optionally allow credentials #154

Closed
wants to merge 2 commits into from

JanST123

Introduce a new flag 'allowCredentials' that disables the stripping of cookies and sets the access-control-allow-credentials header to true. Additionally, set the allow-origin header to the explicit origin then, as it is required.

@coveralls

Coverage Status

Coverage decreased (-1.8%) to 98.214% when pulling b02c683 on JanST123:master into 4814647 on Rob--W:master.


@timothy-janssen

Tried using these changes (switched allowCredentials to true). I am getting 'set-cookie' listed in 'Access-Control-Expose-Headers' in the header response to my browser, but it is still stripping the actual cookie from the header. I can see the cookie in the response to the proxy, but can't tell where it is getting removed, since it's not hitting the delete proxyRes.headers.

@JanST123
Author

JanST123 commented Mar 1, 2019

@timothy-janssen Can you validate that it IS stripped by the proxy? There are some pitfalls with cookies: it could have been bound to a specific domain, but the response comes from localhost now... Those are things the proxy does not handle, even with this pull request.

@Rob--W
Owner

Rob--W commented Mar 1, 2019

This PR is far from proper cookie support. Please do not use it in production, as the implementation is dangerously incorrect and can result in leaking cookies to other websites, or denial of service of the proxy server (when the browser, the proxy server or the destination server starts rejecting requests due to the large number of accumulated cookies).

See also the rejection reasons for a previous PR at https://github.com/Rob--W/cors-anywhere/pull/148#issuecomment-452465262

@Rob--W Rob--W closed this Mar 1, 2019
@timothy-janssen

First, I am not planning on using this in production, just for a POC with the assumption that the webpage already has a valid cookie. And, I am not running cors-anywhere locally, but on Heroku. No, I am not currently able to actually tell where the cookie is lost, just that it is returned from the backend and received by the proxy (able to print it to the console) but it never reaches my browser. Any ideas on how to debug this further?

@JanST123
Author

JanST123 commented Mar 5, 2019

@timothy-janssen You could use a tool like Wireshark for inspecting the network traffic to find out if your browser strips the cookie or really the proxy.

For all who want to use the proxy with cookies for development only and NOT on production I published my fork on npm for easy install and named it "cors-for-dev". https://www.npmjs.com/package/cors-for-dev

@timothy-janssen If you find the bug within the proxy you are welcome to create a fix PR in my fork.
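
The two cookie pitfalls raised in this thread (a cookie bound to the target's domain never being accepted by the browser, and cookies from one proxied site reaching another) can be seen in a simplified model of browser cookie scoping. This is an added example, not part of the conversation and not code from cors-anywhere or this PR; `proxy.example`, `site-a.example`, `site-b.example` and all cookie values are constructed, and Path, Secure, SameSite, expiry and per-domain cookie limits are ignored.

```javascript
// Added illustration: minimal model of browser cookie scoping (simplified from
// RFC 6265). All host names and cookie values are constructed sample data.
const PROXY_HOST = 'proxy.example';

// Parse the cookie name/value and the optional Domain attribute of a Set-Cookie value.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), domain: null };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    if (k.trim().toLowerCase() === 'domain') cookie.domain = v.trim().replace(/^\./, '').toLowerCase();
  }
  return cookie;
}

// The browser only ever sees the proxy's host as the responder.
// A Domain attribute that does not cover that host gets the cookie rejected;
// without one, the cookie is stored host-only for the proxy.
function browserStore(jar, responseHost, setCookieHeader) {
  const c = parseSetCookie(setCookieHeader);
  if (c.domain && responseHost !== c.domain && !responseHost.endsWith('.' + c.domain)) {
    return 'rejected: Domain=' + c.domain + ' does not match ' + responseHost;
  }
  jar.set(c.name, c.value); // the jar belongs to the proxy host, not to the target
  return 'stored for ' + responseHost;
}

// Cookie header attached to any request to the proxy host, whatever target is in the path.
function cookieHeaderFor(jar, proxiedUrl) {
  if (new URL(proxiedUrl).host !== PROXY_HOST) return '';
  return [...jar].map(([k, v]) => k + '=' + v).join('; ');
}

function demo() {
  const jar = new Map();
  const results = {
    scoped: browserStore(jar, PROXY_HOST, 'sid=abc; Domain=site-a.example; HttpOnly'),
    hostOnly: browserStore(jar, PROXY_HOST, 'session=A-secret; HttpOnly'),
  };
  results.sentToB = cookieHeaderFor(jar, 'https://proxy.example/https://site-b.example/');
  // Cookies from every proxied target pile up in the one shared jar.
  for (let i = 0; i < 100; i++) browserStore(jar, PROXY_HOST, 'track' + i + '=' + 'x'.repeat(80));
  results.headerBytes = cookieHeaderFor(jar, 'https://proxy.example/https://site-b.example/').length;
  return results;
}

console.log(demo());
```

In this model the domain-scoped cookie from site A is dropped by the browser, while the host-only cookie from site A is sent along with a request proxied to site B, and the accumulated Cookie header grows with every target visited.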
