Spoofing Header Request to use online JSON Help!

Hey guys,

So there is a JSON output from an external URL that I want to use on one of my pages, but the JSON is only sent to the request if the referal header is set to a specific value. In chrome spoofing headers is easy, but how do add this referal value to a request in Ionic/Angular?

storing the JSON shouldn’t be too hard either right? I am sure I can find a tutorial for that later. But right now I really do need to be able to to spoof the request.

any help or links to tutorials would be great.

Not sure if this will help but if you are just wanting to get the data, you could use json-csv.com. It will turn the JSON URL into a CSV spreadsheet where you can extract out the data or save to HTML etc.

thanks for the reply simon9…

actually I want in JSON, its easier for my Angular scripts to digest and I am using PouchDB/CouchDB to handle the other part of the app so it means less data digestion scripts for displaying stuff.

the data on the other end of the external URL changes, and I need to be showing the latest information. But I can’t get the information unless the referer header has a specific value passed.

i know how to spoof http headers in chrome, but not sure how to make my angular code do it to get the data.

Is this what you are looking for?

1 Like

yes this looks like what I am trying to do. going to play around with it and see if I can get it working to replace existing header properly.

thanks again for you help!

okay so I am still having trouble… here is what I have:

var config = {headers:  {
        'referer': 'http://URL/'

$scope.events= [];
$http.get('http://URL/events/', config).success(function(data) { 
    $scope.events = data;

I connect to the URL fine but the header value is not being replaced properly. If I load in manual headers into chrome it works fine but the script itself seems to not be able to spoof the header.

any suggestions of changes to my script?

I should clarify that this isn’t “spoofing”. Spoofing is a bad thing. What you are doing is trying to override the default headers. However in this case, what is happening is the browser simply ignores your override, mostly because of security.

You shouldn’t (and as it turns out aren’t) be allowed to run JavaScript that can mislead another server like this.

The real solution is to build your own API proxy using something like this https://github.com/nodejitsu/node-http-proxy. Then your API can set the referrer to whatever value it wants, and pass along the request to the real API.

1 Like

although off topic I would say spoofing isn’t inherently bad or good. It has its uses (both bad and good), I spoof the IP’s on my wireless printers in the office to allow for a one button push multi-print feature. Although you could accomplish the same goal with a background software solution, my method requires no software setup or configuration on new computers or laptops that are brought into the office that try to use the dual print. But that’s off topic, I just couldn’t help but comment on the tech side of anything being inherently always ‘bad’ (or ‘good’ for that matter).

but back to my problem at hand. thanks for the information and the suggestion! I did not know that. okay so you can change the http header with javascript but just not some parts that browser specific declares a security issue. cool beans! (and as you say, prob for the best).

with the link you provided, just so i understand, are you suggesting I setup an additional web-server running node.js in order to create the websocket proxy? or are you saying I should build the node.js server into my app to handle the proxy calls?

(also, in this case yes I might be using the term ‘spoofing’ wrong, because our website IT said the calendar JSON can only be accessed by the site itself that refeered the domain name, they can add other accepted website URLS but since im not running a website I am doing a mobile app (and have no URL to submit), i used the term spoofing cause in my mind I was trying to make it appear that my app was our website, when in fact it is not, which i guess i deemed worthy of ‘spoof’ but I could be wrong on that one)