Comments (12)
I'm not following the flow. Why are vision routes acting differently?
sorry @hueniverse you're right, it's not limited to vision routes, but to any route being accessed directly from the browser when CORS is enabled.
so if CORS is set globally and one tries to access a route directly in the browser for example, request.info.cors.isOriginMatch is always going to be false because the origin header isn't there.
this makes it so that a route can't be used in both CORS and non-CORS contexts when using crumb. maybe this is okay though, and I just need to clearly state that in crumb readme?
Directly you mean CURL?
CURL or in a browser
Here are the headers from Chrome dev tools for a Vision route with CORS enabled
Request URL:http://localhost:8001/
Request Method:GET
Status Code:200 OK
Remote Address:127.0.0.1:8001
Response Headers
cache-control:no-cache
Connection:keep-alive
content-encoding:gzip
content-type:text/html; charset=utf-8
Date:Tue, 09 Aug 2016 18:02:02 GMT
Transfer-Encoding:chunked
vary:origin,accept-encoding
Request Headers
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-US,en;q=0.8
Cache-Control:max-age=0
Connection:keep-alive
Host:localhost:8001
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
vs
curl -vv -H "origin: http://localhost" 127.0.0.1:8001
* Rebuilt URL to: 127.0.0.1:8001/
* Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 8001 (#0)
> GET / HTTP/1.1
> Host: 127.0.0.1:8001
> User-Agent: curl/7.43.0
> Accept: */*
> origin: http://localhost
>
< HTTP/1.1 200 OK
< vary: origin
< access-control-allow-origin: http://localhost
< access-control-expose-headers: WWW-Authenticate,Server-Authorization
< set-cookie: crumb=xxxxxxxxxxxxxxxxxxxxxxxx; HttpOnly; Path=/
< cache-control: no-cache
< content-type: text/html; charset=utf-8
< content-length: 1638
< accept-ranges: bytes
< Date: Tue, 09 Aug 2016 17:38:16 GMT
< Connection: keep-alive
<
If I disable CORS for the same route, then crumb generate is called and crumb works as expected.
This came up when I was debugging someone's setup where the crumb cookie wasn't being set or added to the view context, and it was because CORS was enabled globally
Why isn't the browser sending the CORS headers?
I don't know honestly. Probably the root issue. I'll dig into that
@hueniverse the browser will never use CORS for a single api request or for an initial html page as served by a Vision route for example.
"A resource makes a cross-origin HTTP request when it requests a resource from a different domain than the one which the first resource itself serves" - https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
So that explains a route not being able to qualify a valid CORS request vs a same-origin request, as currently implemented.
I'm wondering if the lack of an origin header is enough to confirm it's a same-origin request in the context of crumb, but need to dig into the implications of that a bit more.
this page outlines when the header origin is served https://wiki.mozilla.org/Security/Origin
I think that's the right change. Enforce CORS where Origin is present.
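The decision the thread converges on ("enforce CORS where Origin is present") can be modelled without hapi. The following is an added example, not crumb's or hapi's own code: it puts the behaviour described above (crumb skipped on a CORS route whenever isOriginMatch is false, which includes every plain browser navigation) next to the agreed change (the CORS check only gates crumb when an Origin header was actually sent), and runs both over requests constructed to mirror the two captures in this thread. The route and request shapes, the function names, and the small isOriginMatch stand-in (exact allow-list match, with '*' meaning any origin) are assumptions of this example; hapi's real request.info.cors.isOriginMatch is computed by the framework from the route's cors settings.

```javascript
'use strict';

// Added example (not crumb's or hapi's code). Assumed shapes:
//   route   = { cors: false | { origin: ['http://localhost', ...] } }
//   request = { headers: { ...lower-cased header names... } }

// Stand-in for hapi's request.info.cors.isOriginMatch (assumption: exact
// match against the allow-list, '*' matches anything). Without an Origin
// header there is nothing to match, so the result is false, exactly the
// situation the thread describes for direct browser navigations.
function isOriginMatch(route, request) {
    const origin = request.headers.origin;
    if (!route.cors || origin === undefined) {
        return false;
    }
    const allowed = route.cors.origin || ['*'];
    return allowed.includes('*') || allowed.includes(origin);
}

// Behaviour described in the thread: on a CORS-enabled route crumb only
// runs when the origin matched, so a page loaded by typing the URL into
// the browser (no Origin header) never gets a crumb cookie.
function shouldApplyCrumbBefore(route, request) {
    if (route.cors) {
        return isOriginMatch(route, request);
    }
    return true;
}

// The agreed change: the CORS check gates crumb only when the client sent
// an Origin header. A request without one is treated as same-origin and
// crumb proceeds as it would on a non-CORS route.
function shouldApplyCrumbAfter(route, request) {
    if (route.cors && request.headers.origin !== undefined) {
        return isOriginMatch(route, request);
    }
    return true;
}

// Constructed requests modelled on the two captures in the thread
// (Chrome navigation without Origin; curl sending origin: http://localhost),
// plus one with an origin that is not on the allow-list.
const browserNavigation = {
    headers: { host: 'localhost:8001', accept: 'text/html,application/xhtml+xml' },
};
const curlWithAllowedOrigin = {
    headers: { host: '127.0.0.1:8001', origin: 'http://localhost' },
};
const curlWithOtherOrigin = {
    headers: { host: '127.0.0.1:8001', origin: 'http://other.example' },
};

const corsRoute = { cors: { origin: ['http://localhost'] } };   // CORS enabled globally
const plainRoute = { cors: false };                            // CORS disabled on the route

// Evaluate every request against both rules so the difference is visible.
function decisionTable() {
    const cases = { browserNavigation, curlWithAllowedOrigin, curlWithOtherOrigin };
    const table = {};
    for (const [name, req] of Object.entries(cases)) {
        table[name] = {
            corsRouteBefore: shouldApplyCrumbBefore(corsRoute, req),
            corsRouteAfter: shouldApplyCrumbAfter(corsRoute, req),
            plainRoute: shouldApplyCrumbAfter(plainRoute, req),
        };
    }
    return table;
}

if (typeof require !== 'undefined' && require.main === module) {
    console.table(decisionTable());
}
```

The one row that changes is the browser navigation on the CORS route: false before, true after, which is the "crumb cookie not being set" symptom from the debugging session. The rule relies on browsers always attaching Origin to cross-site requests; a non-browser client can omit the header, but such a client also cannot ride a victim's cookies, which is the case CSRF tokens exist for, so skipping the CORS gate for Origin-less requests does not weaken the crumb check. A request that does send a non-allow-listed Origin is still rejected by the CORS match under both rules.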
Closed by a11b358
This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.