MuxZeroNet / ZeroMux

[DEPRECATED] Real time video transmuxing and streaming library designed for ZeroNet

All ZeroMux sites do not work when the UiPassword plugin is enabled #5

Open liyafe1997 opened 7 years ago

liyafe1997 commented 7 years ago

(screenshot attached)

When I enabled the UiPassword plugin, all ZeroMux sites do not work. For example:

http://127.0.0.1:43110/zeromux.bit
http://127.0.0.1:43110/1CiDoBP8RiWziqiBGEd8tQMy66A6fmnw2V/big/sample-loader/
http://127.0.0.1:43110/1MjzGw2HQRpJuiuX2U1Gr2PpNPz3rKXCJ/?type=video/mp4&json=files/nuchijizhe.mp4/file.json&poster=files/nuchijizhe.mp4/poster.jpg

It seems the XMLHttpRequest is sent without a session? But I read some documentation that said it contains the session. So is it caused by a ZeroNet bug???

But the same problem happened when I used an nginx reverse proxy to ZeroNet and enabled HTTP basic authentication. And the XMLHttpRequest of ZeroMux does not contain the login information.

MuxZeroNet commented 7 years ago

AJAX requests contain credentials, but by default credentials are stripped in cross-origin requests.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Requests_with_credentials

The most interesting capability exposed by both XMLHttpRequest or Fetch and CORS is the ability to make "credentialed" requests that are aware of HTTP cookies and HTTP Authentication information. By default, in cross-site XMLHttpRequest or Fetch invocations, browsers will not send credentials. A specific flag has to be set on the XMLHttpRequest object or the Request constructor when it is invoked.

invocation.withCredentials = true;

MDN points out that, although a GET request will not be preflighted, the server is still required to send back this access control header:

Access-Control-Allow-Credentials: true

The same applies to the crossorigin attribute:

"use-credentials" A cross-origin request (i.e. with Origin: HTTP header) is performed with credential is sent (i.e. a cookie, a certificate and HTTP Basic authentication is performed). If the server does not give credentials to the origin site (through Access-Control-Allow-Credentials: HTTP header), the image will be tainted and its usage restricted.

It seems that ZeroNet sends back this header only when the request is preflighted.

Another issue is that Firefox complains:

Credential is not supported if the CORS header Access-Control-Allow-Origin is *

According to the CORS article on MDN,

For requests without credentials, the server may specify "*" as a wildcard, thereby allowing any origin to access the resource.

Changing the value of Access-Control-Allow-Origin to null seems to solve this issue.

A third issue is that Web Fonts are required to be fetched anonymously. This is controversial but it is defined and implemented.

CSS Fonts Module Level 3 says that user agents must use the "Anonymous" mode of CORS-enabled fetch [1], which means credentials are not sent regardless of the server's Access-Control-Allow-Credentials header. (The XMLHttpRequest change in Chrome 37 is unrelated to font fetches.)

[1] http://www.w3.org/TR/css3-fonts/#font-fetching-requirements

Therefore there is no easy solution for using Web Fonts with the UiPassword plugin enabled. Perhaps we can put credential information into the Referer header or the query string, but that is far from the scope of this issue ticket.
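Added example, not code from the ZeroMux project or from either participant: it encodes the two CORS rules the comment above cites from MDN, namely that a credentialed request (withCredentials = true) is only readable when the response carries Access-Control-Allow-Credentials: true and an Access-Control-Allow-Origin that is not "*". The first function mirrors the browser-side check that produces the Firefox error quoted above; the second builds the response headers a server such as a ZeroNet UI proxy would need to send for a credentialed request. The server side here echoes the requesting origin back from an allow-list (the approach MDN describes for credentialed requests) rather than sending a wildcard; the allow-list and the sample origin http://127.0.0.1:43110 are constructed for the example.

```javascript
// Added example (not ZeroMux code): CORS rules for credentialed requests.

// Normalise header names to lower case so lookups are case-insensitive,
// as they are in the browser.
function lowerCaseHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

// Mirrors the browser's decision for a request made with
// xhr.withCredentials = true (or fetch(..., { credentials: 'include' })):
// the response is only exposed to the page when
//   1. Access-Control-Allow-Origin exactly equals the request's Origin
//      (a wildcard "*" is rejected for credentialed requests), and
//   2. Access-Control-Allow-Credentials is exactly "true".
// Returns true when the page may read the response, false otherwise.
function credentialedResponseAllowed(requestOrigin, responseHeaders) {
  const h = lowerCaseHeaders(responseHeaders);
  const allowOrigin = h['access-control-allow-origin'];
  const allowCredentials = h['access-control-allow-credentials'];

  if (allowOrigin === undefined || allowOrigin === '*') {
    return false; // missing header, or the wildcard Firefox complains about
  }
  if (allowOrigin !== requestOrigin) {
    return false; // must match the Origin request header exactly
  }
  return allowCredentials === 'true';
}

// Server side: headers to send on a response to a credentialed request.
// The origin is echoed back only if it is on the allow-list; any other
// origin gets no CORS headers, so the browser blocks the read.
// allowedOrigins is a constructed allow-list for this example.
function corsHeadersForCredentialedRequest(requestOrigin, allowedOrigins) {
  if (!allowedOrigins.includes(requestOrigin)) {
    return {};
  }
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    // The response now varies with the Origin request header, so shared
    // caches must key on it or one origin's answer leaks to another.
    'Vary': 'Origin',
  };
}

// Constructed sample origin taken from the URLs in this issue.
const SAMPLE_ORIGIN = 'http://127.0.0.1:43110';
const ALLOWED = [SAMPLE_ORIGIN];

// Walk through the three cases discussed in the thread.
function demo() {
  const wildcard = {
    'Access-Control-Allow-Origin': '*',
    'Access-Control-Allow-Credentials': 'true',
  };
  const noCredentialsHeader = {
    'Access-Control-Allow-Origin': SAMPLE_ORIGIN,
  };
  const correct = corsHeadersForCredentialedRequest(SAMPLE_ORIGIN, ALLOWED);
  return {
    wildcardAllowed: credentialedResponseAllowed(SAMPLE_ORIGIN, wildcard),
    missingCredsAllowed: credentialedResponseAllowed(SAMPLE_ORIGIN, noCredentialsHeader),
    correctAllowed: credentialedResponseAllowed(SAMPLE_ORIGIN, correct),
  };
}

console.log(demo());
```

The wildcard case is the one Firefox rejects with the message quoted above; the second case is what the comment describes for non-preflighted GETs when Access-Control-Allow-Credentials is absent; only the echoed-origin response passes. Web Font fetches are outside this model entirely, since the anonymous fetch mode never attaches credentials regardless of what the server returns.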