CORS requests not allowed in Chrome if withCredentials true
mattheworiordan committed Jul 2, 2015
1 parent 55678f2 commit f5187ec
Showing 1 changed file with 4 additions and 1 deletion.
5 changes: 4 additions & 1 deletion browser/lib/transport/xhrrequest.js
Expand Up @@ -89,7 +89,10 @@ var XHRRequest = (function() {

xhr.open(method, this.uri, true);
xhr.responseType = responseType;
xhr.withCredentials = 'true';

if ('authorization' in headers) {
xhr.withCredentials = 'true';
}

for(var h in headers)
xhr.setRequestHeader(h, headers[h]);
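Review bot: the new guard `if ('authorization' in headers)` matches the key case-sensitively, so a caller that supplies the header under its canonical spelling `Authorization` would skip the block and the request would go out without credentials; normalise header names to lower case before the test, or check both spellings. On the same lines, `xhr.withCredentials = 'true';` assigns a string to a boolean property (it coerces to true, but `xhr.withCredentials = true;` is the idiomatic form and was already the shape of the removed line). A short comment stating why the flag is now conditional would also help the next reader: with credentials enabled, the browser rejects a response whose `Access-Control-Allow-Origin` is `*`, so the flag is only set where an Authorization header makes it necessary, at the cost of no cookies being sent on the unauthenticated cross-origin case.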

2 comments on commit f5187ec

@paddybyers
Member


We discussed this and I decided to leave as-is.

When an authURL is given, which is a cross-domain request, then the client is responsible for setting the CORS headers appropriately in the authURL response. If they wish to get an Authorization header, then they have to ensure that there is no wildcard origin in the CORS response. So I think this check is correct.

The side-effects of omitting withCredentials also include no cookies being sent. I can see a use-case for the authURL request expecting a cookie in the same-origin case, but I don't think it is reasonable to expect anything in the cross-origin case.
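The rule described in the comment above, as an added example that is not part of the commit or the repository: a checker that applies the browser's CORS acceptance rules for a credentialed request (one sent with `withCredentials` enabled) to a set of constructed authURL response headers, so a server operator can confirm the configuration before a client fails with an opaque CORS error. The origin `https://app.example` and the sample header values are assumptions.

```javascript
// Added example, not code from the commit or the repository. Mirrors the
// checks a browser performs on a cross-origin response when the request was
// made with credentials (withCredentials = true), per the Fetch standard.
function corsCredentialedResponseAllowed(requestOrigin, responseHeaders) {
  // Header names are compared case-insensitively, as the browser does.
  const headers = {};
  for (const name of Object.keys(responseHeaders)) {
    headers[name.toLowerCase()] = String(responseHeaders[name]).trim();
  }
  const allowOrigin = headers['access-control-allow-origin'];
  const allowCreds = headers['access-control-allow-credentials'];

  if (allowOrigin === undefined) {
    return { ok: false, reason: 'missing Access-Control-Allow-Origin' };
  }
  // A wildcard origin is rejected outright once credentials are involved,
  // whatever the credentials header says.
  if (allowOrigin === '*') {
    return { ok: false, reason: 'wildcard origin not allowed with credentials' };
  }
  if (allowOrigin !== requestOrigin) {
    return { ok: false, reason: 'origin mismatch: ' + allowOrigin };
  }
  // The credentials header must be the literal value "true".
  if (allowCreds !== 'true') {
    return { ok: false, reason: 'Access-Control-Allow-Credentials must be "true"' };
  }
  return { ok: true, reason: 'accepted' };
}

// Constructed sample responses from an authURL hosted on another origin
// (assumed values, not taken from any real deployment).
const SAMPLES = {
  wildcard: { 'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Credentials': 'true' },
  echoed: { 'Access-Control-Allow-Origin': 'https://app.example', 'Access-Control-Allow-Credentials': 'true' },
  noCreds: { 'Access-Control-Allow-Origin': 'https://app.example' },
};

for (const [name, hdrs] of Object.entries(SAMPLES)) {
  const r = corsCredentialedResponseAllowed('https://app.example', hdrs);
  console.log(name + ': ' + (r.ok ? 'accepted' : 'rejected (' + r.reason + ')'));
}
```

Only the `echoed` sample passes; the wildcard case is exactly the configuration that made Chrome refuse the request this commit works around.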

@mattheworiordan
Member Author


Yup, makes sense, and later, if anyone asks, we could add another Auth option if need be.
