Closed MrOrz closed 3 years ago
From slack
The core of the problem is that when rumors-site calls the API, it hits the same API_URL no matter whether the visitor is on cofacts.org, cofacts.tw or cofacts.g0v.tw. All three domains have to be on the CORS whitelist, otherwise the site breaks outright. But the login session is only written on the domain that the login flow redirects back to, i.e. API_URL. Whichever of api.cofacts.org, api.cofacts.tw or cofacts-api.g0v.tw API_URL is set to, it can only be same-site with one of the site's three domains; on the other two, browsers that disable third-party cookies will be unable to log in.
See: https://g0v.hackmd.io/@mrorz/cofacts-meeting-notes/%2F-Mth-vd5RPWqdLOfRJHHcg This is because
Proposed change
When redirecting back to the original site, we fix the domain to cofacts.g0v.tw. In this way, cofacts.g0v.tw and cofacts-api.g0v.tw are considered same-site, so iOS can send the login cookie along with its requests to the API.
Alternative
Use `cofacts.tw` as the main site and redirect target, and connect to `api.cofacts.tw` for all domains. In this way `cofacts.tw` and `api.cofacts.tw` are also considered same-site.
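As an added illustration of the same-site reasoning behind both the proposed change and the alternative (example code, not part of the cofacts project): a minimal registrable-domain (eTLD+1) check, the CORS whitelist the three site origins need, and the redirect normalisation to the one origin that is same-site with the API. The suffix table is a tiny stand-in for the Public Suffix List, and the code assumes `g0v.tw` is not a public suffix, so `cofacts.g0v.tw` and `cofacts-api.g0v.tw` share the site `g0v.tw`.

```javascript
// Stand-in for the Public Suffix List (assumption: g0v.tw is NOT a public suffix).
const PUBLIC_SUFFIXES = new Set(['org', 'tw', 'com', 'com.tw', 'org.tw']);

// Registrable domain (eTLD+1): the first label sequence, walking from the right,
// that is not itself a public suffix. 'cofacts-api.g0v.tw' -> 'g0v.tw'.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split('.');
  for (let i = labels.length - 1; i >= 0; i--) {
    const candidate = labels.slice(i).join('.');
    if (!PUBLIC_SUFFIXES.has(candidate)) return candidate;
  }
  return hostname.toLowerCase();
}

// Schemeful same-site: same scheme and same registrable domain. This is the
// test a browser that blocks third-party cookies applies before attaching them.
function isSameSite(urlA, urlB) {
  const a = new URL(urlA);
  const b = new URL(urlB);
  return a.protocol === b.protocol &&
    registrableDomain(a.hostname) === registrableDomain(b.hostname);
}

const SITE_ORIGINS = ['https://cofacts.org', 'https://cofacts.tw', 'https://cofacts.g0v.tw'];
const API_URL = 'https://cofacts-api.g0v.tw';
const CANONICAL_SITE = 'https://cofacts.g0v.tw'; // the origin same-site with API_URL

// CORS: every site origin must be allowed, or API calls fail regardless of cookies.
function isAllowedOrigin(origin) {
  return SITE_ORIGINS.includes(origin);
}

// Site origins whose API requests would be cross-site for a given API_URL
// (these are the ones where login silently fails without third-party cookies).
function crossSiteOrigins(apiUrl) {
  return SITE_ORIGINS.filter((origin) => !isSameSite(origin, apiUrl));
}

// Login redirect: whichever site started the login, send the user back to the
// canonical origin, keeping path and query, so the session cookie is first-party.
function loginRedirectTarget(returnTo) {
  const u = new URL(returnTo);
  if (!isAllowedOrigin(u.origin)) throw new Error('unknown site origin: ' + u.origin);
  return CANONICAL_SITE + u.pathname + u.search;
}

console.log('cross-site with', API_URL, '->', crossSiteOrigins(API_URL));
console.log(loginRedirectTarget('https://cofacts.org/article/1?from=feed'));
```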