Allow send() on Cordova/non-same-origin #11
Hey @s-ol, I'd love to merge it, but I'm getting errors: Any ideas on what may have gone wrong?
@dr-dimitru hm, it looks like some values are being urlEncoded where they shouldn't be - or hadn't been (or they are not being urlDecoded, where they used to be).
@dr-dimitru i just pushed a blind fix, since apparently the way i was running the tests the last time didn't work. Could you please let me know whether this passes the tests?
Added info about running tests to docs. I'm still experiencing issues:
Hello @s-ol, I've got to reject this PR due to failed test and major (seems like unnecessary) changes in core codebase. I'm going to manually implement
@dr-dimitru you can try implementing it yourself of course, but i think you will find out why it is necessary to change some of the internals for implementing proper cookie setting for cordova. The important thing is that cookies need to be transmitted using an XHR with
@s-ol if we are going to send "cookies" as query string, it isn't really "cookies". |
@s-ol our goal — keep this library RFC 6265 compatible |
isn't that exactly what the middleware in this PR does? following only RFC6265 will not lead very far because the cordova-plugin-meteor-webapp completely circumvents any regular cookie behavior with its same-origin violation. |
Why should this be part of this library, when it can be simply implemented on demand? /CC @jankapunkt
@dr-dimitru: no, it is the case whenever cookies are used on Cordova - i would not call this an edge case, it is one of the main intended use cases of meteor and this library: right now your package does not support all the platforms that meteor supports - and this is not mentioned in the README. If any package includes the fix that makes cookies work on cordova - shouldn't it be the one that provides "isomorphic bulletproof cookies"?
Cordova (v2.4.0)

__Major Changes:__

- 👨💻 `handler` option now called even if `auto` option is set to `false`
- 👷♂️ `Path=/` now is default `path` of all cookies
- 👨🔬 Partly implemented suggested changes from #11 to provide support over Cordova platform, via `Access-Control-Allow-Credentials` and `Access-Control-Allow-Origin` headers and supplying XHR request with `withCredentials - true` option, thanks to @s-ol

Other Changes:

- 👨💻 Overall security and stability enhancements
- 👷♂️ Add `onCookies` *Server* callback/hook triggered only when client invokes `.send()` method
- 📦 Internal Meteor dependencies update
As outlined in veliovgroup/Meteor-Files#656 (comment), there are still open issues / fixes that were part of this PR. @menelike is currently working on rebasing the missing changes onto your v2.4.0 in
This PR enables `cookies.send()` on Cordova (iOS/Android), where it was before unusable because Cookies never reached the non-origin domain `$ROOT_URL`, regardless of whether `.send()` was called or not since `document.cookie` referred only to the `localhost:12008` "proxy" domain and the `.send()` request was also sent there and was unanswered.

Some notable changes:

- `this.cookies` now stores the cookieString; not the sanitized Value. This is necessary because after setting attributes like `Path=/` in `document.cookie`, these attributes are not accessible by the client anymore, i.e. they do not show up in `document.cookie`, and therefore need to be tracked independently.
- `send()` passes the Cookies by URI-string because they otherwise couldn't reach the server
- `Meteor.isCordova` `send()` reaches out to `Meteor.absoluteUrl()` instead of the default, which is `localhost:12008` in these cases, where the server cannot reply and instead index.html is served.
- `Access-Control-Allow-Origin: http://localhost:12008` and `Access-Control-Allow-Credentials: true` are set on the `___cookie___/set` route.

The overall API remains consistent and as far as I could tell `meteor test-packages` agrees that nothing got hurt.
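
The CORS setup this description relies on, as an added example that is not code from this PR or from the package: a connect-style middleware that sends `Access-Control-Allow-Credentials: true` on the `___cookie___/set` route only to an exact-match allowlisted origin. The names `corsForCookieRoute`, `ALLOWED_ORIGINS` and `simulate`, the 403/204 responses and the mock request/response objects are assumptions made for illustration.

```javascript
'use strict';

// Hypothetical allowlist: the Cordova "proxy" origin named in the PR description.
const ALLOWED_ORIGINS = new Set(['http://localhost:12008']);

// Connect-style middleware (hypothetical name) for the cookie-sync route.
// Browsers reject "Access-Control-Allow-Origin: *" on credentialed requests, so
// the origin has to be echoed back; echoing it without an allowlist would let
// any site send credentialed requests, hence the exact-match check.
function corsForCookieRoute(req, res, next) {
  if (!req.url.split('?')[0].endsWith('/___cookie___/set')) return next();

  const origin = req.headers.origin;
  res.setHeader('Vary', 'Origin'); // keep caches from reusing one origin's reply
  if (origin && !ALLOWED_ORIGINS.has(origin)) {
    res.statusCode = 403; // cross-origin caller that is not allowlisted
    return res.end();
  }
  if (origin) {
    res.setHeader('Access-Control-Allow-Origin', origin);
    res.setHeader('Access-Control-Allow-Credentials', 'true');
  }
  if (req.method === 'OPTIONS') { // preflight: answer without running the handler
    res.setHeader('Access-Control-Allow-Methods', 'GET');
    res.statusCode = 204;
    return res.end();
  }
  return next();
}

// Constructed request/response pair so the example runs offline.
function simulate(method, url, origin) {
  const headers = {};
  const res = {
    statusCode: 200,
    setHeader(name, value) { headers[name.toLowerCase()] = value; },
    end() {},
  };
  let passedOn = false;
  const req = { method, url, headers: origin ? { origin } : {} };
  corsForCookieRoute(req, res, () => { passedOn = true; });
  return { status: res.statusCode, headers, passedOn };
}

console.log(simulate('GET', '/___cookie___/set?x=1', 'http://localhost:12008'));
console.log(simulate('GET', '/___cookie___/set?x=1', 'https://other.example'));
```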