[07/06/2018, 1:11 PM] mp: anyHost() won’t work. I’ll pull up the spec to explain why, hang on

[07/06/2018, 1:13 PM] mp: “When responding to a credentialed request, the server must specify an origin in the value of the Access-Control-Allow-Origin header, instead of specifying the “*” wildcard.” http://localhost:3000.

[07/06/2018, 1:17 PM] mp:

    install(CORS) {
        // config.corsAllowOrigin() returns a URL; split it into host[:port] and scheme
        val originUrl = config.corsAllowOrigin()
        val host = if (originUrl.port > 0) {
            "${originUrl.host}:${originUrl.port}"
        } else {
            originUrl.host
        }
        host(host, schemes = listOf(originUrl.protocol))
        allowCredentials = true
        header("X-MI-AntiCSRF")
        method(HttpMethod.Delete)
    }

config.corsAllowOrigin() is a URL which is broken apart as the CORS config API prefers.

[07/06/2018, 1:19 PM] mp: foo.com tried to access bar.com, browsers won’t let it do that because of security.

[07/06/2018, 1:20 PM] mp: bar.com is intended to be consumed by websites, it can use CORS to tell the browser “nah it’s fine”

[07/06/2018, 1:20 PM] mp: localhost but with different ports for the http server that serves your JS, your backend API, database, etc. URL("http://localhost:3000")

[07/06/2018, 1:25 PM] mp: anyHost

[07/06/2018, 1:28 PM] mp: headerannia but the server cors config is only whitelisting annia_session — try changing your cors config to use headerannia

[07/06/2018, 1:36 PM] mp: anyHost() with credentialed requests

[07/06/2018, 1:47 PM] mp: PUT and DELETE, credentials, and a custom header or two

[07/06/2018, 1:56 PM] mp: anyHost() will be rejected by the browser for credentialed requests — see “Credentialed requests and wildcards” in https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS. Must use host("http://foo.com") form instead