Localhost JSROOT server

Each access to the “remote server” requires user credentials.

The “listRootFiles.php” script returns a list with several tens of “files”.
Then the “simpleGUI” always needs to combine the remote “path” with one of the “files”.

Using the “xhrFields’” setting (explicit “username” and “password” variables are removed, of course), I can easily get the “This site is asking you to sign in” dialog window (and then the “php” script executes fine).
But I do not know how to “retrieve” / “propagate” the given credentials in the “success: function(result)”.
Its full specification says: “success: function(result, textStatus, jqXHR)
I’ve been thinking that I could maybe “retrieve” the credentials from the jqXHR (jQuery XMLHttpRequest), but I failed (perhaps it just needs someone who is much more familiar with javascript).

I am not sure if credentials, provided by the user, can be received in plain form - it would major security violation.

Normally browser reuses credentials provided once for particular server for the following HTTP requests.
But I am not an expert how it can be properly configured for all situations.

I understand I cannot get the credentials in the “plain form”.
But maybe one could still retrieve the “Authorization” header, which looks like “Basic some_Base64_string”.

Well, I also tried another approach.

Before running the “remoteFileList” function, which gets the list of “files”, I added a separate:
<script>$.ajaxSetup({xhrFields: { withCredentials: true }})</script>
This works fine for any later “ajax” calls, but … unfortunately, it does NOT work in the later JSROOT calls (i.e., JSROOT doesn’t see that it should run “withCredentials”).

So, I am looking for some way to get the “This site is asking you to sign in” dialog window “at startup” and then use the provided credentials in my own “ajax” calls and then also in the JSROOT calls.

JSROOT does not using ajax function from jQuery - just plain XMLHttpRequest.
May be it has some extra settings which should be specified to reuse credentials provided before.

As I can see, there is withCredentials property.

I will provide soon method which will optionally enable such property.

With current master branch one can add following code:

import { settings } from './modules/core.mjs';
settings.WithCredentials = true;

It doesn’t work.
I tried:

      import { buildGUI } from '../jsroot/modules/gui.mjs';
      import { settings } from '../jsroot/modules/core.mjs';
      settings.WithCredentials = true;

but when I click the “Load” button it doesn’t use the credentials (still “[HTTP/1.1 401 Unauthorized 734ms]”).

Did you take jsroot from repository?
Also check that browser cache is cleared.

I cleared the cache, cloned the repository again and now I get strange errors (I am running “php -S localhost:8000”):
Loading module from “http://localhost:8000/jsroot/modules/gui.mjs” was blocked because of a disallowed MIME type (“”).
Loading module from “http://localhost:8000/jsroot/modules/core.mjs” was blocked because of a disallowed MIME type (“”)

For .mjs extension one should configure ‘text/javascript’ MIME type.
Have no idea how it can be done with php server

Excellent news … the credentials management works! Thanks.

I tried “python3 -m http.server” and it worked.

The strange thing is that … afterward, also"php -S localhost:8000" worked (but if the web cache is cleared, one needs to run “python3 ...” once again).

I’ve found a note about the “.mjs” MIME problem: Failed to load module script: The server responded with a non-JavaScript MIME type of "" - Stack Overflow

See also (“.js” is there, “.mjs” is not): PHP → Built-in web server

BTW. Would it be possible to automatically deploy the current “git” sources (maybe always when you commit “build”) into the official “JSROOT dev (expert)” web page?

I always deploy latest changes on https://jsroot.gsi.de/dev/.
root.cern/js/dev/ updated less frequently

I think I found a problem … if I “right click” on a histogram name and use “Draw in new tab” then the credentials are not passed.

Yes, this setting not transferred to new tab - I will fix it tomorrow.

I can also see (maybe only when I try “Draw in new tab”?) a strange (from some unknown “index.htm”): Error in parsing value for ‘padding’. Declaration dropped.

It seems that all my remote ROOT files contain canvases (not individual histograms), so all “Draw->[grid|tick|log]->...” have no effect.

There is possibility to change settings via context menu - try it when mouse over “Read ROOT file” title.
Now I add in “File > With credentials” item.

Settings can be stored as cookie and then reused in all browser tabs. Means if you once change some flags and then store settings, all consequent sessions will use such settings. There is also possibility to delete cookie if necessary.

Can you provide more info? When you see such message?

Draw options like ‘gridx’ or ‘logy’ should work for canvas, but do not propagated to each sub-pads. Is it that you want?

Thanks. I can see “Settings -> Files -> With credentials” checked.

But the “Draw in new tab” still says:

[HTTP/1.1 200 OK 0ms]

Set jsroot source_dir to https://jsroot.gsi.de/dev/, dev 27/04/2023 core.mjs:34:15
Error in parsing value for ‘padding’.  Declaration dropped. index.htm
[HTTP/1.1 401 Unauthorized 539ms]


I just get this strange message in the Firefox “Inspect (Q) -> Concole” window when I try “Draw in new tab” (i.e., in the new tab, see the above output).

Well, I don’t really know what to expect … I just say they do nothing when I click a canvas with pads (from a remote ROOT file).
But, I now noticed that when I “expand all items in the browser” and then try to “Draw->[grid|tick|log]->...” some individual pad then it works (for this pad).
On second thought … maybe it would really be a good idea to “enforce” the corresponding option (recursively) on all pads in the canvas.

I cannot reproduce such error with my server.
It is something wrong with created HTML element inside JSROOT.
How you run http server when you see such error?

Now in the repository.

I’m not really sure what server runs on the remote site (which provides files).

Try the following:

  1. Load” some ROOT file and “Draw” some canvas,
  2. Right-click on the canvas name and execute “Draw in new tab -> <dflt>”,
  3. In the new tab (assuming you use Firefox), right-click in it and execute “Inspect (Q)”, select “Console”, and then “Reload current page (Ctrl+R)” (in the “Console” output you should then see the strange error message, right before the message that it retrieved the ROOT file, like in the output in my previous post).

No, with root web site it does not appear:


It has something to do with the server delivering files.
Can you open “Network” tab in the inspector and reload such page?
Does all http requests to the file looks ok?

Maybe you should disable “Settings → Files → Use stamp arg” menu?
Some http servers do not like extra URL arguments for the files.