optionally allow credentials #154
Conversation
Tried using these changes (switched allowCredentials to true). I am getting 'set-cookie' listed in 'Access-Control-Expose-Headers' in the response headers sent to my browser, but it is still stripping the actual cookie from the headers. I can see the cookie in the response to the proxy, but can't tell where it is getting removed, since it's not hitting the `delete proxyRes.headers` line.

@timothy-janssen Can you validate that it IS stripped by the proxy? There are some pitfalls with cookies: it could have been bound to a specific domain, but the response now comes from localhost. Those are things the proxy does not handle, even with this pull request.

This PR is far from proper cookie support. Please do not use it in production, as the implementation is dangerously incorrect and can result in leaking cookies to other websites, or denial of service of the proxy server (when the browser, the proxy server or the destination server starts rejecting requests due to the large number of accumulated cookies). See also the rejection reasons for a previous PR at https://github.com/Rob--W/cors-anywhere/pull/148#issuecomment-452465262

First, I am not planning on using this in production, just for a POC with the assumption that the web page already has a valid cookie. And I am not running cors-anywhere locally, but on Heroku. No, I am not currently able to tell where the cookie is lost, just that it is returned from the backend and received by the proxy (I am able to print it to the console) but it never reaches my browser. Any ideas on how to debug this further?

@timothy-janssen You could use a tool like Wireshark to inspect the network traffic and find out whether it is really the proxy that strips the cookie, or your browser. For all who want to use the proxy with cookies for development only and NOT in production, I published my fork on npm for easy install and named it "cors-for-dev": https://www.npmjs.com/package/cors-for-dev @timothy-janssen If you find the bug within the proxy, you are welcome to create a fix PR in my fork.
Introduce a new flag 'allowCredentials' that disables the stripping of cookies and sets the Access-Control-Allow-Credentials header to true. Additionally, set the Access-Control-Allow-Origin header to the explicit origin in that case, as it is then required.