lwsjs / local-web-server

A lean, modular web server for rapid full-stack development.
MIT License

rewrite module and secure cookies #141

Closed 5im-0n closed 4 years ago

5im-0n commented 4 years ago

When rewriting happens with an https destination, like in ws --rewrite '/:user/repos/:name -> https://api.github.com/repos/:user/:name', cookies set by the destination are usually set with the secure flag, but since lws listens on http, this cookie gets lost. lws should strip the secure flag from the cookie, so cookies set from an https origin get set correctly.

75lb commented 4 years ago

Hi, thanks for the feature - do you think it should be on by default?

5im-0n commented 4 years ago

Yes I think so. Since lws is "A lean, modular web server for rapid full-stack development." I think it should be on in the default use case, that is, development.

75lb commented 4 years ago

Yeah, I agree.. the only concern is that making this behaviour the default could surprise existing users accustomed to the previous behaviour.. It's a breaking change, unless people consider it a bug fix and not a feature addition..

5im-0n commented 4 years ago

True. But I think that since it did not work before, nobody used lws this way, so there should be no breaking changes for anyone.

75lb commented 4 years ago

Released in lws-rewrite v2.1.0. Reinstall local-web-server to pick up the change.

On insecure connections (plain HTTP), stripping the secure attribute from remote, rewrite-target cookies is now the default behaviour. Set --rewrite.keep-secure-attr to disable this.
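
Added example, not part of the thread and not lws-rewrite's own code: a sketch of the Secure-stripping behaviour discussed above for a development proxy on plain HTTP, which also flags cookies a browser can still refuse afterwards (`__Secure-`/`__Host-` name prefixes, and `SameSite=None` under RFC 6265bis rules). All function and option names are hypothetical, and the sample headers are constructed.

```javascript
// Added example, not lws-rewrite source; all function and option names are hypothetical.

// Split a Set-Cookie value into its name=value pair and its attributes.
function parseSetCookie (setCookie) {
  const [pair, ...attrs] = setCookie.split(';').map(part => part.trim())
  return { pair, name: pair.split('=')[0], attrs: attrs.filter(Boolean) }
}

// Drop only the standalone Secure attribute (case-insensitive); values such as
// "mode=secure" or "Path=/secure" are left alone.
function stripSecureAttr (setCookie) {
  const { pair, attrs } = parseSetCookie(setCookie)
  return [pair, ...attrs.filter(a => a.toLowerCase() !== 'secure')].join('; ')
}

// Reasons a browser can still refuse the cookie once Secure is gone.
function rejectionReasons (setCookie) {
  const { name, attrs } = parseSetCookie(setCookie)
  const reasons = []
  if (/^__(Secure|Host)-/i.test(name)) reasons.push('name prefix requires Secure')
  if (attrs.some(a => /^samesite\s*=\s*none$/i.test(a))) {
    reasons.push('SameSite=None requires Secure')
  }
  return reasons
}

// Rewrite the upstream Set-Cookie list for a client connected over plain HTTP.
function rewriteSetCookies (headers, { insecure = true, keepSecureAttr = false } = {}) {
  if (!insecure || keepSecureAttr) return { headers: [...headers], warnings: [] }
  const warnings = []
  const rewritten = headers.map(header => {
    const stripped = stripSecureAttr(header)
    for (const reason of rejectionReasons(stripped)) {
      warnings.push(`${parseSetCookie(stripped).name}: ${reason}`)
    }
    return stripped
  })
  return { headers: rewritten, warnings }
}

// Constructed sample: Set-Cookie values as an HTTPS rewrite target might send them.
const sampleUpstream = [
  'sid=abc123; Path=/; HttpOnly; Secure',
  'mode=secure; Path=/secure; secure',
  '__Host-csrf=t0k3n; Path=/; Secure',
  'track=1; SameSite=None; Secure'
]
console.log(rewriteSetCookies(sampleUpstream))
```

Cookies listed in `warnings` need the upstream to change the cookie name or `SameSite` value for development, or the proxy itself to be served over HTTPS.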