403 Forbidden from /_api/contextinfo when using Chrome Postman REST App

tl;dr
The Postman App was sending an Origin header to /_api/contextinfo and that was generating a 403 Forbidden. Using a fiddler rule I removed the Origin HTTP header and the call to /_api/contextinfo endpoint then worked.

I’ve recently been trying to grok the SharePoint online REST API, particularly executing requests that require an HTTP POST and therefore a X-RequestDigest header.

To help me understand the interaction with the REST API I installed the Google Chrome Postman REST App and started to test.

If you open google chrome, login to your Office 365 site, then launch Postman, requests to the RESP API will be sent with the appropriate cookies for FedAuth and rtFA to authenticate.

So all good then, I was able to execute simple GET requests such as https://*myo365site*/_api/web and get back results as expected.

I wanted to start experimenting with the REST APIs for custom permissions that are “documented” here:

https://msdn.microsoft.com/en-us/library/office/dn495392.aspx

So the first thing I needed to do was to get a Request Digest to add as a header to my POST requests from Postman. Of course to get a Request Digest you need to have issued a POST request – but for POST requests you need a X-RequestDigest header – chicken & egg.

The process to follow is to issue a POST request to the https://*myo365site*/_api/contextinfo endpoint with an empty body and two headers:

Accept: application/json;odata=verbose
Content-Length: 0

This “should” return a 200 status code and a body such as the following:


{


 "d": {
 "GetContextWebInformation": {
 "__metadata": {
 "type": "SP.ContextWebInformation"
 },
 "FormDigestTimeoutSeconds": 1800,
 "FormDigestValue": "<FORMDIGESTVALUE>",
 "LibraryVersion": "16.0.4107.1226",
 "SiteFullUrl": "https://*myo365site*",
 "SupportedSchemaVersions": {
 "__metadata": {
 "type": "Collection(Edm.String)"
 },
 "results": [
 "14.0.0.0",
 "15.0.0.0"
 ]
 },
 "WebFullUrl": "https://*myo365site*"
 }
 }
}

Instead I was getting a 403 Forbidden status code with no body. I then started up fiddler to what was being sent through by Postman. Postman was sending through a few extra headers:

POST https://*myo365site*/_api/contextinfo HTTP/1.1
Host: *myo365site*
Connection: keep-alive
Content-Length: 0
Accept: application/json;odata=verbose
Origin: chrome-extension://fdmmgilgnpjigdojojpjoooidkmcomcm
CSP: active
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.81 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Cookie: WSS_FullScreenMode=false; rtFa=*cookievalue*; FedAuth=*cookievalue*

I copied all of the above headers into fildder’s Compose tab, I then started to remove the additional headers one by one to see if it made any difference.

When I removed the Origin: chrome-extension://fdmmgilgnpjigdojojpjoooidkmcomcm the request succeeded!

I then added a rule to fildder in the static function OnBeforeRequest(oSession: Session) method:

oSession.RequestHeaders.Remove("origin");

And my requests from Postman to /_api/web/contextinfo now succeeded and I was able to obtain the RequestDigest value from the JSOM and use it as the value for the X-RequestDigest HTTP header for subsequent HTTP POST calls to REST endpoints.

Now…should I be leaving this fiddler rule in place “for all requests”?, I don’t know. All I know for now is that for my specific environment this is what I was seeing and I was able to get the call to /_api/contextinfo to execute successfully by removing the origin header.

I suspect that once I start issuing calls that do require the origin header (guessing here but the calls from an AppWeb to a HostWeb for example) then I’ll maybe run into issues. Need to investigate further.

YMMV

Advertisements
This entry was posted in Uncategorized. Bookmark the permalink.

13 Responses to 403 Forbidden from /_api/contextinfo when using Chrome Postman REST App

  1. Denis Renam says:

    Hello, I was reading your article and am having trouble with the same error (403 Forbidden) .I have an application in cord which can authenticate to the online sharepoint and even consume OData. But the cunsumir a REST api to perform a precise Update the RequestDigest, there begins my problems. I can not make a post to ‘/ _api / contextinfo’. Could you help me in this matter?

    $.support.cors = true; // enable cross-domain query
    $.ajax({
    type: ‘POST’,
    data: oAuth.SecurityToken,
    crossDomain: true, // had no effect, see support.cors above
    contentType: ‘text/xml; charset=”utf-8″‘,
    url: oAuth.ProjectURL + ‘/_api/contextinfo’,
    dataType: ‘xml’,
    success: function (data, textStatus, result) {
    var teste = result;

    //digest = $(result.responseText).find(“d\\:FormDigestValue”).text();

    },
    error: function (result, textStatus, errorThrown) {
    var response = JSON.parse(result.responseText);
    if ((response.error != undefined) && (response.error.message != undefined)) {
    alert(response.error.message.value);
    }
    }
    });

    • finarne says:

      In your code above you are sending data in the POST body, to get the security digest try to issue a POST to /_api/contextinfo that has no body, a Content-length: 0 header, and an Accept: application/json;odata=versbose header.

      • Denis Renam says:

        already I tried everything and the error is always the same 403, tried through the Rest Client in Chrome and successful, more needed to change the HTTPS URL for HTTP.

        The result Client Rest was:

        To: https: //mysite.sharepoint.com/SITES/pwa/_api/contextinfo with status: 307 Show explanation HTTP / 1.1 307 Internal Redirect
        Redirection information has not Been cached.
        Location: https://mysite.sharepoint.com/SITES/pwa/_api/contextinfo
        Non-Authoritative-Reason: HSTS
        Access-Control-Allow-Origin: chrome-extension: // hgmloofddffdnphfgcellkdfbfbjeloo
        Access-Control-Allow-Credentials: true

        var xhr = new XMLHttpRequest();
        var open_str = url + ‘/_api/contextinfo’;
        xhr.open(“POST”, open_str, true);
        xhr.setRequestHeader(“Content-Type”, “application/json;odata=verbose”);
        xhr.setRequestHeader(“Accept”, “application/json;odata=verbose”);
        xhr.withCredentials = false;
        xhr.onload = function () {
        var responseText = xhr.responseText;
        console.log(responseText);
        // process the response.
        };

        xhr.onerror = function () {
        console.log(‘There was an error!’);
        };
        xhr.onreadystatechange = function () {

        if (xhr.readyState == 4 && xhr.status == 200) {

        var digest = $(xhr.responseText).find(“d\\:FormDigestValue”).text();

        alert(digest);

        }
        }
        xhr.send(null);

  2. finarne says:

    Can you try to add the Content-length: 0 header to your POST and see if that works? (maybe you can trace the calls with fiddler and then inside fiddler’s compose feature you can tweak the headers one at a time).

  3. lucky says:

    Hey guys ? any luck on the above issue? I am having the same issue
    I am making a POST request to /_api/contextinfo but i am getting 403(forbidden)
    i have checked in fiddler everything seems to be fine, Content-length header is also 0

  4. James Murray says:

    A really simple solution I found thanks to this post is in Postman add a header value of Origin:””. This will clear the origin value and I immediately got a 200 message. Thank you for the information that led me to resolving my issue.

  5. flynnn555 says:

    This article was spot on, saved me loads of time, working with api’s in SharePoint can be so painful and the documentation is not always available or accurate keep up the good work. If you have any further resources I would really like to read them on SharePoint API’s

  6. Casey says:

    Thank you so much for this.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s