pouchdb / add-cors-to-couchdb

CLI to add a good default CORS configuration to CouchDB
Apache License 2.0

(#2) - turn off credentials true #4

Closed calvinmetcalf closed 10 years ago

nolanlawson commented 10 years ago

When I try to use my local CouchDB via PouchDB with credentials not set to true, I see this error in Chrome:

XMLHttpRequest cannot load http://localhost:5984/foo/?_nonce=8vHvlvJwGRo7Ak9V.
Credentials flag is 'true', but the 'Access-Control-Allow-Credentials' header is ''.
It must be 'true' to allow credentials.

This is apparently because we hard-code the xhr to xhr.withCredentials = true;. We need to resolve https://github.com/pouchdb/pouchdb/issues/2513 first.

nolanlawson commented 10 years ago

Also, I am -1 on this, because apparently it will still work if credentials is true on the server but false on the client, but not the reverse. IMO add-cors-to-couchdb should open the floodgates; fiddling with stuff that may or may not break PouchDB should be left to advanced users.

kxepal commented 10 years ago

@nolanlawson

> it will still work if credentials is true on the server but false on the client, but not the reverse

It works just because the server implicitly turns credentials to false when origin is * - that's why you don't notice the issue. Relying on implicit behaviours is bad practice since one day you can find everything broken. Better fix PouchDB and config.

calvinmetcalf commented 10 years ago

so closing this as setting credentials=false will make lots of previous versions of pouchdb stop working, that being said we need to fix pouchdb so it only sets credentials=true when it actually has credentials.

we can reopen this as an option that defaults to false maybe a -s --strict
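
The client/server credential combinations discussed in this thread, as an added example that is not part of the original comments or of the add-cors-to-couchdb code: a small model of the browser's CORS check from the Fetch standard, run over constructed response headers. The function name `corsCheck`, the page origin and the header sets are assumptions made for illustration.

```javascript
// Added example (not from the thread): model of the browser CORS check
// described in the Fetch standard. Names and sample data are illustrative.
function corsCheck(requestOrigin, withCredentials, headers) {
  // headers: response headers with lower-cased names
  const allowOrigin = headers['access-control-allow-origin'];
  const allowCreds = headers['access-control-allow-credentials'] || '';

  if (allowOrigin === undefined) {
    return { ok: false, reason: 'no Access-Control-Allow-Origin header' };
  }
  // A wildcard origin is accepted only for requests without credentials.
  if (allowOrigin === '*') {
    return withCredentials
      ? { ok: false, reason: "wildcard origin with credentials flag 'true'" }
      : { ok: true, reason: 'wildcard origin, no credentials' };
  }
  if (allowOrigin !== requestOrigin) {
    return { ok: false, reason: 'origin mismatch' };
  }
  if (!withCredentials) {
    // Server may still send Allow-Credentials: true; the check never reads it.
    return { ok: true, reason: 'origin matches, no credentials' };
  }
  // Credentialed request: the header must be exactly "true".
  if (allowCreds === 'true') {
    return { ok: true, reason: 'origin matches, credentials allowed' };
  }
  return {
    ok: false,
    reason: `credentials flag is 'true', but Access-Control-Allow-Credentials is '${allowCreds}'`,
  };
}

// Constructed scenarios: [label, xhr.withCredentials, response headers].
const ORIGIN = 'http://localhost:8000'; // hypothetical page origin
const scenarios = [
  ['client true, server unset', true, { 'access-control-allow-origin': ORIGIN }],
  ['client false, server true', false,
    { 'access-control-allow-origin': ORIGIN, 'access-control-allow-credentials': 'true' }],
  ['client true, server true', true,
    { 'access-control-allow-origin': ORIGIN, 'access-control-allow-credentials': 'true' }],
  ['client true, origin *', true,
    { 'access-control-allow-origin': '*', 'access-control-allow-credentials': 'true' }],
];
for (const [label, creds, headers] of scenarios) {
  const r = corsCheck(ORIGIN, creds, headers);
  console.log(`${label}: ${r.ok ? 'allowed' : 'blocked'} (${r.reason})`);
}
```

The first scenario reproduces the Chrome error quoted at the top of the thread; the last one shows why a wildcard origin and a credentialed client cannot be combined.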