Better document use of the credentials flag #39

Open
al2o3cr opened this issue Jan 6, 2014 · 1 comment
al2o3cr commented Jan 6, 2014

I ran into an odd problem today on a company app suite. TL;DR - you need to set credentials: false if you want multiple JS endpoints all hitting the same API endpoint to work.

Some background:

  • my company has a suite of internal applications that all interact via AJAX with a central API server. (Rails 3.2.14, rack-cors 0.2.8) Each JS app is on a separate subdomain (so foo-app.example.com, bar-app.example.com)
  • the API server had the following configuration for rack-cors:
  Rails.application.config.middleware.insert_before Warden::Manager, Rack::Cors do
    allow do
      origins '*'
      resource '*',
        headers: :any,
        methods: [:get, :post, :put, :delete, :options]
    end
  end
  • the observed behavior was that the first application visited in a tab would load successfully, but navigating to another in the suite relatively quickly afterwards (in the same tab) would fail with a CORS error in the browser.
  • some digging revealed that when the first app preflighted its requests, the Access-Control-Allow-Origin header was set to foo-app.example.com. This result was cached by the browser, causing the second app's requests to fail.
  • adding credentials: false to the resource call caused the Access-Control-Allow-Origin to be correctly sent as * and solved the problem.

The behavior is definitely correct by the W3C docs, but it's not at all obvious (short of either extreme familiarity with the spec or reading the source) that the credentials flag would have this effect.

I'm happy to help write up some docs for this, but I'm not sure where they should go. In the meantime, perhaps this issue will save somebody else some confusion.

@singfoom

I apologize if this is the wrong place to ask this, but I'm having this exact issue and I wanted to ask...
This is my block for the cors configuration, adding the subdomains like your applications above, as well as some localhosts for development in different apps...

    config.middleware.use Rack::Cors do
      allow do
        origins 'http://subdomain1.foo.com', 'http://localhost:3000', 'http://localhost:63342', 'http://localhost', 'http://subdomain2.foo.com'
        resource '*', 
          :headers => :any, 
          :methods => [:get, :post, :options, :delete, :put]
      end
    end

I don't think it's a good solution to use "*" as the origin, as I only want my API accessible to the apps that are authorized to use it. Yet, looking at the CORS spec, it will only return one URL at a time. So what's the solution to allow multiple origins to hit the same Rack::CORS enabled service? I saw the previous issue #30, which had a comment suggesting the use of *.domain.com to address this.

What's the best way to address this in the config?

UPDATE (same day):

I have this 95% solved by setting :max_age => 0. That avoids caching the Access-Control-Allow-Origin when you switch from one internal app to another. Leaving this here in case someone else has the same problem.

That said, '*.subdomain.foo' had the effect of not working for any of the subdomains...
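The interaction both comments above run into (credentials forcing an echoed Access-Control-Allow-Origin instead of `*`, and that origin-specific response then being served to a different subdomain) can be reproduced without a browser. The following is an added, dependency-free Ruby model written for this thread; it is not rack-cors code and does not use the rack-cors API. `cors_headers`, `VaryAwareCache`, `browser_accepts?`, `two_apps_scenario` and the `https://foo-app.example.com` / `https://bar-app.example.com` origins are this example's own constructed names. The `vary:` switch models a server that does or does not send `Vary: Origin`; whether any particular rack-cors version sends it is not something this page establishes. rack-cors itself accepts a Regexp in `origins`, which is the usual answer to the "multiple subdomains without `*`" question, and the example uses a Regexp the same way.

```ruby
# Added example, not rack-cors code. Models the CORS header decision and a
# shared cache so the symptom reported in this issue can be reproduced offline.

# Allowed origins that stand in for the suite's subdomains (constructed).
APP_ORIGINS = %r{\Ahttps://[a-z0-9-]+-app\.example\.com\z}

# Compute the CORS response headers for one request.
# allowed: array of exact origin strings, Regexps, or the literal '*'.
def cors_headers(request_origin, allowed:, credentials:, max_age: nil)
  return {} if request_origin.nil?
  permitted = allowed.any? do |rule|
    case rule
    when '*'    then true
    when Regexp then rule.match?(request_origin)
    else             rule == request_origin
    end
  end
  return {} unless permitted # unknown origin: no CORS headers at all

  headers = {}
  if credentials
    # Browsers reject '*' on credentialed responses, so the server must echo
    # the specific origin. The response is now origin-specific, hence
    # Vary: Origin so caches keep one copy per origin.
    headers['Access-Control-Allow-Origin'] = request_origin
    headers['Access-Control-Allow-Credentials'] = 'true'
    headers['Vary'] = 'Origin'
  elsif allowed.include?('*')
    headers['Access-Control-Allow-Origin'] = '*' # safe to share across origins
  else
    headers['Access-Control-Allow-Origin'] = request_origin
    headers['Vary'] = 'Origin'
  end
  headers['Access-Control-Max-Age'] = max_age.to_s if max_age
  headers
end

# Tiny model of a cache: entries keyed by URL plus the request values of any
# header named in the response's Vary. Without Vary, one entry serves everyone.
class VaryAwareCache
  def initialize
    @store = {}
  end

  def fetch(url, request_headers)
    @store.each do |(cached_url, vary_values), headers|
      next unless cached_url == url
      return headers if vary_values.all? { |name, value| request_headers[name] == value }
    end
    nil
  end

  def store(url, request_headers, response_headers)
    vary = (response_headers['Vary'] || '').split(',').map(&:strip).reject(&:empty?)
    vary_values = vary.map { |name| [name, request_headers[name]] }
    @store[[url, vary_values]] = response_headers
  end
end

# The browser-side check: does this response permit this origin to read it?
def browser_accepts?(response_headers, origin, credentials: false)
  acao = response_headers['Access-Control-Allow-Origin']
  return false if acao.nil?
  return acao == origin if credentials # '*' is rejected when credentials are sent
  acao == '*' || acao == origin
end

# Two apps on different subdomains call the same API URL through one cache.
# Returns [first_app_ok, second_app_ok].
def two_apps_scenario(allowed:, credentials:, vary: true)
  cache = VaryAwareCache.new
  url = 'https://api.example.com/things' # constructed
  %w[https://foo-app.example.com https://bar-app.example.com].map do |origin|
    req = { 'Origin' => origin }
    resp = cache.fetch(url, req)
    unless resp
      resp = cors_headers(origin, allowed: allowed, credentials: credentials)
      resp.delete('Vary') unless vary # model a server that omits Vary: Origin
      cache.store(url, req, resp)
    end
    browser_accepts?(resp, origin, credentials: credentials)
  end
end

if __FILE__ == $PROGRAM_NAME
  p two_apps_scenario(allowed: ['*'], credentials: true, vary: false)  # the reported symptom
  p two_apps_scenario(allowed: ['*'], credentials: false)              # credentials: false fix
  p two_apps_scenario(allowed: [APP_ORIGINS], credentials: true)       # explicit origins + Vary
end
```

Reading the three runs: `origins '*'` with credentials on echoes `https://foo-app.example.com`, and once that response is cached without `Vary: Origin` the second subdomain fails, which is the behaviour described in the first comment. Turning credentials off yields a literal `*` that any origin can reuse. Keeping credentials but listing the real origins (here as a Regexp) gives each subdomain its own entry because the origin-specific response carries `Vary: Origin`; the `max_age` of `0` mentioned in the second comment only shortens how long a preflight result is reused and does not by itself make an echoed origin reusable across subdomains.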
