Comments (20)
The error happens when cors is set to true, even without passing the allowOrigins option.
This is happening when the request Origin header is not set, which is a bit strange in itself: with CORS enabled, no Origin header is being sent by your client.
Added a test and will fix this issue, thanks.
This latest commit should fix your issue, but I need to test it further on a real project (CORS is very difficult to test only in a lab) before publishing on npm.
@mazzy89 if you can clone the code and test with your project, that would be helpful :)
@stongo no problem. I'm going to test it.
@stongo I have executed the project with cors set to true and the same options as above. Unfortunately the crumb value is undefined.
Definitely put whatever URL you access your site locally at in the array.
On Sep 23, 2014 5:23 PM, "Salvatore Mazzarino" [email protected] wrote:
    Maybe I should include localhost in the allowOrigins array?
It still doesn't work.
Since at the moment I'm developing the project locally, I have put in the array
    allowOrigins: ['127.0.0.1:*', 'localhost:*']
but without any success. Cors set to true and those options return a crumb value in the template equal to undefined.
You can use Crumb 2.x for now if you want to use it with CORS, but
please be advised it may be insecure if used improperly, as it can leak
the crumb token to cross-origin sites that may not be privileged to get it.
On 2014-09-24, 11:45 AM, Salvatore Mazzarino wrote:
    Since at the moment I'm developing the project locally, I have put in the array
    allowOrigins: ['127.0.0.1:*', 'localhost:*']
    but without any success. Cors set to true and those options return a crumb value in the template equal to undefined.
@stongo I have cloned the repository and started to debug crumb along with my project. I'll let you know whether I get results.
Ok, I'm pretty sure I have found the bug, but I don't know whether it depends on my own code or on this plugin.
In order to generate the crumb:
    if ((settings.autoGenerate ||
         request.route.plugins._crumb) &&
        (request.server.settings.cors ? internals.originParser(request.headers.origin, settings.allowOrigins, request) : true)) {
        generate(request, reply);
    }
The function above, internals.originParser(...), should return true in order to generate the crumb successfully. In my code request.headers.origin is undefined, for a reason I don't know.
I found another problem. When the project is executed locally, host is equal to localhost while requestHost comes with the port number at the end, so it never returns true.
In fact I have added the port number to the host var and the problem has been fixed. I would make a pull request but I don't know if it is the right way.
    var host = request.server.info.uri.split(':')[1].substring(2);
    var requestHost = request.headers.host;
    if (host === requestHost) {
        return true;
    }
I still don't know why request.headers.origin is undefined.
Hey, thanks for finding all this stuff. I'm struggling to find a reliable way to qualify whether a request is cross-origin or same-origin.
Basically, if CORS is set but it's a same-origin request, it should bypass the internals.originParser check, and only run the check on cross-origin requests.
The problem is there isn't enough consistency in the request 'Host' header sent by browsers and clients to have a sane same-origin check.
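The three comments above (the generation gate on internals.originParser, the host versus host:port mismatch, and the maintainer's difficulty in telling same-origin from cross-origin) all come down to one decision: may this request be given the token? The following is an added example written for this thread, not crumb's own code. It compares the Origin header, not the Host header, against the server's own origin with the port made explicit, treats a missing Origin as "not a cross-origin script", and rejects the literal value null. The function names, the allowOrigins pattern grammar ([scheme://]host[:port] with a '*.' host prefix and a '*' port) and the sample requests are all assumptions made for illustration; only the global WHATWG URL class of Node.js is relied on.

```javascript
// Added example, not crumb's own code. Everything here is an assumption made
// for illustration: the function names, the allowOrigins pattern grammar
// ([scheme://]host[:port], '*.' host prefix, '*' port) and the sample requests.
// Uses only the global WHATWG URL class available in Node.js.

const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// Split an origin URL into comparable parts with the port made explicit, so
// 'http://localhost' and 'http://localhost:80' compare equal. Throws on input
// that is not a URL, which includes the literal Origin value 'null'.
function originParts(origin) {
  const u = new URL(origin);
  return { scheme: u.protocol, host: u.hostname, port: u.port || DEFAULT_PORT[u.protocol] || '' };
}

function parseOrigin(origin) {
  try {
    return originParts(origin);
  } catch (e) {
    return null; // 'null', malformed, or otherwise unusable Origin header
  }
}

// Assumed pattern grammar: [scheme://]host[:port]. A host starting with '*.'
// matches any subdomain (but not the bare domain); a port of '*' matches any
// port; a pattern with no port matches only the scheme's default port.
function parsePattern(pattern) {
  let scheme = null;
  let rest = pattern;
  const s = rest.indexOf('://');
  if (s !== -1) {
    scheme = rest.slice(0, s).toLowerCase() + ':';
    rest = rest.slice(s + 3);
  }
  let host = rest;
  let port = null;
  const c = rest.lastIndexOf(':');
  if (c !== -1 && !rest.endsWith(']')) { // ']' guard keeps bare IPv6 literals intact
    host = rest.slice(0, c);
    port = rest.slice(c + 1);
  }
  return { scheme, host: host.toLowerCase(), port };
}

function matchesPattern(parts, pattern) {
  const p = parsePattern(pattern);
  if (p.scheme && p.scheme !== parts.scheme) return false;
  const hostOk = p.host.startsWith('*.')
    ? parts.host.endsWith(p.host.slice(1))
    : parts.host === p.host;
  if (!hostOk) return false;
  if (p.port === '*') return true;
  return parts.port === (p.port === null ? DEFAULT_PORT[parts.scheme] : p.port);
}

// Decide whether a CSRF token may be issued for this request.
// - CORS disabled: issue, as before.
// - No Origin header: a cross-origin fetch/XMLHttpRequest always carries one,
//   so a request without it cannot be a script on another origin reading the
//   response; treat it as same-origin (or a non-browser client) and issue.
// - Origin present: issue only for our own exact origin (scheme, host and
//   explicit port) or an allow-listed one. 'null' never matches anything.
function shouldIssueToken({ headers, serverUri, corsEnabled, allowOrigins = [] }) {
  if (!corsEnabled) return true;
  const origin = headers.origin; // Node.js lowercases header names
  if (origin === undefined) return true;
  const req = parseOrigin(origin);
  if (req === null) return false;
  const self = originParts(serverUri);
  const sameOrigin = req.scheme === self.scheme && req.host === self.host && req.port === self.port;
  return sameOrigin || allowOrigins.some((p) => matchesPattern(req, p));
}

// Constructed sample requests against a server listening on http://localhost:3000
// with the allow list from the thread. Returns the decision for each case.
function runSamples() {
  const base = { serverUri: 'http://localhost:3000', corsEnabled: true, allowOrigins: ['127.0.0.1:*', 'localhost:*'] };
  return {
    noOrigin: shouldIssueToken({ ...base, headers: { host: 'localhost:3000' } }),
    sameOriginWithPort: shouldIssueToken({ ...base, headers: { host: 'localhost:3000', origin: 'http://localhost:3000' } }),
    otherPortAllowed: shouldIssueToken({ ...base, headers: { origin: 'http://127.0.0.1:8080' } }),
    otherPortNotAllowed: shouldIssueToken({ ...base, allowOrigins: [], headers: { origin: 'http://localhost:8080' } }),
    foreignOrigin: shouldIssueToken({ ...base, headers: { origin: 'http://attacker.example' } }),
    nullOrigin: shouldIssueToken({ ...base, headers: { origin: 'null' } }),
    corsOff: shouldIssueToken({ ...base, corsEnabled: false, headers: { origin: 'http://attacker.example' } }),
  };
}
```

Two points follow from running it. The allow list from the thread, 'localhost:*', lets any port on localhost obtain the token, so any other local development server (or a page served from one) is treated as trusted; that is the leak the maintainer warns about two comments earlier, and in production the list should name exact scheme, host and port. Second, the check deliberately never looks at the Host header: a browser sets Origin itself on every cross-origin script request, while Host reflects whatever name the client connected with, which is why comparing it against request.server.info.uri broke on the port.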
@mazzy89 would you be able to test the latest code please :)
@stongo I'm going to test it.
I have tested the code. Now the crumb value is generated correctly, but I'm not able to use the official sendgrid npm package to send out email. When I try to send an email it gives me a 403 Forbidden error. I have inserted 'localhost:*' into the allowOrigins array but it doesn't work.
I have debugged my code and I'm not quite sure what is happening. Cors is set to true. Here are the options:
    {
        plugin: require('crumb'),
        options: {
            cookieOptions: {
                isSecure: false
            },
            allowOrigins: ['localhost:*']
        }
    }
When I make an ajax call to send the email I get a 403 Forbidden error. The debugger says this line in jquery.js causes an exception:
    xhr.send( options.hasContent && options.data || null );
I have found a similar problem, but in a sinatra environment. When cors is set to true on the server side, any xhr request is forbidden: sinatra/sinatra#518
Closing this issue as the original error is solved in master. Please create a new issue if you are still having a problem.
This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.