No more cookies included in requests? #1133

Closed
sneko opened this issue Dec 25, 2019 · 10 comments

@sneko

sneko commented Dec 25, 2019

Describe the bug

Hi @imolorhe, it's been some time without using Altair but I noticed I'm no longer able to send requests since they no longer include my credential cookies. I opened the Chrome console to check and I cannot see them even if the request is made to a domain having some cookies in place.

Did you make some changes about that?

Thank you,

Desktop (please complete the following information):

  • MacOS
  • Chrome
  • 2.4.2
@welcome

welcome bot commented Dec 25, 2019

👋🏾Thanks for opening your first issue here! Be sure to follow the issue template! ✌🏾

@imolorhe
Collaborator

Hey @sneko, how are you using Altair? The chrome extension? Which cookies do you expect to be sent with the request but aren't?

@sneko
Author

sneko commented Dec 26, 2019

Yes I'm using the Chrome extension.

In the past months I was using Altair like that:

  • I have a protected API behind cookie verification
  • So I make sure my cookie is set and that I have access to the url (xxxx.com/graphql)
  • I go inside the Altair extension and use the above URL as graphql endpoint
  • I do some requests and Altair is able to reach my API since the cookie was set for the xxxx.com domain and it seems Altair was using the parameter credentials: 'include' so cookies are used even for cross-domain requests

But that was before. Now when looking in my Chrome console at my requests made from Altair, I no longer see the cookie in "request headers". I'm not sure which side (Altair vs my side) the issue comes from so I preferred to ask you if some changes have been made.

Thank you,

@imolorhe
Collaborator

imolorhe commented Dec 26, 2019

I don't think any of the changes I made to Altair recently would have changed that. I would suggest checking an older version of Altair https://github.com/imolorhe/altair/releases to compare the results with. I can verify if an updated version of the libraries has a different default, because I don't specify the credentials: "include" parameter myself.


@sneko
Author

sneko commented Dec 26, 2019

I'm looking for a way to make it work with the latest updates.

What would be the way you advise so I can inject an authentication cookie in all my requests (or all requests for a specific chosen environment)?

I saw the prerequest editor but I'm not able to use altair.helpers.getCookie('XXXXXX'); to get my cookie, the returned string is always empty. Is there a way to specify from which domain I want to get the cookie?

Otherwise, a great solution in the Chrome Extension of GraphQL Playground is they allow customizing the HTTP parameter credentials I was talking about (include, omit, same-origin). It would be great if Altair could leave the choice to the developer.

Note: if you made any change I don't understand why this is no longer working, subdependencies should not have modified defaults such as credentials. On the other hand, I'm able to provide cookies with GraphQL Playground (but I prefer Altair interface 😉 ). I definitely don't know what is the origin of this change 😆 ...

@imolorhe
Collaborator

I can add the option to specify if the requests should be sent with credentials. Looking through the changes in git, I don't think credentials were ever included in the requests that were sent (the last change to that part of the code was about a year ago). Also looking at the git repo of the angular HttpClient module, the default for withCredentials is false meaning it doesn't send the cookies with the requests. You could set the cookie as headers in the desktop apps.

However, I think for some specific cases, the HttpClient module includes credentials but I haven't been able to verify that yet.

PS: There's no way to specify the domain from which cookies for a request should be sent. That would be a major security flaw in the web if that existed.

@imolorhe
Collaborator

Another case when the cookies could have been sent is if you used Altair hosted on your own domain (or localhost), using one of the npm packages. In that case, the cookies are always sent since it is a same-site request.

@sneko
Author

sneko commented Dec 27, 2019

That's really strange, I was just using the extension and the GraphQL API was for sure protected by cookie checking ^^... Anyway, I'm indeed interested in the option you mention, making us able to override the parameter if needed.

BTW, thank you for your work, Altair is an amazing GQL client 🎉

@imolorhe imolorhe added this to the v2.4.3 milestone Dec 28, 2019
@sneko
Author

sneko commented Dec 28, 2019

Awesome reactivity @imolorhe ! Thanks! Can't wait for the release 🎉

@imolorhe
Collaborator

imolorhe commented Jan 3, 2020

Hey @sneko, it seems the reason for the cookies change was due to changes to some of the permissions of the browser extension. I'll re-add those permissions again and the cookies should be sent again.

The permissions implicitly removed allowed the extension to circumvent the CORS policy of the browsers for any domain. I hadn't realized that those permissions were responsible for this behavior. I'll re-add those permissions again in the next release.
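
Added example, not part of the thread and not Altair's code: a simplified model of the browser rules the comments above refer to (the credentials modes include / omit / same-origin, withCredentials defaulting to false, and what a cookie-protected API must answer for a cross-origin credentialed response to be readable). Function names and origins are constructed for illustration; SameSite, third-party-cookie blocking, preflights and extension host permissions are not modelled.

```javascript
// Added example: simplified model of the browser rules discussed in this thread.
// Names and origins are constructed; this is not Altair's code.

// XMLHttpRequest (which Angular's HttpClient uses) maps withCredentials to a
// fetch-style credentials mode: false -> 'same-origin', true -> 'include'.
function modeFromWithCredentials(withCredentials) {
  return withCredentials ? 'include' : 'same-origin';
}

function isSameOrigin(pageOrigin, requestUrl) {
  return new URL(requestUrl).origin === new URL(pageOrigin).origin;
}

// Does the browser attach cookies to the request?
function cookiesAttached(pageOrigin, requestUrl, mode) {
  switch (mode) {
    case 'omit': return false;
    case 'include': return true;
    case 'same-origin': return isSameOrigin(pageOrigin, requestUrl);
    default: throw new TypeError(`unknown credentials mode: ${mode}`);
  }
}

// Can page script read the response? A cross-origin credentialed response needs
// an exact Access-Control-Allow-Origin (never "*") plus Allow-Credentials: true.
function responseReadable(pageOrigin, requestUrl, mode, headers) {
  if (isSameOrigin(pageOrigin, requestUrl)) return true; // CORS does not apply
  const origin = new URL(pageOrigin).origin;
  const allowOrigin = headers['access-control-allow-origin'];
  if (!cookiesAttached(pageOrigin, requestUrl, mode)) {
    return allowOrigin === '*' || allowOrigin === origin;
  }
  return allowOrigin === origin &&
    headers['access-control-allow-credentials'] === 'true';
}

// Constructed scenario: the client page on one origin, the API on another.
const PAGE = 'https://altair.example';
const API = 'https://api.example/graphql';
const wildcard = { 'access-control-allow-origin': '*' };
const strict = {
  'access-control-allow-origin': PAGE,
  'access-control-allow-credentials': 'true',
};
console.log('default XHR sends cookies cross-origin:',
  cookiesAttached(PAGE, API, modeFromWithCredentials(false)));
console.log('include + wildcard CORS readable:',
  responseReadable(PAGE, API, 'include', wildcard));
console.log('include + strict CORS readable:',
  responseReadable(PAGE, API, 'include', strict));
```
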
