hotwired / turbo

The speed of a single-page web application without having to write any JavaScript
https://turbo.hotwired.dev
MIT License
6.76k stars 431 forks source link

Turbo frame request from subdomain after hard reload without cookie header #1323

Open mdrbohlav opened 1 month ago

mdrbohlav commented 1 month ago

Hi guys, I have an issue with loading turbo frame from subdomain after hard reload (cmd/ctrl+shift+r or disabled cache in the Dev console > Network tab). So far I know it happens in Chrome and Safari, everything works in Firefox.

The overview of the setup: 1) Main app runs on root domain, let's say example.com. The app there has a turbo frame that returns either user menu if signed in or guest menu if not. The url for that is https://example.com/-/user_menu. Everything on this domain works as expected. 2) I have an admin part of the app that runs on a subdomain admin.example.com. It has the same user menu so the turbo frame there has the same url https://example.com/-/user_menu.

The user menu is loaded correctly when I come to the admin app via a link from the main app. It also works when I reload the page (cmd/ctrl+r). But when I do hard reload (cmd/ctrl+shift+r) the turbo frame request does not contain the cookie. Could there be an issue with how some browsers handle the cache reset on hard reload and the asynchronous turbo frame load? All the turbo frames loaded later have the cookie set in the request. Lazy loading does not help since this part of the page is at the top.

The user cookie is set up to work with subdomains and the fetch has credentials: 'same-origin'.

Do you have any idea what might be going wrong and where to look for a possible cause?

Ruby version: 3.3.2 Rails version: 7.0.4 Turbo version: 8.0.10 Chrome version: 129.0.6668.90

pedroaugustofsilva commented 1 month ago

Hi!

When you say "the fetch has withCredentials: true", what do you mean? Because "withCredentials" is not a valid option for fetch. The correct option is credentials and Turbo sets it to "same-origin".

Have you checked the console for any errors?

Let me see if I got this straight. If you access admin.example.com in incognito mode, the first load will not send the cookie using src defined in tubo frame. But, in subsequent loads it works?

mdrbohlav commented 1 month ago

You are right of course. Do not know where I saw XMLHttpRequest, edited the first post so it does not confuse anyone else. Anyway, that does not change my issue since I have the domain in the cookies set to .example.com.