Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
cordova-plugin-advanced-http
Advanced tools
Cordova / Phonegap plugin for communicating with HTTP servers using SSL pinning
Cordova / Phonegap plugin for communicating with HTTP servers. Supports iOS, Android and Browser.
This is a fork of Wymsee's Cordova-HTTP plugin.
Please check CHANGELOG.md for details about updating to a new version.
The plugin conforms to the Cordova plugin specification, it can be installed using the Cordova / Phonegap command line interface.
phonegap plugin add cordova-plugin-advanced-http
cordova plugin add cordova-plugin-advanced-http
AndroidBlacklistSecureSocketProtocols
: define a blacklist of secure socket protocols for Android. This preference allows you to disable protocols which are considered unsafe. You need to provide a comma-separated list of protocols (check Android SSLSocket#protocols docu for protocol names).
e.g. blacklist SSLv3
and TLSv1
:
<preference name="AndroidBlacklistSecureSocketProtocols" value="SSLv3,TLSv1" />
This plugin registers a global object located at cordova.plugin.http
.
Check the Ionic docs for how to use this plugin with Ionic-native.
This returns an object representing a basic HTTP Authorization header of the form {'Authorization': 'Basic base64encodedusernameandpassword'}
var header = cordova.plugin.http.getBasicAuthHeader('user', 'password');
This sets up all future requests to use Basic HTTP authentication with the given username and password.
cordova.plugin.http.useBasicAuth('user', 'password');
Set a header for all future requests to a specified host. Takes a hostname, a header and a value (must be a string value or null).
cordova.plugin.http.setHeader('Hostname', 'Header', 'Value');
You can also define headers used for all hosts by using wildcard character "*" or providing only two params.
cordova.plugin.http.setHeader('*', 'Header', 'Value');
cordova.plugin.http.setHeader('Header', 'Value');
The hostname also includes the port number. If you define a header for www.example.com
it will not match following URL http://www.example.com:8080
.
// will match http://www.example.com/...
cordova.plugin.http.setHeader('www.example.com', 'Header', 'Value');
// will match http://www.example.com:8080/...
cordova.plugin.http.setHeader('www.example.com:8080', 'Header', 'Value');
Set the data serializer which will be used for all future PATCH, POST and PUT requests. Takes a string representing the name of the serializer.
cordova.plugin.http.setDataSerializer('urlencoded');
You can choose one of these:
urlencoded
: send data as url encoded content in body
Object
json
: send data as JSON encoded content in body
Array
or an dictionary style Object
utf8
: send data as plain UTF8 encoded string in body
String
multipart
: send FormData objects as multipart content in body
FormData
instanceraw
: send data as is, without any processing
Uint8Array
or an ArrayBuffer
This defaults to urlencoded
. You can also override the default content type headers by specifying your own headers (see setHeader).
:warning: urlencoded
does not support serializing deep structures whereas json
does.
:warning: multipart
depends on several Web API standards which need to be supported in your web view. Check out https://github.com/silkimen/cordova-plugin-advanced-http/wiki/Web-APIs-required-for-Multipart-requests for more info.
Set how long to wait for a request to respond, in seconds. For Android, this will set both connectTimeout and readTimeout. For iOS, this will set timeout interval. For browser platform, this will set timeout.
cordova.plugin.http.setRequestTimeout(5.0);
Set connect timeout for Android
cordova.plugin.http.setRequestTimeout(5.0);
Set read timeout for Android
cordova.plugin.http.setReadTimeout(5.0);
Configure if it should follow redirects automatically. This defaults to true.
cordova.plugin.http.setFollowRedirect(true);
Returns saved cookies (as string) matching given URL.
cordova.plugin.http.getCookieString(url);
Add a custom cookie. Takes a URL, a cookie string and an options object. See ToughCookie documentation for allowed options.
cordova.plugin.http.setCookie(url, cookie, options);
Clear the cookie store.
cordova.plugin.http.clearCookies();
These functions all take success and error callbacks as their last 2 arguments.
Set server trust mode, being one of the following values:
default
: default SSL trustship and hostname verification handling using system's CA certslegacy
: use legacy default behavior (< 2.0.3), excluding user installed CA certs (only for Android)nocheck
: disable SSL certificate checking and hostname verification, trusting all certs (meant to be used only for testing purposes)pinned
: trust only provided certificatesTo use SSL pinning you must include at least one .cer
SSL certificate in your app project. You can pin to your server certificate or to one of the issuing CA certificates. Include your certificate in the www/certificates
folder. All .cer
files found there will be loaded automatically.
:warning: Your certificate must be DER encoded! If you only have a PEM encoded certificate read this stackoverflow answer. You want to convert it to a DER encoded certificate with a .cer extension.
