How to retrieve response segments from an xhr request

On a website, I have third-party registration and subscription software; it works mainly in JS.

A registered user can be a non-subscriber or a digital subscriber, which shows up clearly in the segment request.
I need to fetch this digital subscriber value! How do you do that?


I tried to retrieve all this data with

    var xhr = new XMLHttpRequest();
    xhr.open('GET', 'https://cmp.uat.evolok.net/acd/api/3.0/segment', true);

    // If specified, responseType must be empty string or "text"
    xhr.responseType = 'text';

    xhr.onload = function () {
        if (xhr.readyState === xhr.DONE) {
            if (xhr.status === 200) {
                // Parse the JSON body once the request has completed successfully
                var data = JSON.parse(xhr.responseText);
                console.log(data);
            }
        }
    };

    xhr.send();

as well as

    $segment = drupal_http_request('https://cmp.uat.evolok.net/acd/api/3.0/segment');
    $data = drupal_json_decode($segment->data);


and I get:

    {"result": "OK", "sessionKeys": {"ev_sid": "5e3ab79ee4b0d7a45de04073", "ev_did": "5e3ab79ee4b0d7a45de04072"}, "sessionId": "5e3ab79ee4b0d7a45de04073" ("Authenticated", "Not subscribed", "First monthly visit – Unknown Users", "Other page")}

using ajax:

    … (Object) stdClass
      request (String, 105 characters) GET /acd/api/3.0/segment HTTP/1.0 User-Agent: …
      data (String, 243 characters) {"result": "OK", "sessionKeys": {"ev_sid": "5e3ab79 …
        {"result": "OK", "sessionKeys": {"ev_sid": "5e3ab79de4b0d7a45de04051", "ev_did": "5e3ab79de4b0d7a45de04050"}, "sessionId": "5e3ab79de4b0d7a45de04051" ("Authenticated", "Not subscribed", "First monthly visit – Unknown Users", "Other page")}
      protocol (string, 8 characters) HTTP/1.1
      status_message (string, 2 characters) OK
      headers (array, 5 elements)
      code (string, 3 characters)
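As an added example (not part of the question above and not Evolok's code), here is how the segment list in that response can be parsed and turned into a subscription flag. Two assumptions are made because the page garbles them: the field holding the segment strings is called "segments" here, and the label for a paying user is taken to be "Digital subscriber"; only "Authenticated" and "Not subscribed" are actually visible in the sample. The parser walks the whole object for arrays of strings, so it does not depend on the assumed field name.

```javascript
// Added example, not from the original post or from Evolok.
// Assumptions: field name "segments" and the label "Digital subscriber" are
// hypothetical; the sample body below is constructed from the question's output.

const SEGMENT_URL = 'https://cmp.uat.evolok.net/acd/api/3.0/segment';
const SUBSCRIBER_LABEL = 'Digital subscriber';   // assumed label for a paying user
const NOT_SUBSCRIBED_LABEL = 'Not subscribed';   // visible in the page's sample

// Constructed sample, modelled on the response shown in the question.
const SAMPLE_BODY = JSON.stringify({
  result: 'OK',
  sessionKeys: { ev_sid: '5e3ab79ee4b0d7a45de04073', ev_did: '5e3ab79ee4b0d7a45de04072' },
  sessionId: '5e3ab79ee4b0d7a45de04073',
  segments: ['Authenticated', 'Not subscribed', 'First monthly visit - Unknown Users', 'Other page'],
});

// Collect every array of strings anywhere in the parsed object, so the result
// does not depend on the exact (assumed) field name.
function collectStringArrays(node, out = []) {
  if (Array.isArray(node)) {
    if (node.every((v) => typeof v === 'string')) out.push(...node);
    else node.forEach((v) => collectStringArrays(v, out));
  } else if (node && typeof node === 'object') {
    Object.values(node).forEach((v) => collectStringArrays(v, out));
  }
  return out;
}

// Turn the raw response text into a small status object.
function parseSegmentResponse(text) {
  const data = JSON.parse(text);
  if (data.result !== 'OK') throw new Error('segment API returned ' + data.result);
  const segments = collectStringArrays(data);
  return {
    sessionId: data.sessionId,
    segments,
    authenticated: segments.includes('Authenticated'),
    digitalSubscriber:
      segments.includes(SUBSCRIBER_LABEL) && !segments.includes(NOT_SUBSCRIBED_LABEL),
  };
}

// Browser side. The ev_sid cookie identifies the visitor's session, so a
// cross-origin XHR must opt in with withCredentials, otherwise the API answers
// for a fresh anonymous session. Defined only; there is no XMLHttpRequest in Node.
function fetchSegments(callback) {
  const xhr = new XMLHttpRequest();
  xhr.open('GET', SEGMENT_URL, true);
  xhr.withCredentials = true;
  xhr.responseType = 'text';
  xhr.onload = function () {
    if (xhr.status === 200) callback(null, parseSegmentResponse(xhr.responseText));
    else callback(new Error('HTTP ' + xhr.status));
  };
  xhr.onerror = function () { callback(new Error('network error')); };
  xhr.send();
}

// Run the parser over the constructed sample.
function demo() {
  return parseSegmentResponse(SAMPLE_BODY);
}

console.log(demo());
```

Two caveats worth keeping in mind. A flag computed in the browser is advisory only: anyone can flip it in the console, so anything a digital subscriber is entitled to must still be gated on the server. And the Drupal-side drupal_http_request call does not carry the visitor's browser cookies, which is why the two responses on the page show different session ids; that call reports an anonymous session, not the logged-in user's segments.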

Web application – Why is it not possible to spoof the Referer and Origin headers with XHR?

Technically speaking, it is possible to spoof both headers with the help of an intercepting proxy, but this is useless, because then we are the proxy/attacker ourselves.

When we send an AJAX request using JS from another domain with our spoofed Referer and Origin headers, they will not really be spoofed. The browser will send the legitimate headers to the server.

My question is: why can we not spoof these two headers when sending cross-domain requests?
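As an added example (not part of the question above, and not an answer in its author's voice), here is the server side that this browser behaviour makes possible: because page script can never set Origin or Referer on a cross-site XHR or fetch, a server can treat those headers as browser-controlled and use them to reject cross-site state-changing requests. The allowed origins and the sample request headers are constructed for the example.

```javascript
// Added example, not from the original post. The allowed-origin list and the
// sample headers below are constructed.

const ALLOWED_ORIGINS = new Set(['https://app.example', 'https://www.app.example']);

// Return "scheme://host[:port]" for a URL string, or null if it is not an http(s) URL.
function originOf(urlString) {
  try {
    const u = new URL(urlString);
    if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
    return u.origin;
  } catch (e) {
    return null;
  }
}

// Decide whether a state-changing request may proceed, using only headers the
// browser fills in itself. Header names are lower-case, as Node's http module
// presents them. Returns { allowed, reason }.
function checkRequestOrigin(headers, allowed = ALLOWED_ORIGINS) {
  const origin = headers['origin'];
  if (origin !== undefined) {
    // "null" is sent for sandboxed frames, data: URLs and some redirects; never trust it.
    if (origin === 'null') return { allowed: false, reason: 'opaque origin' };
    const o = originOf(origin);
    return o !== null && allowed.has(o)
      ? { allowed: true, reason: 'origin allowed' }
      : { allowed: false, reason: 'origin not allowed' };
  }
  // No Origin header: fall back to the Referer's origin (path and query are ignored).
  const referer = headers['referer'];
  if (referer !== undefined) {
    const r = originOf(referer);
    return r !== null && allowed.has(r)
      ? { allowed: true, reason: 'referer allowed' }
      : { allowed: false, reason: 'referer not allowed' };
  }
  // Neither header present: fail closed for anything that changes state.
  return { allowed: false, reason: 'no origin or referer' };
}

// Constructed sample requests. Every one carries the victim's session cookie,
// which is exactly the CSRF situation; only the origin information differs.
const SAMPLES = {
  legit:       { origin: 'https://app.example', cookie: 'session=abc' },
  crossSite:   { origin: 'https://evil.example', cookie: 'session=abc' },
  refererOnly: { referer: 'https://app.example/account/settings', cookie: 'session=abc' },
  opaque:      { origin: 'null', cookie: 'session=abc' },
  bare:        { cookie: 'session=abc' },
  lookalike:   { origin: 'https://app.example.evil.example', cookie: 'session=abc' },
};

// Evaluate every sample; returns a name -> allowed map.
function runSamples() {
  const out = {};
  for (const [name, h] of Object.entries(SAMPLES)) out[name] = checkRequestOrigin(h).allowed;
  return out;
}

console.log(runSamples());
```

The check compares whole origins, not string prefixes, which is why the look-alike host is rejected; and it fails closed when neither header is present, since a browser-issued cross-site POST always carries Origin and a missing header is therefore not a browser's doing.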

security – A more efficient way to block the constant barrage of XHR ad-tracking requests?

I currently have a set of dynamic rules configured in uBlock Origin to block various ad-tracking sites, which handle a steady stream of requests, as observed in the logger. My question would be: is there a more efficient way to go about this?

From what I've understood, dynamic rules override the "My filters" rules, but they both amount to the same thing. Is there an earlier point at which I could cut these requests off, or a possible trick to let one request through, then block it afterwards? Or maybe even kill it on arrival, so to speak?

My apologies for the poorly worded question. English is my mother tongue, so I do not really have a valid excuse.

javascript – Why is XHR not defined in this ajax call?

I'm trying to make an AJAX call, but xhr is not defined.

I have a file called threeDmaker.js that is enqueued in WordPress with the following:

    wp_enqueue_script('threeDmaker', get_stylesheet_directory_uri() . '/js/threeDmaker.js');

    wp_localize_script('threeDmaker', 'threeDmakerData', array(
        'root_url' => get_site_url(),
        'nonce'    => wp_create_nonce('wp_rest')
    ));

and the threeDmaker.js file looks like this:

    import $ from 'jquery';

    function take_screenshot(e) {
        var ajaxurl = e.getAttribute("data-url");
        var canvas = document.getElementById('threeD-canvas');
        var dataURL = canvas.toDataURL();
        $.ajax({
            url: ajaxurl,
            type: "POST",
            data: {
                action: 'my_screenshot',
                dataURL: dataURL
            },
            // Attach the REST nonce so WordPress can verify the request
            beforeSend: (xhr) => {
                xhr.setRequestHeader("X-WP-Nonce", threeDmakerData.nonce);
            },
            error: function (response) {
                console.log(response);
            },
            success: function (response) {
                console.log(response);
            }
        });
    }


Any idea what could be going wrong here?