lightblue-platform / lightblue-applications

GNU General Public License v3.0

lightblue-rest requires cert with CORS preflight request; this breaks Firefox + data management app #121

Open alechenninger opened 8 years ago

alechenninger commented 8 years ago

lightblue-rest bug tracked here: https://github.com/lightblue-platform/lightblue-rest/issues/187


Old description:

This is not really a bug in the app but it is affecting users. If Firefox can't do this for some legitimate reason, we should reconsider alternate strategies for implementing the lightblue communication.

For instance, originally, we tossed around the idea of having a backend be able to "impersonate" users, or be able to give lightblue a request and a user and have it tell us if that user would be allowed to make that request, and if not, why.

Perhaps an even better fix would be (as mentioned in the above issues) if we could use OAuth to authenticate apps to talk to lightblue via CORS instead (a much more common way to do CORS in the wild).

But first and foremost let's understand what the deal with Firefox is before we talk about any of that stuff.

alechenninger commented 8 years ago

90% sure it's this: https://bugzilla.mozilla.org/show_bug.cgi?id=1019603

alechenninger commented 8 years ago

It looks like this is due to a mishandling of OPTIONS request in lightblue-rest.

Per spec at http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#preflight-request the preflight request never includes cookies. Specifically, the spec says:

Exclude user credentials.

and that links to http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#user-credentials which says:

The term user credentials for the purposes of this specification means cookies, HTTP authentication, and client-side SSL certificates.

Source: http://stackoverflow.com/a/10135361
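The preflight rule quoted above, as an added example that is not part of this issue and is not lightblue-rest's code: a CORS request handler modelled as a pure function, with the broken behaviour (certificate required on every request, preflight included) beside the corrected one (preflight answered from the CORS policy alone, certificate enforced on the actual request). The allowed origin, the allowed methods and headers, the request path, the `{ method, path, headers, clientCert }` request shape and the use of a `clientCert` field to stand in for a TLS client certificate are all assumptions made for the example. The traffic at the bottom is constructed, not captured.

```javascript
// Added example, not code from the issue or from lightblue-rest. Models a CORS
// request handler as a pure function so preflight handling can be exercised
// offline. Assumptions (not from the issue): the allowed origin, methods and
// headers, the request shape { method, path, headers, clientCert }, and that a
// TLS client certificate is represented by clientCert (null when absent).

const ALLOWED_ORIGIN = "https://datamgmt.example.com"; // assumed app origin
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE"];
const ALLOWED_HEADERS = ["content-type"];

// Response headers for a credentialed CORS exchange. Browsers reject
// Access-Control-Allow-Credentials: true combined with Allow-Origin "*",
// so the origin has to be echoed explicitly.
function corsHeaders(origin) {
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// A preflight is an OPTIONS request carrying Access-Control-Request-Method.
function isPreflight(req) {
  return req.method === "OPTIONS" &&
    typeof req.headers["access-control-request-method"] === "string";
}

function respond(status, headers, body) {
  return { status, headers, body };
}

// Broken variant, the behaviour the issue describes: the certificate check
// runs before anything else, so the preflight (sent by the browser without
// cookies, HTTP auth or a client certificate) gets a 401 and the browser
// never issues the actual request.
function handleRequireCertEverywhere(req) {
  if (!req.clientCert) return respond(401, {}, "client certificate required");
  const headers = corsHeaders(req.headers.origin);
  if (isPreflight(req)) return respond(204, headers, "");
  return respond(200, headers, "ok");
}

// Fixed variant: the preflight is answered from the CORS policy alone, and
// the certificate is enforced only on the actual request.
function handlePreflightAware(req) {
  const origin = req.headers.origin;
  if (origin !== undefined && origin !== ALLOWED_ORIGIN) {
    return respond(403, {}, "origin not allowed");
  }
  if (isPreflight(req)) {
    const wantedMethod = req.headers["access-control-request-method"];
    if (!ALLOWED_METHODS.includes(wantedMethod)) {
      return respond(403, {}, "method not allowed");
    }
    const wantedHeaders = (req.headers["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    if (!wantedHeaders.every((h) => ALLOWED_HEADERS.includes(h))) {
      return respond(403, {}, "header not allowed");
    }
    return respond(204, {
      ...corsHeaders(origin),
      "Access-Control-Allow-Methods": ALLOWED_METHODS.join(", "),
      "Access-Control-Allow-Headers": ALLOWED_HEADERS.join(", "),
      "Access-Control-Max-Age": "600",
    }, "");
  }
  if (!req.clientCert) return respond(401, {}, "client certificate required");
  return respond(200, corsHeaders(origin), "ok");
}

// Constructed traffic (not captured): what a browser sends for a cross-origin
// PUT with credentials. The preflight carries no clientCert, no Cookie and no
// Authorization header, which is exactly what the CORS spec requires.
const PREFLIGHT = {
  method: "OPTIONS",
  path: "/rest/example", // placeholder path
  clientCert: null,
  headers: {
    origin: ALLOWED_ORIGIN,
    "access-control-request-method": "PUT",
    "access-control-request-headers": "content-type",
  },
};
const ACTUAL = {
  method: "PUT",
  path: "/rest/example",
  clientCert: { subject: "CN=alice" }, // stands in for the TLS client cert
  headers: { origin: ALLOWED_ORIGIN, "content-type": "application/json" },
};

// Drives a handler the way the browser would: unless the preflight succeeds
// with matching CORS headers, the actual request is never sent.
function simulateBrowser(handler, preflight = PREFLIGHT, actual = ACTUAL) {
  const pre = handler(preflight);
  const allowed = pre.status >= 200 && pre.status < 300 &&
    pre.headers["Access-Control-Allow-Origin"] === preflight.headers.origin &&
    pre.headers["Access-Control-Allow-Credentials"] === "true";
  if (!allowed) return { blocked: true, stage: "preflight", status: pre.status };
  const real = handler(actual);
  return { blocked: false, stage: "request", status: real.status };
}

console.log("cert on every request:", simulateBrowser(handleRequireCertEverywhere));
console.log("preflight aware:", simulateBrowser(handlePreflightAware));
```

The preflight-aware handler still returns 401 to an actual request without a certificate, so exempting OPTIONS from the certificate check does not weaken authentication; it only stops the browser's credential-less probe from failing before the real, certificate-bearing request is sent.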