// enable SSL pinning
cordova.plugin.http.setServerTrustMode('pinned', function() {
console.log('success!');
}, function() {
console.log('error :(');
});
// use system's default CA certs
cordova.plugin.http.setServerTrustMode('default', function() {
console.log('success!');
}, function() {
console.log('error :(');
});
// disable SSL cert checking, only meant for testing purposes, do NOT use in production!
cordova.plugin.http.setServerTrustMode('nocheck', function() {
console.log('success!');
}, function() {
console.log('error :(');
});
Configure X.509 client certificate authentication. Takes mode and options. mode
being one of following values:
none
: disable client certificate authenticationsystemstore
(only on Android): use client certificate installed in the Android system store; user will be presented with a list of all installed certificatesbuffer
: use given client certificate; you will need to provide an options object:
rawPkcs
: ArrayBuffer containing raw PKCS12 container with client certificate and private keypkcsPassword
: password of the PKCS container // enable client auth using PKCS12 container given in ArrayBuffer `myPkcs12ArrayBuffer`
cordova.plugin.http.setClientAuthMode('buffer', {
rawPkcs: myPkcs12ArrayBuffer,
pkcsPassword: 'mySecretPassword'
}, success, fail);
// enable client auth using certificate in system store (only on Android)
cordova.plugin.http.setClientAuthMode('systemstore', {}, success, fail);
// disable client auth
cordova.plugin.http.setClientAuthMode('none', {}, success, fail);
Remove all cookies associated with a given URL.
cordova.plugin.http.removeCookies(url, callback);
Execute a HTTP request. Takes a URL and an options object. This is the internally used implementation of the following shorthand functions (post, get, put, patch, delete, head, uploadFile and downloadFile). You can use this function, if you want to override global settings for each single request. Check the documentation of the respective shorthand function for details on what is returned on success and failure.
:warning: You need to encode the base URL yourself if it contains special characters like whitespaces. You can use encodeURI()
for this purpose.
The options object contains following keys:
method
: HTTP method to be used, defaults to get
, needs to be one of the following values:
get
, post
, put
, patch
, head
, delete
, options
, upload
, download
data
: payload to be send to the server (only applicable on post
, put
or patch
methods)params
: query params to be appended to the URL (only applicable on get
, head
, delete
, upload
or download
methods)serializer
: data serializer to be used (only applicable on post
, put
or patch
methods), defaults to global serializer value, see setDataSerializer for supported valuesresponseType
: expected response type, defaults to text
, needs to be one of the following values:
text
: data is returned as decoded string, use this for all kinds of string responses (e.g. XML, HTML, plain text, etc.)json
data is treated as JSON and returned as parsed object, returns undefined
when response body is emptyarraybuffer
: data is returned as ArrayBuffer instance, returns null
when response body is emptyblob
: data is returned as Blob instance, returns null
when response body is emptytimeout
: timeout value for the request in seconds, defaults to global timeout valuefollowRedirect
: enable or disable automatically following redirectsheaders
: headers object (key value pair), will be merged with global valuesfilePath
: file path(s) to be used during upload and download see uploadFile and downloadFile for detailed informationname
: name(s) to be used during upload see uploadFile for detailed informationHere's a quick example:
const options = {
method: 'post',
data: { id: 12, message: 'test' },
headers: { Authorization: 'OAuth2: token' }
};
cordova.plugin.http.sendRequest('https://google.com/', options, function(response) {
// prints 200
console.log(response.status);
}, function(response) {
// prints 403
console.log(response.status);
//prints Permission denied
console.log(response.error);
});
Execute a POST request. Takes a URL, data, and headers.
cordova.plugin.http.post('https://google.com/', {
test: 'testString'
}, {
Authorization: 'OAuth2: token'
}, function(response) {
console.log(response.status);
}, function(response) {
console.error(response.error);
});
The success function receives a response object with 4 properties: status, data, url, and headers. status is the HTTP response code as numeric value. data is the response from the server as a string. url is the final URL obtained after any redirects as a string. headers is an object with the headers. The keys of the returned object are the header names and the values are the respective header values. All header names are lowercase.
Here's a quick example:
{
status: 200,
data: '{"id": 12, "message": "test"}',
url: 'http://example.net/rest'
headers: {
'content-length': '247'
}
}
Most apis will return JSON meaning you'll want to parse the data like in the example below:
cordova.plugin.http.post('https://google.com/', {
id: 12,
message: 'test'
}, { Authorization: 'OAuth2: token' }, function(response) {
// prints 200
console.log(response.status);
try {
response.data = JSON.parse(response.data);
// prints test
console.log(response.data.message);
} catch(e) {
console.error('JSON parsing error');
}
}, function(response) {
// prints 403
console.log(response.status);
//prints Permission denied
console.log(response.error);
});
The error function receives a response object with 4 properties: status, error, url, and headers (url and headers being optional). status is a HTTP response code or an internal error code. Positive values are HTTP status codes whereas negative values do represent internal error codes. error is the error response from the server as a string or an internal error message. url is the final URL obtained after any redirects as a string. headers is an object with the headers. The keys of the returned object are the header names and the values are the respective header values. All header names are lowercase.
