Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Qwest is a simple ajax library based on promises
behaviour and that supports XmlHttpRequest2
special data like ArrayBuffer
, Blob
and FormData
.
You can pick the minified library or install it with :
jam install qwest
bower install qwest
npm install qwest --save-dev
The response type option is now set to auto
by default.
auto
mode is only supported for xml
, json
and text
response types; for arraybuffer
, blob
and document
you'll need to define explicitly the responseType
optionContent-Type
header, then you must explicitly set the responseType
optionqwest.get('example.com')
.then(function(response){
alert(response);
});
qwest.post('example.com',{
firstname: 'Pedro',
lastname: 'Sanchez',
age: 30
})
.then(function(response){
// Make some useful actions
})
.catch(function(message){
// Print the error message
});
qwest.<method>(<url>,[data],[options])
.then(function(response){
// Run when the request is successful
})
.catch(function(message){
// Process error message
})
.complete(function(){
// Always run
});
The method is either get
, post
, put
or delete
. The data
parameter can be a multi-dimensional array or object, a string, an ArrayBuffer, a Blob, etc... If you don't want to pass any data but specify some options, set data to null
.
The available options
are :
post
(by default), json
, text
, arraybuffer
, blob
, document
or formdata
(you don't need to specify XHR2 types since they're automatically detected)auto
(default), json
, xml
, text
, arraybuffer
, blob
or document
false
for GET requests and true
for POST requeststrue
(default) or false
; used to make asynchronous or synchronous requestsfalse
by default; sends credentials with your XHR2 request (more info in that post)3000
by defaultnull
In each callback, the this
keyword refers to the XmlHttpRequest
object, so you can do some specific tasks you may need.
qwest.get('example.com')
.then(function(response){
// Blah blah blah
})
.catch(function(message){
log(this.responseText);
throw message;
});
One of the great qwest's functionnalities is the request limitation. It avoids browser freezes and server overloads by freeing bandwidth and memory resources when you have a whole bunch of requests to do at the same time (when you load a gallery, per example). You just need to set the request limit and when the count is reached qwest will stock all further requests and start them when a slot is free.
qwest.limit(4);
$('.foo').forEach(function(){
qwest.get(this.data('some_url_to_get'));
});
If you want to remove the limit, do qwest.limit(null)
.
If you want to apply some manual options to the XHR
object, you can use the before
promise. It must be called before any other promise. The this
keyword refers to the XHR
object itself.
qwest.before(function(){
this.uploadonprogress=function(e){
// Upload in progress
};
})
.get('example.com')
.then(function(response){
// Blah blah blah
});
XHR2 is not available on every browser, so, if needed, you can simply verify the XHR version.
if(qwest.xhr2){
// Actions for XHR2
}
else{
// Actions for XHR1
}
Getting binary data in legacy browsers needs a trick, as we can read it on MDN. In qwest, that's how we could handle it :
qwest.before(function(){
this.overrideMimeType('text\/plain; charset=x-user-defined');
})
.get('example.com/file')
.then(function(response){
// response is now a binary string
});
According to this compatibility table, IE7/8 do not support using catch
and delete
as method name because these are reserved words. If you want to support those browsers you should write :
qwest.delete('example.com')
.then(function(){})
.catch(function(){});
Like this :
qwest['delete']('example.com')
.then(function(){})
['catch'](function(){});
The CORS object shipped with IE8 and 9 is XDomainRequest
. This object does not support PUT
and DELETE
requests and XHR2 types.
XHR2 does not support arraybuffer
, blob
and document
response types in synchroneous mode.
then()
callback, it will be catched by the catch()
promiseContent-Type
header is application/x-www-form-urlencoded
for post
and xhr2
data types, with a POST
requesttext
MIT license everywhere!
FAQs
Ajax library with XHR2, promises and request limit
We found that qwest demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.