Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Qwest is a simple ajax library based on promises
and that supports XmlHttpRequest2
special data like ArrayBuffer
, Blob
and FormData
.
npm install qwest
bower install qwest
jam install qwest
abort()
to abort an async requestcomplete()
has been removedqwest.get('example.com')
.then(function(xhr, response) {
alert(response);
});
qwest.post('example.com', {
firstname: 'Pedro',
lastname: 'Sanchez',
age: 30
})
.then(function(xhr, response) {
// Make some useful actions
})
.catch(function(e, xhr, response) {
// Process the error
});
qwest.`method`(`url`, `data`, `options`, `before`)
.then(function(xhr, response) {
// Run when the request is successful
})
.catch(function(e, xhr, response) {
// Process the error
});
The method is either get
, post
, put
or delete
. The data
parameter can be a multi-dimensional array or object, a string, an ArrayBuffer, a Blob, etc... If you don't want to pass any data but specify some options, set data to null
.
The available options
are :
post
(by default), json
, text
, arraybuffer
, blob
, document
or formdata
(you don't need to specify XHR2 types since they're automatically detected)auto
(default), json
, xml
, text
, arraybuffer
, blob
or document
false
true
(default) or false
; used to make asynchronous or synchronous requestsfalse
by default; sends credentials with your XHR2 request (more info in that post)30000
by defaultnull
You can change the default data type with :
qwest.setDefaultDataType('json');
If you want to make a call with another HTTP method, you can use the map()
function :
qwest.map('PATCH', 'example.com')
.then(function() {
// Blah blah
});
If you need to do a sync
request, you must call send()
at the end of your promise :
qwest.get('example.com', {async: false})
.then(function() {
// Blah blah
})
.send();
Since service APIs often need the same type of request, you can set default options for all of your requests with :
qwest.setDefaultOptions({
dataType: 'arraybuffer',
responseType: 'json',
headers: {
'My-Header': 'Some-Value'
}
});
Sometimes we need to call several requests and execute some tasks after all of them are completed. You can simply do it by chaining your requests like :
qwest.get('example.com/articles')
.get('example.com/users')
.post('example.com/login', auth_data)
.then(function(values) {
/*
Prints [ [xhr, response], [xhr, response], [xhr, response] ]
*/
console.log(values);
});
If an error is encountered then catch()
will be called and all requests will be aborted.
You can define a base URI for your requests. The string will be prepended to the other request URIs.
qwest.base = 'http://example.com';
// Will make a request to 'http://example.com/somepage'
qwest.get('/somepage')
.then(function() {
// Blah blah
});
One of the greatest qwest functionnalities is the request limit. It avoids browser freezes and server overloads by freeing bandwidth and memory resources when you have a whole bunch of requests to do at the same time. Set the request limit and when the count is reached qwest will stock all further requests and start them when a slot is free.
Let's say we have a gallery with a lot of images to load. We don't want the browser to download all images at the same time to have a faster loading. Let's see how we can do that.
<div class="gallery">
<img data-src="images/image1.jpg" alt="">
<img data-src="images/image2.jpg" alt="">
<img data-src="images/image3.jpg" alt="">
<img data-src="images/image4.jpg" alt="">
<img data-src="images/image5.jpg" alt="">
...
</div>
// Browsers are limited in number of parallel downloads, setting it to 4 seems fair
qwest.limit(4);
$('.gallery').children().forEach(function() {
var $this = $(this);
qwest.get($this.data('src'), {responseType: 'blob'})
.then(function(xhr, response) {
$this.attr('src', window.URL.createObjectURL(response));
$this.fadeIn();
});
});
If you want to remove the limit, set it to null
.
According to #90 and #99, a CORS request will send a preflight OPTIONS
request to the server to know what is allowed and what's not. It's because we're adding a Cache-Control
header to handle caching of requests. The simplest way to avoid this OPTIONS
request is to set cache
option to true
. If you want to know more about preflight requests and how to really handle them, read this : https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
// Start the request
var request = qwest.get('example.com')
.then(function(xhr, response) {
// Won't be called
})
.catch(function(xhr, response) {
// Won't be called either
});
// Some code
request.abort();
Not that only works with asynchroneous requests since synchroneous requests are... synchroneous.
If you want to apply some manual options to the XHR
object, you can use the before
option
qwest.get('example.com', null, null, function(xhr) {
xhr.upload.onprogress = function(e) {
// Upload in progress
};
})
.then(function(xhr, response) {
// Blah blah blah
});
XHR2 is not available on every browser, so, if needed, you can simply verify the XHR version with :
if(qwest.xhr2) {
// Actions for XHR2
}
else {
// Actions for XHR1
}
Getting binary data in legacy browsers needs a trick, as we can read it on MDN. In qwest, that's how we could handle it :
qwest.get('example.com/file', null, null, function(xhr) {
xhr.overrideMimeType('text\/plain; charset=x-user-defined');
})
.then(function(response) {
// response is now a binary string
});
According to this compatibility table, IE7/8 do not support using catch
and delete
as method name because these are reserved words. If you want to support those browsers you should write :
qwest.delete('example.com')
.then(function(){})
.catch(function(){});
Like this :
qwest['delete']('example.com')
.then(function(){})
['catch'](function(){});
XHR2 does not support arraybuffer
, blob
and document
response types in synchroneous mode.
The CORS object shipped with IE8 and 9 is XDomainRequest
. This object does not support PUT
and DELETE
requests and XHR2 types. Moreover, the getResponseHeader()
method is not supported too which is used in the auto
mode for detecting the reponse type. Then, the response type automatically fallbacks to json
when in auto
mode. If you expect another response type, please specify it explicitly. If you want to specify another default response type to fallback in auto
mode, you can do it like this :
qwest.setDefaultXdrResponseType('text');
responseType
to auto
to avoid the issuecatch
handler will be executed for status codes different from 2xx
; if no data has been received when catch
is called, response
will be null
auto
mode is only supported for xml
, json
and text
response types; for arraybuffer
, blob
and document
you'll need to define explicitly the responseType
optionContent-Type
header, then you must explicitly set the responseType
optionContent-Type
header for a POST
request is application/x-www-form-urlencoded
, for post
and xhr2
data typesdataType
option to text
MIT license everywhere!
FAQs
Ajax library with XHR2, promises and request limit
The npm package qwest receives a total of 1,371 weekly downloads. As such, qwest popularity was classified as popular.
We found that qwest demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.