net/nation="+nation+"' target='_blank'><img src='"+flagurl+"' height='26px' style='border: 1px solid #80d280;' /> "+nation+"</a></span>");
} else {

var xhr = new XMLHttpRequest();
xhr.open("GET", "https://www.nationstates.net/cgi-bin/api.cgi?region="+region+"&q=flag", false);
xhr.setRequestHeader("User-Agent", <redacted>);
xhr.send();
xmlDocument = xhr.responseXML;
var regionflagurl = xmlDocument.childNodes['0'].textContent;
$(this).next('dd').html("<span style='font-style:normal; line-height: 1.75em;'><a href='http://nationstates.net/nation="+nation+"' target='_blank'><img src='"+flagurl+"' height='26px' style='border: 1px solid #62ce62;' /> "+nation+"</a><div style='font-size:12px;'><i>visiting from</i> <a href='http://nationstates.net/region="+region+"' target='_blank' style='font-family: Nunito Sans;'><img src='"+regionflagurl+"' height='13px' style='border: 1px solid #80d280;' /> "+region+"</a></div></span>");
}
});</script>

Kutumal wrote:EDIT: What NR posted isn't the offending code, by the way.
I think it was one that it was initially based off though, obviously with a lot of changes.
Last edited by New Rogernomics on Mon Apr 30, 2018 7:50 am, edited 5 times in total.

Kutumal
Civil Servant
 
Posts: 9
Founded: Apr 22, 2018
Left-Leaning College State

Postby Kutumal » Mon Apr 30, 2018 7:44 am

Yep, that's the one.

Besides the synchronous XHR that made me cry :P the offending line:

Code:
xhr.setRequestHeader("User-Agent", <redacted>);


Setting the User-Agent programmatically in such a way isn't allowed in most browsers.
The puppet Roavin uses for the big stuff.
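
The approach described in the posts above (identify the script with a user_agent parameter in the URL, and avoid synchronous XHR), as an added example that is not part of the thread or anyone's posted code. `API_ENDPOINT`, `buildApiUrl`, `fetchNationInfo` and any user-agent string passed in are hypothetical names, and it assumes the API response is readable cross-origin from the forum page.

```javascript
// Added example: the names below are illustrative, not from the thread.
const API_ENDPOINT = "https://www.nationstates.net/cgi-bin/api.cgi";

// Build the API URL with the identifying string carried in the query,
// as the thread recommends, rather than in a User-Agent request header.
function buildApiUrl(kind, name, shards, userAgent) {
  if (kind !== "nation" && kind !== "region") {
    throw new Error("kind must be 'nation' or 'region'");
  }
  if (!userAgent || !userAgent.trim()) {
    throw new Error("user_agent must identify the script");
  }
  const url = new URL(API_ENDPOINT);
  // URLSearchParams percent-encodes each value, so a profile field such as
  // "x&q=other" stays inside the nation parameter instead of adding a new one.
  url.searchParams.set(kind, name.trim());
  url.searchParams.set("q", shards.join(" ")); // serialises as q=flag+region
  url.searchParams.set("user_agent", userAgent);
  return url.toString();
}

// Asynchronous replacement for the blocking XHR; browser-only (fetch, DOMParser).
async function fetchNationInfo(nation, userAgent) {
  const res = await fetch(buildApiUrl("nation", nation, ["flag", "region"], userAgent));
  if (!res.ok) throw new Error("API request failed: HTTP " + res.status);
  const doc = new DOMParser().parseFromString(await res.text(), "application/xml");
  const text = (tag) => {
    const el = doc.getElementsByTagName(tag)[0];
    return el ? el.textContent : null; // missing element: unknown nation or shard
  };
  return { flag: text("FLAG"), region: text("REGION") };
}
```

The values returned by `fetchNationInfo` come from a profile field and a remote response, so assign them with `textContent` and element properties (`img.src`, `a.href`) rather than concatenating them into an HTML string.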

New Rogernomics
Powerbroker
 
Posts: 9510
Founded: Aug 22, 2006
Left-wing Utopia

Postby New Rogernomics » Mon Apr 30, 2018 8:08 am

Kutumal wrote:Yep, that's the one.

Besides the synchronous XHR that made me cry :P the offending line:

Code:
xhr.setRequestHeader("User-Agent", <redacted>);


Setting the User-Agent programmatically in such a way isn't allowed in most browsers.
Really this is the only thing I found that helps me understand it: https://www.html5rocks.com/en/tutorials/cors/

I always hosted things on one server. So never ran into/knew of this issue.

Mount Seymour
Envoy
 
Posts: 251
Founded: Mar 25, 2016
Left-wing Utopia

Postby Mount Seymour » Mon Apr 30, 2018 10:13 am

^ That was my request butchering. Don't think I have much to add (lesson is basically I need to actually learn things before trying to make them work...). I have next to no background in js or using XHR, and had no intention of avoiding setting a user-agent. Kutumal helpfully explained the (numerous) problems with the code. Apologies to the NS admins (I'll make sure to check with multiple people as well as wait for a while before I venture into some other piece of code) and to all the developers and programmers whose eyes I made bleed.
The Pacific Alpine Commonwealth of Mount Seymour
a.k.a. Somyrion, Aumeltopia
Security Council #212
Issue #640

Wolfram and Hart
Secretary
 
Posts: 37
Founded: Jul 06, 2017
Father Knows Best State

Postby Wolfram and Hart » Tue May 01, 2018 5:56 am

Mount Seymour wrote:^ That was my request butchering. Don't think I have much to add (lesson is basically I need to actually learn things before trying to make them work...). I have next to no background in js or using XHR, and had no intention of avoiding setting a user-agent. Kutumal helpfully explained the (numerous) problems with the code. Apologies to the NS admins (I'll make sure to check with multiple people as well as wait for a while before I venture into some other piece of code) and to all the developers and programmers whose eyes I made bleed.

This is where I started for this type of code:
https://www.w3schools.com/xml/ajax_intro.asp

Hope it helps!

Mount Seymour
Envoy
 
Posts: 251
Founded: Mar 25, 2016
Left-wing Utopia

Postby Mount Seymour » Tue May 01, 2018 1:03 pm

Wolfram and Hart wrote:
Mount Seymour wrote:^ That was my request butchering. Don't think I have much to add (lesson is basically I need to actually learn things before trying to make them work...). I have next to no background in js or using XHR, and had no intention of avoiding setting a user-agent. Kutumal helpfully explained the (numerous) problems with the code. Apologies to the NS admins (I'll make sure to check with multiple people as well as wait for a while before I venture into some other piece of code) and to all the developers and programmers whose eyes I made bleed.

This is where I started for this type of code:
https://www.w3schools.com/xml/ajax_intro.asp

Hope it helps!

Thanks so much!

*adds to list of mandatory evening reading*