Here's a quick example:
{
status: 403,
error: 'Permission denied',
url: 'http://example.net/noperm'
headers: {
'content-length': '247'
}
}
:warning: An enumeration style object is exposed as cordova.plugin.http.ErrorCode
. You can use it to check against internal error codes.
Execute a GET request. Takes a URL, parameters, and headers. See the post documentation for details on what is returned on success and failure.
cordova.plugin.http.get('https://google.com/', {
id: '12',
message: 'test'
}, { Authorization: 'OAuth2: token' }, function(response) {
console.log(response.status);
}, function(response) {
console.error(response.error);
});
Execute a PUT request. Takes a URL, data, and headers. See the post documentation for details on what is returned on success and failure.
Execute a PATCH request. Takes a URL, data, and headers. See the post documentation for details on what is returned on success and failure.
Execute a DELETE request. Takes a URL, parameters, and headers. See the post documentation for details on what is returned on success and failure.
Execute a HEAD request. Takes a URL, parameters, and headers. See the post documentation for details on what is returned on success and failure.
Execute a OPTIONS request. Takes a URL, parameters, and headers. See the post documentation for details on what is returned on success and failure.
Uploads one or more file(s) saved on the device. Takes a URL, parameters, headers, filePath(s), and the name(s) of the parameter to pass the file along as. See the post documentation for details on what is returned on success and failure.
// e.g. for single file
const filePath = 'file:///somepicture.jpg';
const name = 'picture';
// e.g. for multiple files
const filePath = ['file:///somepicture.jpg', 'file:///somedocument.doc'];
const name = ['picture', 'document'];
cordova.plugin.http.uploadFile("https://google.com/", {
id: '12',
message: 'test'
}, { Authorization: 'OAuth2: token' }, filePath, name, function(response) {
console.log(response.status);
}, function(response) {
console.error(response.error);
});
Downloads a file and saves it to the device. Takes a URL, parameters, headers, and a filePath. See post documentation for details on what is returned on failure. On success this function returns a cordova FileEntry object as first and the response object as second parameter.
cordova.plugin.http.downloadFile(
"https://google.com/",
{ id: '12', message: 'test' },
{ Authorization: 'OAuth2: token' },
'file:///somepicture.jpg',
// success callback
function(entry, response) {
// prints the filename
console.log(entry.name);
// prints the filePath
console.log(entry.fullPath);
// prints all header key/value pairs
Object.keys(response.headers).forEach(function (key) {
console.log(key, response.headers[key]);
});
},
// error callback
function(response) {
console.error(response.error);
}
);
Abort a HTTP request. Takes the requestId
which is returned by sendRequest and its shorthand functions (post, get, put, patch, delete, head, uploadFile and downloadFile).
If the request already has finished, the request will finish normally and the abort call result will be { aborted: false }
.
If the request is still in progress, the request's failure
callback will be invoked with response { status: -8 }
, and the abort call result { aborted: true }
.
:warning: Not supported for Android < 6 (API level < 23). For Android 5.1 and below, calling abort(reqestId)
will have no effect, i.e. the requests will finish as if the request was not cancelled.
// start a request and get its requestId
var requestId = cordova.plugin.http.downloadFile("https://google.com/", {
id: '12',
message: 'test'
}, { Authorization: 'OAuth2: token' }, 'file:///somepicture.jpg', function(entry, response) {
// prints the filename
console.log(entry.name);
// prints the filePath
console.log(entry.fullPath);
// prints the status code
console.log(response.status);
}, function(response) {
// if request was actually aborted, failure callback with status -8 will be invoked
if(response.status === -8){
console.log('download aborted');
} else {
console.error(response.error);
}
});
//...
// abort request
cordova.plugin.http.abort(requestId, function(result) {
// prints if request was aborted: true | false
console.log(result.aborted);
}, function(response) {
console.error(response.error);
});
This plugin supports a very restricted set of functions on the browser platform. It's meant for testing purposes, not for production grade usage.
Following features are not supported:
This plugin utilizes some awesome open source libraries:
We made a few modifications to the networking libraries.
This plugin uses amazing cloud services to maintain quality. CI Builds and E2E testing are powered by:
First, install current package with npm install
to fetch dev dependencies.
Then, to execute Javascript tests:
npm run test:js
And, to execute E2E tests:
appium
npm run test:android
npm run test:ios
We've set up a separate document for our contribution guidelines.
3.3.1
FAQs
Cordova / Phonegap plugin for communicating with HTTP servers using SSL pinning
The npm package cordova-plugin-advanced-http receives a total of 14,856 weekly downloads. As such, cordova-plugin-advanced-http popularity was classified as popular.
We found that cordova-plugin-advanced-http demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.