libreform / wp-libre-form

Easy native HTML5 forms for WordPress. Version 1.5 is unmaintained, but works without issue. 2.0 has been rewritten from the ground up, and can be found at https://github.com/libreform/libreform
https://wordpress.org/plugins/wp-libre-form
GNU General Public License v3.0

Give user options concerning fetch credentials #53

Closed k1sul1 closed 7 years ago

k1sul1 commented 7 years ago

By default, fetch doesn't send any cookies, resulting in unauthenticated form submissions.

https://developer.mozilla.org/en-US/docs/Web/API/Request/credentials

It's easily fixable though:

```js
fetch(ajax_object.ajax_url + '?action=wplf_submit', {
  method: "POST",
  body: data
}).then(function(response){
  // ...
});
```

=>

```js
fetch(ajax_object.ajax_url + '?action=wplf_submit', {
  method: "POST",
  credentials: ajax_object.credentials, // to make it filterable
  body: data
}).then(function(response){
  // ...
});
```

I'll send a follow-up PR in a moment.

anttiviljami commented 7 years ago

Why don't we just send cookies by default along with fetch?

anttiviljami commented 7 years ago

```js
fetch(ajax_object.ajax_url + '?action=wplf_submit', {
  method: "POST",
  body: data,
  credentials: 'same-origin',
})
.then((response) => handleResponse(response)); // call the handler instead of returning it
```

I would say WP Libre Form should never send anything to any other origin, so ajax_url will always be on the same host. Why would we ever opt out of sending cookies, or allow sending cookies to a different domain?

k1sul1 commented 7 years ago

Flexibility. Sensible defaults, but easily overridable.

We should be sending them by default, but I simply overlooked the problem (I wasn't aware / didn't remember that fetch doesn't send cookies by default) when working on file uploads :)
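
One way to combine both positions from this thread, as an added example that is not part of the original issue or the plugin's code: the credentials mode stays overridable, defaults to `same-origin`, and an `include` override is downgraded when the endpoint is on another origin. The helper names `resolveCredentials` and `buildSubmitRequest`, the `pageOrigin` parameter and the downgrade policy are assumptions made for illustration.

```javascript
// Added example. Helper names and the downgrade policy are hypothetical,
// not taken from WP Libre Form.
const ALLOWED_MODES = ['omit', 'same-origin', 'include'];

// configured: value supplied by the site (e.g. ajax_object.credentials)
// ajaxUrl:    ajax_object.ajax_url, absolute or relative
// pageOrigin: in a browser this would be window.location.origin
function resolveCredentials(configured, ajaxUrl, pageOrigin) {
  // Unknown or missing values fall back to the default proposed in the thread.
  let mode = ALLOWED_MODES.includes(configured) ? configured : 'same-origin';

  const target = new URL(ajaxUrl, pageOrigin); // resolves relative URLs too
  const crossOrigin = target.origin !== new URL(pageOrigin).origin;

  // An override must not cause session cookies to be attached to a request
  // that goes to a different origin.
  if (crossOrigin && mode === 'include') {
    mode = 'same-origin';
  }
  return mode;
}

// Builds the arguments for fetch(url, init) without sending anything.
function buildSubmitRequest(ajaxObject, data, pageOrigin) {
  const url = new URL(ajaxObject.ajax_url, pageOrigin);
  url.searchParams.set('action', 'wplf_submit');
  return {
    url: url.toString(),
    init: {
      method: 'POST',
      credentials: resolveCredentials(
        ajaxObject.credentials, ajaxObject.ajax_url, pageOrigin),
      body: data,
    },
  };
}
```

In the form script the result would be passed on as `fetch(req.url, req.init)`.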