taoensso / sente

Realtime web comms library for Clojure/Script
https://www.taoensso.com/sente
Eclipse Public License 1.0

sente/ajax-call and "withCredentials" in CORS environment #130

Closed bplatz closed 9 years ago

bplatz commented 9 years ago

sente/ajax-call (which traces back to support in encore/ajax-lite) has not exposed the opt_withCredentials option available in xhrio.

When attempting to use sente in a CORS environment, the built-in ajax-call cannot be used (without some trickery), as the ring session cookie will not be sent in the request... screwing up the desired default behavior in setting a user-id.

For whatever reason the option is not documented in the link you provide in the source code: https://developers.google.com/closure/library/docs/xhrio

But it is fully supported: goog.net.XhrIo.send(url, opt_callback, opt_method, opt_content, opt_headers, opt_timeoutInterval, opt_withCredentials) https://closure-library.googlecode.com/git-history/docs/local_closure_goog_net_xhrio.js.html

If the option is available, then sente will natively support CORS (with proper configuration).

ptaoussanis commented 9 years ago

Hi there, thanks for bringing this to my attention! Would be happy to see an encore PR :-)

Cheers!

bplatz commented 9 years ago

The PR solves the core support in encore. The other place the issue would appear in sente would be in the ChAjaxSocket interface, in the case of websocket support not being in place.

In looking through the sente source, I think adding another option to make-channel-socket!, :with-credentials, would make sense. The option would pass to ChAjaxSocket, which would then utilize it in the calls to ajax-call. Without this, in a CORS implementation, you'd likely be in a scenario where AJAX users would not get proper user-ids, perhaps all defaulting to the same? If so, then attempts to send to that user would send to all AJAX users inadvertently. Again, this is based on the implementation in your example, assuming someone didn't do further checks to ensure they had a valid user session.

I could look at a PR for that piece too if you agree.

ptaoussanis commented 9 years ago

Just pushed [com.taoensso/sente "1.5.0-RC1"] which allows an {:ajax-opts {:with-credentials? true}} opt to be passed to the cljs-side make-channel-socket!.

Please let me know if that does the trick? Cheers! :-)
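The client-side opt above only asks the browser to attach the session cookie; the server must also answer with a credentialed CORS policy, or the browser discards the response. Added example, not sente's or this thread's code: a Ring middleware that echoes an allow-listed origin (a wildcard is rejected by browsers once credentials are in play), so that the ajax fallback keeps its session-derived user-id. `allowed-origins`, the middleware name and the header names listed under Allow-Headers are assumptions.

```clojure
(ns example.cors)

;; Assumed allow-list; in a deployment this comes from config, never from
;; the request itself. Echoing arbitrary origins with credentials would
;; hand the session cookie's authority to any site.
(def allowed-origins #{"https://app.example.com"})

(defn cors-headers
  "CORS response headers for a credentialed request from `origin`, or nil
  when the origin is not allow-listed. With credentials the browser
  refuses a `*` Allow-Origin, so the specific origin is echoed back and
  `Vary: Origin` keeps caches from serving one origin's answer to another."
  [origin]
  (when (contains? allowed-origins origin)
    {"Access-Control-Allow-Origin"      origin
     "Access-Control-Allow-Credentials" "true"
     "Access-Control-Allow-Methods"     "GET, POST, OPTIONS"
     ;; Assumed header list; extend to whatever the client actually sends.
     "Access-Control-Allow-Headers"     "Content-Type, X-CSRF-Token"
     "Vary"                             "Origin"}))

(defn wrap-credentialed-cors
  "Ring middleware. Same-origin requests (no Origin header) pass through
  unchanged. Cross-origin requests from an allow-listed origin get the
  CORS headers (preflights answer 204 without reaching the handler);
  requests from any other origin are refused before the handler runs."
  [handler]
  (fn [req]
    (let [origin  (get-in req [:headers "origin"])
          headers (cors-headers origin)]
      (cond
        (nil? origin)
        (handler req)

        (nil? headers)
        {:status 403 :headers {} :body "origin not allowed"}

        (= :options (:request-method req))
        {:status 204 :headers headers :body ""}

        :else
        (update (handler req) :headers merge headers)))))
```

Wrap the Ring handler that serves sente's ajax-get-or-ws-handshake and ajax-post routes with this middleware, outside the session middleware, so the session cookie is both sent by the browser and read by the user-id function.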

bplatz commented 9 years ago

With RC2 it appears to work great. Thanks! RC1 didn't seem to pull the deps correctly, or didn't get to clojars correctly, but I was able to get it to work with manual builds from source.

ptaoussanis commented 9 years ago

Okay, great - thanks for confirming! Cheers :-)