Enable support for Cordova and Electron applications #39
Conversation
As the issue you have linked says:
Are there alternatives? I am not very familiar with Cordova, but if anything, the origin header should not be sent at all. Have you properly configured your app's domain whitelist? http://cordova.apache.org/docs/en/7.x/guide/appdev/whitelist/index.html I can also find related issues in cordova itself: I can also find lots of discussions mentioning ionic, cordova, phonegap, etc. and in no case is it recommended to allow for the
Hi Andrius, The whitelisting only controls which the cordova application is allowed to make requests to. It doesn't control/influence the response of the server. No matter what, a cordova application loaded on the mobile will always send 'Origin: file://' (which the HAT will always reject). A quick google search also says that it's impossible to programmatically set Origin (due to security concerns: you don't want a program to mock where it is from). I think this is why the play.filters.cors.serveForbiddenOrigins setting was accepted into Play Framework in the first place, to allow cordova and electron applications to call it.
Our own backend is also written in Play Framework. Our cordova application is calling it fine. So I made a close examination of our configuration and noted that in our setup, we have a nginx proxy in front of the Play backend. The proxy server modifies the Origin setting to keep both parties happy. Our nginx config
Yes, and the nginx workaround has exactly the same effect as just allowing And indeed in the general case the Origin header cannot be set programmatically, which is exactly because it is used as a security measure to prevent a user being tricked into sending or requesting information from a different backend than they think they should be talking to. Some recommended reading: https://code.google.com/archive/p/browsersec/wikis/Part2.wiki#Same-origin_policy
Now an app running on the phone (as opposed to a browser) has no reason in setting the Perhaps your workaround lies within how Cordova opens chrome: Ionic themselves have a post on this: http://blog.ionicframework.com/handling-cors-issues-in-ionic/. Specifically:
Though I am not clear whether this will mean that the browser will not care to check CORS directives but
Concluding Remarks/Solution
Regarding above comment
Indeed the
The problem statement
This addition by the Cordova platform's $http causes backend services written in Play Framework to forbid access. And HAT is written in the HAT framework.
Rejected solution
On the other hand, it's impossible to modify the So how do we solve this impasse?
Solution
We found the replacement with the cordova plugin The above plugin does not auto include the
Thank you and happy that there was an easy workaround, closing this for now
Problem Statement
When a Cordova mobile application makes a JavaScript call to HAT endpoints (with the correct headers, tokens and credentials), a 403 Forbidden status is always returned by HAT.
Detailed Description
The above issue has been reported before:
playframework/playframework#5193
The cause is that during a call to a web service, Cordova would set the Origin header to file://. And the CORSFilter in the Play Framework would reject it. This observation is further tested/verified with Postman or curl calls.
Resolution
Play Framework has resolved this issue by introducing the setting play.filters.cors.serveForbiddenOrigins. The default value is false.
This PR adds the above setting and sets the value to true.
Extended Impact
Web literature seems to suggest that Electron applications would encounter the same error.
HAT DCO
Signed-off-by: Terry Lee terry.lee@nogginasia.com
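The following is an added example, written for this page and not code from HAT or from the Play Framework, that models what the PR description and the thread above describe: a CORS filter sitting in front of an authenticated endpoint, the Origin: file:// that a Cordova WebView sends, and the effect of a serveForbiddenOrigins switch. The filter, request and config names are assumptions made for the example, the origin-validity rule (scheme plus non-empty host, so file:// and the opaque null origin are both forbidden) is a simplification of what a real filter does, and the bearer token and origins are constructed values. The point a defender should take from it is that serving forbidden origins does not hand a browser any cross-origin read access (no Access-Control-Allow-Origin is emitted), so the endpoint's own token check remains the access control; the switch only stops the filter from answering 403 to non-browser clients such as a WebView or a native HTTP plugin.

```python
"""Simulation of a CORS filter with a serveForbiddenOrigins option (added example, not HAT/Play code)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

Response = Tuple[int, Dict[str, str], str]  # (status, headers, body)


@dataclass(frozen=True)
class CorsConfig:
    # Exact-match allow-list. Empty means "any well-formed origin" (assumed, like an unset allowedOrigins).
    allowed_origins: Tuple[str, ...] = ()
    # Models play.filters.cors.serveForbiddenOrigins: when True a request from a forbidden
    # origin is still handed to the application, but receives no Access-Control-* headers.
    serve_forbidden_origins: bool = False
    allowed_methods: Tuple[str, ...] = ("GET", "POST", "PUT", "DELETE", "OPTIONS")


def is_well_formed_origin(origin: str) -> bool:
    """A serialised origin is scheme://host[:port]; 'file://' has no host and 'null' has no scheme."""
    parts = urlsplit(origin)
    return bool(parts.scheme) and bool(parts.hostname) and not parts.path and not parts.query


def origin_is_allowed(origin: str, config: CorsConfig) -> bool:
    if not is_well_formed_origin(origin):
        return False
    return not config.allowed_origins or origin in config.allowed_origins


def protected_resource(request: dict) -> Response:
    """Stand-in for the application endpoint; authorisation is the token, independent of Origin."""
    if request["headers"].get("Authorization") != "Bearer constructed-demo-token":  # constructed token
        return 401, {}, "missing or invalid token"
    return 200, {"Content-Type": "application/json"}, '{"ok": true}'


def cors_filter(request: dict, config: CorsConfig, next_handler=protected_resource) -> Response:
    headers = request["headers"]
    origin = headers.get("Origin")
    if origin is None:
        # Not a CORS request: curl, Postman, or a native HTTP plugin that sends no Origin at all.
        return next_handler(request)
    if not origin_is_allowed(origin, config):
        if config.serve_forbidden_origins:
            return next_handler(request)  # served, but deliberately without CORS headers
        return 403, {}, "Origin %s is not allowed" % origin
    cors_headers = {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }
    if request["method"] == "OPTIONS" and "Access-Control-Request-Method" in headers:
        # Preflight: answered by the filter, the application is never reached.
        requested = headers["Access-Control-Request-Method"]
        if requested not in config.allowed_methods:
            return 403, {}, "method %s not allowed for CORS" % requested
        cors_headers["Access-Control-Allow-Methods"] = ", ".join(config.allowed_methods)
        cors_headers["Access-Control-Allow-Headers"] = headers.get("Access-Control-Request-Headers", "")
        return 204, cors_headers, ""
    status, resp_headers, body = next_handler(request)
    return status, {**resp_headers, **cors_headers}, body


def make_request(origin: Optional[str], method: str = "GET") -> dict:
    headers = {"Authorization": "Bearer constructed-demo-token"}
    if origin is not None:
        headers["Origin"] = origin
    return {"method": method, "path": "/api/data", "headers": headers}


def scenarios() -> Dict[str, Tuple[int, Optional[str]]]:
    """Status and Access-Control-Allow-Origin value for each client / setting pair in the thread."""
    strict = CorsConfig(allowed_origins=("https://app.example.com",))
    relaxed = CorsConfig(allowed_origins=("https://app.example.com",), serve_forbidden_origins=True)
    cases = {
        "browser, allowed origin": (make_request("https://app.example.com"), strict),
        "cordova file://, default": (make_request("file://"), strict),
        "cordova file://, serveForbiddenOrigins": (make_request("file://"), relaxed),
        "opaque null origin, serveForbiddenOrigins": (make_request("null"), relaxed),
        "no Origin header (curl / native HTTP plugin)": (make_request(None), strict),
    }
    out = {}
    for name, (req, cfg) in cases.items():
        status, hdrs, _ = cors_filter(req, cfg)
        out[name] = (status, hdrs.get("Access-Control-Allow-Origin"))
    return out


if __name__ == "__main__":
    for name, (status, acao) in scenarios().items():
        print("%-45s -> %d  Access-Control-Allow-Origin=%s" % (name, status, acao))
```

Running it shows the 403 from the PR's problem statement for the file:// case under the default, a 200 with no Access-Control-Allow-Origin once serve_forbidden_origins is on, and the same 200 for a client that sends no Origin header at all, which is the situation the native-plugin workaround in the thread produces.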