hapijs / crumb

CSRF crumb generation and validation for hapi

Question: Same-domain requests are blocked when cors is enabled? #71

Closed cjnqt closed 8 years ago

cjnqt commented 8 years ago

I have a server set up at http://somedomain.com. I have enabled cors on a specific route:

{
  method: 'GET',
  path: '/generate',
  config: {
    cors: {
      origin: ['http://otherdomain.com:3000']
    }
  },
  handler: ......
}

Ajax requests from http://otherdomain.com:3000 work fine and Crumb generates a token as expected.

But if I do an ajax request from http://somedomain.com (the same domain the server is running on) to this route, Crumb doesn't generate a token.

It seems like enabling cors implies that only cross-domain requests are allowed? Is this correct?

stongo commented 8 years ago

@cjnqt yes this is the current behavior. The previous version of crumb did allow both same-origin and CORS on the same route. The workaround would be to have a route for the presumably server rendered site and then a separate route for api access using CORS. You can use the same handler in multiple routes. @hueniverse this is the scenario I was trying unsuccessfully to explain and what the extra logic was in the previous version before switching to using request.info.cors.isOriginMatch. Is there a way to reliably qualify same-origin requests in Hapi?

hueniverse commented 8 years ago

Well, the previous code just didn't work. I am pretty sure that extra logic was working only in the tests. Why not simply configure the same origin in the allowed cors origins?

stongo commented 8 years ago

I think adding the domain to cors allowed origins is definitely an adequate solution. @cjnqt can you please confirm if that works for you?

cjnqt commented 8 years ago

Confirmed!
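To make the behaviour discussed in this thread concrete, here is an added example (not crumb's or hapi's own code) that models the decision: hapi derives request.info.cors.isOriginMatch from the route's cors.origin list and the request's Origin header, and crumb skips token generation on a CORS-enabled route when that flag is false. The route objects and requests are constructed, both sample requests are assumed to carry an Origin header, the matcher only handles exact origins plus the '*' wildcard, and the separate same-origin route path is an assumed name.

```javascript
// Added example, not crumb's or hapi's code: a model of the decision the
// thread describes. Assumption: matching is exact (scheme+host+port) or '*';
// hapi's real wildcard handling is richer than this.
function isOriginMatch(allowedOrigins, originHeader) {
  if (!originHeader) return false;                 // no Origin header: no match
  if (allowedOrigins.includes('*')) return true;   // any origin allowed
  return allowedOrigins.includes(originHeader);    // exact match only
}

// Mirrors crumb's rule from the thread: a route without a cors config always
// gets a crumb; a route with one only does when the origin matches.
function shouldGenerateCrumb(route, request) {
  const cors = route.config && route.config.cors;
  if (!cors) return true;
  return isOriginMatch(cors.origin, request.headers.origin);
}

// Constructed route from the issue, and the fix suggested in the thread
// (add the server's own origin to the allowed list).
const original = {
  method: 'GET', path: '/generate',
  config: { cors: { origin: ['http://otherdomain.com:3000'] } }
};
const fixed = {
  method: 'GET', path: '/generate',
  config: { cors: { origin: ['http://otherdomain.com:3000', 'http://somedomain.com'] } }
};
// Alternative workaround from the thread: a separate route without a cors
// block for the server-rendered site, sharing the handler. Path is assumed.
const sameOriginRoute = { method: 'GET', path: '/internal/generate', config: {} };

// Constructed requests; both carry an Origin header so the matcher runs.
const fromOther = { headers: { origin: 'http://otherdomain.com:3000' } };
const fromSelf = { headers: { origin: 'http://somedomain.com' } };

function report() {
  return {
    originalOther: shouldGenerateCrumb(original, fromOther),          // true
    originalSelf: shouldGenerateCrumb(original, fromSelf),            // false: the reported problem
    fixedSelf: shouldGenerateCrumb(fixed, fromSelf),                  // true
    separateRouteSelf: shouldGenerateCrumb(sameOriginRoute, fromSelf) // true
  };
}

console.log(report());
```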

lock[bot] commented 4 years ago

This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.