
Comments (20)

mazzy89 avatar mazzy89 commented on August 13, 2024

The error happens when cors is set to true, even without passing the allowOrigins option.

from crumb.

stongo avatar stongo commented on August 13, 2024

This is happening when the request Origin header is not set, which is a bit strange in itself: with CORS enabled, no Origin header is being sent by your client.
Added a test and will fix this issue, thanks.


stongo avatar stongo commented on August 13, 2024

This latest commit should fix your issue, but I need to test it further on a real project (CORS is very difficult to test only in a lab) before publishing on npm.
@mazzy89 if you can clone the code and test it with your project, that would be helpful :)


mazzy89 avatar mazzy89 commented on August 13, 2024

@stongo no problem. I'm going to test it.


mazzy89 avatar mazzy89 commented on August 13, 2024

@stongo I have executed the project with cors set to true and the same options as above. Unfortunately the crumb value is undefined.


stongo avatar stongo commented on August 13, 2024

Definitely put whatever URL you access your site locally at in the array.

On Sep 23, 2014 5:23 PM, "Salvatore Mazzarino" wrote:

    Maybe I should include localhost in the allowOrigins array?

Reply to this email directly or view it on GitHub: #28 (comment).


mazzy89 avatar mazzy89 commented on August 13, 2024

It still doesn't work.


mazzy89 avatar mazzy89 commented on August 13, 2024

Since at the moment I'm developing the project locally, I have put in the array

allowOrigins: ['127.0.0.1:*', 'localhost:*']

but without any success. With cors set to true and those options, the crumb value in the template is undefined.


stongo avatar stongo commented on August 13, 2024

You can use Crumb 2.x for now if you want to use it with CORS, but please be advised it may be insecure if used improperly, as it can leak the crumb token to cross-origin sites that may not be privileged to get it.

On 2014-09-24, 11:45 AM, Salvatore Mazzarino wrote:

    Since at the moment I'm developing the project locally, I have put in
    the array

    allowOrigins: ['127.0.0.1:*', 'localhost:*']

    but without any success. With cors set to true and those options, the
    crumb value in the template is undefined.


mazzy89 avatar mazzy89 commented on August 13, 2024

@stongo I have cloned the repository and started debugging crumb along with my project. I'll let you know whether I get results.


mazzy89 avatar mazzy89 commented on August 13, 2024

OK, I'm pretty sure I have found the bug, but I don't know whether it depends on my own code or on this plugin.
In order to generate the crumb:

if ((settings.autoGenerate ||
     request.route.plugins._crumb) &&
    (request.server.settings.cors ? internals.originParser(request.headers.origin, settings.allowOrigins, request) : true)) {
    generate(request, reply);
}

The function internals.originParser(...) above should return true in order to generate the crumb successfully. In my code request.headers.origin is undefined, for a reason I don't know.


mazzy89 avatar mazzy89 commented on August 13, 2024

I found another problem. When the project is executed locally, host is equal to localhost while requestHost comes with the port number at the end, so it never returns true.
In fact, I have added the port number to the host var and the problem has been fixed. I would make a pull request but I don't know if it is the right way.

var host = request.server.info.uri.split(':')[1].substring(2);
var requestHost = request.headers.host;

if (host === requestHost) {
    return true;
}

I still don't know why request.headers.origin is undefined.


stongo avatar stongo commented on August 13, 2024

Hey, thanks for finding all this stuff. I'm struggling to find a reliable way to qualify whether a request is cross-origin or same-origin.
Basically, if CORS is set but it's a same-origin request, it should bypass the internals.originParser check and only run the check on cross-origin requests.
The problem is there isn't enough consistency in the request 'Host' header sent by browsers and clients to have a sane same-origin check.

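The two findings above (the port being dropped from host before it is compared with the Host header, and the difficulty of telling a same-origin request from a cross-origin one) can be put together in one small check. The code below is an added example written for this page, not crumb's own originParser or any other code from the project. It assumes that serverUri has the shape of hapi's request.server.info.uri (for example "http://localhost:8000") and that allowOrigins entries use the shapes seen in the thread ("host", "host:port", "host:*") or a full "scheme://host[:port]"; both assumptions are labelled in the code. When the browser sends an Origin header it is compared with the server's own scheme, host and port; when it does not (most same-origin page loads, and non-browser clients), the Host header is compared instead, port included. Only requests that fail that test are run against the allow-list.

```javascript
// Added example, not crumb's code. Assumed: serverUri looks like hapi's
// request.server.info.uri ("http://localhost:8000"); allowOrigins entries are
// "host", "host:port", "host:*" or "scheme://host[:port]" (IPv6 literals are
// not handled). Uses the global WHATWG URL class available in Node.js.

const DEFAULT_PORT = { http: '80', https: '443' };

// Normalise "host[:port]" or "scheme://host[:port]" into { scheme, host, port }.
// A missing port is filled with the scheme default so "localhost" and
// "localhost:80" compare equal; unparsable input (e.g. "localhost:*") gives null.
function parseHostPort(value, defaultScheme = 'http') {
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(value);
  let url;
  try {
    url = new URL(hasScheme ? value : `${defaultScheme}://${value}`);
  } catch (err) {
    return null;
  }
  const scheme = url.protocol.slice(0, -1).toLowerCase();
  return { scheme, host: url.hostname.toLowerCase(), port: url.port || DEFAULT_PORT[scheme] || '' };
}

// Assumed allow-list pattern syntax: optional scheme, host, optional port or "*".
const PATTERN = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/]+)(?::(\*|\d+))?$/i;

// True when `origin` (e.g. "http://127.0.0.1:3000") is covered by `pattern`.
// "*" matches any port; a pattern without a port matches only the scheme's
// default port; a pattern without a scheme matches either http or https.
function originMatchesPattern(pattern, origin) {
  const o = parseHostPort(origin);
  const m = PATTERN.exec(pattern.trim());
  if (!o || !m) return false;
  const [, scheme, host, port] = m;
  if (scheme && scheme.toLowerCase() !== o.scheme) return false;
  if (host.toLowerCase() !== o.host) return false;
  if (port === undefined) return o.port === DEFAULT_PORT[o.scheme];
  return port === '*' || port === o.port;
}

// Same-origin test. With an Origin header, compare scheme, host and port against
// the server's own URI. Without one, compare the Host header instead, keeping
// the port: this is where the thread's bug lived ("localhost" was compared
// against "localhost:8000", so the check never returned true).
function isSameOrigin(serverUri, headers) {
  const server = parseHostPort(serverUri);
  if (!server) return false;
  const same = (x) => x !== null && x.scheme === server.scheme && x.host === server.host && x.port === server.port;
  if (headers.origin) return same(parseHostPort(headers.origin));
  if (headers.host) return same(parseHostPort(headers.host, server.scheme));
  return false;
}

// Decide whether to issue a crumb. Same-origin requests always get one;
// cross-origin requests only when CORS is enabled and the client's origin is on
// the allow-list. Without an Origin header, the Host the client used stands in
// for it, which is what lets "127.0.0.1:*" cover local development when the
// server advertises itself as localhost. Every origin on the allow-list can
// read the crumb, so that list is the trust boundary.
function shouldGenerateCrumb(settings, headers) {
  const { serverUri, corsEnabled, allowOrigins = [] } = settings;
  const server = parseHostPort(serverUri);
  if (!server) return { generate: false, reason: 'serverUri is not a valid URI' };
  if (isSameOrigin(serverUri, headers)) return { generate: true, reason: 'same-origin' };
  if (!corsEnabled) return { generate: false, reason: 'cross-origin and CORS is disabled' };
  const candidate = headers.origin || (headers.host ? `${server.scheme}://${headers.host}` : null);
  if (!candidate) return { generate: false, reason: 'no Origin or Host header' };
  const allowed = allowOrigins.some((p) => originMatchesPattern(p, candidate));
  return { generate: allowed, reason: `${candidate} ${allowed ? 'is' : 'is not'} on allowOrigins` };
}

// Constructed sample settings and request headers (not taken from the thread).
const SETTINGS = {
  serverUri: 'http://localhost:8000',
  corsEnabled: true,
  allowOrigins: ['127.0.0.1:*', 'https://app.example.com'],
};
const SAMPLE_REQUESTS = [
  { name: 'same-origin page load, no Origin header', headers: { host: 'localhost:8000' } },
  { name: 'same-origin XHR with Origin header', headers: { host: 'localhost:8000', origin: 'http://localhost:8000' } },
  { name: 'local dev via 127.0.0.1 on another port', headers: { host: '127.0.0.1:3000', origin: 'http://127.0.0.1:3000' } },
  { name: 'allow-listed cross-origin site', headers: { host: 'localhost:8000', origin: 'https://app.example.com' } },
  { name: 'unknown cross-origin site', headers: { host: 'localhost:8000', origin: 'https://evil.example' } },
];

function runSamples(settings = SETTINGS) {
  return SAMPLE_REQUESTS.map((r) => ({ name: r.name, ...shouldGenerateCrumb(settings, r.headers) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of runSamples()) console.log(`${r.generate ? 'ISSUE ' : 'SKIP  '} ${r.name}: ${r.reason}`);
}
```

Run it with node and the last sample is the only one refused; the first two pass on the same-origin branch without consulting allowOrigins at all, which is the behaviour stongo describes wanting. Note that a pattern with no port is deliberately matched only against the scheme's default port, so 'localhost' does not cover 'localhost:8000'; that is a choice made for this example, not something the thread states about crumb.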

stongo avatar stongo commented on August 13, 2024

@mazzy89 would you be able to test the latest code please :)


mazzy89 avatar mazzy89 commented on August 13, 2024

@stongo I'm going to test it.


mazzy89 avatar mazzy89 commented on August 13, 2024

I have tested the code. Now the crumb value is generated correctly, but I'm not able to use the official sendgrid npm package to send out email. When I try to send an email it gives me a 403 Forbidden error. I have inserted 'localhost:*' into the allowOrigins array but it doesn't work.


mazzy89 avatar mazzy89 commented on August 13, 2024

I have debugged my code and I'm not quite sure about what is happening. Cors is set to true. Here are the options:

{
  plugin: require('crumb'),
  options: {
    cookieOptions: {
      isSecure: false
    },
    allowOrigins: ['localhost:*']
  }
}

When I make an ajax call to send the email I get a 403 Forbidden error. The debugger says this line in the jquery.js file causes an exception:

xhr.send( options.hasContent && options.data || null );


mazzy89 avatar mazzy89 commented on August 13, 2024

I have found a similar problem, but in a Sinatra environment: when cors is set to true on the server side, any XHR request is forbidden. sinatra/sinatra#518


stongo avatar stongo commented on August 13, 2024

Closing this issue as the original error is solved in master. Please create a new issue if you are still having a problem.


lock avatar lock commented on August 13, 2024

This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.
