POST Calls fail if Origin header isn't supplied #1806

Closed
makhdumi opened this issue Nov 19, 2015 · 5 comments

@makhdumi

I don't see any mention of the Origin header being a requirement in POST requests so I'm assuming this is a bug.

I'm using PowerShell's Invoke-RestMethod to make Kudu API calls in Azure.

$url = "https://mysite.scm.azurewebsites.net/api/triggeredwebjobs/$jobName/"
Invoke-RestMethod $url -Headers @{"Authorization"="Basic $base64AuthInfo"}

This fails with a strange 403 error saying the site is Stopped (when it clearly isn't since GET requests go through fine).

          Error 403 - This web app is stopped.
          The web app you have attempted to reach is currently stopped and does not accept any requests. Please try to reload the page or visit it again soon.
          If you are the Administrator of this web app, please visit the Azure Portal to check why the app is stopped.

Specifying a fake Origin makes it work,

$url = "https://mysite.scm.azurewebsites.net/api/triggeredwebjobs/$jobName/"
Invoke-RestMethod $url -Headers @{"Authorization"="Basic $base64AuthInfo"; "Origin"="fake://"}
@suwatch
Member

suwatch commented Nov 19, 2015

Let us check the log. Will get back to you.

@suwatch
Member

suwatch commented Nov 20, 2015

The issue is that, unlike CURL, PowerShell's Invoke-RestMethod POST tries to mimic a browser form-post (Content-Type: application/x-www-form-urlencoded, User-Agent: Mozilla/...). To protect against CSRF attacks, we require additional headers the browser generally passes with a form-post. Unfortunately, PowerShell's Invoke-RestMethod POST does not pass those, and the call is rejected.

The workaround is ...

  • Provide a UserAgent when calling Invoke-RestMethod from PowerShell. This will tell us the request is not from a browser. This also helps us investigate issues faster. Simply tell us your User-Agent, and we can find your requests quickly.
  • Provide an explicit Content-Type: application/json (for example), since your intention is not to send a form-post body.

For instance, ...

$username = "username"
$securePwd = ConvertTo-SecureString "password" -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ($username, $securePwd)
$body = "{ ... }"
$url = "https://mysite.scm.azurewebsites.net/deploy"

Invoke-RestMethod $url -Credential $credential  -Method Post -Body $body -ContentType "application/json" -UserAgent "myuseragent"
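
An added illustration, not part of the original thread and not Kudu's code: a simplified Python model of the header-based CSRF gate described in the comment above, showing why a default Invoke-RestMethod POST is rejected while the fake-Origin request and the explicit User-Agent/Content-Type request pass. The matching rules, function names and sample requests are assumptions constructed for this example.

```python
# Simplified model of a header-based CSRF gate (added example, not Kudu's code).
# Assumption: the rules are inferred from the behaviour reported in this thread.

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# The three encodings an HTML form can submit without script.
FORM_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}

def header(headers, name):
    """Case-insensitive header lookup; returns '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""

def looks_like_browser_form_post(method, headers):
    """True when a state-changing request resembles a browser form submission."""
    if method.upper() in SAFE_METHODS:
        return False
    media_type = header(headers, "Content-Type").split(";")[0].strip().lower()
    return header(headers, "User-Agent").startswith("Mozilla/") and media_type in FORM_TYPES

def csrf_gate(method, headers):
    """Return 'allow' or 'reject' under the assumed rules."""
    if not looks_like_browser_form_post(method, headers):
        return "allow"
    # Only presence of Origin is modelled, because the thread reports a made-up
    # value being accepted; comparing it to the site's own origin is stricter.
    return "allow" if header(headers, "Origin") else "reject"

# Constructed sample requests mirroring the cases discussed in the thread.
BROWSER_LIKE = {"User-Agent": "Mozilla/5.0 (constructed sample)",
                "Content-Type": "application/x-www-form-urlencoded"}
SAMPLES = {
    "default_post": ("POST", BROWSER_LIKE),
    "post_with_fake_origin": ("POST", {**BROWSER_LIKE, "Origin": "fake://"}),
    "post_custom_ua_json": ("POST", {"User-Agent": "myuseragent",
                                     "Content-Type": "application/json"}),
    "default_get": ("GET", {"User-Agent": "Mozilla/5.0 (constructed sample)"}),
}

def evaluate_samples():
    return {name: csrf_gate(method, hdrs) for name, (method, hdrs) in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:24} {verdict}")
```
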

@ahmelsayed
Member

btw, same as #1801

@davidebbo
Member

Closing since it's really a client issue.

@StingyJack

That error message could stand to be a bit more correct - the web app isn't stopped. For the record, this also affects Invoke-WebRequest.
